Analyzing information in Active Directory

One important way you can troubleshoot your environment is by running the Analyze command. The Analyze command enables you to selectively check the integrity of the information stored in Active Directory. With the Analyze wizard, you can check for a variety of potential problems, such as duplicate user IDs, duplicate groups, empty zones, orphaned data objects, or computers that have joined more than one zone.

Note:   When you run the Analyze command, only the zones that are open are checked.

To check for problems with information in the Active Directory forest:

  1. Open Access Manager.

    If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.

  2. In the console tree, select the Access Manager root node, right-click, then click Analyze.
  3. Select the types of checks you want to perform, then click Next to generate the report.

    Select this option | To do this

    All

    Perform all of the data integrity checks.

    Note:   If you do not register the administrative notification handler through the Setup Wizard or manually using ADSI, you should periodically run the Analyze command with All or Orphan UNIX data objects selected.

    Computers joined to multiple zones

    Check for computers that have joined the domain using more than one zone. Each UNIX computer should only reside in one zone, but if you run the join command more than once, it is possible to have the same computer in more than one zone. This option checks for this problem.

    Cyclic zone hierarchy

    Check for a circular zone hierarchy. The console prevents you from creating a circular zone hierarchy, but it is possible to do so inadvertently when using ADEdit.

    Duplicate groups in zones

    Check for duplicate UNIX group names or group identifiers (GIDs) in each open Centrify zone.

    Duplicate role assignment containers in computer

    Check for computers that have more than one location to store role assignment information.

    Duplicate service principal names in forest

    Check for duplicate service principal names across the entire forest. Service principal names are required to be unique within an Active Directory forest.

    Duplicate SFU zones

    Check for duplicate SFU zones that are set to manage the same NIS domain.

    Duplicate users in zones

    Check for duplicate UNIX user names or user identifiers (UIDs) in each open Centrify zone.

    Duplicate zone default container

    Check for duplicate Zones parent container objects in the Active Directory forest.

    Empty computer roles

    Check for computer roles that contain no computers or role assignments.

    Empty profiles in hierarchical zones

    Check for hierarchical zones that contain users or groups that have no profile data defined.

    Empty zones

    Check for zones that have no computers, users, or groups.

    Foreign Security Principal Clean Up

    Check for foreign security principal objects whose corresponding security principal has been removed.

    Incomplete user UNIX data

    Check for users with missing UNIX profile attributes or who are missing a primary profile. This analysis option checks the entire zone hierarchy for profiles with missing attributes and for users who have multiple profiles defined but do not have a primary profile. Users with an incomplete profile or a missing primary profile will not be able to log on even if they are assigned a role with login rights.

    Note that a profile can be incomplete at any level of the zone hierarchy as long as it is complete at the level where a computer is joined.

    Inconsistency in granting NIS server permissions

    Check that there is a zone_nis_servers group in each zone that supports agentless authentication and that the group contains all the NIS servers that have been defined for the zone.

    The zone_nis_servers group is required to assign permissions to managed computers that act as NIS servers, and should not be manually deleted or modified.

    This option checks that the group exists and includes all of the computers acting as NIS servers to ensure data integrity.

    Inconsistent computer object names

    Check for discrepancy between the DNS name for a computer in Active Directory and its Centrify computer profile name.

    Insufficient permission for agent version update

    Check whether the computer object in Active Directory has sufficient permission to update the version number property of the Centrify UNIX agent in the computer’s serviceConnectionPoint object.

    If the computer object does not have permission to change this property, the version number cannot be displayed.

    Insufficient permission for OS version update

    Check whether the computer object in Active Directory has sufficient permission to update the version number property of the operating system in the computer’s serviceConnectionPoint object.

    If the computer object does not have permission to change this property, the operating system version number cannot be displayed.

    Invalid right assignments

    Check whether an invalid right has been assigned to a role. This error occurs if a right has been added to a role and subsequently the right becomes invalid. Generally, a right becomes invalid if it is edited with a third-party tool, such as ADSI Edit, and an attribute is set to an invalid value.

    For example, Access Manager creates Active Directory objects of type msDS-AzOperation for command rights and PAM application rights, and assigns a HEX value to the msDS-AzOperationId attribute of these objects. The range of reserved values for this attribute is as follows:

    • Command: (HEX) 0500,0000 – 05FF,FFFF
    • PAM application: (HEX) 0200,0000 – 02FF,FFFF

    If this attribute is set to a value that is out of the reserved range, the right will be invalid and will no longer appear in Access Manager. If the right has been assigned to a role, the Analyze Invalid right assignment check returns an error.

    You can select the error in the Analysis Results node and use the Action menu to delete it from the role if you wish.

    Invalid role assignments

    Check whether invalid role assignments exist in the zone. In most cases, invalid role assignments occur when a role assignment is defined for a computer account and the computer leaves a zone without cleaning up role-assignment objects.

    Invalid role assignments (DZ V2)

    Check for role assignments that contain multiple roles or multiple users.

    In most cases, this error only occurs if you are using third-party tools to edit role assignments. Centrify tools prevent you from creating invalid role assignments.

    Note that a role assignment consists of a single user and a single role. To assign multiple roles to a user, you create multiple role assignments, which are stored in the form of user@domain role/sourceZone; for example:

    qa1@acme.com login/engineering
    qa1@acme.com vi_power/engineering
    qa1@acme.com test/engineering

    Orphan child zones

    Check for child zones that have an invalid parent zone.

    The information identifying the parent-child zone relationship is stored in the child zone in the form of a HEX string and the name of the domain to which the parent zone belongs. If this identifier is deleted, or changed to an invalid format, or if the parent zone is deleted but the child zone remains in the domain, Analyze (Orphan child zones) returns an error.

    Note that this error typically occurs only if you use third-party tools to edit zone objects in Active Directory. If you delete a parent zone using Centrify tools, child zones are deleted as well.

    Orphan role assignments

    Check for role assignments that consist of a non-existent role or user, or that do not contain a role or user.

    In most cases, this error only occurs if you are using third-party tools to edit Centrify objects in Active Directory. If you delete a role or user using Centrify tools or using Active Directory Users and Computers, the role assignment will be deleted as well (the change will be visible after you refresh the display) and Analyze will not return an error.

    Orphan zone data objects and invalid data links

    Check for zone data that have no corresponding Active Directory objects or have invalid links to Active Directory objects. For example, if you delete an Active Directory user but do not remove the profile for this user in a zone, the zone profile becomes an orphan and is flagged as such by this option.

    Restricted roles

    Check for roles that have been assigned commands that cannot be executed.

    When rights are created, they can be defined to run in a restricted-shell role, in an enhanced role (with dzdo), or with both. If a command that has not been defined to run in a restricted-shell is added to a restricted-shell role, this check returns an error.

    Zone created under another zone

    Check for zone information created in another zone’s parent container.

    Note that this check does not look at hierarchical zones because it is expected that child zones are physically contained in their parent zone.

    Zone information in old format

    Check for zone information stored in an obsolete Centrify zone format.

    Zoneless computers

    Check for computers that do not belong to any zone.

  4. Review the result summary, then click Finish.
  5. If the result summary indicates any issues, you can view the details by selecting Analysis Results in the console tree and viewing the information listed in the right pane.

    For additional information, select the warning or error, right-click, then select Properties.
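The checks above run inside Access Manager against live Active Directory data. As an added illustration (not Centrify code, and not how Access Manager itself is implemented), the following Python script models the logic of several of them offline over a constructed, in-memory set of zones, profiles, computers and rights: the Cyclic zone hierarchy and Orphan child zones checks, Duplicate users/groups in zones, Computers joined to multiple zones, Empty zones, the Invalid right assignments range check using the reserved msDS-AzOperationId ranges stated above, and a parser for the user@domain role/sourceZone form of a role assignment. All zone names, user names, UIDs/GIDs, computer names and right names are made up for the example; only the two HEX ranges come from the page.

```python
"""Offline model of several Access Manager Analyze checks (added example, constructed data)."""
from collections import defaultdict

# --- Constructed sample data (not real directory content) -------------------------
# Zones keyed by name; "parent" is None for a top-level zone.
ZONES = {
    "global": {"parent": None},
    "engineering": {"parent": "global"},
    "qa": {"parent": "engineering"},
    "empty": {"parent": "global"},          # nothing joined, no profiles
    "loop_a": {"parent": "loop_b"},         # deliberate cycle, as ADEdit could create
    "loop_b": {"parent": "loop_a"},
    "stale": {"parent": "deleted_zone"},    # parent no longer exists
}
# (zone, profile name, numeric id)
USER_PROFILES = [
    ("engineering", "alice", 1001), ("engineering", "bob", 1002),
    ("engineering", "alice", 1003),         # duplicate name in one zone
    ("qa", "carol", 1001), ("qa", "dave", 1001),  # duplicate UID in one zone
]
GROUP_PROFILES = [("engineering", "devs", 2000), ("engineering", "ops", 2000)]
# (computer name, zone it joined)
COMPUTERS = [("build01", "engineering"), ("build01", "qa"), ("web01", "engineering"),
             ("dc-util01", "global")]
# (right name, right kind, msDS-AzOperationId value)
RIGHTS = [("restart_httpd", "command", 0x05000001),
          ("ssh_login", "pam_application", 0x02000010),
          ("edited_by_hand", "command", 0x01000000)]   # outside the reserved range

# Reserved msDS-AzOperationId ranges quoted in the documentation above.
RESERVED_OPERATION_ID_RANGES = {
    "command": (0x05000000, 0x05FFFFFF),
    "pam_application": (0x02000000, 0x02FFFFFF),
}


def find_cyclic_zones(zones):
    """Zones that sit on a parent-link cycle (Cyclic zone hierarchy check)."""
    cyclic = set()
    for start in zones:
        path, current = [], start
        while current is not None and current in zones:
            if current in path:                 # walked back onto our own path
                cyclic.update(path[path.index(current):])
                break
            path.append(current)
            current = zones[current]["parent"]
    return sorted(cyclic)


def find_orphan_child_zones(zones):
    """Child zones whose parent link points at a zone that no longer exists."""
    return sorted(z for z, info in zones.items()
                  if info["parent"] is not None and info["parent"] not in zones)


def find_duplicate_profiles(profiles):
    """Per zone, profile names and numeric ids (UID/GID) that occur more than once."""
    counts = defaultdict(lambda: {"names": defaultdict(int), "ids": defaultdict(int)})
    for zone, name, num in profiles:
        counts[zone]["names"][name] += 1
        counts[zone]["ids"][num] += 1
    report = {}
    for zone, c in counts.items():
        dup_names = sorted(n for n, k in c["names"].items() if k > 1)
        dup_ids = sorted(i for i, k in c["ids"].items() if k > 1)
        if dup_names or dup_ids:
            report[zone] = {"names": dup_names, "ids": dup_ids}
    return report


def find_multi_zone_computers(computers):
    """Computers that appear in more than one zone (joined more than once)."""
    zones_of = defaultdict(set)
    for name, zone in computers:
        zones_of[name].add(zone)
    return sorted(n for n, zs in zones_of.items() if len(zs) > 1)


def find_empty_zones(zones, users, groups, computers):
    """Zones with no computers, users or groups."""
    populated = {z for z, _, _ in users} | {z for z, _, _ in groups} | {z for _, z in computers}
    return sorted(z for z in zones if z not in populated)


def invalid_right_ids(rights):
    """Rights whose msDS-AzOperationId lies outside the reserved range for their kind."""
    bad = []
    for name, kind, op_id in rights:
        low, high = RESERVED_OPERATION_ID_RANGES[kind]
        if not low <= op_id <= high:
            bad.append(name)
    return bad


def parse_role_assignment(text):
    """Split 'user@domain role/sourceZone' into (user, domain, role, source_zone)."""
    try:
        principal, role_part = text.split()
        user, domain = principal.split("@")
        role, source_zone = role_part.split("/")
    except ValueError:
        raise ValueError(f"malformed role assignment: {text!r}") from None
    return user, domain, role, source_zone


if __name__ == "__main__":
    print("cyclic zones:", find_cyclic_zones(ZONES))
    print("orphan child zones:", find_orphan_child_zones(ZONES))
    print("duplicate users:", find_duplicate_profiles(USER_PROFILES))
    print("duplicate groups:", find_duplicate_profiles(GROUP_PROFILES))
    print("computers in multiple zones:", find_multi_zone_computers(COMPUTERS))
    print("empty zones:", find_empty_zones(ZONES, USER_PROFILES, GROUP_PROFILES, COMPUTERS))
    print("invalid rights:", invalid_right_ids(RIGHTS))
    print(parse_role_assignment("qa1@acme.com login/engineering"))
```

Duplicate detection is scoped per zone on purpose: alice (UID 1001) in engineering and carol (UID 1001) in qa are not reported, matching the documentation's "in each open zone" wording, whereas carol and dave sharing a UID inside qa is. The cycle walk stops as soon as a parent link leaves the known set of zones, so a cyclic hierarchy and an orphaned child zone are reported by separate checks rather than masking each other.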