Objects are not updated in the Identity Manager (1IM) database after the synchronization server has been changed or after a property has been added to the mapping, despite unchecking "Changes Only":
If “Changes only” is checked, USN numbers are sent to the target system and only the objects relevant for synchronization are sent back.
If “Changes only” is unchecked, all objects are sent to Identity Manager and then Identity Manager compares the USN numbers of these objects with the ones in the database.
At first glance this setting might not make sense, as a comparison based on USN numbers is done anyway. But there is a difference: in the first case, Active Directory (AD) ignores deleted objects, so Identity Manager does not become aware of the deletions.
The Configuration Parameter "TargetSystem\ADS\useUSN" is no longer used by Identity Manager and is there only for compatibility reasons. This parameter had a similar effect to “Changes only”.
Possible effects stemming from this behaviour:
1. The USN number of objects is not replicated within AD. Every Domain Controller maintains its own USN numbers. So if the synchronization server for Identity Manager is changed, objects may be ignored. Changing the synchronization server should not be done routinely. If it is changed, use the SQL statement provided below.
2. If an AD property is added to the mapping, this additional property will not be loaded because there is no change in the USN. It will only be loaded on the next change of the USN.
The only way to enforce a full synchronization is the following SQL statement (it applies to user accounts, i.e. the ADSAccount table):
UPDATE adsaccount SET objectusn = NULL
This statement deletes all USN numbers stored for user accounts in the Identity Manager database, so the next synchronization will update all user objects.
Note: It is strongly recommended to have a current database backup before issuing any SQL statements on the Identity Manager database.
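The two effects and the reset can be reproduced with a small simulation. This is an added example, not Identity Manager code: the comparison rule (reload only when no USN is stored or the Domain Controller reports a higher one), the function names and the sample accounts are assumptions made for illustration.

```python
# Toy model (assumption, not product code): an account is reloaded only when
# no USN is stored for it or the DC reports a USN higher than the stored one.

def synchronize(dc_view, stored_usn, db_rows, mapping):
    """Sync accounts as seen on one DC; return the names that were reloaded."""
    reloaded = []
    for name, (usn, attrs) in dc_view.items():
        known = stored_usn.get(name)
        if known is not None and usn <= known:
            continue  # treated as unchanged, object is skipped
        db_rows[name] = {prop: attrs.get(prop) for prop in mapping}
        stored_usn[name] = usn
        reloaded.append(name)
    return sorted(reloaded)

def run_scenario():
    # Constructed sample data: the same two accounts, USNs differ per DC.
    dc1 = {"alice": (5000, {"cn": "Alice", "mail": "alice@example.test"}),
           "bob": (5001, {"cn": "Bob", "mail": "bob@example.test"})}
    dc2 = {"alice": (120, {"cn": "Alice", "mail": "alice@example.test"}),
           "bob": (121, {"cn": "Bob", "mail": "bob@example.test"})}
    stored_usn, db_rows, mapping = {}, {}, ["cn"]
    results = {"initial": synchronize(dc1, stored_usn, db_rows, mapping)}

    # Effect 2: a property is added to the mapping, but no USN has changed.
    mapping.append("mail")
    results["after_mapping_change"] = synchronize(dc1, stored_usn, db_rows, mapping)
    results["mail_loaded"] = "mail" in db_rows["alice"]

    # Effect 1: the synchronization server becomes DC2, where bob is then
    # modified. His USN rises on DC2 but stays below the value stored from DC1.
    dc2["bob"] = (130, {"cn": "Robert", "mail": "bob@example.test"})
    results["after_dc_switch"] = synchronize(dc2, stored_usn, db_rows, mapping)

    # Model of: UPDATE adsaccount SET objectusn = NULL
    for name in stored_usn:
        stored_usn[name] = None
    results["after_usn_reset"] = synchronize(dc2, stored_usn, db_rows, mapping)
    results["bob_row"] = db_rows["bob"]
    return results

if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(step, outcome)
```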