Custodian Manager's AD Synchronization never completes in an environment with multiple or very large Active Directory domains.
Enterprise Vault (EV) Discovery Accelerator (DA) Custodian Manager (CM) ADSynchroniser processing either takes weeks or never completes synchronizing Active Directory (AD) domains when either very large (i.e., over 100K users and groups) or multiple AD domains are configured for synchronization.
Event Type: Error
Event Source: Accelerator AD Synchronizer
Event ID: 34
APP AT - Customer ID: X - An error occured in ProfileSynchroniser::SynchroniseEmployeeProfile while retrieving properties.
System.Runtime.InteropServices.COMException (0x8000500C): Unknown error (0x8000500c)
at KVS.Accelerator.ActiveDirectory.ADProfileSynchroniser.UpdateProfileRowFromDirEntry(DirectoryEntry entry,
ProfileRow& profileRow, StringCollection& emailAddresses, StringCollection& allDisplayNameAddresses, String userLogin)
at KVS.Accelerator.ActiveDirectory.ADProfileSynchroniser.SynchroniseADEmployeeProfile(ProfileRow profileRow,
StringCollection& allEmailAddresses, StringCollection& allDisplayNameAddresses, PropertyCollection& ADUserProps,
Several causes exist to prevent the ADSynchroniser process from completing with all Active Directory (AD) users and groups synchronized. The following is a partial list of the known causes:
- Data for a history start reference date parameter is missing for indirect group to user members in 2 tables of the Custodian Manager (CM) database (db).
- Groups deleted from AD have wrong entries in 2 tables of the CM db.
- A retry flag is not being properly reset.
- Moving a Group from one AD container (i.e., Organizational Unit) to another is not being properly tracked, which can cause unwanted users added to the moved group.
- When the 'Recurse into nested list' check box is unchecked for a group and that group is synchronized as part of an incremental synchronization, direct and indirect users in the group will be displayed in the CM group.
- Clicking the 'Synchronize now' button does not synchronize all groups.
- A failure obtaining a proxy address for a user will stop the crawler process that obtains data from AD.
- A blank search of AD used by some ADSynchroniser processing does not work.
- An AD user or group that was deactivated using the CM site does not propagate when reactivated unless there is an AD Update Serial Number (USN) change in the user or group.
- Once a deactivated user fails to get the associated AD profile, all remaining users in the batch do not get picked up for synchronization.
- CM launches multiple processes per AD domain in a single run when more than one AD Domain is added for synchronization.
- The deactivation pass processes all users and groups in a single transaction, which can cause all deactivations in that pass to be rolled back should an error occur.
- The deactivation pass can time out for a large number of qualified users and groups.
- Each synchronization run would attempt to complete a full synchronization of each AD domain instead of just synchronizing changes within the domain (i.e., changed users or groups).
This issue has been addressed in the following release:
Enterprise Vault 10.0.4 - Release Details
- Discovery Accelerator 9.0 or greater
- Very large (i.e., 250K+ users and groups) Active Directory domain or multiple Active Directory domains configured to synchronize with Custodian Manager.
Was this content helpful?
Rating submitted. Please provide additional feedback (optional):