Hello,

A customer is running the following setup:

IdM 4.5.5 running on SLES 11 SP4.

AD driver version: 4.0.2.0

AD Domain functional level: 2008 R2
AD Forest functional level: 2008 R2

About 3 months ago, something strange started happening. Users are added as group members on groups in IdM. This part is fine, and I can also see in the AD driver trace that the event is sent to AD and a success is received.

But they are not added as members in AD. There is no error in the AD driver trace or the remote loader trace. There is no remove membership received by IdM (as in the user is removed as a member in AD).

The user is still a member in IdM, it is only in AD that the user is not a member.

This happens on different groups and with different users. There is no pattern. It is quite rare.

They have 3 DCs. I have connected to each of them to check if the users are members in the groups they should be. They are not members on any of the DCs.

There are no errors in the event viewer.

The customer, to their knowledge, has not changed anything in their AD setup.

So what happens:

1. User is added to a group in IdM
2. Event is received by AD driver
3. RL trace shows that the user is added to the group, and success is received:

Code:
DirXML: [02/01/18 09:42:51.93]: Loader: Received 'subscriber execute' document
DirXML: [02/01/18 09:42:51.93]: Loader: XML Document:
DirXML: [02/01/18 09:42:51.93]: <nds dtdversion="4.0" ndsversion="8.x">
	<source>
		<product edition="Advanced" version="4.5.5.0">DirXML</product>
		<contact>NetIQ Corporation</contact>
	</source>
	<input>
		<modify cached-time="20180201084247.678Z" class-name="group" event-id="idv01#20180201084247#1#4:99b9486f-8440-41a9-adb2-6f48b9994084" qualified-src-dn="O=top\OU=idv\OU=containments\OU=AD-groups\OU=Mailgrupper\CN=_Visitatorer" src-dn="\IDVTREE\top\idv\containments\AD-groups\Mailgrupper\_Visitatorer" src-entry-id="53478" timestamp="1517474567#21">
			<association state="associated">840dff6cfafecf4f859fa9167bf56190</association>
			<modify-attr attr-name="member">
				<add-value>
					<value timestamp="1517474567#21" type="dn">\IDVTREE\top\idv\entities\users\dg7382</value>
				</add-value>
			</modify-attr>
		</modify>
	</input>
</nds>
DirXML: [02/01/18 09:42:51.93]: Loader: Calling subscriptionShim->execute()
DirXML: [02/01/18 09:42:51.93]: Loader: XML Document:
DirXML: [02/01/18 09:42:51.93]: <nds dtdversion="4.0" ndsversion="8.x">
	<source>
		<product edition="Advanced" version="4.5.5.0">DirXML</product>
		<contact>NetIQ Corporation</contact>
	</source>
	<input>
		<modify cached-time="20180201084247.678Z" class-name="group" event-id="idv01#20180201084247#1#4:99b9486f-8440-41a9-adb2-6f48b9994084" qualified-src-dn="O=top\OU=idv\OU=containments\OU=AD-groups\OU=Mailgrupper\CN=_Visitatorer" src-dn="\IDVTREE\top\idv\containments\AD-groups\Mailgrupper\_Visitatorer" src-entry-id="53478" timestamp="1517474567#21">
			<association state="associated">840dff6cfafecf4f859fa9167bf56190</association>
			<modify-attr attr-name="member">
				<add-value>
					<value timestamp="1517474567#21" type="dn">\IDVTREE\top\idv\entities\users\dg7382</value>
				</add-value>
			</modify-attr>
		</modify>
	</input>
</nds>
DirXML: [02/01/18 09:42:51.93]: ADDriver: parse command

  className    group
  destDN       
  eventId      idv01#20180201084247#1#4:99b9486f-8440-41a9-adb2-6f48b9994084
  association  840dff6cfafecf4f859fa9167bf56190
DirXML: [02/01/18 09:42:51.93]: ADDriver: parse modify class = group
DirXML: [02/01/18 09:42:51.93]: ADDriver:   association
DirXML: [02/01/18 09:42:51.93]: ADDriver:     840dff6cfafecf4f859fa9167bf56190
DirXML: [02/01/18 09:42:51.93]: ADDriver:   modify-attr
DirXML: [02/01/18 09:42:51.93]: ADDriver:     add-value
DirXML: [02/01/18 09:42:51.93]: ADDriver:       value
DirXML: [02/01/18 09:42:51.93]: ADDriver:         \IDVTREE\top\idv\entities\users\dg7382
DirXML: [02/01/18 09:42:51.94]: ADDriver: ldap_modify group CN=_Visitatorer,OU=Mailgrupper,OU=Grupper,OU=Org,OU=480,DC=intern,DC=nordfynskommune,DC=dk
LDAPMod operations:
DirXML: [02/01/18 09:42:51.94]: Loader: subscriptionShim->execute() returned:
DirXML: [02/01/18 09:42:51.94]: Loader: XML Document:
DirXML: [02/01/18 09:42:51.94]: <nds ndsversion="8.7" dtdversion="1.1">
	<source>
		<product version="4.0.2.0" asn1id="" build="20150918_120000" instance="\IDVTREE\top\system\IDMDriverSet01\ad01">AD</product>
		<contact>NetIQ Corporation</contact>
	</source>
	<output>
		<status level="success" event-id="idv01#20180201084247#1#4:99b9486f-8440-41a9-adb2-6f48b9994084"/>
	</output>
</nds>
DirXML: [02/01/18 09:42:51.94]: 
DirXML Log Event -------------------
    Driver  = \IDVTREE\top\system\IDMDriverSet01\ad01
    Thread  = Subscriber Channel
    Object  = \IDVTREE\top\idv\containments\AD-groups\Mailgrupper\_Visitatorer
    Level   = success
DirXML: [02/01/18 09:42:58.05]: Loader: Received 'subscriber execute' document
4. The user is NOT added as a member in AD
5. There is no event coming from AD saying that the user should be removed in IdM
6. User is still a member in IdM

I have no idea how to troubleshoot this.

Any ideas?

Thanks in advance,

Jacob.
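One thing that stands out in the trace quoted above is that nothing follows the "LDAPMod operations:" line before the shim returns success. The parser below is an added example for working through a Remote Loader trace; it is not part of the post and not NetIQ's code. It assumes the layout shown in the post (a "Calling subscriptionShim->execute()" document carrying the <modify>, an "ADDriver: ldap_modify <class> <DN>" line, the "LDAPMod operations:" list, then the returned <status>), and it assumes that a trace in which the driver actually built a modification lists one or more lines under "LDAPMod operations:" (the wording of those lines is not known from the post and is only constructed here). It pairs each group <modify> with its returned status by event-id, flags events that came back "success" with an empty LDAPMod list, and produces (AD group DN, IdM member DN) pairs that can be checked against each DC. The sample trace is a trimmed copy of the one quoted in the post, plus a constructed "healthy" variant.

```python
"""Flag AD-driver group-membership modifies acknowledged with success
although the Remote Loader trace shows no LDAP modification being built."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Remote Loader lines carry "DirXML: [timestamp]: "; the continuation lines of
# an embedded XML document and the LDAPMod lines do not.
PREFIX = re.compile(r"^DirXML: \[[^\]]+\]: ?")


@dataclass
class MembershipEvent:
    event_id: str
    group_src_dn: str = ""                      # IdM DN of the group
    group_ldap_dn: str = ""                     # AD DN given to ldap_modify
    added: list = field(default_factory=list)   # IdM DNs from <add-value>
    ldapmod_lines: list = field(default_factory=list)  # lines after 'LDAPMod operations:'
    status: str = ""                            # level of the returned <status>


def parse_trace(text):
    """Return membership events keyed by event-id."""
    events, lines, current, collecting, i = {}, text.splitlines(), None, False, 0
    while i < len(lines):
        raw = lines[i]
        line = PREFIX.sub("", raw)
        if collecting:
            if raw.startswith("DirXML:"):
                collecting = False           # a prefixed line ends the mod list
            else:
                if line.strip():
                    current.ldapmod_lines.append(line.strip())
                i += 1
                continue
        if line.startswith("<nds"):
            doc = [line]                     # gather the document up to </nds>
            while not doc[-1].strip().startswith("</nds>"):
                i += 1
                doc.append(PREFIX.sub("", lines[i]))
            root = ET.fromstring("\n".join(doc))
            for mod in root.iter("modify"):
                if mod.get("class-name") != "group":
                    continue
                eid = mod.get("event-id")
                ev = events.setdefault(eid, MembershipEvent(eid))
                ev.group_src_dn = mod.get("src-dn", "")
                for attr in mod.findall("modify-attr"):
                    if attr.get("attr-name") == "member":
                        ev.added = [v.text for v in attr.findall("add-value/value")]
                current = ev
            for st in root.iter("status"):
                if st.get("event-id") in events:
                    events[st.get("event-id")].status = st.get("level", "")
        elif line.startswith("ADDriver: ldap_modify ") and current is not None:
            current.group_ldap_dn = line.split(" ", 3)[3]
        elif line.strip() == "LDAPMod operations:" and current is not None:
            collecting = True
        i += 1
    return events


def silent_successes(events):
    """Events returned as 'success' while no LDAPMod line was traced."""
    return [e for e in events.values() if e.status == "success" and not e.ldapmod_lines]


def reconcile_list(events):
    """(AD group DN, IdM member DN) pairs to verify on every DC."""
    return [(e.group_ldap_dn, m) for e in events.values() for m in e.added]


# Trimmed copy of the trace quoted in the post (attributes not needed here removed).
SAMPLE_TRACE = r"""DirXML: [02/01/18 09:42:51.93]: Loader: Calling subscriptionShim->execute()
DirXML: [02/01/18 09:42:51.93]: Loader: XML Document:
DirXML: [02/01/18 09:42:51.93]: <nds dtdversion="4.0" ndsversion="8.x">
  <input>
    <modify class-name="group" event-id="idv01#20180201084247#1#4:99b9486f-8440-41a9-adb2-6f48b9994084" src-dn="\IDVTREE\top\idv\containments\AD-groups\Mailgrupper\_Visitatorer">
      <association state="associated">840dff6cfafecf4f859fa9167bf56190</association>
      <modify-attr attr-name="member">
        <add-value>
          <value type="dn">\IDVTREE\top\idv\entities\users\dg7382</value>
        </add-value>
      </modify-attr>
    </modify>
  </input>
</nds>
DirXML: [02/01/18 09:42:51.94]: ADDriver: ldap_modify group CN=_Visitatorer,OU=Mailgrupper,OU=Grupper,OU=Org,OU=480,DC=intern,DC=nordfynskommune,DC=dk
LDAPMod operations:
DirXML: [02/01/18 09:42:51.94]: Loader: subscriptionShim->execute() returned:
DirXML: [02/01/18 09:42:51.94]: Loader: XML Document:
DirXML: [02/01/18 09:42:51.94]: <nds ndsversion="8.7" dtdversion="1.1">
  <output>
    <status level="success" event-id="idv01#20180201084247#1#4:99b9486f-8440-41a9-adb2-6f48b9994084"/>
  </output>
</nds>
"""

# Constructed variant: same event with one mod line listed (the wording of real
# mod lines is an assumption; only their presence matters to the check).
HEALTHY_TRACE = SAMPLE_TRACE.replace("LDAPMod operations:\n",
                                     "LDAPMod operations:\n  member: add dg7382\n")
```

Run it over a full Remote Loader trace file (read the file into `parse_trace`) and print `silent_successes(...)`; each flagged event gives the AD group DN and the IdM member DN, which is the pair to look up on all three DCs. A success status with an empty LDAPMod list means the shim reported success without the trace showing a modification being built, which is a narrower thing to investigate than the membership itself.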