VMware Horizon Community
WTopping
Contributor

Strange issue with AD sync of objects

I am having an odd issue with AD objects in App Volumes.

If I assign a new AD user or group to an App Stack I can search AD just fine and add them. They then show up in the Directory tab as enabled and all seems to work fine if I log in to a VDI session.

However if I then attempt to either do a manual sync of either a user or group with AD it will disable them and give them this status:

Disabled, verify the user exists and is enabled in ActiveDirectory.

Any ideas?

Wes

10 Replies
Ray_handels
Virtuoso

What version of the manager are you running?

Older versions, pre 2.12, used the CN for these groups and users. So if you moved a user from one OU to another it would not recognize the user anymore because its CN did not exist anymore. Could this be the case?

WTopping
Contributor

Running 2.1.21, the newest version.

Users have not been moved. I just brought up a whole new App Volumes manager that was installed fresh to a new SQL DB and I am getting the exact same behavior.

I can search for a user/group and assign it just fine and it works. Then as soon as a directory sync occurs they become disabled.

Wes

LFC
Enthusiast

Do your APV client machines use the same DNS servers as the APV Manager machines? Also, do you have AD subnet objects created (in AD Sites & Services) for the IP subnets that your client machines reside on? And have you added the IP addresses of the DCs during APV setup?

I have seen strange issues with a number of large APV installations where changes are made on the APV Manager using one DNS / AD domain controller, and that change has not replicated to the domain controllers used by the client machines. This is often due to subnet / site associations not having been created, so the client attaches to a DC from the completely wrong site.

Regards,
Sean

DDunaway
Enthusiast

Any updates on this? I am having the same issue.

jqvm
Enthusiast

We also see this issue. It occurred after upgrading from 2.9 to 2.12.1, as a resync of objects is initiated after the upgrade. The user object gets re-enabled after their first login, but you can't modify direct assignments to the user until this first login.

Additional resync operations mark all users as disabled again.

Ray_handels
Virtuoso

We had a lot of issues with the database after upgrading from 2.9 to 2.12.1. Apparently there was a new way of storing the datastores within the database, and we ended up with every user having multiple writable volumes because it would see 2 datastores that were tied to 1 physical datastore.

At the end we decided to just recreate the database which in our case was a lot easier than dealing with the issues that arose with the upgrade.

jqvm
Enthusiast

Ray, we also had issues during the schema upgrade. Ours was related to transferring the 'trusted domain' settings in 2.9 to the new domain settings in 2.12.x. We had to remove the trusted domain settings prior to running the upgrade.

Has anyone progressed their SRs with these disabled users after AD sync? We have an SR running for this also. DDunaway, WTopping

Josh

Ray_handels
Virtuoso

Nope, not anymore. As said, we decided to recreate the database. Is it the best option? No. Did it do the trick? Yes.

jqvm
Enthusiast

GSS have reproduced our issue where an AD Sync causes all users to be 'disabled' until next login. This only seems to occur when more than one domain is added to the manager.

No timeframe on a fix from engineering as yet.

jqvm
Enthusiast

FYI, support have provided a workaround for the disabled users issue that we see when multiple AD domains are specified in AppVol 2.12+. (This is still an issue in 2.13.1, I believe.)

Setting the LDAP Base on all domains allows the AD sync to find the users in the correct domain. Working well for us; all users appear enabled after changing the settings.

Navigate to the App Volumes Manager console, go to Configuration -> AD Domains, and set the Base for all domain controllers.
For example, if the parent domain name is corp.com and the child domain names are child1.corp.com and child2.corp.com, then below is the format that has to be set in LDAP Base:
For parent domain: DC=corp,DC=com
For child domain 1: DC=child1,DC=corp,DC=com
For child domain 2: DC=child2,DC=corp,DC=com

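The workaround above comes down to giving each configured domain a search base that is specific to it, so an object is looked up in its own domain rather than the parent. The following is an added example, not code from the thread, from VMware or from App Volumes, that models that logic: it derives the `DC=...` base DN from a domain FQDN (the same mapping shown in the post), parses distinguished names, and picks the most specific configured base that contains an object's DN. The domain names, DNs and the `DOMAIN_BASES` table are constructed sample values; the parent base also matches child-domain DNs as a suffix, which is exactly the ambiguity the per-domain base removes.

```python
"""Added example (not from the thread or from VMware): derive per-domain LDAP
search bases from domain FQDNs and resolve which configured domain an AD
object's distinguishedName belongs to, preferring the most specific base."""
from typing import Dict, List, Optional, Tuple

RDN = Tuple[str, str]  # (attribute type, attribute value), both normalized


def base_dn_from_fqdn(fqdn: str) -> str:
    """corp.com -> DC=corp,DC=com ; child1.corp.com -> DC=child1,DC=corp,DC=com"""
    labels = [label for label in fqdn.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("domain FQDN must contain at least one label")
    return ",".join(f"DC={label}" for label in labels)


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into RDNs on unescaped commas; attribute types are compared
    case-insensitively (upper-cased) and values case-insensitively (lower-cased)."""
    parts: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":            # keep the escape so "Doe\, Jane" survives
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    rdns: List[RDN] = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip().lower()))
    return rdns


def dn_under_base(dn: str, base_dn: str) -> bool:
    """True when the DN's trailing RDNs equal the base DN (the object lives under it)."""
    rdns = parse_dn(dn)
    base = parse_dn(base_dn)
    return len(rdns) >= len(base) and rdns[-len(base):] == base


def resolve_domain(dn: str, bases: Dict[str, str]) -> Optional[str]:
    """Return the configured domain whose base is the most specific (longest) match.
    A parent base like DC=corp,DC=com also matches child-domain objects, so the
    longest match is what keeps child users attributed to the child domain."""
    matches = [(len(parse_dn(base)), name) for name, base in bases.items()
               if dn_under_base(dn, base)]
    if not matches:
        return None
    return max(matches)[1]


# Constructed sample configuration mirroring the post: one parent, two children.
DOMAIN_BASES: Dict[str, str] = {
    fqdn: base_dn_from_fqdn(fqdn)
    for fqdn in ("corp.com", "child1.corp.com", "child2.corp.com")
}

# Constructed sample objects (not real directory data).
SAMPLE_DNS = [
    "CN=Wes,OU=Users,DC=corp,DC=com",
    "CN=Jane Doe,OU=Staff,DC=child1,DC=corp,DC=com",
    "CN=Doe\\, John,OU=Apps,dc=child2, dc=corp, dc=com",   # escaped comma, odd casing/spacing
    "CN=Stray,OU=Users,DC=other,DC=net",                   # not in any configured domain
]


def classify_samples() -> Dict[str, Optional[str]]:
    """Map each sample DN to the domain the sync should query it in."""
    return {dn: resolve_domain(dn, DOMAIN_BASES) for dn in SAMPLE_DNS}


if __name__ == "__main__":
    for name, base in DOMAIN_BASES.items():
        print(f"{name:16} LDAP Base = {base}")
    for dn, domain in classify_samples().items():
        print(f"{domain or 'UNRESOLVED':16} <- {dn}")
```

Note that `dn_under_base("...,DC=child1,DC=corp,DC=com", "DC=corp,DC=com")` is true: scoped only by the parent's base, a child-domain user looks like it belongs to the parent, which is the situation the per-domain base setting in the post avoids. Once a child base is configured, `resolve_domain` picks the child, because its base has more RDNs.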