VMware Cloud Community
jcerqueira1
Contributor

AD Sync Error

Good morning,

I have run into an issue where I feel like I've exhausted all possible options and cannot get any further.  I was in the process of trying to configure vRealize Automation to sync users with our AD environment using VMware's external ID Manager Connector running on Windows Server 2016.  All certificates are in place and coming up as trusted, the connector is activated and able to communicate with the vRA server.  During deployment, it was able to populate users and groups without an issue.  Where I'm facing the issue is within sync.  I get an error message saying "Could not pull the required object from Identity Manager. Resource not found."  When I pulled the log files, I found the following in the logs (sanitized names for security purposes):

2019-07-02T09:55:57,408 INFO  (resourceSyncTaskExecutor-3) [;;;] com.vmware.horizon.directory.ldap.LdapConnector - Starting LDAP Query: Host: ldap://DC.DOMAIN.LOCAL PageSize - 1000 SearchDN - distinguishedName={DN to users group} SearchFilter - (objectCategory=group) Scope - 2

2019-07-02T09:55:57,408 INFO  (resourceSyncTaskExecutor-3) [;;;] com.vmware.horizon.directory.ldap.LdapConnector - Query Completed for SearchDN - {DN to users group} SearchFilter - (objectCategory=group)

2019-07-02T09:55:57,408 INFO  (Timer-6) [;;;] com.vmware.horizon.connector.admin.StateService - Saving config for 3104@VSPHERE.LOCAL to file C:\VMware\VMwareIdentityManager\Connector\usr\local\horizon\conf\states\VSPHERE.LOCAL\3104\config-state.json

2019-07-02T09:55:57,423 INFO  (Timer-6) [;;;] com.vmware.horizon.connector.admin.StateService - Saving state config to disk DONE.

2019-07-02T09:55:57,423 INFO  (Timer-6) [;;;] com.vmware.horizon.connector.utils.RestClient - BEGIN sendRequestBase (https://vra.domain.local/SAAS/t/vsphere.local/jersey/manager/api/connectormanagement/connectors/7404..., ..., null, GET, null, ...)

2019-07-02T09:55:57,501 INFO  (Timer-6) [;;;] com.vmware.horizon.connector.utils.RestClient - END   sendRequestBase (https://vra.domain.local/SAAS/t/vsphere.local/jersey/manager/api/connectormanagement/connectors/7404..., ..., null, GET, null, ...)

2019-07-02T09:55:57,533 INFO  (Timer-6) [;;;] com.vmware.horizon.connector.utils.RestClient - BEGIN sendRequestBase (https://vra.domain.local/SAAS/t/vsphere.local/jersey/manager/api/connectormanagement/directoryconfig..., ..., null, GET, null, ...)

2019-07-02T09:55:57,611 INFO  (Timer-6) [;;;] com.vmware.horizon.connector.utils.RestClient - END   sendRequestBase (https://vra.domain.local/SAAS/t/vsphere.local/jersey/manager/api/connectormanagement/directoryconfig..., ..., null, GET, null, ...)

2019-07-02T09:55:57,611 WARN  (Timer-6) [;;;] com.vmware.horizon.engine.ObjectPullEngine - Code from Service :-404

2019-07-02T09:55:57,611 WARN  (Timer-6) [;;;] com.vmware.horizon.engine.ObjectPullEngine - Error message from Service :-Resource not found.

2019-07-02T09:55:57,611 WARN  (Timer-6) [;;;] com.vmware.horizon.connector.admin.DirectorySyncConfigUpdateService - Failed to update directory user attribute mapping for tenantStateID: 3104@VSPHERE.LOCAL

com.vmware.horizon.connector.exception.PullEngineException: Could not retrieve required object from Horizon

at com.vmware.horizon.engine.ObjectPullEngine.processResult(ObjectPullEngine.java:336) ~[connector-service-api-0.1.jar:19.03.0.0 Build 13322315]

at com.vmware.horizon.engine.ObjectPullEngine.getObjectFromHorizon(ObjectPullEngine.java:91) ~[connector-service-api-0.1.jar:19.03.0.0 Build 13322315]

at com.vmware.horizon.connector.connectormanagement.DirectorySyncConfigPullEngine.getDirectoryUserAttributeMappingFromService(DirectorySyncConfigPullEngine.java:134) ~[classes/:19.03.0.0 Build 13322315]

at com.vmware.horizon.connector.admin.DirectorySyncConfigUpdateService.updateDirectoryUserAttributeMappingFromService(DirectorySyncConfigUpdateService.java:114) [classes/:19.03.0.0 Build 13322315]

at com.vmware.horizon.connector.admin.DirectorySyncConfigUpdateService.updateDirectorySyncConfigFromService(DirectorySyncConfigUpdateService.java:101) [classes/:19.03.0.0 Build 13322315]

at com.vmware.horizon.connector.admin.SyncScheduleService.syncIfAppropriate(SyncScheduleService.java:166) [classes/:19.03.0.0 Build 13322315]

at com.vmware.horizon.connector.admin.ScheduleService$1.run(ScheduleService.java:99) [classes/:19.03.0.0 Build 13322315]

at java.util.TimerThread.mainLoop(Unknown Source) [?:1.8.0_201]

at java.util.TimerThread.run(Unknown Source) [?:1.8.0_201]

2019-07-02T09:55:57,611 ERROR (Timer-6) [;;;] com.vmware.horizon.connector.admin.ScheduleService - Sync of Directory aborted.

com.vmware.horizon.connector.exception.PullEngineException: Could not retrieve required object from Horizon

at com.vmware.horizon.engine.ObjectPullEngine.processResult(ObjectPullEngine.java:336) ~[connector-service-api-0.1.jar:19.03.0.0 Build 13322315]

at com.vmware.horizon.engine.ObjectPullEngine.getObjectFromHorizon(ObjectPullEngine.java:91) ~[connector-service-api-0.1.jar:19.03.0.0 Build 13322315]

at com.vmware.horizon.connector.connectormanagement.DirectorySyncConfigPullEngine.getDirectoryUserAttributeMappingFromService(DirectorySyncConfigPullEngine.java:134) ~[classes/:19.03.0.0 Build 13322315]

at com.vmware.horizon.connector.admin.DirectorySyncConfigUpdateService.updateDirectoryUserAttributeMappingFromService(DirectorySyncConfigUpdateService.java:114) ~[classes/:19.03.0.0 Build 13322315]

at com.vmware.horizon.connector.admin.DirectorySyncConfigUpdateService.updateDirectorySyncConfigFromService(DirectorySyncConfigUpdateService.java:101) ~[classes/:19.03.0.0 Build 13322315]

at com.vmware.horizon.connector.admin.SyncScheduleService.syncIfAppropriate(SyncScheduleService.java:166) [classes/:19.03.0.0 Build 13322315]

at com.vmware.horizon.connector.admin.ScheduleService$1.run(ScheduleService.java:99) [classes/:19.03.0.0 Build 13322315]

at java.util.TimerThread.mainLoop(Unknown Source) [?:1.8.0_201]

at java.util.TimerThread.run(Unknown Source) [?:1.8.0_201]

2019-07-02T09:55:57,611 ERROR (Timer-6) [;;;] com.vmware.horizon.connector.mvc.UIAlerts - Could not pull the required object from Identity Manager. Resource not found.

2019-07-02T09:55:57,627 INFO  (resourceSyncTaskExecutor-2) [;;;] com.vmware.horizon.connector.utils.RestClient - BEGIN sendRequestBase (https://vra.domain.local/SAAS/t/vsphere.local/jersey/manager/api/connectormanagement/connectors/7404..., ..., application/vnd.vmware.horizon.manager.connector.directory.sync.result+json, POST, null, ...)

2019-07-02T09:55:57,720 INFO  (resourceSyncTaskExecutor-2) [;;;] com.vmware.horizon.connector.utils.RestClient - END   sendRequestBase (https://vra.domain.local/SAAS/t/vsphere.local/jersey/manager/api/connectormanagement/connectors/7404..., ..., application/vnd.vmware.horizon.manager.connector.directory.sync.result+json, POST, null, ...)

I couldn't find anything online in terms of where to start to troubleshoot this.  Does anyone have any ideas or advice towards finding a resolution for this?

0 Kudos
4 Replies
daphnissov
Immortal

If you're getting a 404, it seems logical to assume that one or more objects in your sync list are no longer found in AD. Have you done any experimentation to change that list to maybe one group which you have validated is in AD and perform a sync? Or, if so, is it the case where no matter what object you select you're still getting that error? Trying to understand the scope of the failure and if it's isolated or global.

0 Kudos
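An added example, not part of any post in this thread: a small Python triage script for connector log lines in the format pasted in the opening post. For every WARN/ERROR entry it reports the last REST request logged on the same thread, which helps scope whether a 404 followed an LDAP query or a call to the service API. The function name `triage` is hypothetical; the sample lines are copied from the opening post.

```python
import re

# Header layout as seen in the pasted log:
#   timestamp LEVEL (thread) [;;;] logger - message
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT[\d:,]+)\s+(?P<level>[A-Z]+)\s+"
    r"\((?P<thread>[^)]+)\)\s+\[[^\]]*\]\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)$"
)
CALL = re.compile(r"(?:BEGIN|END)\s+sendRequestBase \((.*)\)$")

# Lines copied from the opening post (hostnames already sanitized there).
SAMPLE = """\
2019-07-02T09:55:57,408 INFO  (resourceSyncTaskExecutor-3) [;;;] com.vmware.horizon.directory.ldap.LdapConnector - Query Completed for SearchDN - {DN to users group} SearchFilter - (objectCategory=group)
2019-07-02T09:55:57,533 INFO  (Timer-6) [;;;] com.vmware.horizon.connector.utils.RestClient - BEGIN sendRequestBase (https://vra.domain.local/SAAS/t/vsphere.local/jersey/manager/api/connectormanagement/directoryconfig..., ..., null, GET, null, ...)
2019-07-02T09:55:57,611 INFO  (Timer-6) [;;;] com.vmware.horizon.connector.utils.RestClient - END   sendRequestBase (https://vra.domain.local/SAAS/t/vsphere.local/jersey/manager/api/connectormanagement/directoryconfig..., ..., null, GET, null, ...)
2019-07-02T09:55:57,611 WARN  (Timer-6) [;;;] com.vmware.horizon.engine.ObjectPullEngine - Code from Service :-404
at com.vmware.horizon.engine.ObjectPullEngine.processResult(ObjectPullEngine.java:336) ~[connector-service-api-0.1.jar:19.03.0.0 Build 13322315]
2019-07-02T09:55:57,611 ERROR (Timer-6) [;;;] com.vmware.horizon.connector.admin.ScheduleService - Sync of Directory aborted.
"""


def triage(text):
    """Return each WARN/ERROR entry with the last REST call logged on its thread."""
    last_call = {}  # thread name -> (HTTP method, URL as logged)
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # stack frames and blank lines have no header
        call = CALL.search(m["msg"])
        if call:
            args = call.group(1).split(", ")
            if len(args) > 3:  # URL is field 0, method is field 3
                last_call[m["thread"]] = (args[3], args[0])
        if m["level"] in ("WARN", "ERROR"):
            findings.append({
                "ts": m["ts"], "level": m["level"], "thread": m["thread"],
                "logger": m["logger"].rsplit(".", 1)[-1],
                "msg": m["msg"], "last_call": last_call.get(m["thread"]),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["ts"], f["level"], f["thread"], f["logger"], "|", f["msg"])
        print("    last REST call on this thread:", f["last_call"])
```

On the sample, both findings sit on thread Timer-6 and point back to the GET against the `directoryconfig...` endpoint rather than to the LDAP query on resourceSyncTaskExecutor-3.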
jcerqueira1
Contributor

Hi daphnissov,

Yes, I have tried to narrow down the scope and tried each domain individually.  Each time, they logged the exact same error.  At the times this was done, there were no changes made to AD to add or remove any users in those groups.  What's strange is everything works fine during setup (i.e. it is able to communicate with the DC on that network as well as the other networks, poll the groups and users, etc).  It just fails on sync.

Domain authentication is also working, but when a domain user logs in, they are presented with an access denied error (which I'm assuming is because the users are not synced with vRA).

0 Kudos
daphnissov
Immortal

I would probably recommend opening an SR and providing logs plus details on the environment to have them check into it.

0 Kudos
jcerqueira1
Contributor

Unfortunately, I don't have that option.  As this is going to be used in a non-production environment, we won't be getting a support contract for this as per my supervisor.

0 Kudos