Active Directory uses update sequence numbers (USNs) to replicate its objects between domain controllers. After every update to any field of an object, the object's USN is set to a higher (not necessarily consecutive) value.
Identity Manager stores these USNs in its database and uses them to decide whether an object needs to be synchronized with the master database. At the start of a synchronisation run, Identity Manager compares the USN in the target system with the USN in the database; the object is synchronized only when the USN in the target system is higher than the one in the database.
If, for whatever reason, a particular field is not synchronized but the current USN is still written to the database, the object will not be updated on the next synchronisation attempt. When another field of the object is changed, the USN is incremented, and on the next synchronisation run the object is updated in the database, including the field that previously failed.
To the user, this may look as if fields in Identity Manager are updated at random.
Situations like this are likely to occur when the Q1IM schema and the mapping are extended by additional properties that were not used so far.
Overwriting the value of a field in Active Directory with the same value is not likely to change the USN, so synchronisation of that object will not be triggered.
Synchronisation of every object can be enforced by running the following command on the Identity Manager database:
UPDATE adsaccount SET objectusn = NULL
All objects will then be updated on the next synchronisation run.
Please make a backup of your database before running any SQL statements on your database.
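The following added example (not One Identity code) models the behaviour described above in Python with an in-memory SQLite table: a newly mapped field stays empty until the USN changes or objectusn is reset. Only the table name adsaccount and the column objectusn come from this article; the cn, mail and department columns, the sync function and the sample directory data are constructed for illustration.

```python
import sqlite3

MAPPABLE = ("mail", "department")  # hypothetical columns; only objectusn is from the article

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE adsaccount (cn TEXT PRIMARY KEY, objectusn INTEGER, "
               "mail TEXT, department TEXT)")
    return db

def sync(db, directory, mapped):
    """One run: copy mapped fields for objects whose target USN exceeds the stored one."""
    synced = []
    for cn, (usn, attrs) in directory.items():
        row = db.execute("SELECT objectusn FROM adsaccount WHERE cn = ?", (cn,)).fetchone()
        if row is not None and row[0] is not None and usn <= row[0]:
            continue  # stored USN is current: the object is skipped entirely
        if row is None:
            db.execute("INSERT INTO adsaccount (cn) VALUES (?)", (cn,))
        for col in mapped:
            if col not in MAPPABLE:  # column names are interpolated, so allowlist them
                raise ValueError(col)
            db.execute(f"UPDATE adsaccount SET {col} = ? WHERE cn = ?", (attrs.get(col), cn))
        db.execute("UPDATE adsaccount SET objectusn = ? WHERE cn = ?", (usn, cn))
        synced.append(cn)
    return synced

def department(db, cn):
    return db.execute("SELECT department FROM adsaccount WHERE cn = ?", (cn,)).fetchone()[0]

def demo():
    db = make_db()
    # Constructed target-system data: name -> (USN, attributes)
    directory = {"alice": (100, {"mail": "a@example.test", "department": "IT"}),
                 "bob": (101, {"mail": "b@example.test", "department": "HR"})}
    sync(db, directory, ["mail"])                            # department not mapped yet
    after_extend = sync(db, directory, ["mail", "department"])  # mapping extended, USNs unchanged
    directory["alice"] = (150, {"mail": "a2@example.test", "department": "IT"})
    after_change = sync(db, directory, ["mail", "department"])  # only alice's USN is higher
    stale = department(db, "bob")                            # bob's new field is still empty
    db.execute("UPDATE adsaccount SET objectusn = NULL")     # statement from the article
    after_reset = sync(db, directory, ["mail", "department"])
    return after_extend, after_change, stale, after_reset, department(db, "bob")

if __name__ == "__main__":
    print(demo())
```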
© 2021 One Identity LLC. ALL RIGHTS RESERVED.