
Multiple AD Integration Question

We have two AD integrations currently and an issue we are seeing is that there are some overlapping names in each AD instance which causes Flexnet to overwrite the data. Has anyone experienced this issue in the past and if so, what did you do to fix it? Thanks in advance. 


(8) Replies
mfranz

Hi,

Could you please be specific on:

  • How did you notice the overlap?
  • What data is overwritten?
  • To which object does it belong, e.g. user?
  • Can you tell any details on how this is happening? Is it happening as part of the inventory import?
  • Is the data changing back and forth?

Best regards,

Markward

We noticed the overlap when going to license a user and noticed that the account name didn't match the user's name.

The user's data from AD is changing back and forth each time the AD inventory import occurs. That information includes location, name, phone #, address, etc.

A quick example of exactly what is happening would be that the first AD integration runs and updates info for account name ABC123, the 2nd AD integration runs but also has a user ABC123 and now updates all the user info from the 2nd integration.

As the standard FNMS AD interface does not import location, phone # etc, this sounds as if you did configure your own Active Directory integration using a Business Adapter (MGSBI).

When configuring the AD integration (see attached screenshot):

  1. You import an object of type "Compliance Domain" before importing the "User" type object
  2. For the user object, you populate at least both the "Account Name" as well as the "Domain ID" property
  3. For the value for the "Domain ID", you use the "Domain_ID" value that is populated from the "Domain" object that you imported previously.
  4. For both the "Account Name" property as well as for the "Domain ID" property, the checkbox "Use this property for matching existing data" needs to be checked.

This configuration will prevent AD users having the same sAMAccountName but coming from different Windows domains from overwriting their user properties, as both sAMAccountName as well as the name of the Domain need to match.

Do you know what the AD attributes are to bring in the domain information? Thank you

Hi rclark0,

For Active Directory (AD) users, you would typically use the 'distinguishedName' user property.

The 'distinguishedName' attribute value for any AD user will typically have the following format:

    CN=<sAMAccountName>,CN=Users,DC=<domain>,DC=<domain-ending>

As you are interested in <domain>.<domain-ending> for matching this user property to the 'Qualified Name' Windows domain property only, you can use data transformation features in the Business Adapter configuration when populating the "Qualified Name" field.

This is shown in the screenshot attached to this post.
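The matching behaviour discussed in this thread, as an added example that is not part of any post and is not Flexera or Business Adapter code: it derives the qualified domain name from the DC components of 'distinguishedName' and compares an import keyed on account name alone with one keyed on account name plus domain. The sample records, the `domain` key and all function names are constructed for illustration.

```python
import re

# Constructed sample records standing in for exports from two AD sources.
SAMPLE_USERS = [
    {"sAMAccountName": "ABC123", "displayName": "Alice Example",
     "distinguishedName": "CN=ABC123,CN=Users,DC=corp,DC=example"},
    {"sAMAccountName": "ABC123", "displayName": "Bob Sample",
     "distinguishedName": "CN=ABC123,OU=Staff\\, Temp,DC=emea,DC=example,DC=test"},
]

def domain_from_dn(dn):
    """Return '<domain>.<domain-ending>' built from the DC= parts of a DN."""
    # Split on commas, but keep backslash-escaped commas inside one RDN.
    rdns = [p.strip() for p in re.findall(r"(?:\\.|[^,\\])+", dn)]
    labels = [p.split("=", 1)[1] for p in rdns if p.upper().startswith("DC=")]
    if not labels:
        raise ValueError(f"no DC components in DN: {dn!r}")
    return ".".join(labels).lower()

def merge(records, key_fields):
    """Last-writer-wins upsert on key_fields, the way a matching import behaves."""
    store = {}
    for rec in records:
        rec = dict(rec, domain=domain_from_dn(rec["distinguishedName"]))
        key = tuple(rec[f].lower() for f in key_fields)
        store[key] = rec  # a record with the same key overwrites the earlier one
    return store

def find_collisions(records):
    """Account names present in more than one domain, for review before import."""
    seen = {}
    for rec in records:
        name = rec["sAMAccountName"].lower()
        seen.setdefault(name, set()).add(domain_from_dn(rec["distinguishedName"]))
    return {name: sorted(doms) for name, doms in seen.items() if len(doms) > 1}

if __name__ == "__main__":
    by_name = merge(SAMPLE_USERS, ["sAMAccountName"])
    by_name_and_domain = merge(SAMPLE_USERS, ["sAMAccountName", "domain"])
    print("keyed on account name only:", len(by_name), "user record(s)")
    print("keyed on account name + domain:", len(by_name_and_domain), "user record(s)")
    print("collisions:", find_collisions(SAMPLE_USERS))
```
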

Thank you for all of your help.

Hi rclark0,

Are you using the standard FNMS Active Directory (AD) interface where the export is configured on the "Active Directory" page on a Beacon, or did you configure your own integration using a Business Adapter (MGSBI)? Which release of FNMS do you use?

Also, can you clarify please if in the Active Directory instances that you are importing data from:

  • There are users having identical sAMAccountName and different Windows domains, or
  • There are users having identical sAMAccountName and identical Windows domain names

If you have sample AD users with overlapping names from different AD sources, could you check in the [FNMSCompliance] database in the [ImportedActiveDirectoryUser], [ActiveDirectoryUser] as well as in the [ComplianceUser] views if these users are distinct, please?

We are using the standard AD integration from the Active Directory import on the beacon. These users have the same sAMAccountName but are on two different domains.