BOE-XI (R2) : Lost/Corrupted Synch to WinAD 3

MJRBIM

BOE-XI (R2)
_________________

Thought I would post this issue here before I have a long conversation with someone on the BOBJ support desk in Bangalore....

Sometime middle-to-late last week, we "lost" about 200 WinAD groups from our BOE-XI (R2) environment.

The groups remaining are all in alphabetical order from the start of the WinAD branch through to the failure point.

EXAMPLE ->

GROUP_AA
GROUP_AB
GROUP_AC
GROUP_AD
GROUP_AE
GROUP_AF
GROUP_AG
GROUP_AH

There are many more groups in WinAD (eg. GROUP_AI, GROUP_AJ, etc) - but they no longer appear in the GROUPS or AUTHENTICATION windows in CMC.

We think that there may have been a network issue at some point while the CMC was in the middle of a synch with WinAD, and the rest of the WinAD groups were dropped.

Questions I would like to answer are -

1.) What happens if the CMC connection to WinAD is interrupted during an update? Does it revert back to last good settings, or just take what it has synched so far..?

2.) Does CMC auto-synch with WinAD at any time other than when the UPDATE button is clicked in the CMC AUTHENTICATION window? If so, what is the auto-synch cycle...?

3.) Are WinAD/CMC synchs or errors written anywhere in the error logs of the servers or into the AUDITOR database for BOE-XI?

4.) Is there any recovery method that retains previous WinAD Groups and Folder-Security rights if WinAD groups are dropped..?

Right now, we are manually reimporting and reassigning Folder rights.

Thanks in advance for the advice.
 
A long time ago I had a similar experience on a much smaller scale.

Can't offer you a reason or a fix for 1,2,3, but I can share what I did in respect to 4. to reduce the impact on your security model should it happen again.

For each WinAD group, create a corresponding Enterprise group and make the WinAD group a subgroup of the Enterprise group. Then grant all of your folder permissions only to the Enterprise group. Do not grant any folder permissions to WinAD groups. That way your folder security model is no longer dependent on the existence or integrity of the WinAD groups. If you ever lose a WinAD group, you then "only" need to get it back via CMC Authentication and reestablish it as a subgroup of your corresponding Enterprise group. The members of the WinAD group will then immediately have access to the correct folders again.

Malcolm.

 
Thanks for the advice - that's what we are considering for moving forward after we get everyone restored.

We are about 1/2 way there....
 
Hi,
Great tip, malcolmt

That will solve an occasional issue we have when the AD admin changes the tree and removes a group we are using in BOE (very rare and usually our fault for not updating the admin's info about the groups we create).

Another star for you...

To Paraphrase: "The Help you get is proportional to the Help you give.."
 
to 1) Don't know actually, but I think the process compares existing AD groups with groups in BOE step by step. So if the process is interrupted it will stop, but the changes till that point will remain.

to 2) Yes. There is a registry key for that. HKEY_LOCAL_MACHINE\SOFTWARE\Crystal Decisions\9.0\Enterprise\Auth Plugins\secLDAP\GraphTimeout

Please set to 0 for unlimited. It is set to 15 minutes by default.

The only problem with setting this value to 0 is that you will have to manually update the system once a week (with the update button in LDAP authentication).

It is described for CE9 but should work for BOXI R2, too.

to 3) As far as I know there are entries in the error logs, but it's not easy to read the logs.

to 4) Only if you have a backup of your system (system DB and File Repository)

Greets
Bleuys
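
A way to tell the loss pattern from the first post (everything after an alphabetical failure point gone) apart from the scattered removals mentioned later in the thread, as an added example that is not part of any post here. It assumes the group names have been exported from AD and from CMC as plain lists and that the order is case-insensitive by name; the function name and sample names are hypothetical.

```python
# Added example: classify which AD-mapped groups are missing from CMC.
# All group names below are constructed sample data.

def classify_group_loss(ad_groups, cmc_groups):
    """Compare groups expected from AD with the groups present in CMC."""
    key = str.casefold                       # assumed ordering: by name, ignoring case
    expected = sorted(set(ad_groups), key=key)
    present = {key(g) for g in cmc_groups}
    surviving = [g for g in expected if key(g) in present]
    missing = [g for g in expected if key(g) not in present]

    if not missing:
        pattern = "complete"
    elif not surviving:
        pattern = "all_missing"
    elif key(surviving[-1]) < key(missing[0]):
        # Every survivor sorts before every missing group: one cut-off point.
        pattern = "truncated"
    else:
        # Gaps are interleaved with survivors: individual groups were removed.
        pattern = "scattered"

    return {
        "pattern": pattern,
        "last_surviving": surviving[-1] if surviving else None,
        "first_missing": missing[0] if missing else None,
        "missing": missing,
    }


# Constructed sample: AD has GROUP_AA..GROUP_AJ, CMC stops after GROUP_AH.
AD_SAMPLE = ["GROUP_A" + c for c in "ABCDEFGHIJ"]
CMC_TRUNCATED = ["GROUP_A" + c for c in "ABCDEFGH"]
# Constructed sample: two individual groups gone from the middle.
CMC_SCATTERED = [g for g in AD_SAMPLE if g not in ("GROUP_AC", "GROUP_AG")]

if __name__ == "__main__":
    for label, cmc in (("truncated", CMC_TRUNCATED), ("scattered", CMC_SCATTERED)):
        result = classify_group_loss(AD_SAMPLE, cmc)
        print(label, "->", result["pattern"],
              "| last surviving:", result["last_surviving"],
              "| missing:", ", ".join(result["missing"]))
```

Run against a saved export after each update, the `missing` list also gives the set of groups to re-map and re-attach.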
 
Thanks Bleuys, better detail than I got from BOBJ Bangalore....
 
You can also run the 'createenterprisealiases' script to set up each user as both AD and Enterprise, so they will not disappear if the mapped group disappears.
