Active Directory collection taking time
I have integrated AD with RSA IGL, I noticed during AD IDC/ADC it is taking time.
e.g. for collection total 18 users (1 new user with other no changes) only it took 6 min.
I have to collect around 25K user/accounts from AD, I am not sure how much time it is going to take.
Note: ping response from IGL to AD is 2-4 ms
Any suggestion how AD collection can be improved ? also how the AD collector works , will it iterate all the users/account in AD or only changed one.
- Community Thread
- Data Collection
- Forum Thread
- Identity G&L
- Identity Governance & Lifecycle
- RSA Identity
- RSA Identity G&L
- RSA Identity Governance & Lifecycle
- RSA Identity Governance and Lifecycle
- RSA IGL
That response time from your AD Domain Controller seems pretty high, which would explain the high collection times.
Are there other domain controllers within your Active Domain environment you could test to see if you are seeing similar response times?
There are multiple reasons why you may be experiencing these response times such as DNS config or even just physical distance between the servers. I had a customer with IGL server based in the UK trying to retrieve data from a DC in the US and the collection times were reduced massively by using a DC in the UK. I would troubleshoot this with your network guys first to try and get those ping times down and you will see a massive drop in collection time. 25k accounts will be no problem for IGL.
Regarding the AD Collector and collectors in general: All collectors collect ALL accounts and permissions, not changes/deltas and AD works via LDAP.
Can you ask them to be more specific in exactly what it is they are looking for when they say data flow?
The AD collector is using basic LDAP queries to return data on users and groups. The exact filter on the query will be in the collector config and will be behaving no differently to running these queries using something like LDAP Browser to query the DC.
This feels like a secondary issue - if they don't resolve the fact ping responses between the app server and the DC are 2-3 mins then it doesn't matter how simple or complex the LDAP query is.
Thanks sure, but i dont think that is going to help them.
Anyways, Any idea how much time it generally take to collect 20K account and 200 Group + their members in RSA ?
What are you using for your User Base DN? If you are pointing this to the root of the directory you may be asking AD to search through millions of records to find the 18 users.
The User Base DN should point to the object containing the users, and not the root of the server.
If you wish to collect from multiple containers you may need to use separate collectors.
You can also bind to the Global Catalog domain (with some limitations) to get AD users if you must collect across multiple domains and have no other solutions.
You can can see the actual response time from AD for the search query if you do a tcpdump packet capture (best done using non SSL mode) and inspecting the LDAP request and response.
You can also test this out of band using the ldapsearch command (installed on our appliances by default).
For example the following command emulates a typical search for 1000 users that would be generated by RSA IG&L.
ldapsearch -h 192.168.10.10 -p 389 -D '2k8r2-vcloud\administrator' -w password -z 1000 -b 'ou=vcloud users,dc=2k8r2-vcloud,dc=local' '(&(&(objectCategory=person)(objectClass=user))(sAMAccountName=*))' mail givenName objectGUID sn department title sAMAccountName