Home General Discussion

AD Connector Limit

CaterhamITSupportCaterhamITSupport Member Advanced IT Monkey ✭✭✭

Dear All,

Does anyone know if there is a limit on how many AD connectors you can have in SCSM before it starts to make SCSM slow?

Kind Regards

Daniel

«1

Answers

  • Brian_WiestBrian_Wiest Customer Super IT Monkey ✭✭✭✭✭

    We attempted once to have a few to break apart the sync jobs. Ending killing the entire farm. There shouldn't be a need for more then one per domain.

  • CaterhamITSupportCaterhamITSupport Member Advanced IT Monkey ✭✭✭

    So having more than one will slow the system down? We do have different OU's with different accounts though. What do you think is best for this?

    Thank you for the response.

    Daniel

  • Brian_WiestBrian_Wiest Customer Super IT Monkey ✭✭✭✭✭

    We have 97 different OU's and when we tried to break the connector out to a couple, we got SQL locks corrupting the entire system. So no slowness, it was a total rebuild. So one domain with different OU's the one connector and bring them all in.

  • CaterhamITSupportCaterhamITSupport Member Advanced IT Monkey ✭✭✭

    Thank you for your advice. We have about 17 connectors AD Connectors and Email Connectors. AD Connectors approx 14. The reason we have so many connectors is to keep the user account CI down for licensing of Cireson / SCSM. I dont want to redesign our OU's but SQL is locking up like you had.

  • Brian_WiestBrian_Wiest Customer Super IT Monkey ✭✭✭✭✭

    You are on danger-est ground with 14 AD connectors, we lost our entire farm due to that design it was around that number when it blew up. You can select specific assets in one AD connector by choosing specific OUs and LDAP queries. There is no user account licensing cost on both Cireson and SCSM so don't know what the is in play. For most enterprises I have seen everyone is running SA license for SCCM(MECM) and when you have that, it licenses the entire System Center suite. (I don't recall if Cireson had tiers on their license but don't think so unless it has changed)

  • Simon_ZeinhoferSimon_Zeinhofer Customer Advanced IT Monkey ✭✭✭

    We have 3, one for users, one for groups and one for certain computer objects. Everything is fine for us that way though.

  • CaterhamITSupportCaterhamITSupport Member Advanced IT Monkey ✭✭✭

    So we have approx 14 which are pulling in user accounts from different areas AD. Is there a better way to do this?

  • CaterhamITSupportCaterhamITSupport Member Advanced IT Monkey ✭✭✭

    I have managed to consolidate them down to 10 AD connectors, 6 Exchange and 1 SCCM. Any advice is appreciated. Getting a lot of errors:

    The database subscription query is longer than expected. Check the database or simplify the database subscription criteria.

     The following errors were encountered:

     Exception message: Subscription query is taking long.

  • Simon_ZeinhoferSimon_Zeinhofer Customer Advanced IT Monkey ✭✭✭

    You could break your user connectors down to one and just use an LDAP filter to accomplish what you want.

    But as we just import all users from our company (we only have one domain) I cannot help you in regards of LDAP

  • CaterhamITSupportCaterhamITSupport Member Advanced IT Monkey ✭✭✭

    Would disabling them for now help and does disabling AD connectors affect anything other than importing new users and groups? If I disable it shouldnt affect much, even if I do this for a week to give me some time?

  • Simon_ZeinhoferSimon_Zeinhofer Customer Advanced IT Monkey ✭✭✭

    AD Connectors not just import new objects, they also update existing ones. So this wouldn't happen neither if you disable them.

  • CaterhamITSupportCaterhamITSupport Member Advanced IT Monkey ✭✭✭

    So just checked in AD and the AD connectors are pointing to OU's with just users in. Do you know what the filter is for checking for just users and not computers?

  • Simon_ZeinhoferSimon_Zeinhofer Customer Advanced IT Monkey ✭✭✭

    we have it that way:


  • CaterhamITSupportCaterhamITSupport Member Advanced IT Monkey ✭✭✭

    Thank you for the direction Simon, really appreciate it.

  • CaterhamITSupportCaterhamITSupport Member Advanced IT Monkey ✭✭✭

    Just checking Simon, do you need to select box the users and or groups and enter what you put? Why is that greyed out (is it because the connector is already created and you cannot edit?)

  • Simon_ZeinhoferSimon_Zeinhofer Customer Advanced IT Monkey ✭✭✭

    Tbh I don't remember how we set it up. 🙈

    But I Guess you have to select the checkbox

  • CaterhamITSupportCaterhamITSupport Member Advanced IT Monkey ✭✭✭

    Thank you Simon you have been really helpful. Also thank you Brian.

  • CaterhamITSupportCaterhamITSupport Member Advanced IT Monkey ✭✭✭

    Simon just to make you aware i created the ldap query like you have done above and its unchecked. When i created it, it was checked and after you cannot edit and greyed out. So you are spot on.

  • CaterhamITSupportCaterhamITSupport Member Advanced IT Monkey ✭✭✭
    edited April 2023

    Hi Simon again, do you have the filter syntax for groups? Is it just change user to group?

  • Simon_ZeinhoferSimon_Zeinhofer Customer Advanced IT Monkey ✭✭✭


    But I guess it should be possible to combine them

  • CaterhamITSupportCaterhamITSupport Member Advanced IT Monkey ✭✭✭

    Thank you Simon.

  • Brian_WiestBrian_Wiest Customer Super IT Monkey ✭✭✭✭✭

    As a side note

    Exception message: Subscription query is taking long.

    This is not anything with the AD connector.

    This is the worfklow rules running taking longer then SCSM wants.

    We see these all the time, most common after a reboot while the workflows "catch up" or during an large import job overnight.

    As long as you are not seeing them all day long, the and your workflows are completing your fine.

  • Simon_ZeinhoferSimon_Zeinhofer Customer Advanced IT Monkey ✭✭✭

    This ldap filter catches both:

    (|(objectClass=user)(objectClass=group))

  • CaterhamITSupportCaterhamITSupport Member Advanced IT Monkey ✭✭✭

    I have now got the connectors down to 9 and change connectors to use user filter against an OU. I have changed the group one to OU / group filter. At this moment seems better but will only know by tomorrow. Thank you everyone on here for the help so far.

  • CaterhamITSupportCaterhamITSupport Member Advanced IT Monkey ✭✭✭


    We are getting these through the day was every 30 seconds. I have made the changes to the connectors which have helped from here and also unchecked groups / null now.

  • CaterhamITSupportCaterhamITSupport Member Advanced IT Monkey ✭✭✭

    Also we have changed from SAS 15K disk to SSD which has helped a bit and moving to local storage.

  • Brian_WiestBrian_Wiest Customer Super IT Monkey ✭✭✭✭✭

    The performance really comes down to how well the SQL farm is configured.

    We are running internal SSDs for the databases. with the brokers enabled. Along with a 1 TB performance SSD for the temp db's. And even with that where the Disk response rate is less then 20ms still get some warnings about subscriptions taking too long. What you really need to monitor is how long the workflow is behind

    If you run this command against the SCSM databse it will show you your workflow performance. The column to review is Minutes behind.

     DECLARE @MaxState INT, @MaxStateDate Datetime, @Delta INT, @Language nvarchar(3)

     SET @Delta = 0

     SET @Language = 'ENU'

     SET @MaxState = (

        SELECT MAX(EntityTransactionLogId)

        FROM EntityChangeLog WITH(NOLOCK)

     )

     SET @MaxStateDate = (

        SELECT TimeAdded

        FROM EntityTransactionLog

        WHERE EntityTransactionLogId = @MaxState

    )


    SELECT

        LT.LTValue AS 'Display Name',

            S.State AS 'Current Workflow Watermark',

        @MaxState AS 'Current Transaction Log Watermark',

        DATEDIFF(mi,(SELECT TimeAdded

                        FROM EntityTransactionLog WITH(NOLOCK)

                        WHERE EntityTransactionLogId = S.State), @MaxStateDate) AS 'Minutes Behind',

        S.EventCount,

        S.LastNonZeroEventCount,

        R.RuleName AS 'MP Rule Name',

        MT.TypeName AS 'Source Class Name',

        S.LastModified AS 'Rule Last Modified',

        S.IsPeriodicQueryEvent AS 'Is Periodic Query Subscription', --Note: 1 means it is a periodic query subscription

        R.RuleEnabled AS 'Rule Enabled', -- Note: 4 means the rule is enabled

        R.RuleID

       

     FROM CmdbInstanceSubscriptionState AS S WITH(NOLOCK)

     LEFT OUTER JOIN Rules AS R

        ON S.RuleId = R.RuleId

     LEFT OUTER JOIN ManagedType AS MT

        ON S.TypeId = MT.ManagedTypeId

     LEFT OUTER JOIN LocalizedText AS LT

        ON R.RuleId = LT.MPElementId

     WHERE

        S.State <= @MaxState - @Delta

        AND R.RuleEnabled <> 0

        AND LT.LTStringType = 1

        AND LT.LanguageCode = @Language

        --AND S.IsPeriodicQueryEvent = 0

        /*Note: Uncomment this line and use this optional criteria if you want to

        look at a specific workflow that you know the display name of*/

        --AND LT.LTValue  LIKE '%Test%'

     ORDER BY S.State Asc

  • CaterhamITSupportCaterhamITSupport Member Advanced IT Monkey ✭✭✭

    Thank you Brian, I will look into this. The SQL script has identified some work flows which are no longer needed too.

  • CaterhamITSupportCaterhamITSupport Member Advanced IT Monkey ✭✭✭

    I ran the following command also and the output has some failed jobs:

    Script:

    SELECT

      InternalJobHistoryId,

      Command,

      TimeStarted,

      timefinished,

      statuscode

    FROM InternalJobHistory WITH(NOLOCK)

    WHERE

      TimeFinished IS NULL AND

      StatusCode <> 1

    order by timestarted desc

    Exec dbo.p_GroomStagedChangeLogs 55270A70-AC47-C853-C617-236B0CFF9B4C, 0, , 1000

    Exec dbo.p_GroomTypeSpecificLogTables 

    Exec dbo.p_GroomPartitionedObjects and dbo.p_Grooming

    Time finished is Null

    Do I need to be concerned about this?

  • Brian_WiestBrian_Wiest Customer Super IT Monkey ✭✭✭✭✭

    The script also help find your periodical notification subscriptions.

    (Ones where Curent workflow watermark is 0)

    Those are heavy hitters depending on your work item volumn in the live DB.

    We spent a good amount of effort changing those.

Sign In or Register to comment.