黑料海角91入口

Help Center Home > Active Directory > Troubleshoot: Active Directory Integration (ADI)

Troubleshoot: Active Directory Integration (ADI)

If you experience an issue when performing an Active Directory Integration (ADI) with 黑料海角91入口, review these common resolutions.

Where do I find the AD Import and Sync Agent logs and configuration files?
  • AD Import Agent:
    Log File Location:  C:\Windows\Temp\黑料海角91入口_AD_Integration.log
    Configuration File Location: C:\Program Files\黑料海角91入口 AD Bridge\adint.config.json
  • AD Sync Agent: 
    Log File Location: C:\Program Files\黑料海角91入口\AD Sync\adsync.log
    Configuration Details Location: HKEY_LOCAL_MACHINE\SOFTWARE\黑料海角91入口\AD Sync

Here is an excellent reference for common LDAP Result Code error meanings.

Users added to the 黑料海角91入口 ADI Security Group in AD (or added to a Security Group which is memberOf the 黑料海角91入口 ADI Security Group) do not appear in User list in the 黑料海角91入口 tenant.
  1. Verify that the 黑料海角91入口 AD Import agent in ADI is active. A green indicator is active while yellow or red indicate that there is a problem. In the 黑料海角91入口 Admin Portal, go to Directory Integrations > Active Directory and select the AD Domain. 

  1. Verify that the Active Directory user account (often referred to as the service account) is utilized to connect to 黑料海角91入口:
    • The AD User Logon Name cannot be named 鈥満诹虾=91入口鈥.
    • Reset the service account password:
      1. Open AD Users & Computers, and manually set the password on the service account.
      2. On all DCs, open services.msc and stop the 黑料海角91入口 AD Bridge Agent service. 
      3. As an administrator on all DCs, edit the C:\Program Files\黑料海角91入口 AD Bridge\adint.config.json file. Manually change the Password value to match the password set above. Your password should be bracketed by the existing quote marks. For example, 鈥淣ewPassword鈥.

        "SSLPort": 636,
        鈥淧ort": 389,
        "UserName": "contoso.org\JCimport",
        "Password":
      4. Start the黑料海角91入口 AD Bridge Agent service on all DCs.
      5. Delegate read-only rights to the specified Root User Container according to the To Delegate Read-Only Control for the AD Import Service Account section in Configure the Active Directory Integration. Then restart the 黑料海角91入口 AD Bridge Agent service on all DCs. 

Note:

The password listed in the adint.config.json will likely be a secure hash, enter the new password between quotes.

After the service has started, the password will be re-hashed in the .json file.

  1. Verify that the Root User Container is configured properly:
    1. All users or security groups added to the 黑料海角91入口 ADI Security Group must be located in the organizational unit (OU) specified as your Root User Container as defined in Configure the Active Directory Integration. They can also be located within a child OU of the Root User Container.
    2. An integration specific Security Group has been created and is located in the Root User Container.
    3. The CN value in the AD import configuration file, C:\Program Files\黑料海角91入口 AD Bridge\adint.config.json, matches the name of the 黑料海角91入口 ADI security group you created.
  1. Verify that the information in the JSON file is correct.

Tip:

The separator for DN is a semicolon and not a comma.  For example, CN=Users;DC=contoso;DC=com.

The Import agent is invalid (red) in the Active Directory Integration section of the Admin Portal.
  1. On all DCs, start services.msc and verify that the 黑料海角91入口 AD Bridge Agent service is started.
  2. The password has changed for the service account which was used when setting up Import Agent on DC. Follow the steps to Reset service account password:
    • Open AD Users & Computers, and manually set the password on the service account.
    • On all DCs, open services.msc and stop the 黑料海角91入口 AD Bridge Agent service. 
    • As an administrator on all DCs, edit the C:\Program Files\黑料海角91入口 AD Bridge\adint.config.json file. Manually change the Password value to match the password set above. Your password should be bracketed by the existing quote marks. For example, 鈥淣ewPassword鈥.

      "SSLPort": 636,
      鈥淧ort": 389,
      "UserName": "contoso.org\JCimport",
      "Password":
    • Start the黑料海角91入口 AD Bridge Agent service on all DCs.
    • Delegate read-only rights to the specified Root User Container according to the To Delegate Read-Only Control for the AD Import Service Account section in Configure the Active Directory Integration. Then restart the 黑料海角91入口 AD Bridge Agent service on all DCs. 
  3. Verify internet connectivity for all DCs. Allowed traffic must use ports 443, 389, 636.
  4. The Admin Portal account used to set up the ADI import has been removed from your account. This action invalidates the API key. Create a unique or dedicated Admin account specifically for ADI. Use an API key from this newly created Admin account in C:\Program Files\黑料海角91入口 AD Bridge\adint.config.json on all AD DCs.

Note:

The API key used to configure AD Import is rotated.

As in the previous step, if the API key associated with a 黑料海角91入口 administrator used to set up AD Import is rotated, or the admin is deleted, the import service will stop working. This means password changes and new user imports will no longer work as expected.

See Rotate the AD Import API Key for steps on how to update the API key in the AD Import configuration.

The Sync agent is invalid (red) in the Active Directory Integration section of the Admin Portal.

RESOLUTION 1:

  1. On DCs, start services.msc and verify that the 黑料海角91入口 AD Integration Sync Agent service started.
  2. Reset service account password.
    1. Stop the 黑料海角91入口 AD Integration Sync Agent service.
    2. Open AD Users & Computers, and manually set the password on the service account.
    3. Open the regedit.exe file.
    4. Browse to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\黑料海角91入口\AD Sync\ldap.
    5. Add a new String Value entry called bind_password.
    6. Edit the key, and add the password to the value data field.
    7. Start the 黑料海角91入口 AD Integration Sync Agent service.

Note:

Starting the service will update the bind_pw_encrypted hash and remove the bind_password key.

  1. Verify internet connectivity for all DCs. Allowed traffic must use ports 443, 389, 636.

RESOLUTION 2: Error:agent no longer registered, Please uninstall and re-install with a valid connect key

  1. From the 黑料海角91入口 Admin Console:
    1. Browse to the Domain Agents section in your Active Directory configuration. If it exists, delete the non-functioning Sync Agent.
    2. Under the Details section, click Install a new Sync Agent. Copy the new Connect Key.
  2. On the Domain Controller:
    1. Delete the contents of the following folder: C:\Program Files\黑料海角91入口\AD Sync\cfg\
    2. Open regedit.exe
    3. Browse to 鈥楥omputer\HKEY_LOCAL_MACHINE\SOFTWARE\黑料海角91入口\AD Sync鈥
    4. Edit the 鈥榗onnect_key鈥 registry entry and replace the current value with the new connect key you just generated.
    5. Start the 黑料海角91入口 AD Integration Sync Agent service.

New users are added to AD and appear in 黑料海角91入口 Admin Portal, but passwords are invalid (yellow) because passwords are not synchronizing from AD to 黑料海角91入口.
  1. When adding new users to Active Directory 黑料海角91入口 ADI Security Group (or added to a Security Group which is memberOf the 黑料海角91入口 ADI Security Group), verify that the 黑料海角91入口 AD Bridge Agent is running (green) in the  Admin Portal.
  2. Users created before the installation of the 黑料海角91入口 AD Bridge Agent will require a password change in order to update 黑料海角91入口 with the corresponding password from the AD User Account.

Tip:

If users were created after the AD Import Agent鈥檚 install, then no password change is required by that AD User. The password is immediately exported to 黑料海角91入口. 

  1. Password changes from Active Directory-bound resources, like Windows devices, will not update consistently to 黑料海角91入口 if there are any DCs in the environment that do not currently have the 黑料海角91入口 AD Bridge Agent installed and running.
  2. Verify that password complexity requirements between AD and JC match exactly.

Users or passwords are not synchronizing from 黑料海角91入口 to Active Directory.
  1. Verify that the 黑料海角91入口 AD Integration Sync Agent is installed and running properly. If not, see Sync agent showing red in AD Integration side of JC Admin Portal.
  2. Verify the username of the user in 黑料海角91入口 is 20 characters or less.
  3. Verify that the users are added to an AD-bound group in the 黑料海角91入口 Admin Portal.
  4. Verify that the 黑料海角91入口 AD Integration Sync Agent Root User container is configured correctly.
    1. Open the file "C:\Program Files\黑料海角91入口 AD Bridge\adint.config.json" and make note of the DN field.
    2. Open the Windows registry and browse to HKEY_LOCAL_MACHINE\SOFTWARE\黑料海角91入口\AD Sync\ldap
    3. Compare the user_root_dn value and confirm it matches what is configured within the highlighted section of the file above.

Warning:

Ensure the use of semicolons to separate the DN fields. Using commas will result in the application failing to sync.

  1. Verify that the service account used for the 黑料海角91入口 AD Integration Sync Agent has been delegated the proper rights to the Root User Container:
    1. Stop the 黑料海角91入口 AD Integration Sync Agent service from services.msc.
    2. Delegate the following rights to the 黑料海角91入口 AD Integration Sync Agent service account user for the appropriate target (OU or CN=Users, depending on your AD Import Configuration).
  1. Start the AD Sync Service from services.msc. 

After removing Active Directory Integration from 黑料海角91入口, 黑料海角91入口 users still appear with AD icon and are externally managed by the nonexistent Active Directory.

See the article Convert AD-managed User Accounts.

After rebooting the Domain Controller, the Import or Sync agent services do not start automatically.

This can be due to the default service timeout being too short.

  1. Launch Windows Registry Editor.
  2. Locate this registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.
  3. Right-click this key and select New > DWORD (32-bit) Value. A new value named New Value #1 appears on the right.
  4. Change the name of this new value to ServicesPipeTimeout.
  5. Right-click the ServicesPipeTimeout value you created, and choose Modify. The Edit DWORD Value window opens.
  6. Change Base to Decimal
  7. For Value, type 180000 service to start, then click OK.

AD users losing sudo permissions.

If you are using 黑料海角91入口 with your Active Directory server, leveraging the 黑料海角91入口 ADI, you may find that sudo/administrator permissions are periodically lost after you set them within 黑料海角91入口. The AD Import agent controls user attributes and membership in 黑料海角91入口 via AD security groups, and this is the case for the sudo/admin user setting.

When using the 黑料海角91入口 AD Import agent, there are two AD security groups that you use to control behavior in 黑料海角91入口. Both need to be created in the Users OU.

  1. An integration specific security group - any user or group (or group of groups) placed in this group will be sync'd into 黑料海角91入口. 
  2. 黑料海角91入口 Admins - any user or group (or group of groups) placed in this group will set sudo/administrator permissions on the user in 黑料海角91入口.

Important:

The 黑料海角91入口 Admins group must be a member of the 黑料海角91入口 ADI security group.

By adding user admins to the "黑料海角91入口 Admins" group, the AD Bridge will automatically set and maintain the sudo permissions on the user from that point forward.

Random issues with users’ passwords not syncing after they change them.

Check the password complexity settings in JC match those set in AD.聽 This can happen when the user sets the password in JC with different complexity settings, and then it is rejected in AD due to it not meeting the AD's password complexity settings.

Back to Top

Notebook IconLearn More

Get Started: ADI

Configure Active Directory Integration (ADI)

Use and Manage the Active Directory Integration (ADI)

Advanced Configurations for the Active Directory Import Agent

Advanced Configurations for Active Directory Sync

Enable Debug Logging for the ADI

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case