Analyzing information in Active Directory

One important way you can troubleshoot your environment is by running the Analyze command. The Analyze command enables you to selectively check the integrity of the information stored in Active Directory. With the Analyze wizard, you can check for a variety of potential problems, such as duplicate user IDs, duplicate groups, empty zones, orphaned data objects, or computers that have joined more than one zone.

When you run the Analyze command, only the zones that are open are checked.

To check for problems with information in the Active Directory forest:

  1. Open Access Manager.

    If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.

  2. In the console tree, select the Access Manager root node, right-click, then click Analyze.

  3. Select the types of checks you want to perform, then click Next to generate the report.

Select this option / To do this

  All
    Perform all of the data integrity checks. Note: If you do not register the administrative notification handler through the Setup Wizard or manually using ADSI, you should periodically run the Analyze command with All or Orphan UNIX data objects selected.

  Computers joined to multiple zones
    Check for computers that have joined the domain using more than one zone. Each UNIX computer should reside in only one zone, but if you run the join command more than once, it is possible to have the same computer in more than one zone. This option checks for this problem.

  Cyclic zone hierarchy
    Check for a circular zone hierarchy. The console prevents you from creating a circular zone hierarchy, but it is possible to do so inadvertently when using ADEdit.

  Duplicate groups in zones
    Check for duplicate UNIX group names or group identifiers (GIDs) in each open Centrify zone.

  Duplicate role assignment containers in computer
    Check for computers that have more than one location to store role assignment information.

  Duplicate service principal names in forest
    Check for duplicate service principal names across the entire forest. Service principal names are required to be unique within an Active Directory forest.

  Duplicate SFU zones
    Check for duplicate SFU zones that are set to manage the same NIS domain.

  Duplicate users in zones
    Check for duplicate UNIX user names or user identifiers (UIDs) in each open Centrify zone.

  Duplicate zone default container
    Check for duplicate Zones parent container objects in the Active Directory forest.

  Empty computer roles
    Check for computer roles that contain no computers or role assignments.

  Empty profiles in hierarchical zones
    Check for hierarchical zones that contain users or groups that have no profile data defined.

  Empty zones
    Check for zones that have no computers, users, or groups.

  Foreign Security Principal Clean Up
    Check for foreign security principal objects whose corresponding security principal has been removed.

  Incomplete user UNIX data
    Check for users with missing UNIX profile attributes or who are missing a primary profile. This analysis option checks the entire zone hierarchy for profiles with missing attributes and for users who have multiple profiles defined but do not have a primary profile. Users with an incomplete profile or a missing primary profile will not be able to log on even if they are assigned a role with login rights. Note that a profile can be incomplete at any level of the zone hierarchy as long as it is complete at the level where a computer is joined.

  Inconsistency in granting NIS server permissions
    Check that there is a zone_nis_servers group in each zone that supports agentless authentication and that the group contains all the NIS servers that have been defined for the zone. The zone_nis_servers group is required to assign permissions to managed computers that act as NIS servers, and should not be manually deleted or modified. This option checks that the group exists and includes all of the computers acting as NIS servers to ensure data integrity.

  Inconsistent computer object names
    Check for a discrepancy between the DNS name for a computer in Active Directory and its Centrify computer profile name.

  Insufficient permission for agent version update
    Check whether the computer object in Active Directory has sufficient permission to update the version number property of the Centrify Agent for *NIX in the computer's serviceConnectionPoint object. If the computer object does not have permission to change this property, the version number cannot be displayed.

  Insufficient permission for OS version update
    Check whether the computer object in Active Directory has sufficient permission to update the version number property of the operating system in the computer's serviceConnectionPoint object. If the computer object does not have permission to change this property, the operating system version number cannot be displayed.

  Invalid right assignments
    Check whether an invalid right has been assigned to a role. This error occurs if a right has been added to a role and the right subsequently becomes invalid. Generally, a right becomes invalid if it is edited with a third-party tool, such as ADSI Edit, and an attribute is set to an invalid value. For example, Access Manager creates Active Directory objects of type msDS-AzOperation for command and PAM application rights, and assigns a HEX value to the msDS-AzOperationId attribute of these objects. The range of reserved values for this attribute is as follows:

      Command: (HEX) 0500,0000 – 05FF,FFFF
      PAM application: (HEX) 0200,0000 – 02FF,FFFF

    If this attribute is set to a value that is out of the reserved range, the right is invalid and no longer appears in Access Manager. If the right has been assigned to a role, the Invalid right assignments check returns an error. You can select the error in the Analysis Results node and use the Action menu to delete it from the role if you wish.

  Invalid role assignments
    Check whether invalid role assignments exist in the zone. In most cases, invalid role assignments occur when a role assignment is defined for a computer account and the computer leaves a zone without cleaning up role assignment objects.

  Invalid role assignments (DZ V2)
    Check for role assignments that contain multiple roles or multiple users. In most cases, this error only occurs if you are using third-party tools to edit role assignments. Centrify tools prevent you from creating invalid role assignments. Note that a role assignment consists of a single user and a single role. To assign multiple roles to a user, you create multiple role assignments, which are stored in the form user@domain role/sourceZone; for example:

      qa1@acme.com login/engineering
      qa1@acme.com vi_power/engineering
      qa1@acme.com test/engineering

  Orphan child zones
    Check for child zones that have an invalid parent zone. The information identifying the parent-child zone relationship is stored in the child zone in the form of a HEX string and the name of the domain to which the parent zone belongs. If this identifier is deleted or changed to an invalid format, or if the parent zone is deleted but the child zone remains in the domain, the Orphan child zones check returns an error. Note that this error typically occurs only if you use third-party tools to edit zone objects in Active Directory. If you delete a parent zone using Centrify tools, child zones are deleted as well.

  Orphan role assignments
    Check for role assignments that consist of a non-existent role or user, or that do not contain a role or user. In most cases, this error only occurs if you are using third-party tools to edit Centrify objects in Active Directory. If you delete a role or user using Centrify tools or using Active Directory Users and Computers, the role assignment is deleted as well (the change is visible after you refresh the display) and Analyze does not return an error.

  Orphan zone data objects and invalid data links
    Check for zone data that has no corresponding Active Directory objects or has invalid links to Active Directory objects. For example, if you delete an Active Directory user but do not remove the profile for this user in a zone, the zone profile becomes an orphan and is flagged as such by this option.

  Restricted roles
    Check for roles that have been assigned commands that cannot be executed. When rights are created, they can be defined to run in a restricted-shell role, in an enhanced role (with dzdo), or in both. If a command that has not been defined to run in a restricted shell is added to a restricted-shell role, this check returns an error.

  Zone created under another zone
    Check for zone information created in another zone's parent container. Note that this check does not look at hierarchical zones because child zones are expected to be physically contained in their parent zone.

  Zone information in old format
    Check for zone information stored in an obsolete Centrify zone format.

  Zoneless computers
    Check for computers that do not belong to any zone.
  4. Review the result summary, then click Finish.

  5. If the result summary indicates any issues, you can view the details by selecting Analysis Results in the console tree and viewing the information listed in the right pane. For example:

    [Screenshot: Analysis results]

    For additional information, select the warning or error, right-click, then select Properties. For example:

    [Screenshot: Properties]
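Two of the checks in the table above, the reserved msDS-AzOperationId ranges for command and PAM application rights and forest-wide uniqueness of service principal names, can be reproduced offline against an export of the relevant attributes. The following Python is an added illustration, not Centrify tooling; the attribute names come from the page, while the record layout, the sample role names and the acme.com accounts are constructed assumptions.

```python
"""Offline replica of the 'Invalid right assignments' and 'Duplicate service
principal names in forest' checks, run over a constructed sample export."""
from collections import defaultdict

# Reserved msDS-AzOperationId ranges as documented for Access Manager rights,
# expressed as inclusive integer bounds.
RESERVED_RANGES = {
    "command": (0x05000000, 0x05FFFFFF),
    "pam_application": (0x02000000, 0x02FFFFFF),
}


def classify_right(op_id):
    """Return the right type for an msDS-AzOperationId value, or None when the
    value lies outside every reserved range (the right is then invalid)."""
    for kind, (low, high) in RESERVED_RANGES.items():
        if low <= op_id <= high:
            return kind
    return None


def find_invalid_right_assignments(roles):
    """roles: {role_name: [(right_name, msDS-AzOperationId as int), ...]}.
    Return (role, right, op_id) for each assigned right with an invalid id,
    which is what the Analyze check reports as an error."""
    return [(role, right, op_id)
            for role, rights in roles.items()
            for right, op_id in rights
            if classify_right(op_id) is None]


def find_duplicate_spns(accounts):
    """accounts: {distinguished_name: [servicePrincipalName, ...]}.
    SPNs must be unique in the forest; return {spn: sorted DNs} for every SPN
    held by more than one account. Comparison is case-insensitive, matching
    how the KDC resolves SPNs."""
    holders = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            holders[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in holders.items() if len(dns) > 1}


# Constructed sample data (assumed, not from a real forest). The "broken" right
# models a PAM right whose id was edited with ADSI Edit to an out-of-range value.
SAMPLE_ROLES = {
    "login/engineering": [("ssh", 0x02000001)],
    "vi_power/engineering": [("vi", 0x05000042), ("broken", 0x07000000)],
}
SAMPLE_ACCOUNTS = {
    "CN=web01,OU=Servers,DC=acme,DC=com": ["HTTP/web01.acme.com",
                                          "host/web01.acme.com"],
    "CN=svc-web,OU=Users,DC=acme,DC=com": ["http/web01.acme.com"],
}

if __name__ == "__main__":
    for role, right, op_id in find_invalid_right_assignments(SAMPLE_ROLES):
        print(f"ERROR   invalid right {right!r} (0x{op_id:08X}) in role {role}")
    for spn, dns in find_duplicate_spns(SAMPLE_ACCOUNTS).items():
        print(f"WARNING duplicate SPN {spn}: {', '.join(dns)}")
```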

Common scenarios that generate analysis results

For most organizations, it is appropriate to check the data integrity of the Active Directory forest on a regular basis. Although running the Analyze command frequently may not be necessary for small networks with few domain controllers, there are several common scenarios that you should consider to determine how often you should check the forest for potential problems. The most likely reasons for data integrity issues stem from:

  • Multiple administrators performing concurrent operations.

  • Administrators using different domain controllers to perform a single operation.

  • Replication delays that allow duplicate or conflicting information to be saved in Active Directory.

  • Insufficient permissions that prevent an operation from being successfully completed.

  • Network problems that prevent an operation from being successfully completed.

  • Partial or incomplete upgrades that result in inconsistency of the information stored in Active Directory.

  • Using ADEdit rather than the Console to create, modify, or delete zone objects, which may lead to problems, such as inadvertently creating a circular zone structure or an empty profile.

  • Using third-party tools, such as ADSI Edit, to edit objects directly in Active Directory, which may lead to corrupted or invalid zone objects.

Running Analyze periodically helps to ensure the issues these scenarios can cause are reported in the Analysis Results, so you can take corrective action.

Responding to analysis results

Depending on the type of warning or error generated in the Analysis Results, you might be able to take corrective action or access additional information by right-clicking a result, then selecting an appropriate action. For example, if a computer account lacks the permission required to update Active Directory with the operating system version currently installed, you can right-click the warning in the Analysis Results, then select Grant computer the rights to modify operating system properties.

If right-clicking a result does not provide a responsive action, you should use Access Manager or ADEdit to correct the issue.

The following table describes the warnings and errors you may see in the Analysis Results after running the Analyze wizard and how to resolve potential issues.

Result / Responsive action

  If there are any computers joined to multiple zones, an error is displayed.
    No responsive action can be taken directly within the Analysis Results for this issue. In general, this issue only occurs if an administrator runs adleave with the --force option, then runs adjoin to join the computer to a different domain without removing the old computer profile from Active Directory. You should identify the appropriate zone for the computer, then use the Access Manager console to delete the computer profile from any additional zones.

  If the parent-child relationship of any zones is circular, an error is displayed.
    Break the circular relationship.

  If there are any duplicate groups in a zone, a warning is displayed.
    No responsive action can be taken directly within the Analysis Results for this issue. In general, this issue only occurs if multiple administrators perform concurrent operations or there are replication delays that allow a duplicate group profile to be added to a zone. For example, if two administrators add the same group to a zone using different domain controllers, there will be duplicate group profiles after the domain controllers complete replication. You should use the Access Manager console or ADSI Editor to delete the duplicate group profiles from the zone.

  If any duplicate service principal names (SPNs) are found for users or computers in the forest, a warning is displayed.
    No responsive action can be taken directly within the Analysis Results for this issue. Right-click the warning and click Properties to identify the duplicate SPN. Open the account properties for the user or computer and modify or remove the duplicate servicePrincipalName value. Alternatively, run the adjoin command with the -d or --forceDeleteObjWithDupSpn option. See the adjoin man page for additional information.

  If there are any duplicate users in a zone, a warning is displayed.
    No responsive action can be taken directly within the Analysis Results for this issue. In general, this issue only occurs if multiple administrators perform concurrent operations or there are replication delays that allow a duplicate user profile to be added to a zone. For example, if two administrators add the same user to a zone using different domain controllers, there will be duplicate user profiles after the domain controllers complete replication. You should use the Access Manager console or ADSI Editor to delete the duplicate user profiles from the zone.

  If more than one Centrify SFU zone is found in the forest, a warning is displayed.
    No responsive action can be taken directly within the Analysis Results for this issue. Because an SFU zone is associated with an Active Directory SFU schema extension, there should be a maximum of one SFU zone in an Active Directory forest. In general, this issue only occurs if multiple administrators perform concurrent operations or there are replication delays that allow a duplicate. You should use the Access Manager console or ADSI Editor to delete any duplicate SFU zones.

  If a duplicate default parent container for zones is found, a warning is displayed.
    No responsive action can be taken directly within the Analysis Results for this issue. In general, this issue only occurs if multiple administrators perform concurrent operations or there are replication delays that allow a duplicate default container for new zones. Having more than one default parent container for zones can result in an unexpected default value in the Create New Zone wizard. You should use the ADSI Editor to delete any duplicate Zones parent containers from the forest.

  If a computer role does not have any member computers or role assignments, a warning is displayed.
    If the computer role has no member computers, right-click the warning in the Analysis Results, then select Add computers to add computers, or Delete Computer Role to remove the computer role. If a computer role has computer members but no role assignments, the only available response from the Analysis Results is to delete the computer role. You can, however, select the computer role in the Console and add role assignments to its Role Assignments node.

  If a user or group profile has been added to a zone but has no attributes defined, an error message is displayed.
    Right-click the warning in the Analysis Results, then select Delete empty profile to delete the profile from the zone, or Modify profile to define one or more attributes for the user or group.

  If any zone does not contain users, groups, or computers, a warning is displayed for each type of object. For example, if a zone has computers and groups, but no users, only the user warning is displayed for that zone.
    No responsive action can be taken directly within the Analysis Results for these issues. In general, this issue occurs early in a deployment before you have populated zones. You should use the Access Manager console to add missing objects to the zone. If the empty zone is not a valid zone, right-click the zone and select Delete.

  If one or more secondary profiles are found for a user but no primary profile is found, a warning message is displayed.
    Right-click the warning in the Analysis Results, then select Promote secondary profile to primary to select a secondary profile you want to make the primary profile for the user.

  If a user's UNIX profile is incomplete in the entire zone hierarchy, a warning message is displayed.
    Right-click the warning in the Analysis Results, then select Modify zone profile to define additional attributes to complete the user's profile.

  If the Active Directory group zone_nis_servers is not found in a zone configured for agentless authentication, an error is displayed.
    Right-click the error in the Analysis Results, then select Create NIS servers group to create the zone_nis_servers group for agentless authentication. Note that your account must have permission to create this object for the operation to be successful.

  If the membership of the zone_nis_servers group is not consistent with the computers authorized as NIS servers, a "Membership inconsistent" error is displayed.
    Right-click the error in the Analysis Results, then select Fix group membership to modify the membership list for the zone_nis_servers group.

  If a zone is configured to support agentless authentication and the zone_nis_servers group exists but does not contain all computers in the zone, an informational alert is displayed.
    No responsive action can be taken directly within the Analysis Results for these issues. You should verify that all of the computers you want to use as NIS servers in the zone are configured to allow agentless authentication.

  If there is a discrepancy between the DNS name in AD and the Centrify computer profile name, a warning message is displayed.
    Right-click the error in the Analysis Results, then select Fix group membership to

  If a computer account does not have permission to write to the keywords attribute, an error is displayed.
    Right-click the error in the Analysis Results, then select Grant permission to computer account to update the permissions on the computer account object.

  If a computer account does not have permission to modify operating system properties, a warning is displayed.
    Right-click the error in the Analysis Results, then select Grant computer permission to modify operating system properties to update the permissions on the computer account object.

  If a right for a role is invalid, a warning message is displayed.
    Right-click the error in the Analysis Results, then select Delete Right to delete the right from the role.

  If a role assignment is invalid, a warning message is displayed.

  If multiple roles are assigned to a user, a warning message is displayed.

  If a child zone has an invalid parent zone, an error message is displayed.

  If an object has no parent object, a warning message is displayed.

  If a restricted-shell role is assigned a right that cannot be run in a restricted shell, a warning message is displayed.
    Right-click the error in the Analysis Results, then select Delete Commands to remove the commands from the role, or select Allow running in restricted role to allow running the command in the restricted role.

  If a zone was created using the version 2.x console and includes a Private Groups container, a warning is displayed.
    If any computers in the zone are running version 2.x or 3.x agents, you should ignore this warning to ensure compatibility for those agents. If all of the agents in the zone have been upgraded, you can right-click the warning in the Analysis Results, then select Remove privateGroupCreation attribute to update the zone format.

  If a computer profile was created using the version 2.x console, the warning "Unix computer is in old format" is displayed.
    If any computers in the zone are running version 2.x or 3.x agents, you should ignore this warning to ensure compatibility for those agents. If all of the agents in the zone have been upgraded, you can right-click the warning in the Analysis Results, then select Remove managedBy and unix_enabled attribute to update the computer profile in the zone.

  If a group profile was created using the version 2.x console, the warning "Unix group is in old format" is displayed.
    If all of the agents in the zone have been upgraded, you can right-click the warning in the Analysis Results, then select Remove managedBy attribute to update the group profile in the zone.

  If a user profile was created using the version 2.x console, the warning "Unix user is in old format" is displayed.
    If all of the agents in the zone have been upgraded, you can right-click the warning in the Analysis Results, then select Remove managedBy and app_enabled attribute to update the user profile in the zone.

  If a computer, group, or user profile exists, but no corresponding Active Directory computer, group, or user object is found, the warning "Orphan UNIX data object" is displayed.
    In general, this issue occurs if an administrator removes an Active Directory computer, group, or user object manually using ADSI Editor or Active Directory Users and Computers but the corresponding data is not removed for the UNIX profile. Right-click the warning in the Analysis Results, then select Remove orphan profile to remove all of the UNIX properties associated with the orphan profile.

  If a computer, group, or user profile has inconsistent links, an informational "Inconsistent links" alert is displayed.
    Computer, group, and user profiles are associated with Active Directory computer, group, and user objects through either the managedBy attribute (agent version 2.x) or a parentLink value in the keywords attribute (agent version 3.x and later). If the links refer to different Active Directory objects, you will see this alert. Right-click the alert in the Analysis Results, then select Overwrite with the active link to remove outdated links.

  If a computer, group, or user profile does not have a parentLink value defined, a "Missing parentLink" warning is displayed.
    Right-click the warning in the Analysis Results, then select Missing parentLink to add the parentLink value to the keywords attribute.

  If the parent container for a zone is another zone object, an error is displayed.
    No responsive action can be taken directly within the Analysis Results for these issues. You should move the zone to another parent container or delete and recreate the zone in a different location.

  The computer ObjectName contains Centrify information but it is not in a zone.
    Right-click the warning in the Analysis Results, then select Move to Zone to search for and select the zone you want to place the computer in.