GW2014 R2 SP1 Upgrade - Domain Synchronization Problem

I am upgrading from 14.0.2 to 14.2.1 (SLES 11 SP4) and have a problem when I import new accounts from AD.

I have a primary domain, PRIDOM, and a secondary domain, SECDOM1, both running on the same server. I have another secondary domain, SECDOM2, running on its own server. SECDOM1 has post office PO1 and SECDOM2 has post office PO2. My GW client (14.0.2) uses ngwnameserver which resolves to PO1 under SECDOM1.

When I import a new account, "fred", from AD into PO2, the GW client is unable to log in "fred", returning the error: "User ID "fred" is not found". If I change the GW client to point to PO2, "fred" is able to log in.

If I move "fred" from PO2 to PO1 and, then, back to PO2, "fred" is subsequently able to log in with the GW client pointing to ngwnameserver. When "fred" is imported into PO1, there are no problems.

We had no problems like this with 14.0.2.

My experience with GW is, regrettably, limited but it seems that PRIDOM is not being updated when I add an account in SECDOM2.

Any help or suggestions for additional troubleshooting are appreciated.

  • Hi CB,

    Sounds to me like Admin messages aren't flowing from SECDOM2 up to your Primary Domain being PRIDOM. If this flow of administrative messages is somehow hampered then no other domain, and thus no other Post Office will know that the user exists.

    I would check the domain directories \wpcsin\2\ and \wpcsout\2\ for stuck messages. Take a look there and let us know if you see anything.
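
One way to run the check suggested above across a whole domain directory, as an added example that is not part of the original thread. It assumes the Linux layout with lowercase `wpcsin/2` and `wpcsout/<link>/2` directories under the domain directory, and the 15-minute default threshold is an arbitrary choice:

```shell
#!/bin/sh
# Added example: list files that have been sitting in a GroupWise
# domain's wpcsin/2 and wpcsout/*/2 queue directories for longer
# than a threshold, i.e. candidates for "stuck" messages.
#
# Usage: stuck_admin_messages DOMAIN_DIR [MINUTES]
stuck_admin_messages() {
    domain_dir=$1
    max_age=${2:-15}   # assumed threshold in minutes, tune to your system

    if [ ! -d "$domain_dir" ]; then
        echo "no such domain directory: $domain_dir" >&2
        return 2
    fi

    # wpcsout has one subdirectory per link (e.g. "ads"), each with
    # its own numbered queue directories; only the "2" queues are checked.
    for q in "$domain_dir"/wpcsin/2 "$domain_dir"/wpcsout/*/2; do
        [ -d "$q" ] || continue
        # -mmin +N matches files last modified more than N minutes ago
        find "$q" -type f -mmin +"$max_age" -print
    done
}

# When run as a script with arguments, perform the check directly.
[ "$#" -eq 0 ] || stuck_admin_messages "$@"
```

An empty result means nothing older than the threshold is waiting in those queues, which matches what was reported later in this thread.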

  • Hi Laura,

    Thank you for the suggestion! There were no stuck messages anywhere but you got me to looking around some more. The MTA log files show that "fred" was successfully added and replicated across all of the domains. Timestamps on the wpcsin\2 and wpcsout\ads\2 directories and wpdomain.db files seem to support that.

    The POA logs, however, turned up something interesting. First, let me amend and expand the description of my environment. PRIDOM, SECDOM1, SECDOM2 and PO2 are all 14.2.1. PO1 (in SECDOM1) is still 14.0.2. I have a 3rd secondary domain, SECDOM3 with PO3; both are 14.2.1.

    When I add "fred" to PO2, I see the MTA logs show him being replicated across the domains. The POA logs for PO2 and PO3 show him being added: "Completed: Update object in post office". I do not see this message in PO1's log. If I delete "fred" from PO2, I see the message "Completed: Delete object from post office" in all three POA logs. There are no stuck messages in the wpcsin or wpcsout directories.

    So, it's beginning to look like SECDOM1 isn't adding "fred" to PO1. When I add "jane" to PO1, the POA logs show her added to all of the other POs.

    I plan to upgrade PO1 to 14.2.1 tomorrow a.m.

    Brilliant run by van Niekerk! Congrats to R.S.A.

  • Hi CB

    I'm going to wait for you to complete your upgrade and then let us know if your issue persists before digging any deeper - if that's okay with you?

    Please do let us know how it goes.

    Yes, van Niekerk did very well. Thank you :)

  • Makes sense. I'll let you know how it goes. <fingers-crossed>
  • Good news! After I upgraded PO1 to 14.2.1, I can add "fred" to PO2 and he replicated to PO1.

    Some not so good news: "fred" was in PO2 before I upgraded PO1. After the upgrade, "fred" was still not visible in PO1; I had to delete him from and re-add him to PO2 in order to make him visible in PO1.

    Is there a way to "re-sync" a PO?

  • Hi,

    I'd start at the POA missing the entry for Fred and do a Rebuild of Indexes. If that doesn't grab it I'd move up the chain to the Domain owning the POA missing Fred and do a Rebuild of Indexes there and then move down the chain again. In my experience this has been sufficient to kick things loose.

  • O bother. That didn't work (but it's good to know about that tool. thx!). I have a few more 14.0.2 POs under SECDOM1. After I upgrade them, I'll run the re-index to see if that solves the problem.

    I appreciate the assistance; learning more every day.

  • Hi,

    In my opinion a top-down rebuild could possibly be needed, but I'd leave that as a last resort. Please keep us updated.

  • Okay.... I upgraded all of my POs to 14.2.1. That fixed the problem of a new account not being propagated to a 14.0.2 PO under a 14.2.1 domain. Unfortunately, re-indexing the newly upgraded POs did not fix the visibility problems of accounts added while we were in a mixed 14.2.1 / 14.0.2.

    I found, however, that making a change to one of these accounts which GW propagates to the other POs fixed the problem on a case-by-case basis. Specifically, I changed the account's Visibility in the Admin Console from System to Post Office, saved it, changed the Visibility from Post Office back to System, and saved it. I could see where the changes were propagated in all of the PO logs. Unless fixing this on a case-by-case basis proves unwieldy (our exposure is only about 17 days), I think I'll pass on the top-down rebuild solution. It seems there is a bug in 14.2.1 whereby a 14.0.2 PO does not successfully process some ADM changes sent to it from a 14.2.1 domain. There are no messages hung in the domain or PO wpcsin and wpcsout directories and the directory timestamps indicate that messages were, indeed, passed. The PO logs don't record any errors.

    Just my lucky week. Phew.
  • Hi CB,

    I honestly can't confirm whether this is a bug or not as I don't have a similar environment. If you are satisfied that all is working now then I am happy.

    Thanks for reporting back. I must admit that I've found your issues rather curious as I've never seen/heard of anything quite like it!

    Take care,