What can be checked when troubleshooting the Synchronization of users with Active Directory in Equitrac Directory Synchronization?
In Active Directory, every user object has an attribute called USNchanged, which is set to a new, incrementally higher value every time the user is updated.
AD sync is performed by the Equitrac Scheduler. It uses an internal database entry in CAS called mostRecentUSN, which starts at 0 on the first sync and is updated with the highest USNchanged value found when the sync completes. Every user with a USNchanged value greater than mostRecentUSN is checked for update according to the Adds, Changes and Deletes settings:
Adds - if this is checked, the user is added and their fields are synchronized
Changes - if USNchanged is higher, the user's details are updated, including locking the account when it is inactivated in AD
Deletes - if the system has access to the deleted users container, the user is marked in Equitrac as deleted and disappears from view
This runs on a frequency setting, as the Scheduler forces communication on a timed basis. If new containers are added, the users in them may have a lower USNchanged than mostRecentUSN and would be skipped; in that case 'Synchronize on Save' resets mostRecentUSN to 0 so that all users are checked.
Use a third-party tool, e.g. AD Explorer, to connect to AD with the same credentials as the service account and check that this field is visible. If it is not, the system administrators will need to make the field visible to the required user; otherwise the synchronization will not work.
Creating the connection
When adding a new connection, in the Active Directory server field initially enter the domain name, not a server. Then check the failback to other servers checkbox. This should then choose an AD server and add the domain name to the fallback, so that if that DC cannot be contacted, any DC in the domain can field the request.
There are many ways to configure adding users. It is not always necessary to enable 'Adds' to add them through AD synchronization, as this can lead to a large number of users being added to the system who may never use it.
It is easier to allow the user to be added on first print; the AD synchronization then brings in the extra user detail fields. This way only the users who actually use the system are in the system.
'Deletes' can only remove users if the EQModifyDeletedContainerSecurity.exe application has been used to give the system access to the Deleted Users container in AD. Otherwise only account locking takes place, not removal; that locking is handled by the 'Changes' option.
A common mistake is to try to use LDAP settings to force secure communication with the DC. This is not necessary for Active Directory sync, and there are no settings for it, because the domain policy for LDAP channel binding determines whether the connection is secure or not, and this takes place at the operating-system level, not at the application level.
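The following PowerShell script is an added example, not part of this article or of Equitrac, that reproduces the two checks above from the service account's point of view: whether USNchanged is readable and which users sit above or below the stored mostRecentUSN, and whether the Deleted Objects container is readable. It assumes a domain-joined host with the ActiveDirectory RSAT module; $DomainController and $MostRecentUSN are placeholders, and because uSNChanged is maintained separately by each domain controller, the query is pinned to the DC the Scheduler actually talks to.

```powershell
# Added example, not part of the Equitrac KB article. Run it on a domain-joined
# host with the ActiveDirectory RSAT module, as the Equitrac service account.
# $DomainController and $MostRecentUSN are placeholders: uSNChanged is maintained
# per domain controller, so compare against the DC the Scheduler actually uses.
Import-Module ActiveDirectory

$DomainController = 'dc01.example.local'   # placeholder
$MostRecentUSN    = 123456                 # placeholder: value stored in CAS

# 1. Can this account read uSNChanged at all? If the attribute is empty for
#    every user, it is not visible to the service account and sync cannot work.
$users   = @(Get-ADUser -Server $DomainController -Filter * -Properties uSNChanged)
$missing = @($users | Where-Object { -not $_.uSNChanged })
"Users returned: $($users.Count); with no readable uSNChanged: $($missing.Count)"

# 2. Users the next scheduled sync will examine (uSNChanged above the high-water mark).
$pending = @($users | Where-Object { $_.uSNChanged -gt $MostRecentUSN })
"Users above mostRecentUSN ($MostRecentUSN): $($pending.Count)"
$pending | Sort-Object uSNChanged | Select-Object SamAccountName, Enabled, uSNChanged

# 3. Users at or below the mark are skipped until mostRecentUSN is reset to 0
#    ('Synchronize on Save'); this is the newly-added-container case.
$skipped = @($users | Where-Object { $_.uSNChanged -le $MostRecentUSN })
"Users at or below mostRecentUSN (only synced after a reset): $($skipped.Count)"

# 4. Is the Deleted Objects container readable? Without that access 'Deletes'
#    cannot remove users and only account locking ('Changes') takes place.
try {
    $deleted = @(Get-ADObject -Server $DomainController -IncludeDeletedObjects `
        -Filter { isDeleted -eq $true -and objectClass -eq 'user' } `
        -Properties uSNChanged, whenChanged)
    "Deleted user objects visible: $($deleted.Count)"
} catch {
    "Deleted Objects container not readable by this account: $($_.Exception.Message)"
}
```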