AD Connector Not Removing CIs

    Question

  • For some reason the AD Connector on two separate installs of SCSM does not remove deleted CIs. It adds and updates users and computers fine but will not remove either of them. They do not go to pending delete or get removed from the list of CIs.

    My first attempt was with the RTM release with no updates. I configured the DW and successfully created the AD, SCCM, and SCOM connectors. Once I noticed the issue I installed CU3 and there was no change. I created and deleted several user/computer objects in addition to the daily AD activity and no AD objects ever got moved to deleted items.

    I deleted and recreated the AD connector and repeated the process with no change. The SCCM connector's deleted objects showed up in deleted items with no issues. Also if I manually created then deleted a user in SCSM it would show up in deleted items.

    I kept getting errors in the SCSM logs about "failed to import AD connector" periodically so I figured maybe I had done something wrong. So I reinstalled everything on a new system and immediately installed CU3 before I created any connectors. Once this was done I created an AD connector to a small OU for testing (~700 users). Everything was imported fine and there were no AD errors in the event log. I created several user and computer objects and let them sit for 24 hours. After this I deleted some of them and gave them another day to see what happened. Needless to say deleted items is still empty several days later.

    The only thing that I can see that looks funny is that looking at the extensions of some accounts there is a "/" in the path (example below).

    CN=test\, seth,OU=SUBOU1,OU=SUBOU,OU=TLOU,DC=test,DC=test1,DC=domain,DC=com

    I have seen this on both deleted and non-deleted accounts so I don't know if it means anything.

    My main goal is to track our AD activity and create incidents when objects are created and removed. Unfortunately not all of our AD actions get tickets created for them so automatically creating incidents when something is added or removed is going to be my initial selling point for using SCSM. I have the creation part down but without a pending delete flag I am not sure how I can track the deletions.

    Any assistance would be appreciated. Thanks in advance!

    Friday, November 12, 2010 11:59 PM

Answers

  • With a little help from mssalesdemos.com I was able to reproduce this issue.

    If the AD Connector account is a domain admin, deleted AD objects are moved to deleted items.

    If the AD connector account is not a domain admin, deleted AD objects are not moved to deleted items and remain in the CMDB.

    If anyone has any other suggestions please let me know, otherwise I will give this a day and submit as a bug.

    Thanks for everyone's help!

     

    Thursday, November 18, 2010 6:40 PM
  • I sent this to our AD team and they have escalated it within their group. It has probably been a month or so since this has happened and I haven't heard anything yet. When I hear something I will update this thread.

    Thanks

    Seth

    Thursday, January 20, 2011 6:58 PM

All replies

  • In my opinion a CI object in the SCSM CMDB should not be deleted by any connector, for a good reason.

    For example: the AD connector created a user in the SCSM CMDB. After the user is in the CMDB you added this user as an Affected User or Assigned To User in Incidents, Change Requests or Activities. If you delete this user in the SCSM CMDB you will lose all relationships between the work items and the user. The result will be work items without the related user information (Affected User, Assigned User, Created By User, Closed By User ...) because the user is deleted. It doesn't matter if this "deleting" is done manually or by a connector. The result will be the same.
    The same will happen with computers and other CIs. E.g. a computer is added in the CMDB by the AD connector and used as "affected item" in Work Items.

    For the scenarios described above the connectors should not remove the CIs in the CMDB if they are deleted in the source, e.g. in AD.

    From the process view deleting a user in the AD could be handled as a change request.
    An approach could be:

    • Add an attribute to the AD User class like "Status in AD"
    • Use change requests with activities to manage the "delete user in AD" process
    • One activity in this Change Request could be something like "mark user as removed in AD" in CDMB.

     


    Andreas Baumgarten | H&D International Group

    Saturday, November 13, 2010 9:01 AM
    Moderator
  • I understand your opinion on this but what I am looking for is whether the product is working as it should or there is an issue.

    From all the docs and forums I have read when a connector detects a deletion from its source it marks the CI as pending delete. In my environment this is not happening with the AD connector and no objects are displayed in deleted items. Is this by design or am I missing something?

    For now I am really only interested in tracking AD changes and having some way of reporting the total actions. From what I have seen and read this should be simple to do if everything works as it should.

    I do not have access to our DCs or I would gladly do this with SCOM! 

    Monday, November 15, 2010 1:59 PM
  • Now I got it.

    I tried your scenario some minutes ago:

    • Deleted a User in AD
    • Started the sync of the AD Connector in SCSM
    • The User is "removed" from the CI/Users and is visible at Administration/Deleted Items

    The object status of the user is changed from "active" to "pending delete".
    The change of the object status from "active" to "pending delete" was done by the AD Connector (at least it's listed in the history). Not sure if your AD Connector is allowed to initiate the delete process.

     

     Quote from SM_AdminGuide.docx:

    "Advanced Operators, Authors, and Administrators user roles can initiate the Delete process"


    Andreas Baumgarten | H&D International Group
    Monday, November 15, 2010 2:58 PM
    Moderator
  • Glad we are on the same page!

    Anyways the scenario you walked through is not happening for me. No AD objects get marked as pending delete after they have been removed from AD. Additions and updates work fine.

    The account used for the AD connector is the service account for SCSM which has no special permissions to AD.

    There are no errors in the SCSM logs so I don't know what else to look at.

    Monday, November 15, 2010 3:55 PM
  • Just to be sure please check if the SCSM service account is in one of the user roles "Advanced Operators", "Authors" or "Administrators" in SCSM.

    I will give it a try tomorrow in our test environment with the SCSM service account for the AD Connector as well.


    Andreas Baumgarten | H&D International Group
    Monday, November 15, 2010 9:23 PM
    Moderator
  • The service account is part of the Administrators. For grins I created another AD connector to a different OU and used an OU admin account to see if it was an AD permissions issue. This account is also in the Administrators group in SCSM and it did not make any difference.
    Tuesday, November 16, 2010 12:24 AM
  • Weird thing:

    AD Connector account = Domain Admin = User is marked as "pending deleted".

    AD Connector account = normal user in AD = User isn't marked as "pending deleted".

    Related to the SM_AdminGuide.docx (page 14) the account needs only rights to read from AD DS. Any normal user in AD should have these rights to read in AD as far as I know.

    Maybe you can verify this with a domain admin account for the AD Connector please?


    Andreas Baumgarten | H&D International Group
    Tuesday, November 16, 2010 8:58 AM
    Moderator
  • I created a few test connectors with the highest privileged account I have and the result is the same.

    Unfortunately I do not have access to a full domain admin account.

    Tuesday, November 16, 2010 3:50 PM
  • So should I submit this as a bug or repost this to the connectors forum?

    I went through the trace logs again and I still can't find anything pointing to what is wrong.

    Let me know and thanks!

    Wednesday, November 17, 2010 4:52 PM
  • Can you also verify AD replication? If you fall in between replication windows this can happen as well.

     

    cheers

    TM


    Best Regards Thomas Mortsell
    Thursday, November 18, 2010 10:46 AM
  • I can verify that the objects I am testing with are on or removed from both of my local DCs. Throughout most of my testing I have kept a 24h window between creation, deletion, and checking status in the CMDB.

    Can anyone try the scenario that Mr. Baumgarten did in their test environment to see if this is coming from a lack of domain admin rights?

    Thursday, November 18, 2010 1:19 PM
  • Hi

    We are having the exact same problem.

    Did you ever find a solution for this problem/bug?

    Thanks

    Mikkel

    Wednesday, January 12, 2011 7:55 AM
  • Hi

    I have the same issue but with objects inside system groups for Resources, but the same environment.

     

    Cheers

    Matthias

    Saturday, April 30, 2011 6:32 PM
  • Travis Wright wrote a blog post outlining how to get this working. We have not yet tested it in our environment but it's worth a shot!

     

    "If the run as account that is used for the AD connector has List Object rights on the Deleted Items container in Active Directory, it can detect that the object has been deleted in Active Directory."

     

    http://blogs.technet.com/b/servicemanager/archive/2011/04/29/what-happens-to-a-user-in-the-cmdb-when-it-is-deleted-in-active-directory-ad.aspx

    Thursday, May 26, 2011 12:22 AM
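The quoted explanation points at the connector run-as account's rights on the Active Directory deleted-objects container: a plain user can read live objects, so adds and updates work, but cannot list tombstones, so the connector never learns that an object is gone. The script below is an added example for checking and fixing that, written for this thread and not taken from the blog post or from SCSM itself. It assumes the "Deleted Items container" in the quote is the AD container `CN=Deleted Objects,<domain DN>`, that the ActiveDirectory PowerShell module is available, and that `CONTOSO\svc-scsm-adconn` and `DC=contoso,DC=com` are placeholders for the connector account and the domain. The `dsacls` rights codes `LC` (List Contents) and `RP` (Read Property) are the ones granted to the built-in Administrators group by default; `LO` (List Object) only matters in forests where List Object mode is switched on.

```powershell
# Added example, not part of the thread: verify and grant the AD Connector
# run-as account's read access on the Deleted Objects container.
# Placeholders: CONTOSO\svc-scsm-adconn (connector account), DC=contoso,DC=com (domain).
Import-Module ActiveDirectory

$DomainDN  = 'DC=contoso,DC=com'          # placeholder domain DN
$Account   = 'CONTOSO\svc-scsm-adconn'    # placeholder connector run-as account
$DeletedDN = "CN=Deleted Objects,$DomainDN"
$Apply     = $false                       # set to $true to actually grant rights (run as Domain Admin)

function Get-DeletedObjectsAccess {
    param([string]$ContainerDN, [string]$Identity)
    # The AD: drive exposes the container's security descriptor to Get-Acl.
    # By default only SYSTEM and the built-in Administrators group appear here,
    # which is why a non-admin connector account silently misses deletions.
    $acl = Get-Acl -Path "AD:\$ContainerDN"
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

function Test-DeletedObjectsRead {
    param([string]$ContainerDN, [pscredential]$Credential)
    # Bind as the connector account and try to enumerate one tombstone.
    # Returning $false reproduces the symptom from the thread: the connector
    # can read live users and computers but never sees the deleted ones.
    try {
        $null = Get-ADObject -SearchBase $ContainerDN -Filter 'isDeleted -eq $true' `
                    -IncludeDeletedObjects -Credential $Credential -ResultSetSize 1 -ErrorAction Stop
        return $true
    } catch {
        Write-Warning "Cannot read $ContainerDN as $($Credential.UserName): $($_.Exception.Message)"
        return $false
    }
}

# 1. Show which rights (if any) the connector account already holds on the container.
Get-DeletedObjectsAccess -ContainerDN $DeletedDN -Identity $Account | Format-Table -AutoSize

# 2. Check the behaviour from the account's own point of view.
$cred = Get-Credential -UserName $Account -Message 'AD Connector run-as account'
$before = Test-DeletedObjectsRead -ContainerDN $DeletedDN -Credential $cred
"Can list deleted objects before change: $before"

# 3. Grant the minimum rights. The container's default ACL can only be changed
#    after a Domain Admin takes ownership, which is what /takeownership does.
if ($Apply) {
    & dsacls $DeletedDN /takeownership
    & dsacls $DeletedDN /G "${Account}:LCRP"   # List Contents + Read Property
    # & dsacls $DeletedDN /G "${Account}:LO"   # List Object, only if List Object mode is enabled
}

# 4. Re-test; on the connector's next sync, deleted AD objects should now be
#    marked "pending delete" and show up under Administration/Deleted Items.
$after = Test-DeletedObjectsRead -ContainerDN $DeletedDN -Credential $cred
"Can list deleted objects after change:  $after"
```

Granting `LCRP` on this one container is a narrower fix than making the connector account a Domain Admin, which is what the earlier test in the thread relied on; the account still only reads AD, it just gets to read the tombstones as well. Note that `Get-DeletedObjectsAccess` reports only direct grants to the named identity, so rights inherited through group membership show up in the `Test-DeletedObjectsRead` result rather than in the ACE listing.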