DCE unresponsive after adding a Remote User

DCIM_Support · ‎2020-07-02

After Adding a new remote user today DCE become unresponsive and had to be rebooted. This was caused because we have a missive number of users in the active directory OU that the authentication server search base points to. Even when trying to add a user the user list is slow to update and sometime hangs as well.

Would welcome feedback from other organizations with very large Active directory installations as to how we could overcome this issue.

DCIM_Support · ‎2020-07-02

HI Richard, There is a KBase FA158395, that gives tips in how to incorporate AD into DCE. Did you take a look at this KBase? It advises to reduce the search base or have more tightly defined search bases. Also multiple bind entries can be configured on DCE. Regards, Breda

DCIM_Support · ‎2020-07-02

Hello Richard,

Like Breda recommend, please navigate to the URL below and search the kbase ID FA158395

http://www.apc.com/site/support/us/en/faq/

Thank You

DCIM_Support · ‎2020-07-02

I have looked at the KBase and it states that Schneider tests up to 10,000 objects in AD. Looks like I'm in trouble as our lowest level OU will return 3-4 times the tested amount of objects hence why DCE crashes. At this stage I cannot see any way to refine the search base to reduce the number of users returned. For each DCE we already have to have multiple authentication servers configured to cover our 3 domains and different user OU's within each domain. Having to add more is not a perfect solution as every 90 days we have to change the bind password on every authentication server and every DCE appliance which starts to become an administrative issue which is what AD authentication should really eliminate not add to. Any further ideas would be greatly appreciated. Richard

DCIM_Support · ‎2020-07-02

I think I would need the option of adding a filter option to the search to maybe try and limit users by their country attribute. It would be much better if you could just add a single authentication server then add users through DCE and have them simply authenticated against AD rather than add them via AD. Similar to what you can achieve in DCO for authentication.

DCIM_Support · ‎2020-07-02

Customers in the past have created an additional OU to place DCE users within. This way DCE will not have to search within 10000+ objects in AD. Again, this is what customers have done in the past to circumvent the number of users within one container or OU.

DCIM_Support · ‎2020-07-02

Unfortunately I will not have the ability to change our global AD structure in any way to reduce the object count. Are there any plans to make improvements to AD authentication in future releases?

DCIM_Support · ‎2020-07-02

This is still an open issue as large companies do not always have the option of changing their AD structure just to suit one application. I would request that some investigation be done into how DCE can simply authenticate to AD similar to how it is done in DCO rather than having to return a list of every user in AD just to select one user.

DCIM_Support · ‎2020-07-02

This question is closed for comments. You're welcome to start a new topic if you have further comments on this issue.