FIM synchronization: slowness during export with AD management agent

  • Question

  • Hello,

    We are suffering from very bad performance when exporting updates from the metaverse to AD.
    The AD management agent takes about one minute per updated account (several days if we have an update on all accounts).
    However, the synchronization step is quite fast (about a few minutes).

    In order to identify the source of the problem, we tried to make an update on all accounts with a VB.NET script.
    We executed this script locally (on the FIM synchronization service server) and it takes only several minutes.
    This is why we are convinced that this issue is not related to the AD configuration.

    Then we made several checks on the database configuration, but we didn't find any problem in particular regarding the points below.
    - table size
    - cpu / memory / disk space shortage
    - no dead lock
    - queries execution time lower than one second

    We would be grateful for any help, advice or feedback on the subject

    Regards,

    Serge Bouchut

    Thursday, December 19, 2013 11:07 AM

All replies

  • My first suspect would be network, infrastructure and AD configuration:

    - AD - DNS: check if all names resolve correctly and DNS works as expected

    - Check which DC is used by your FIM. Your AD MA uses DC Locator to find a DC. If the AD configuration points it to some remote location, the round trip might be a long one.

    Second: are you using it to provision Exchange? If yes, it is doing a call to Exchange after every export operation. This might be a suspect.

    For all of the above, doing a network trace will tell you what's wrong right away.

    BTW - synchronization is a process which is done only within the FIM service and database, so the time of its execution is irrelevant for network operations.


    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

    • Proposed as answer by UNIFYBobMVP Thursday, January 16, 2014 7:04 AM
    Thursday, December 19, 2013 11:48 AM
  • Hello Tomasz,

    Thank you for your answer. I will investigate all these points and give feedback later. :)

    Regards,

    Thursday, December 19, 2013 5:04 PM
  • Also, you could pinpoint AD management agent to communicate with a specific DC. It was the case in my recent Galsync scenario at customer test lab site. Export speed went up from 5 objects/minute to 1200/minute.
    Wednesday, December 25, 2013 7:57 AM
  • I was going to make the second of Tomasz' recommendations - my first thought is Exchange.  If this turns out to be the problem, and you do need to provision Exchange mailboxes, try turning off the Exchange settings on the MA and use a post-export PowerShell script to check for AD accounts missing their mailboxes, calling the Enable-Mailbox for each user object returned.

    Bob Bradley (FIMBob @ TheFIMTeam.com) ... now using FIM Event Broker for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

    • Proposed as answer by UNIFYBobMVP Thursday, January 16, 2014 7:04 AM
    Thursday, December 26, 2013 12:04 PM
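
The post-export approach suggested in the reply above could look like the following. This is an added example, not a script from the thread or from any participant. The Exchange URI, OU, database name and log path are placeholders, and it assumes Exchange provisioning is turned off on the AD MA and that the script runs under an account limited to the Exchange recipient-management rights it needs.

```powershell
# Added example: enable mailboxes for AD accounts that FIM exported without one.
# All default parameter values are placeholders; replace them for your environment.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ExchangeUri = 'http://exchange01.example.local/PowerShell/',
    [string]$TargetOU    = 'OU=Users,DC=example,DC=local',
    [string]$Database    = 'MailboxDB01',
    [string]$LogPath     = 'C:\Logs\PostExport-EnableMailbox.csv'
)

# Remote Exchange session over Kerberos, so no credentials are stored in the script.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri $ExchangeUri -Authentication Kerberos
try {
    # Import only the two cmdlets the script needs.
    Import-PSSession $session -CommandName Get-User, Enable-Mailbox -AllowClobber | Out-Null

    # RecipientTypeDetails 'User' matches accounts that are not mailbox- or mail-enabled.
    $pending = Get-User -OrganizationalUnit $TargetOU -RecipientTypeDetails User -ResultSize Unlimited

    $results = foreach ($user in $pending) {
        $status = 'Skipped'   # stays 'Skipped' when run with -WhatIf
        $detail = ''
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Enable-Mailbox')) {
            try {
                Enable-Mailbox -Identity $user.DistinguishedName -Database $Database `
                    -ErrorAction Stop | Out-Null
                $status = 'Enabled'
            }
            catch {
                # One failing account must not stop the rest of the batch.
                $status = 'Failed'
                $detail = $_.Exception.Message
            }
        }
        New-Object PSObject -Property @{
            Time   = (Get-Date).ToString('s')
            User   = $user.DistinguishedName
            Status = $status
            Detail = $detail
        }
    }

    # Keep a per-run record of what was changed, for later review.
    $results | Select-Object Time, User, Status, Detail |
        Export-Csv -Path $LogPath -NoTypeInformation
}
finally {
    Remove-PSSession $session
}
```

Running it with `-WhatIf` first lists the accounts that would be mailbox-enabled without changing anything.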
  • Thank you all for your replies. After deactivating Exchange provisioning in the AD MA, the connector performed 100 updates in 9 seconds (instead of more than 1h with the provisioning).

    Do we have alternatives to the "post export powershell" way?

    Regards,

    Serge

    • Edited by Serge_B Wednesday, January 15, 2014 12:21 PM
    Wednesday, January 15, 2014 12:13 PM
  • Only alternatives that come to mind are an ECMA or a PowerShell MA.

    Bob Bradley (FIMBob @ TheFIMTeam.com) ... now using FIM Event Broker for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

    Thursday, January 16, 2014 7:06 AM
  • Hello Bob,

    We have submitted a ticket to the Microsoft helpdesk. To be continued...


    Serge

    Friday, January 24, 2014 12:12 PM