Enterprise Vault (EV) Compliance Accelerator (CA) or Discovery Accelerator (DA) produces errors or warnings when attempting to synchronize users who no longer exist in Active Directory.

book

Article ID: 100017455

calendar_today

Updated On:

Description

Error Message

Type:  Warning
Source:  Accelerator AD Synchronizer
Category: None
Event ID: 27
Description:
APP AT - Customer ID: 1 - Could not find EVLab\tuser02, the user may have been deleted. System.Runtime.InteropServices.COMException (0x80072116): Name translation: Could not find the name or insufficient right to see name. (Exception from HRESULT: 0x80072116)
   at ActiveDs.NameTranslateClass.Set(Int32 lnSetType, String bstrADsPath)
   at KVS.Accelerator.Common.ADConnection.GetEntry(String principalLogin, String guid, String& modifiedLogin)
   at KVS.Accelerator.ActiveDirectory.ADProfileSynchroniser.SynchroniseADEmployeeProfile(ProfileRow profileRow, StringCollection& allEmailAddresses, StringCollection& allDisplayNameAddresses, PropertyCollection& ADUserProps, String& ADSyncError)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

V-437-27

Type:  Warning
Source:  Accelerator AD Synchronizer
Category: None
Event ID: 27
Description:
APP AT - Customer ID: 1 - Could not find EVLab\tuser02, the user may have been deleted. System.DirectoryServices.DirectoryServicesCOMException (0x80072030): There is no such object on the server.
   at KVS.Accelerator.ActiveDirectory.ADProfileSynchroniser.UpdateProfileRowFromDirEntry(DirectoryEntry entry, ProfileRow& profileRow, StringCollection& emailAddresses, StringCollection& allDisplayNameAddresses, String userLogin)
   at KVS.Accelerator.ActiveDirectory.ADProfileSynchroniser.SynchroniseADEmployeeProfile(ProfileRow profileRow, StringCollection& allEmailAddresses, StringCollection& allDisplayNameAddresses, PropertyCollection& ADUserProps, String& ADSyncError)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

V-437-27

Type:  Error
Source:  Accelerator AD Synchronizer
Category: None
Event ID: 35
Description:
APP AT - Customer ID: 12 - An error occured while synchronising employee details for 'EVLab\tuser02'.
 System.DirectoryServices.DirectoryServicesCOMException (0x80072030): There is no such object on the server.
 at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
 at System.DirectoryServices.DirectoryEntry.Bind()
 at System.DirectoryServices.DirectoryEntry.get_AdsObject()
 at System.DirectoryServices.PropertyValueCollection.PopulateList()
 at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
 at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
 at KVS.Accelerator.Server.CentralProfileSynchroniser.SynchroniseAttributes(SyncProfileDS profileDS, Property Collection ADUserProps, ResultPropertyCollection DominoUserProps, Dictionary`2 adPropValues)
 at KVS.Accelerator.Server.CentralProfileSynchroniser.SynchroniseEmployeeProfile(SyncProfileDS profileDS, Dictionary`2 adPropValues)

V-437-35

 

Cause

Warning Event ID 27 or Error Event ID 35 in CA/VAS or DA appearing in the CA/VAS/DA Server's Enterprise Vault Event Log can be caused by the deletion of users from Active Directory (AD) or Lotus Domino Directory and CA/VAS or DA's subsequent inability to synchronize with them.  Within CA/VAS, these employees can be Monitored Employees or assigned some Application or Department level Role.  Within DA, these employees are typically assigned some Application or Case level Role, but they could also be configured in Custodian Manager as Custodians.

 

Resolution

The problem can be corrected by 

  1. for non-role assignment caused errors
    1. accessing the DA Custodian Manager site or launching the CA/VAS Client and deselecting the option to Automatically Synchronize Properties for each affected user, or
    2. accessing the DA Custodian Manager site or launching the CA/VAS Client and turning off the option to automatically detect and deactivate accounts
  2. for role assignment caused errors
    1. launching the CA/VAS or DA Client and accessing the Role Assignment option for the Application and each CA/VAS Department and DA Case, then removing any Roles listed for the affected user(s).

  

1.a.  Stopping synchronization of individual CA Monitored Employees

  1. Launch the CA/VAS Client using an account with Manage Employees application level permission, such as the Vault Service Account (VSA).
  2. Click on the Employees tab.
  3. Locate and select the affected Monitored Employee.
  4. Clear the check mark from the Automatically synchronize check box in the Windows account (or Domino account, if appropriate) section.
  5. Click the Save button in the lower right of the page.
 1.a. Stopping synchronization of individual DA Custodians
  1. Open a web browser session to the Custodian Manager home page (i.e., https://AcceleratorServer/CustodianManager ) as the VSA.
  2. Click on the Manage or Create Custodians link.
  3. Click the individual Custodian who has been deleted from AD (these will be noted with a red exclamation mark in the right-most column).
  4. Remove the check mark from the check box for the Automatically Synchronize Active Directory Properties option near the middle of the page.
  5. Click the OK button at the bottom of the page to save the change.

The display will return to the listing of Custodians, showing no check mark in the Synchronize column for each Custodian that has been removed from synchronization.  The web browser session may now be closed as needed.

Notes:

  1. Clicking on the Deactivate button at the bottom of the Custodian's page, followed by clicking the Yes button in the confirmation pop-up box that will follow, will also remove the Custodian from synchronizing with AD and remove the Custodian as a potential Target for any DA search with a search date range set to begin after the account was deactivated.
  2. Custodians that synchronize with Active Directory accounts that have those AD accounts deleted will automatically be deactivated in Custodian Manager.  These accounts are not allowed to be reactivated and their properties cannot be modified through the above steps.
1.b.  Stopping the automatic deactivation of CA/VAS Monitored Employees
 
CA/VAS has a configurable, built-in feature that will automatically remove an account's synchronization.  Three configuration options work together to determine when a profile will be deactivated to allow for synchronization to be stopped.  Those options are:
   a. Automatically detect deleted profiles and mark them as deactivated - this is a check box that is checked by default to enable this feature.
   b. Minimum days to wait before profiles are deactivated - this is set to 30 days by default.  This setting controls how many days must pass before a Monitored Employee's profile can be deactivated after the associated AD account has been deleted.
   c. Minimum number of failed synchronizations before deactivating profiles - this is set to 30 by default.  This setting controls how many times a Monitored Employee's synchronization must fail before the profile can be deactivated.
 
These three settings control the conditions that must be met before a Monitored Employee's CA/VAS profile will automatically be deactivated.  For example, using the default values, a Monitored Employee's profile will be deactivated when 30 synchronization attempts fail within a 30-day consecutive period.

To delay when the automatic deactivation occurs, adjust the Minimum days to wait before profiles are deactivated and Minimum number of failed synchronizations before deactivating profiles options to increase the values from the default of 30 to appropriate values up to 1024.
  1. Launch the CA/VAS Client using an account with the Manage System Configuration application level permissions, such as the VSA.
  2. Click on the Configuration tab.
  3. Click on the Settings sub-tab.
  4. Expand the Profile Synchronization folder.
  5. Locate and select either of the options.
  6. Modify the Value column entry for the option to increase the value as appropriate.
  7. Locate and select the other option.
  8. Modify the Value column entry to increase the value as appropriate.
  9. Click the Save button in the lower right of the page.
  10. Click the OK button in the pop-up dialog box to acknowledge the requirement to restart the Customer Background Tasks.
  11. Close the CA/VAS Client.
  12. Restart the Customer Background Tasks by either
    1. restarting the Enterprise Vault Accelerator Manager Service (EVAMS), or
    2. restarting the Customer Background Tasks through the EVBAAdmin site on the CA server.

 1.b.  Stopping the automatic deactivation of DA Custodians

DA has the same configurable, built-in feature that will automatically remove an account's synchronization.  The same three configuration options work together to determine when a profile will be deactivated to allow for synchronization to be stopped.  Note: These 3 configuration options are only valid for Lotus Domino Directory synchronized Custodians.

To delay the automatic deactivation, adjust the Minimum days to wait before profiles are deactivated and Minimum number of failed synchronizations before deactivating profiles options to increase the values from the default of 30 to appropriate values up to 1024.

  1. Log onto the DA server as the VSA.
  2. Launch a web browser (MS Edge or Google Chrome) to the Custodian Manager web site (i.e., https://AcceleratorServer/CustodianManager ).
  3. Click on the Settings link in the View Application Settings line.
  4. Click on the down arrow next to General in the Settings for option box..
  5. Select the Profile Synchronization option.
  6. Locate the Minimum days to wait before profiles are deactivated option.
  7. Click on the Edit link to the right of this option.
  8. Modify the Value column entry for the option to increase the value as appropriate (for example, increase from the default of 30 to the maximum of 1024).
  9. Click the OK link to the right of this option.
  10. Locate the Minimum number of failed synchronizations before deactivating profiles option (may be immediately below the other option).
  11. Click on the Edit link to the right of this option.
  12. Modify the Value column entry for the option to increase the value as appropriate (for example, increase from the default of 30 to the maximum of 1024).
  13. Click the OK link to the right of this option.
  14. Click on the Apply or OK button in the lower right of the page.
  15. Click on the OK button in the pop-up dialog box to acknowledge the requirement to restart the Customer Background Tasks.
  16. Click on the Close button to close the Settings page and return to the Custodian Manager home page.
  17. {Optional step} Close the web browser.
  18. Restart the Customer Background Tasks by either
    1. restarting EVAMS, or
    2. restarting the Customer Background Tasks through the EVBAAdmin site on the DA server.

  

Removing CA/DA Role Assignments

Refer to the appropriate product's Administrator's Guide:

  1. Veritas Enterprise Vault™ Compliance Accelerator Administrator's Guide | Assigning Compliance Accelerator roles to employees or groups | Click Remove to remove the selected role.
  2. Enterprise Vault™ Discovery Accelerator Administrator's Guide | Assigning Discovery Accelerator roles to users | Click Remove to remove the selected role.

 

 

 

 

Issue/Introduction

Enterprise Vault (EV) Compliance Accelerator (CA)/Veritas Advanced Supervision (VAS) or Discovery Accelerator (DA) produces errors or warnings when attempting to synchronize users who no longer exist in Active Directory.
Powered by Wolken Software