Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ADSI Account Incremental Import Job takes very long time

Go to solution
binoy
New Contributor III
New Contributor III

‎01/16/2024 10:08 PM

Hi team,

We have an Active Directory environment with 50k accounts and 10k entitlements. There are two trusted domains which is why we used the ADSI Connector. Both the ADSI Account Incremental Job and Full Import Job takes almost half an hour.

The ADSI Connector documentation mentions "To store the cookie information for each domain, specify the value of the IMPORTDATACOOKIES parameter. It is a hidden parameter and is used for incremental imports."

We checked the ADSI Connection config, ADSI and Saviynt logs and can see the domain cookie information read and updated correctly for Incremental Import. We can also see in the logs that only a few AD accounts are read and processed with a few minutes as part of adsi.AdsiImportService. But the Job still runs for half an hour, which defeats the purpose of quick incremental imports.

Labels:
0 Kudos
7 REPLIES 7

Go to solution
sudeshjaiswal
Saviynt Employee
Saviynt Employee

‎01/17/2024 08:00 PM - edited ‎01/17/2024 08:02 PM

Hello @binoy,

Can you verify whether the data was successfully imported during the execution of the incremental job? The current concern is that the job is running, but it's taking an extended amount of time to complete.

Could you provide your observance from the ECM logs and ADSI agent logs?
To do so, enable the request and response verbose mode, setting it to "1" in the web.config file on the IIS Server.

Thanks.

If you find the above response useful, Kindly Mark it as "Accept As Solution".
0 Kudos

Go to solution
binoy
New Contributor III
New Contributor III

‎01/18/2024 07:30 PM

Hi @sudeshjaiswal 

For ADSI agent log, you asked to "enable the request and response verbose mode, setting it to "1" in the web.config file on the IIS Server". Do you have an example of this? I've not seen any such example. This is what we have, in the web.config and ADSI logs have debug statements.

I've attached the ECM and ADSI logs in the support ticket.

Thanks

Preview file
58 KB
0 Kudos

Go to solution
rushikeshvartak
All-Star
All-Star
In response to binoy

‎01/18/2024 07:36 PM

To enable request and response verbose mode with a setting of "1" in the web.config file on the IIS (Internet Information Services) Server, you can follow these steps:

1. **Locate your web.config file:**
- Navigate to the root directory of your web application where the web.config file is located.

2. **Open the web.config file in a text editor:**
- Use a text editor (e.g., Notepad, Visual Studio Code) to open the web.config file.

3. **Add or modify the following settings:**
- Inside the `<system.web>` or `<configuration>` section, add or modify the following settings to enable verbose mode:

```xml
<system.web>
<!-- Other settings may be present -->

<trace enabled="true" requestLimit="40" pageOutput="true" traceMode="SortByTime" localOnly="false"/>
<customErrors mode="Off"/>
</system.web>
```

Ensure that the `enabled` attribute is set to "true" in the `<trace>` element.

4. **Save the changes:**
- Save the web.config file after making the modifications.

5. **Restart IIS:**
- After saving the changes, restart the IIS server to apply the new configuration.

You can do this by opening a command prompt and running the following command:

```bash
iisreset
```

Please note that enabling verbose mode in a production environment may expose sensitive information and should be done with caution. Additionally, make sure to test the changes in a development or staging environment before applying them to a production server.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
0 Kudos

Go to solution
binoy
New Contributor III
New Contributor III

‎01/19/2024 12:48 AM

I've uploaded the ADSI agent logs as well. It is evident that the ADSI agent returns the response within a minute. But the Job still takes a long time.

0 Kudos

Go to solution
binoy
New Contributor III
New Contributor III

‎01/23/2024 02:40 PM

Hi team,

Any update on this one please?

Thanks

0 Kudos

Go to solution
rushikeshvartak
All-Star
All-Star
In response to binoy

‎01/23/2024 07:07 PM

For an incremental account import, the UPDATEDATE attribute of the connector (specified in ACCOUNT_ATTRIBUTE) looks for the maximum value of the Active Directory whenChanged account attribute.

For an incremental group import, the incrementalTimeField attribute of the connector (specified in groupImportMapping) look


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
0 Kudos

Go to solution
binoy
New Contributor III
New Contributor III

‎01/29/2024 09:14 PM

Saviynt Support discovered that this issue was because there were 40K uncorrelated accounts which took 15 minutes to check for correlation even during the incremental job.

Thanks.

0 Kudos
Copyright © 2024 Khoros, LLC