AD retrieve created/changed entries job - puzzling timing / logic

Former Member

Hello IDM Gurus,

We have "Retrieve created/changed entries from AD" jobs running every minute to pick up any changes or new creates within Active Directory. We don't understand what the frequency of updates is though; sometimes creates come through the jobs in 5 minutes, sometimes it takes 45 mins; the same goes for changes/updates within AD. Is there a setting in AD that determines how frequently the USN is updated or how often a change or create is registered/acknowledged? When we first started running the jobs manually every 2-3 minutes or so, these changes were coming through quite frequently, but after it started running every minute on schedule the updates seem to take anywhere between 5 minutes and 45 minutes to be acknowledged and come through. Any ideas why this might be happening?

Thanks a lot in advance!

Best regards,

Sandeep

Accepted Solutions (1)

former_member2987
Active Contributor

Sandeep,

My understanding is that USNChanged is updated every time an AD entry is altered and this is saved directly back to the AD Object. Therefore the updates occur as often as there are changes.

However, your AD Search Query will also play a role in this. If you are querying on (objectclass=person) and you've made several changes to group objects, there will be a change in USNChanged for AD, but none that your task would pick up.

Does this answer your question or was I not understanding your issue correctly?

Matt

Former Member

Hey Matt,

Thanks a lot for your quick response!

Yes, this does answer my question, but additionally, if one were to add a user to a group in AD, does the change get registered for the group, the person or BOTH?

We set a job to run every minute, one to pick up changes and one to pick up creates, and it was initially only registering such changes or creates much after the actual event (30 to 50 mins later), which really didn't make any sense. The following day it worked as expected and changes and creates were getting picked up within one to two minutes of actually happening; not too sure why that initial delay was there, but I'm guessing it must've been some weird delay or temporary problem with AD which seems to have rectified itself now.

Thanks a lot Matt!

Best regards,

Sandeep

former_member2987
Active Contributor

Sandeep,

The answer, as far as I know, is BOTH, as you would be adding the memberOf attribute to the User and updating the member attribute of the group (it's a multi-valued attribute). Not sure what order this happens in, but of course, by checking the USNChanged values, you would have the answer!

As far as the timing goes, that depends on how you are provisioning and what, if any, replication is going on. Have a chat with your local AD guru to find out where you should be provisioning to in the domain and what the replication policies are. Sometimes it's better to provision to the domain (dc=company,dc=com) rather than a domain controller (dc=domaincontroller1,dc=company,dc=com).

Matt
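To make the two points in Matt's answers concrete (the search filter hiding changes that still advanced the USN, and timing/replication), here is a small simulation of the USN-based delta polling that a "retrieve created/changed entries" job performs. This is an added illustration, not SAP IDM or AD code; the DomainController, DeltaJob and demo names, the DNs and the starting USN value are constructed. It models uSNChanged as a per-DC counter tagged by the DC's invocationId, so a high-water mark read from one DC is not replayed against another, and it bumps only the group's uSNChanged on a membership change, because memberOf is a back-link computed from the group's member attribute rather than a value stored on the user.

```python
from dataclasses import dataclass, field

@dataclass
class Entry:
    dn: str
    object_class: str
    usn_created: int
    usn_changed: int
    attrs: dict = field(default_factory=dict)

class DomainController:
    """One DC. Its USN counter is local to this DC; invocationId identifies the DC."""
    def __init__(self, invocation_id, start_usn=1000):
        self.invocation_id, self.usn, self.entries = invocation_id, start_usn, {}
    def write(self, dn, object_class, **attrs):
        self.usn += 1  # any write to any object advances the DC-wide USN
        entry = self.entries.setdefault(dn, Entry(dn, object_class, self.usn, self.usn))
        entry.usn_changed = self.usn
        entry.attrs.update(attrs)
    def search(self, object_class, usn_attr, usn_min):
        # Stands in for (&(objectClass=<cls>)(<usn_attr>>=<usn_min>)); results ordered by USN.
        hits = [e for e in self.entries.values()
                if e.object_class == object_class and getattr(e, usn_attr) >= usn_min]
        return sorted(hits, key=lambda e: getattr(e, usn_attr))

class DeltaJob:
    """A 'retrieve created' (uSNCreated) or 'retrieve changed' (uSNChanged) job."""
    def __init__(self, object_class, usn_attr):
        self.object_class, self.usn_attr = object_class, usn_attr
        self.invocation_id, self.high_water_mark = None, 0

    def run(self, dc):
        # A high-water mark taken from one DC is meaningless on another: resync from 0.
        if dc.invocation_id != self.invocation_id:
            self.invocation_id, self.high_water_mark = dc.invocation_id, 0
        hits = dc.search(self.object_class, self.usn_attr, self.high_water_mark + 1)
        if hits:
            self.high_water_mark = getattr(hits[-1], self.usn_attr)
        return [e.dn for e in hits]

def demo():
    """Constructed scenario: create a user, then add the user to a group."""
    dc = DomainController("dc1-invocation-id")
    created, changed = DeltaJob("person", "usn_created"), DeltaJob("person", "usn_changed")
    dc.write("cn=alice,dc=company,dc=com", "person", sn="Example")
    first = (created.run(dc), changed.run(dc))  # both jobs return alice
    dc.write("cn=admins,dc=company,dc=com", "group", member=["cn=alice,dc=company,dc=com"])
    second = (created.run(dc), changed.run(dc))  # both empty: USN advanced, filter hid it
    return first, second, dc.usn, changed.high_water_mark
```

If the job's LDAP connection goes to a load-balanced domain name rather than a pinned DC, consecutive runs can land on different DCs with unrelated USN counters, which is one plausible source of the erratic pickup delays described in the question.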

Former Member

Hey Matt,

Thanks a lot! That makes sense.

Will check with the AD administrators if they have any special rules/policies set up for replication.

Thanks again!

Cheers,

Sandeep
