Day: January 20, 2020

HCL Domino V11 – Directory Synchronzation – Part 5

Debugging & Monitoring

To monitor DirSync output, you can use the server console or the server log.nsf.
This in general lets you identify possible errors during DirSync processing.

If you need a more verbose output, or you want to dig deeper into DirSync functionallity, use the following notes.ini variable to create some kind of trace mode.

set con DIRSYNC_DEFAULT_ARGS=-v

You do not need to restart the DirSync task to switch verbose logging on / off.

Instead of just the summary line

[1730:0004-0BE0] 20.01.2020 12:13:56   DIRSYNC From Active Directory (AD) - Summary (0.003 sec, Start=234796, Adds=0, Modifies=0, Deletes=0, Skips=0, Errors=0, End=234795)

by setting the parameter, you will get a more verbose output.

[1730:0004-0BE0] DirSync  ResyncAll by CheckBox: 0
[1730:0004-0BE0] DirSync  Preview:        0
[1730:0004-0BE0] DirSync  Level:          16
[1730:0004-0BE0] DirSync  SyncFlows:      2
[1730:0004-0BE0] DirSync  OnPremCookie:   
[1730:0004-0BE0] DirSync  UserDirCookie:  234795
[1730:0004-0BE0] DirSync  CSyncFromAD::SyncSpan (NAMEldap_search_ext_s call) : (&(&(|(objectClass=Group)(objectClass=Person))(|(mail=@brightside.)(mail=@darkside.)(mail=@msdn.)))(uSNChanged>=234796)) took 1 msec
[1730:0004-0BE0] 20.01.2020 12:14:47   DIRSYNC From Active Directory (AD) - Summary (0.001 sec, Start=234796, Adds=0, Modifies=0, Deletes=0, Skips=0, Errors=0, End=234795)

With this parameter in place, you will also be able to monitor which attributes have been changed in Active Directory. 

[1428:0005-17F8] DirSync  Processing ldap entry (SyncSpan) #1 from page #1, total entries #1: 'CN=James Kirk,CN=Sync,DC=ad,DC=fritz,DC=box'
[1428:0005-17F8] DirSync  Entry with mail address 'j.kirk@brightside.org' - NoteID 10082 was found in the target directory.
[1428:0005-17F8] DirSync  
 DirSync  CSyncFromAD::DoModify(dn = 'CN=James Kirk,CN=Sync,DC=ad,DC=fritz,DC=box', newentry=0)
[1428:0005-17F8] DirSync  Modified MiddleInitial from '' to 'T'
[1428:0005-17F8] DirSync  Modified uSNChanged from '234775' to '234796'
[1428:0005-17F8] DirSync  'person' Document updated, UTF8 Name = 'CN=James Kirk,CN=Sync,DC=ad,DC=fritz,DC=box' 
[1428:0005-17F8] DirSync  CSyncFromAD::DoModify - Modified existing Note for 'CN=James Kirk,CN=Sync,DC=ad,DC=fritz,DC=box'
[1428:0005-17F8] DirSync  
[1428:0005-17F8] 20.01.2020 12:19:37   DIRSYNC From Active Directory (AD) - Summary (0.037 sec, Start=234796, Adds=0, Modifies=1, Deletes=0, Skips=0, Errors=0, End=234796)

The above output also indicates a possible bug in the DirSync task setting values on the Status tab of the configuration document.

While the LDAP change number corresponds to the End=234796 value in the summary record, the Last sync time (20.01.2020 12:19:37) entry is not updated.

Not sure, at what time this value is being set. I will keep an eye on it.

DirSync also collects several stats. You can access them either from the Admin Client.

or issuing a show stat DirSync command on the server console

show stat dirsync
[1CDC:0009-1EC8]   DirSync.AD.FromAD.Adds = 6
[1CDC:0009-1EC8]   DirSync.AD.FromAD.Deletes = 6
[1CDC:0009-1EC8]   DirSync.AD.FromAD.Millis = 18086
[1CDC:0009-1EC8]   DirSync.AD.FromAD.Modifies = 2
[1CDC:0009-1EC8]   DirSync.AD.FromAD.Skips = 9
[1CDC:0009-1EC8]   DirSync.MIDPOINTS.FromAD.Millis = 108
[1CDC:0009-1EC8]   DirSync.Totals.LatestAllDirSyncDocsMillis = 3
[1CDC:0009-1EC8]   DirSync.Totals.LongestAllDirSyncDocsMillis = 191
[1CDC:0009-1EC8]   DirSync.Totals.LongestSyncTimeMillis = 190
[1CDC:0009-1EC8]   DirSync.Totals.LongestSyncTimeNABName = names.nsf
[1CDC:0009-1EC8]   DirSync.Totals.NumADChangeQueriesSyncSpan = 1221
[1CDC:0009-1EC8]   DirSync.Totals.TimeADChangeQueriesSyncSpan = 15769
[1CDC:0009-1EC8]   DirSync.Totals.TotalDirSyncDocs = 2
[1CDC:0009-1EC8]   DirSync.Totals.TotalRequestDocs = 0
[1CDC:0009-1EC8]   DirSync.Totals.TotalSuccessfulNABSyncs = 30
[1CDC:0009-1EC8]   15 statistics found

In addition to the notes.ini parameter mentioned above, DirSync comes with a lot more notes.ini parameters. They are not documented and should only be used when support advices you to do so.

You can find a list of those parameters using the following command on the server console.

te dirsync show
[1730:0004-0BE0] DirSync> DIRSYNC_DEFAULT_ARGS=-v
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_STRICT_ASSERT=0
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_THREAD_TRACE_LEVEL=0
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_DISABLE_BG_THREADS=0
[1730:0004-0BE0] DirSync> DIRSYNC_THREADS=10
[1730:0004-0BE0] DirSync> DIRSYNC_BG_THREADS=10
[1730:0004-0BE0] DirSync> DIRSYNC_BG_THREADS_CUSTOMER_ALLOWED=3
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_STARTUP_DELAY=60000
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_STARTUP_THREAD_ABORT=10
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_DELAY=60000
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_FORCE_RUNMODE=1
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_NO_REPLICATE=0
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_NO_YELLOWZONE=0
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_MARK_INVALID_INTERVAL_MINUTES=60
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_CHANGELOG_TIMELIMIT=300
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_CHANGELOG_SIZELIMIT=10000
[1730:0004-0BE0] DirSync> DEBUG_IDRSYNC_CHANGELOG_CHANGETIME_LIMIT=10000
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_SKIPLOG_LIMIT=50
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_NO_SERVERROLE_CHECK=0
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_NO_REPLICATION_SERVER_CHECK=0
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_NO_CONFLICT_CLEANUP=0
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_NO_FIRSTSYNC_OPTIMIZATION=0
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_NO_ACL_CHECK=0
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_NO_ECL_CHECK=0
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_NO_MAILHUBS_CHECK=0
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_NO_DOMAINNAME_CHECK=0
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_ELSEWHERE_CHECK_INTERVAL_MINS=60
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_TRIANGULATION_INTERVAL_MINS=10
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_TRACE_NOTESDN=
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_RESYNC_ONCE_NOTESDN=
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_FLUSH_CONFIG_FREQUENTLY=0
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_CERTIFIER_BLACKLIST=
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_CDIR_UPDATE_VIEWNAMES=
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_HYGIENICRESTART_THRESHOLD=100000
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_EXCLUDE_CUSTOMERID=
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_EXCLUDE_USERID=
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_INCLUDE_ONLY_CUSTOMERID=
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_DISABLE_AUTO_SYNC_ALL=0
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_LEAKS=0
[1730:0004-0BE0] DirSync> DEBUG_MAX_CHANGELOG_RENAME_SEARCH_ITERATIONS=20
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_DONT_PANIC_ON_MAX_MEM_SEGMENTS=0
[1730:0004-0BE0] DirSync> DEBUG_INVALID_BBLOCK_IN_SYNCTHREAD=0
[1730:0004-0BE0] DirSync> DEBUG_SKIP_INVALID_BBLOCK_IN_SYNCTHREAD=0
[1730:0004-0BE0] DirSync> DEBUG_USE_OLD_RESYNCONCE_PROCESSING=0
[1730:0004-0BE0] DirSync> DEBUG_USE_DIRSYNC_RESPONSE_DOCS=0
[1730:0004-0BE0] DirSync> DEBUG_MULTI_BG_THREADS_TO_A_CUSTOMER=0
[1730:0004-0BE0] DirSync> DEBUG_DIRSYNC_MAX_REQUEST_ERRORS=0

Use / change this parameters only when told by HCL support.


HCL Domino V11 – Directory Synchronzation – Part 4

In this part of the tutorial about Domino V11 Directory Synchronization, we want to take a closer look at the actions that can be performed on DirSync configuration documents.

Enable Configuration

To enable a DirSync configuration, select it in the view and click the Enable button.
You will be presented a dialog box where you can select from 2 options.

Select Run in test mode to simulate the actions that Directory Sync would take but without changing any Domino® data. Make any adjustments needed to the Directory Sync configuration. When you are ready to enable synchronization for real, select Synchronize data.

Next, click OK to close the Activate Directory Sync dialog

DirSync will recognise the new configuration on the next scheduled run.

Disable configuration

To disable a DirSync configuration, select the document in the view and click the Disable button.

Next, click OK to close the Deactivate Directory Sync dialog

A “Disable” request document will be created.

DirSync will disable the configuration on next scheduled run and also delete the request document.

You also have to disable a Directory Sync configuration before changing it. You will get a warning message if you try to edit an enabled Directory Sync configuration.

Resync

You can resync all of the Active Directory data.Resync if you make changes to the Directory Sync Configuration document that affects which data is synced. Resyncing occurs through a Dirsync thread that runs in the background, in parallel with the usual incremental sync.

Next, click OK to close the Resynchronize Selected Directories dialog

A “Resync” request document will be created.

On the server console you will see the following entries when the DirSync task processes the resync request.

[1BE0:0004-1D10] DirSync  Updating SyncAll Request's DirSyncRequestState to 1
[1BE0:0004-1D10] 20.01.2020 06:56:19   DIRSYNC From Active Directory (AD) - Summary (0.001 sec, Start=234776, Adds=0, Modifies=0, Deletes=0, Skips=0, Errors=0, End=234775)
[1BE0:0005-0284] DirSync  Sync all request calling SyncFromLDAPToNAB.
[1BE0:0005-0284] DirSync  resyncall - SyncFromLDAPToNAB completed in: 0.363 seconds
[1BE0:0005-0284] DirSync  Updating SyncAll Request's DirSyncRequestState to 2
[1BE0:0005-0284] 20.01.2020 06:56:26   DIRSYNC Full Resync From Active Directory (AD) - Summary (0.363 sec, Start=0, Adds=3, Modifies=0, Deletes=0, Skips=0, Errors=0, End=234775)
[1BE0:0004-1D10] DirSync  Deleting SyncAll Request
[1BE0:0004-1D10] 20.01.2020 06:57:19   DIRSYNC From Active Directory (AD) - Summary (0.001 sec, Start=234776, Adds=0, Modifies=0, Deletes=0, Skips=0, Errors=0, End=234775)

Resync Issue

There is a small issue with resync when you accidently flag a disabled DirSync configuration for resync.

After you confirm to resynchronize selected Directories, the configuration will be flagged for resync by setting the item DirSyncReset=”1″.

When you now enable the configuration, you would expect a resync of the selected configuration, right?
But that does not happen. The DirSync task starts as soon as it detects the new configuration, but it does neither perform the requested resync nor it resets the DirSyncReset item value.
Even trying to reinitiate the resync fails. You need to remove the DirSyncReset item value by either using an agent or another tool of your choice.

I have created a case with HCL for this (Case# CS0081445)

Issue with Domino Directory file name

If you see the following error message on the server console

[1BE0:0004-1D10] CSyncFromAD::ProcessEntry could not open customer directory -  reason File does not exist

check the Domino Directory file name item value in DirSync configuration. Most likely, the file name is misspelled or the file does not exist on the server. In the BETA version, this resulted in an enabled configuration to be prevented from being disabled. This has been tracked under SPR# MOBNBHUHGD and fixed in Domino V11 GA.