Active Directory not keeping in Sync with Enterprise Console.

Hi all,

Using Enterprise Console 5.2.2 with approx 200 managed devices.

Anyone know of sync issues between AD and the console? What is the best practice to stop issues where renaming of devices and/or removing them from the domain causes them to go out of sync with the Console? We have a few devices now showing in Unassigned, and then a greyed-out duplicate in the correct OU within the sync folders. Very frustrating. It doesn't stop it from working, but it is more difficult to manage.

Regards,

Hello ChrisSnape,

most issues are unexpected consequences of the design and its limitations. I'll try to give you a short overview; hopefully it's of some help in your situation.

AD sync mirrors the containers, creating the equivalent subgroups in SEC or deleting those subgroups which no longer have an AD counterpart. It compares the computer objects in the relevant AD OUs with the computers in the relevant SEC groups. From AD it considers just the (pre-W2k) name and OS (if set), but not a possible disabled attribute. The considered attributes in SEC are name, OS/SP, domain/workgroup and the managed flag.
For AD computers which do not exist in the SEC group, sync searches all SEC groups; if a match is found (Sophos already installed, managed, correct domain) it is moved to the appropriate SEC group, otherwise an unmanaged entry is created.
Computers in a synced SEC group without a matching AD object are moved to the Unassigned group.

Thus if an endpoint in a synced group is unjoined (it's still managed but now reports a workgroup) but the AD object is not deleted, it's moved to Unassigned and an unmanaged computer is created in the synced group. If an AD computer object is moved to an OU outside the sync scope, the SEC computer is also moved to Unassigned. A local rename of an endpoint should eventually be reflected in AD, but it can take some time until everything is in sync again.

The logic has been revised several times (read: there were issues and I won't rule out that certain sequences still could cause inconsistencies) and seems to do what it should (at least for Windows endpoints).

Christian
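The reconciliation rules described in the reply above, as an added model that is not part of the original thread and not Sophos's code. It follows the stated matching attributes (AD: pre-W2k name and OS if set, disabled flag ignored; SEC: name, OS, domain/workgroup, managed flag) and the two outcomes (move to Unassigned; search all groups, then move or create an unmanaged entry). The order of the two passes, the `synced_ous` OU-to-group mapping, and the sample computers are assumptions constructed to reproduce the unjoined-endpoint duplicate and the out-of-scope move that the thread complains about.

```python
"""Model of the Enterprise Console (SEC) AD-sync reconciliation described above.

Constructed illustration, not Sophos code. Matching rules follow the post;
the pass order and the case-insensitive name comparison are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

UNASSIGNED = "Unassigned"


@dataclass
class AdComputer:
    name: str                    # pre-Windows 2000 computer name
    ou: str                      # OU the object lives in
    os: Optional[str] = None     # operatingSystem attribute, may be unset
    disabled: bool = False       # ignored by sync, per the post


@dataclass
class SecComputer:
    name: str
    group: str                   # SEC group the computer sits in
    domain: str                  # domain or workgroup the endpoint reports
    managed: bool
    os: Optional[str] = None


def _matches(ad: AdComputer, sec: SecComputer, domain: str) -> bool:
    """AD object and SEC entry match on name, domain and (if both set) OS."""
    if ad.name.lower() != sec.name.lower():
        return False
    if sec.domain.lower() != domain.lower():
        return False
    if ad.os is not None and sec.os is not None and ad.os != sec.os:
        return False
    return True


def sync(ad: list[AdComputer], sec: list[SecComputer],
         synced_ous: dict[str, str], domain: str) -> list[SecComputer]:
    """Reconcile SEC entries with AD and return the new SEC entry list.

    synced_ous maps each AD OU in scope to the SEC group that mirrors it
    (assumed structure; the post only says containers are mirrored).
    """
    sec = [SecComputer(**vars(c)) for c in sec]          # work on a copy
    synced_groups = set(synced_ous.values())

    # Pass 1: SEC computers in a synced group with no matching AD object in the
    # mirrored OU go to Unassigned. This covers deleted objects, objects moved
    # out of scope, and unjoined endpoints (domain no longer matches).
    for c in sec:
        if c.group not in synced_groups:
            continue
        in_scope = [a for a in ad if synced_ous.get(a.ou) == c.group]
        if not any(_matches(a, c, domain) for a in in_scope):
            c.group = UNASSIGNED

    # Pass 2: AD objects in scope with no match in their target group are
    # searched for in every SEC group; a managed entry in the right domain is
    # moved in, otherwise an unmanaged placeholder is created. The disabled
    # attribute is deliberately not consulted, as the post states.
    for a in ad:
        target = synced_ous.get(a.ou)
        if target is None:
            continue
        if any(c.group == target and _matches(a, c, domain) for c in sec):
            continue
        candidate = next((c for c in sec if c.managed and _matches(a, c, domain)), None)
        if candidate is not None:
            candidate.group = target
        else:
            sec.append(SecComputer(a.name, target, domain, managed=False, os=a.os))
    return sec


def demo() -> dict[str, list[tuple[str, str, bool]]]:
    """Constructed scenarios from the thread; returns (name, group, managed) per case."""
    ou = "OU=Workstations,DC=corp,DC=example"
    ous = {ou: "Sync\\Workstations"}
    dom = "CORP"
    out = {}

    # 1. Endpoint unjoined (reports WORKGROUP) but its AD object was kept:
    #    managed entry lands in Unassigned, unmanaged duplicate appears in the group.
    ad = [AdComputer("PC1", ou)]
    sec = [SecComputer("PC1", "Sync\\Workstations", "WORKGROUP", managed=True)]
    out["unjoined"] = [(c.name, c.group, c.managed) for c in sync(ad, sec, ous, dom)]

    # 2. AD object moved to an OU outside the sync scope.
    ad = [AdComputer("PC2", "OU=Retired,DC=corp,DC=example")]
    sec = [SecComputer("PC2", "Sync\\Workstations", dom, managed=True)]
    out["out_of_scope"] = [(c.name, c.group, c.managed) for c in sync(ad, sec, ous, dom)]

    # 3. New AD object whose endpoint is already managed elsewhere: moved in.
    ad = [AdComputer("PC3", ou)]
    sec = [SecComputer("PC3", UNASSIGNED, dom, managed=True)]
    out["already_managed"] = [(c.name, c.group, c.managed) for c in sync(ad, sec, ous, dom)]

    # 4. Disabled AD object with no SEC entry: still produces an unmanaged entry.
    ad = [AdComputer("PC4", ou, disabled=True)]
    out["disabled"] = [(c.name, c.group, c.managed) for c in sync(ad, [], ous, dom)]
    return out


if __name__ == "__main__":
    for case, entries in demo().items():
        print(case, entries)
```

The practical reading of scenario 1 is the one the original poster saw: the greyed-out entry in the synced group is the unmanaged placeholder that pass 2 creates once the real (managed) entry has been pushed to Unassigned by the domain mismatch, so deleting or fixing the stale AD object, rather than the SEC entry, is what lets the next sync converge.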