Daily Journal – Apr 6, 2017

Today is the fourth day and wow, time sure flies.

So what did I do today?

For starters, I actually went to update the Installation of Password Synchronization Agent Guide to include the steps to prevent Windows from loading the agent’s DLL and attaching it to the lsass module.

Next, I spent quite a fair bit of time trying to troubleshoot and understand why the Password Synchronization didn’t work. I did the troubleshooting in my company’s lab environment and had to do a lot of reading up. I also spent quite some time staring at the logs before I understood what was going on.

Apparently, there was an issue with the Notification Queue. The Identity Manager was unable to process the notifications and synchronize the changes made to the Provisioning Directory triggered by the Provisioning Server.

So I tried to clear as many failing Notification Objects as possible by using an LDAP explorer. However, it soon became obvious that deleting problematic notifications one by one wasn’t going to help. Put it this way: at first, I didn’t want to nuke the whole Notification Queue because I wasn’t sure what the effects were. But I relented in the end. I stopped all CA-related Windows Services and then I executed the empty database command on the Notification Queue. In case you are wondering, the Notification Queue is basically an LDAP-compliant directory.

Then I started up the services again and attempted to do a Password Reset for a correlated user account in the Active Directory.

And it worked!

The user account in the Identity Manager was updated with the new password. I also saw the Password Reset event in the event listing.

Then I switched focus to discussing the project that needed Kong with my colleague. As described in yesterday’s journal, Kong appended a “/” at the back and I was asking him if the upstream application is able to handle the additional “/” leniently. I know some systems see the ending slash as an indication that the client is requesting a directory instead of a file. It’s particularly problematic for RESTful APIs over HTTP. But my colleague said he will have to review the code for the main application, which so happens to be the intended upstream system.

By then, it was about 2.30pm already. So I decided to join my other colleague, also a manager, for a meeting at the customer’s office building on a change request. During the meeting, I wasn’t especially focused on what they were saying. Rather, I was focused on creating a JIRA ticket and updating it with as much information as I could about the Password Synchronization failure and the Notification Queue.

Then after the meeting, I went up to the main office area, took the SIT laptop and connected back to the servers where I could replicate the actions that I took. However, since the customer’s Active Directory person wasn’t there, there was no way we could test the password synchronization in the actual environment. It’s a bummer but at least we got that queue issue out of the way.

Then on the way home, I also shared my discovery of Kong and my thoughts with my colleague.

With that, upon reaching home I got down to catching up on some TV series while also preparing the guide on how to resolve the issue with the notification queue. As of this moment, I’m still preparing the guide.

Here I conclude my journal for today.