none
AD Sync - Disconnectors RRS feed

  • Question

  • Hello all,

    Hope I have the correct forum category for this. I see disconnectors  when I do an import from AD in AD Sync (about 800) and I think that this could be some issue, because this states that there are a lot of accounts in the CS that do not have a connection anymore with an object in the metaverse. I wonder how I can effectively find out if this is an issue and what kind of objects that are.


    • Edited by Oekeloen Wednesday, September 28, 2016 9:34 AM initial problem solved.
    Wednesday, September 28, 2016 7:35 AM

Answers

  • You already have the answer in your description. You can't search for disconnectors in Metaverse, because they are disconnectors, meaning not connected to any Metaverse object and so not included in Metaverse.

    But you could do a SQL search (although not recommended/supported) to directly access MIM Sync Database and tables.

    have a look at the table dbo.mms_connectorspace. you will find a column with the guid of your MA's guid and another column 'is_connector' and a third column 'rdn' which in your case is the DN of the AD object not connected to a Metaverse Object.

    Henry

    • Marked as answer by Oekeloen Monday, October 3, 2016 10:01 AM
    Thursday, September 29, 2016 8:09 AM
  • Do those same isconnector='0' objects have an is_phantom_link='1' or is_phantom_parent='1' value?

    If so, they're placeholders. i.e. they are references to objects which are not in the same connector space. If they're showing as SIDs they could be references to objects in a different domain/forest from the management agent. 

    Placeholders wouldn't show up in your disconnectors statistics though so you would want to filter your is_phantom_parent='1' and is_phantom_link='1' connectors out of that query... you also need to make sure you're searching the right connector space by filtering by ma_id.. there's probably other things you'd need to be aware of here too (e.g. is_phantom_delete). 

    There's really no reason to be searching in the SQL for this though, it's complex and unsupported. The better way to examine your disconnectors would be to click the "management agents" tab in the sync service then select the affected management agent and click "search connector space" - click search and examine those non-placeholders with a connector value of "False". You can look at these to determine why they haven't projected or joined.

    • Marked as answer by Oekeloen Monday, October 3, 2016 10:01 AM
    Thursday, September 29, 2016 12:30 PM

All replies

  • Hi

    Disconnectors as by name, are not connected to Metaverse objects. Without knowing more about your projection and provisioning its hard to say, if there is a problem with these objects. Explicit disconnectors may be a problem because they will never connect again, you should avoid this type of disconnectors. Normal disconnectors are not a problem, they are re-evaluated only if someone changes the object in the connected directory. Otherwise they stay until one deletes the Object in the connected directory. Other types of objects are maybe disconnectors. OUs for example are disconnectors as long as you do not manage them. They are kind of placeholders to create the DN of user objects.

    Hope this helps a bit.

    Henry

    Wednesday, September 28, 2016 1:04 PM
  • Hello Henry,

    Thanks for the reply. Iam starting with Identity Management and all bits help :-). I think i understand the concept of the metaverse and so on, so that's why I worried about the disconnectors. Thanks for the explanation about the type of disconnectors. I can fit that in to the concept now. Problem is only that I cannot find how to check what type of disconnectors they are. Is there any way to do that? FYI, I use AD Sync and not yet FIM or MIM.

    Thursday, September 29, 2016 6:04 AM
  • Hi again
    yes of course is there a way to what kind of disconnectors you have. search connector space of your ma in question. look at properties of the object. Then click on the "Lineage" tab. there is a "Object state" attribute. this is what you are looking for.

    Henry

    Thursday, September 29, 2016 6:10 AM
  • Hello Henry,

    Thanks for the quick reply. The problem is that I would like to see an overview of the objects that have a status of "disconnected". If I do a metaverse search, then I cannot lookup objects on "objectstate" or "state". If I look at the properties of the object in the metaverse search, then I only see 2 tabs: Attributes and Connectors. Also, in the overview "Operations" (main tab of the Sync Service Manager), when I click on an operations and see disconnectors, then I cannot click on it. It is not "highlighted" (like an URL for example) as is with errors or "Connectors with Flow Updates".

    
    • Edited by Oekeloen Thursday, September 29, 2016 6:39 AM
    Thursday, September 29, 2016 6:34 AM
  • You already have the answer in your description. You can't search for disconnectors in Metaverse, because they are disconnectors, meaning not connected to any Metaverse object and so not included in Metaverse.

    But you could do a SQL search (although not recommended/supported) to directly access MIM Sync Database and tables.

    have a look at the table dbo.mms_connectorspace. you will find a column with the guid of your MA's guid and another column 'is_connector' and a third column 'rdn' which in your case is the DN of the AD object not connected to a Metaverse Object.

    Henry

    • Marked as answer by Oekeloen Monday, October 3, 2016 10:01 AM
    Thursday, September 29, 2016 8:09 AM
  • Hi Henry,

    Thanks, that is what I was looking for. I assume that isconnector='0' stands for disconnected objects. I have found out which objects there are and they are indeed OUs and seems like old uers. I at least now know where to look if I have issues with users. I also see a lot of SID's. Do you know why there are SIDs in there and not names?

    Thursday, September 29, 2016 11:45 AM
  • Do those same isconnector='0' objects have an is_phantom_link='1' or is_phantom_parent='1' value?

    If so, they're placeholders. i.e. they are references to objects which are not in the same connector space. If they're showing as SIDs they could be references to objects in a different domain/forest from the management agent. 

    Placeholders wouldn't show up in your disconnectors statistics though so you would want to filter your is_phantom_parent='1' and is_phantom_link='1' connectors out of that query... you also need to make sure you're searching the right connector space by filtering by ma_id.. there's probably other things you'd need to be aware of here too (e.g. is_phantom_delete). 

    There's really no reason to be searching in the SQL for this though, it's complex and unsupported. The better way to examine your disconnectors would be to click the "management agents" tab in the sync service then select the affected management agent and click "search connector space" - click search and examine those non-placeholders with a connector value of "False". You can look at these to determine why they haven't projected or joined.

    • Marked as answer by Oekeloen Monday, October 3, 2016 10:01 AM
    Thursday, September 29, 2016 12:30 PM
  • Thanks, that helps! I found the 'search connector space'.
    Monday, October 3, 2016 10:01 AM