Czernobog
Expert

vRA 7.2 - Directory Sync with nested groups?

I'm trying to sync some AD groups that have other groups as members. So far I've tried many combinations but could not find a way to do the sync without errors.

The structure looks similar to this:

OU=MyVRAGroups:

AD-Group-VRA-Users
|
|--->AD-Group-Members1
     |
     |--->MemberA
     |--->MemberB
|--->AD-Group-Members2
     |
     |--->MemberC
     |--->MemberD

vRA directory type: Active Directory over LDAP.

All groups belong to the same domain. Base DN is the root of the domain, Bind DN is an account that has read permissions on all objects.

In the sync settings I input the OU LDAP path that includes the AD-Group-VRA-Users DN as the Group and User DN.

When trying to start the sync I get the errors:

While verifying the directory configuration, the following errors occurred. You might want to resolve these errors before syncing to the directory:

Directory object not found: OU=MyVRAGroups,DC=domain,DC=local.

While verifying the directory configuration, the following warnings occurred. You might want to resolve these errors before syncing to the directory:

Missing group (CN=AD-Group-Members1,OU=MyVRAGroups,DC=domain,DC=local) referenced by user.

Missing group (CN=AD-Group-Members2,OU=MyVRAGroups,DC=domain,DC=local) referenced by user.

The sync can be run, however only the user objects are synced and the one "top" level group AD-Group-VRA-Users, not the nested group objects. After the sync is finished, there is a success message, but there are still Alerts with the same warnings about "Missing group referenced by user".

So in vRA, for example under business group members, I can add the synced users as members, but not the synced groups.

Are there any guidelines on how to properly configure AD objects for the vRA directory sync? So far my deployment has been a failure because of that.

Additionally, the appliance does not seem to be able to sync a big number of (nested) groups above a certain threshold and just throws errors about problems with the connector in the sync log.
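As an added example (not code from this thread or from VMware), the following offline check models the OU structure described in the question with constructed entries, walks the nested membership from AD-Group-VRA-Users the way a directory sync would, and reports any member group that lies outside the configured Group DN, which is one configuration cause of the "Missing group (...) referenced by user" warning. The AD-Group-External group and the OU=Users container are constructed additions; the groups from the question all sit inside the Group DN and pass the check.

```python
# Added example, not code from the thread: offline pre-sync check that walks
# nested AD group membership and flags member groups the sync scope cannot
# see. No LDAP connection is made; every entry below is constructed.

GROUP_DN = "OU=MyVRAGroups,DC=domain,DC=local"  # the Group DN from the post
U = "OU=Users,DC=domain,DC=local"               # constructed user container

# Constructed directory: DN -> (objectClass, member DNs). AD-Group-External
# (constructed) lives in another OU to show a group outside the sync scope.
DIRECTORY = {
    f"CN=AD-Group-VRA-Users,{GROUP_DN}": ("group", [
        f"CN=AD-Group-Members1,{GROUP_DN}",
        f"CN=AD-Group-Members2,{GROUP_DN}",
        "CN=AD-Group-External,OU=OtherOU,DC=domain,DC=local",
    ]),
    f"CN=AD-Group-Members1,{GROUP_DN}": ("group", [f"CN=MemberA,{U}", f"CN=MemberB,{U}"]),
    f"CN=AD-Group-Members2,{GROUP_DN}": ("group", [f"CN=MemberC,{U}", f"CN=MemberD,{U}"]),
    "CN=AD-Group-External,OU=OtherOU,DC=domain,DC=local": ("group", [f"CN=MemberE,{U}"]),
    **{f"CN=Member{c},{U}": ("user", []) for c in "ABCDE"},
}


def in_base(dn, base):
    """True if dn is base itself or lies beneath it (case-insensitive DN suffix)."""
    d, b = dn.lower(), base.lower()
    return d == b or d.endswith("," + b)


def resolve(top_group, directory=DIRECTORY, group_dn=GROUP_DN):
    """Depth-first walk of nested membership from top_group. Returns
    (users, groups, problems); `seen` stops circular nesting from looping."""
    users, groups, problems, seen = set(), set(), [], set()
    stack = [top_group]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        entry = directory.get(dn)
        if entry is None:                      # referenced DN does not exist
            problems.append(f"Directory object not found: {dn}")
        elif entry[0] != "group":              # leaf object: a user
            users.add(dn)
        else:
            groups.add(dn)
            if not in_base(dn, group_dn):      # group the sync scope cannot see
                problems.append(f"Missing group ({dn}) referenced by user")
            stack.extend(entry[1])
    return users, groups, problems
```

Running `resolve(f"CN=AD-Group-VRA-Users,{GROUP_DN}")` reaches five users and four groups and reports only the constructed AD-Group-External group, so a clean result on a real export points away from scope configuration and toward the connector behaviour discussed below.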

6 Replies
CSvec
Enthusiast

This is a shot in the dark with 7.2, but under the directory sync settings, Groups:

They added a checkbox for "Sync nested group members", is that checked for you?

(I've had a similar issue in 7.0, which didn't have that button.)

Czernobog
Expert

It's checked, I forgot to mention that. If it weren't, the sync would run fine, but, well, without the nested groups.

It's an issue we experience since the 7.0 release, so far it seems it is not possible for IDM to sync an AD larger than ~40000 objects with nested groups.

pizzle85
Expert

Are you syncing "Groups" "Users" or both?

In our environment we don't sync any users at all only Groups. Both "Sync nested group members" and "Select All" are checked. We allow users to provide any group they want in their business groups and sometimes have AD group nesting 10+ levels deep.

FWIW we currently sync about 120,000 AD objects between AD and vRA. It takes a while (4+ hours) but it works.

There was an issue for me where the "Select All" checkbox would un-check after each manual sync. Not sure that fits your issues but something to look out for.

Czernobog
Expert

Thanks for the information and sorry for the late answer.

The fact that you sync only groups is very interesting. I've tried syncing my AD today and, after 2 hrs of running AD queries, the connector took about 16 hours to recreate the connections in vRA itself, only for the sync to get stuck in a loop, where the "refresh page" button would not change its status :/

I've also tried it with an OU where an AD group is placed, only 2 layers deep, and none of the nested group objects are discovered.

Which build are you using?

darrengoff3
VMware Employee

Are the nested groups within the OU structure of your Base DN, within a child OU?

- DG

Czernobog
Expert

They are within the Base DN.

Pulling information from the AD worked fine so far (ca. 2.5 hrs), however later, recreating all the AD account-group relations in IDM is extremely slow, with my AD it takes about 14 hours. This is when, in the sync settings, all groups (nested) as well as all users are synced on the root DN. The connector process is not really causing much load during this time, so it does not seem to be an issue with available resources. I've yet to try it only with the group DNs, like pizzle85 mentioned.

Also, another issue mentioned: the "select all" setting cannot be changed after the sync has run. I guess it is dependent on the size of the sync; when changing this setting by selecting or deselecting the box, a dry (?) run is started in the background (connector.log shows it's working) and before it is done, the web GUI times out, before the setting is saved.