Fixing AD Connector to use LDAP Query

  • Question

  • When setting up this system, in our haste we allowed our AD connector to import everything. I would like to fix it to just use an LDAP filter to get only users from specific OUs.

    So my question is...

    Can I easily swap out connectors, add the new one, remove the old one?

    Will there be any problems with doing this? (Users missing from tickets, PCs missing, etc.)

    Thanks.

    Wednesday, May 27, 2015 3:37 PM

Answers

  • Yes, you can add a new AD connector and remove the old one.

    Yes, you may have issues with users being removed from tickets. If the objects have been updated by a user or a workflow, they will remain in the system even after you remove the AD connector. If an object has been updated only by your old AD connector, it will be removed when you delete that old AD connector (effectively removing relationships between those users and their tickets).

    Here's some reading material on Service Manager's "discovery source" concept which should give you some more insight into the effects of deleting a connector: http://contoso.se/blog/?p=2594

    Basically, as long as your new LDAP query AD connector covers all AD objects that are important in your CMDB, then you won't lose anything.

    • Marked as answer by Eric Marro Tuesday, June 2, 2015 2:26 PM
    Wednesday, May 27, 2015 4:10 PM
  • Yes, deleting connectors works exactly the way you would hope:

    1. any items synchronized in that haven't been used or updated by any other sources will be marked for deletion
    2. any items that HAVE been used will never be automatically marked for deletion by removing a connector.
    3. items that are updated from more than one connector will only be marked if all of the connectors that update that item are removed.

    Under the hood, each object has a list of update sources, and if all of those sources are removed (i.e. the connector is deleted) then those items will be marked for deletion. Items that you edit in the console or with PowerShell are marked with a special "manually edited" source that cannot be deleted, so they will never be automatically marked for deletion.

    You might want to look into SMLets and the Remove-SCSMObject commandlet and its -force parameter, which immediately removes the object, in case you need to do some manual cleanup.


    • Edited by Thomas Bianco Wednesday, May 27, 2015 4:14 PM phrasing
    • Marked as answer by Eric Marro Tuesday, June 2, 2015 2:25 PM
    Wednesday, May 27, 2015 4:13 PM
  • Hi,

    Many of the configuration items that are found in the System Center 2012 – Service Manager database are the result of the data that is imported by using connectors. Therefore, if a connector is deleted, the configuration items that are associated with that connector will also be deleted, except where the configuration item is related to an active incident or change request. If more than one connector defines a configuration item, the configuration item will be deleted when all of the contributing connectors are deleted.

    If you are creating a new connector to replace an existing connector, create the new connector first, and then synchronize the new connector before deleting the old connector.

    Please also go through the article below:

    http://blogs.technet.com/b/brianbarrington/archive/2014/10/17/my-ad-connector-won-t-delete-ad-deleted-items.aspx

    Regards,

    Yan Li



    • Marked as answer by Eric Marro Tuesday, June 2, 2015 2:26 PM
    Thursday, May 28, 2015 6:23 AM
  • Hi there,

    This is my approach.


    Cheers,
    Marat
    Site: www.scutils.com

    • Marked as answer by Eric Marro Tuesday, June 2, 2015 2:26 PM
    Thursday, May 28, 2015 9:14 AM

All replies

  • Thank you everyone, this helps me get started in cleaning this up.
    Tuesday, June 2, 2015 2:26 PM
  • Please use PS cmdlets to add/edit LDAP queries for existing connectors:

    Update-SCSMConnector:     https://technet.microsoft.com/en-us/library/hh316217(v=sc.20).aspx

    Get-SCSMConnector:            https://technet.microsoft.com/en-us/library/hh316209(v=sc.20).aspx

    <<< Example >>>
    Step1
    $ADConnector = Get-SCSMConnector -DisplayName "ADCon123"

    Step2
    $ADConnector.SelectedUsers = "(objectCategory=user)"
    and/or
    $ADConnector.SelectedComputers = "(objectCategory=computer)"
    and/or
    $ADConnector.SelectedPrinters = "(objectCategory=Printqueue)"

    Step3
    Update-SCSMConnector -Connector $ADConnector


    Saturday, September 26, 2015 8:23 PM
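
The coverage condition from the first answer (the new LDAP-query connector must cover every AD object that matters in the CMDB) can be checked before the old connector is deleted. The following is an added example, not code from any poster in this thread. It assumes the ActiveDirectory RSAT module and SMLets are installed and that AD users in the CMDB expose a DistinguishedName property; the OU paths, the filter, and the output file name are constructed placeholders.

```powershell
# Added example: pre-flight coverage check before removing the old AD connector.
# Assumptions: ActiveDirectory (RSAT) and SMLets modules are available; the OUs,
# filter and CSV path below are constructed placeholders, not values from the thread.
Import-Module ActiveDirectory
Import-Module SMLets

# AD LDAP filters cannot substring-match on distinguishedName, so the OU scope
# is expressed here as one search base per OU rather than inside the filter.
$TargetOUs = @(
    'OU=Staff,DC=example,DC=com',
    'OU=Contractors,DC=example,DC=com'
)
# Candidate value for $ADConnector.SelectedUsers (constructed sample).
$UserFilter = '(&(objectCategory=person)(objectClass=user))'

# 1. Collect what the new scope returns from AD, keyed by lower-cased DN.
$inScope = @{}
foreach ($ou in $TargetOUs) {
    Get-ADUser -LDAPFilter $UserFilter -SearchBase $ou -SearchScope Subtree |
        ForEach-Object { $inScope[$_.DistinguishedName.ToLower()] = $true }
}

# 2. Read the AD users currently held in the Service Manager CMDB.
$userClass = Get-SCSMClass -Name 'Microsoft.AD.User$'
$cmdbUsers = @(Get-SCSMObject -Class $userClass)

# 3. CMDB users the new scope would not bring in. Objects without a DN
#    (for example, manually created users) are skipped, not reported.
$notCovered = @($cmdbUsers | Where-Object {
    $_.DistinguishedName -and
    -not $inScope.ContainsKey($_.DistinguishedName.ToLower())
})

# 4. Summarise and export for review before the old connector is deleted.
$summary = '{0} CMDB users, {1} in new scope, {2} not covered'
$summary -f $cmdbUsers.Count, $inScope.Count, $notCovered.Count

$notCovered |
    Select-Object DisplayName, UserName, Domain, DistinguishedName |
    Export-Csv -Path .\users-not-covered.csv -NoTypeInformation
```

Going by the answers above, only objects whose sole update source is the old connector are marked for deletion, so the exported list is an upper bound on what would actually be removed.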