Please view the information below. Please note that the screenshots and videos will reference AD sync v2.0. If you have not already switched over (and are on at least version 13.5+ of the intranet), please contact support@icthrive.com for instructions.
Why are users missing?
Missing users from your sync? Check if they are seen in the scope of your AD target:
Things to check:
If the employee is not appearing in the list when using the object preview, there could be a few things to check in AD:
- Does the employee have a First name, Last name, and pre windows 2k username in AD?
- Are they within the same OU as others in the sync?
- If you have a filter applied, are they a member of this group?
- Are you using LDAPS? (connecting on port 636)
- Have you recently renewed or changed your LDAP Certificate? If so, add the certificate to Lucee Server
- Does the missing user(s) have the following attributes filled in Active Directory
- First name
- Last name
- Username
The user is in the right target but they still won't sync
- Check to see if there is someone with the same username currently disabled in the software > navigate to Admin > Find logins (check the box next to disabled logins):
- If you are currently using a service account in the administrator field, please temporarily switch to an administrative account (with accompanying password), save and resync
- How many users and groups do you have synching over currently (approximately)?
- Did this user's username recently change? If so, check to see if their old username is still active/disabled in the intranet
- On the admin page > click Scheduled Tasks > has the scheduled task run recently? (last ten minutes) If there was an error, please provide the application log from Admin > Errors and Logging > Download Application Log
- Navigate to Admin > Errors & Logging > Download the AD log and provide it to our support team (support@icthrive.com)
AD Synchronization v1.0 - object limits
If you're using AD Synchronization v1.0 but not all your users appear to be synchronizing with the Intranet (i.e. either you can’t find all your users or they aren’t updating), this could be due to the limitation on the number of objects. If you're unable to switch to v2.0 of AD sync, please try the following:
When you use AD Sync, the program is limited to the number of objects specified in the MaxPageSize which defaults to 1000 objects. Microsoft provides instructions on increasing this setting in its article How to view and set LDAP policy in Active Directory.
To resolve this:
- Go to the domain controller that we’re connecting to for the sync
- Find the file ntdsutil.exe (most likely under c:\windows\system32 or c:\winnt\system32
- Run the ntdsutil.exe
- Type “ldap policies” and enter
- Type "connections" and enter
- Type "Connect to server [YourDCName]" and enter
- Type "q" and enter
- Type "Show Values" to see the current settings
- Type “Set MaxPageSize to 2000” and enter
- Type “Commit Changes” and enter
- Type “Show Values” and enter
You should see the number set to 2000 now. If you need a larger value to accommodate your user base, you can adjust this. You should now be able to run your AD Sync again. (uncheck the 'enable sync' button, save the changes and then re-enable the sync).