After an upgrade to Active Roles 8.2.1 SP6, some Dynamic Groups may take longer than expected to update their members.
Clicking Rebuild does not update the group immediately or as quickly as expected.
Dynamic Group functionality in Active Roles 8.2.1 SP6 has been re-implemented with the specific goal of minimizing the number of Dynamic Group membership changes in Active Directory.
This means that Active Roles needs to do more work in order to confirm and calculate the necessary changes. Because of this need to perform more work, some large or complicated environments may find that this specific version of Active Roles is not processing Dynamic Group membership changes as quickly as previous versions once did.
STATUS
Enhancement Request 704876 has been logged to improve Dynamic Group pre-filtering. This feature will be included in an upcoming release of Active Roles.
WORKAROUND
If you are experiencing Dynamic Group update delays, it could be due to Dynamic Groups with broken or inefficient membership rules, or there may be several Dynamic Groups with complex rules that are not being processed efficiently.
Step One
To help identify Dynamic Groups with broken membership rules, please follow the steps in this KB:
Step Two
If you are still experiencing issues after correcting Dynamic Group membership rules, enable Dynamic Group Log Verbosity to help identify any other potential issues.
1. Change the following Registry entry to a value of 1 to enable Verbosity:
HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Active Roles\Configuration\Service\DynamicGroupEventLogVerbosity
2. Review the Active Roles Admin Service event log for Event ID 2589 entries whose text contains "high priority queue", and review the details of the entries waiting in the queues. For example:

Step Three
If the number of high priority queue items is steadily increasing and the items do not appear to be processed, it may be necessary to increase the Dynamic Group Parallel processing registry value to compensate. Note that in some environments it may be normal to see tens or hundreds of items at any given time.
The registry entry is located here and is a per-server setting:
HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Active Roles\Configuration\Service\DynamicGroupParallelHandlingNumber
NOTES:
Increasing these values will increase CPU usage on the Active Roles host and the Domain Controllers. If CPU utilization is already high, adding additional CPU resources will be necessary before proceeding.
A) Our recommendation for most environments is a value of 3. This requires a quad-core CPU and 16 GB of RAM on the Active Roles host, and a quad-core CPU and 32 GB of RAM on the Domain Controllers.
B) For customers that have complex rules, or a large number of Dynamic Groups, this value can be first increased to 4 and gradually increased to 6 if needed. For values of 4, 5 or 6 it is recommended to have a quad-core CPU and 32 GB of RAM on the Active Roles host and an eight-core CPU with 64 GB of RAM on the Domain Controllers.
After increasing the Parallel Handling number, revisit the Active Roles event log and confirm the high priority queue items are 0 or close to 0 at any given time.
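Steps Two and Three can be scripted as follows. This is an added example, not One Identity code. It assumes both registry values are REG_DWORD and that the Admin Service event log is named 'EDM Server'; the parameter names are hypothetical.

```powershell
# Added example, not One Identity code. Run elevated on the Active Roles host.
# Assumptions: both registry values are REG_DWORD, and the Admin Service event
# log is named 'EDM Server' (confirm with: Get-WinEvent -ListLog *).
param(
    [string]$LogName = 'EDM Server',
    [switch]$EnableVerbosity,                         # Step Two, item 1
    [ValidateRange(0, 6)][int]$ParallelHandling = 0,  # Step Three; 0 = leave unchanged
    [int]$LookbackHours = 4
)

$key = 'HKLM:\SOFTWARE\One Identity\Active Roles\Configuration\Service'
$changes = [ordered]@{}
if ($EnableVerbosity)        { $changes['DynamicGroupEventLogVerbosity'] = 1 }
if ($ParallelHandling -gt 0) { $changes['DynamicGroupParallelHandlingNumber'] = $ParallelHandling }

# Report the current value of both settings and change only what was requested.
foreach ($name in 'DynamicGroupEventLogVerbosity', 'DynamicGroupParallelHandlingNumber') {
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($changes.Contains($name) -and $current -ne $changes[$name]) {
        Set-ItemProperty -Path $key -Name $name -Value $changes[$name] -Type DWord
        Write-Host "$name : $current -> $($changes[$name])"
    } else {
        Write-Host "$name : $current (unchanged)"
    }
}

# Step Two, item 2: Event ID 2589 entries that mention the high priority queue,
# oldest first, so a queue that keeps growing is visible from top to bottom.
$events = @(Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        Id        = 2589
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'high priority queue' } |
    Sort-Object TimeCreated)

$events | Format-List TimeCreated, MachineName, Message
Write-Host ("{0} matching entries in the last {1} hour(s) on {2}" -f `
    $events.Count, $LookbackHours, $env:COMPUTERNAME)
```

Because the setting is per-server, run it on each Active Roles host. This page does not state whether the Admin Service must be restarted for a changed value to take effect.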
Step Four
If the above workarounds do not resolve the issue, please contact One Identity Support and reference this Solution.