Active Directory to Identity Vault Group Synchronization is Limited to 5000 Members

Situation

Active Directory Groups that contain more than 5000 members cannot be published / synchronized to Identity Vault via Identity Manager's Active Directory Driver. They are truncated to 5000 members during the Publisher Channel polling cycle.

However, migrating the Group into the Identity Vault will temporarily sync up the member lists but any subsequent modification of the group in Active Directory will cause the group to again be truncated to 5000 members in the Identity Vault.

Search: Users/members being lost from large groups


Environment

  • Novell Identity Manager 4.8
  • Novell Identity Manager Driver- Active Directory Driver


Resolution

Under Driver Parameters > Advanced Options, set Enable DirSync Incremental Values to Yes. This lets the driver query and synchronize only the group members that changed during the poll (users added to or removed from the group) instead of the whole member list.


Additional Information

This issue occurs because of a limitation in Microsoft's DirSync API: Active Directory caps the number of values returned for an attribute in response to a DirSync LDAP query at 5000. This is an Active Directory hard limit and does not depend on the MaxValRange parameter of the Domain Controller's LDAP policy (see ntdsutil.exe).


For forests and domains operating at the "Windows Server 2003" domain functional level or later, the DIRSYNC_LDAP_INCREMENTAL_VALUES control resolves this issue. Support for this control was first added in the Identity Manager 3.5 Active Directory Driver Patch 1 (20070601), which has since been superseded by the Identity Manager 3.5.1 or later downloads.


The Incremental Values server control lets the Active Directory driver request (and receive) only the changed values of an attribute, such as the member attribute of a group object, so the driver no longer has to synchronize the entire member list on every change and run into the 5000-value DirSync limit.
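The following is an added example, not code from Identity Manager or the Active Directory driver. It builds the DirSync request control value (OID 1.2.840.113556.1.4.841) with and without Microsoft's LDAP_DIRSYNC_INCREMENTAL_VALUES flag (the flag this article calls DIRSYNC_LDAP_INCREMENTAL_VALUES), and shows how a consumer reads the result: without the flag a change to a large group comes back as the full member list capped at 5000 values; with it, Active Directory returns only the added values (under "member;range=1-1") and removed values (under "member;range=0-0"). The two sample responses are constructed for illustration and not captured from a real domain; the DER helpers are written inline so the block runs without an LDAP library or a domain controller.

```python
"""DirSync request control with and without incremental values (added example)."""

DIRSYNC_CONTROL_OID = "1.2.840.113556.1.4.841"   # LDAP_SERVER_DIRSYNC_OID
LDAP_DIRSYNC_OBJECT_SECURITY = 0x00000001
LDAP_DIRSYNC_ANCESTORS_FIRST_ORDER = 0x00000800
LDAP_DIRSYNC_PUBLIC_DATA_ONLY = 0x00002000
LDAP_DIRSYNC_INCREMENTAL_VALUES = 0x80000000
DIRSYNC_VALUE_LIMIT = 5000   # per-attribute value cap described in the article


# --- minimal DER helpers, enough for SEQUENCE { INTEGER, INTEGER, OCTET STRING } ---
def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    # Two's-complement, minimal length; 0x80000000 therefore needs a leading 0x00 byte.
    body = value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)
    return b"\x02" + _der_length(len(body)) + body


def _der_octet_string(data: bytes) -> bytes:
    return b"\x04" + _der_length(len(data)) + data


def build_dirsync_control_value(flags: int, max_bytes: int = 0, cookie: bytes = b"") -> bytes:
    """DirSyncRequestValue ::= SEQUENCE { flags INTEGER, maxBytes INTEGER, cookie OCTET STRING }.
    An empty cookie starts a full sync; the cookie from the previous response continues it."""
    body = _der_integer(flags) + _der_integer(max_bytes) + _der_octet_string(cookie)
    return b"\x30" + _der_length(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_dirsync_control_value(blob: bytes):
    """Inverse of build_dirsync_control_value; used here to check the encoding."""
    tag, seq, _ = _read_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_f, flags_b, pos = _read_tlv(seq, 0)
    tag_m, max_b, pos = _read_tlv(seq, pos)
    tag_c, cookie, _ = _read_tlv(seq, pos)
    if (tag_f, tag_m, tag_c) != (0x02, 0x02, 0x04):
        raise ValueError("unexpected field tags")
    return (int.from_bytes(flags_b, "big", signed=True),
            int.from_bytes(max_b, "big", signed=True),
            cookie)


# --- reading a DirSync search result entry (attribute name -> list of values) ---
def classify_member_changes(entry_attrs: dict) -> tuple:
    """With LDAP_DIRSYNC_INCREMENTAL_VALUES set, AD reports added values under
    'member;range=1-1' and removed values under 'member;range=0-0' instead of
    re-sending the whole 'member' list. Returns (added, removed, full_list_returned)."""
    added = set(entry_attrs.get("member;range=1-1", []))
    removed = set(entry_attrs.get("member;range=0-0", []))
    return added, removed, "member" in entry_attrs


def full_list_may_be_truncated(entry_attrs: dict, limit: int = DIRSYNC_VALUE_LIMIT) -> bool:
    """Heuristic: a non-incremental response carrying `limit` (5000) member values is
    the symptom the article describes, a larger group cut down to 5000 members."""
    return len(entry_attrs.get("member", [])) >= limit


# Constructed sample responses (not real data): one membership change to a 6000-member
# group as it would look without and with the incremental-values flag.
FULL_RESPONSE = {"member": [f"CN=user{i},OU=Users,DC=example,DC=com" for i in range(5000)]}
INCREMENTAL_RESPONSE = {
    "member;range=1-1": ["CN=user6000,OU=Users,DC=example,DC=com"],   # added
    "member;range=0-0": ["CN=user17,OU=Users,DC=example,DC=com"],     # removed
}

if __name__ == "__main__":
    print("control value, no flags   :", build_dirsync_control_value(0).hex())
    print("control value, incremental:", build_dirsync_control_value(LDAP_DIRSYNC_INCREMENTAL_VALUES).hex())
    print("full response truncated?  :", full_list_may_be_truncated(FULL_RESPONSE))
    print("incremental added/removed :", classify_member_changes(INCREMENTAL_RESPONSE)[:2])
```

The hex of the two control values differs only in the flags INTEGER (0 versus 0x80000000); the cookie returned in the server's DirSync response control is what the driver sends back on the next poll so that only changes since the last cycle are reported. Applying the added and removed sets to the Identity Vault group is what removes the dependency on the full member list ever fitting under the 5000-value cap.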


This parameter is already included in current versions of the Active Directory driver configuration (3.6 and higher):


<definition display-name="Enable DirSync Incremental Values" hide="false" id="115" name="enable-incremental-values" type="enum">
    <description>Ordinarily the publisher will receive all member values of a group when one or more has changed. This option reports only the added or deleted member values during the poll interval. Requires 2003 Forest functional mode.</description>
    <enum-choice display-name="Yes">yes</enum-choice>
    <enum-choice display-name="No">no</enum-choice>
    <value>yes</value>
</definition>