
Using ntdsutil.exe to resolve AD aggregation exceptions


The IIQ aggregation operation features several hooks for running rules that process and format the information into an identity-friendly resource object. As a side effect, processing each account takes some time, so the time per page grows directly with the number of accounts to aggregate. Under some conditions, the time to process a page of accounts exceeds the AD server's timeout settings. This results in a timeout exception when fetching the next page of accounts from the AD server.

 

To fix this scenario, either

1) rework the rules to shorten the processing;

2) redefine IIQ's application settings to fetch fewer accounts in a single page;

3) redefine IIQ's application settings to fetch the entire account list in the initial page;

4) reconfigure the AD server to allow sufficient time to process a page of accounts.

 

The IIQ UI provides fields to accomplish the first 3 options, but the final option requires an AD admin tool. The "ntdsutil.exe" tool displays the AD policy settings. For example, this MS-Support link details the tool and the policy:

 

http://support.microsoft.com/kb/315071

 

MaxConnIdleTime - The maximum time in seconds that the client can be idle before the LDAP server closes the connection. If a connection is idle for more than this time, the LDAP server returns an LDAP disconnect notification.

 

Default value: 900 seconds
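
The following is an added example, not part of the original article: a PowerShell sequence that uses ntdsutil.exe to record the current LDAP policy values, change MaxConnIdleTime, and confirm the result. The domain controller name `dc01.example.com` and the new value of 1800 seconds are assumptions chosen for illustration.

```powershell
# Assumptions (not from the article): the DC name and the new timeout value.
$dc             = 'dc01.example.com'   # hypothetical domain controller
$newIdleSeconds = 1800                 # illustrative value; the default is 900

# 1. Record the current LDAP policy values before changing anything,
#    so the original setting can be restored later.
ntdsutil "ldap policies" connections "connect to server $dc" quit `
    "show values" quit quit |
    Tee-Object -FilePath .\ldap-policies-before.txt

# 2. Set the new idle timeout, review the values, then commit.
#    Nothing is written to the directory until "commit changes" runs.
ntdsutil "ldap policies" connections "connect to server $dc" quit `
    "set MaxConnIdleTime to $newIdleSeconds" `
    "show values" `
    "commit changes" quit quit

# 3. Read the policy back and keep only the line of interest.
ntdsutil "ldap policies" connections "connect to server $dc" quit `
    "show values" quit quit |
    Select-String -Pattern 'MaxConnIdleTime'
```

The LDAP policy applies to every LDAP client of the domain controllers that use it, not only to IIQ, so raise the value only as far as the aggregation needs and keep the saved "before" output for rollback.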

Version history: Revision 4 of 4. Last update: Jun 23, 2023 01:54 PM