Troubleshoot integration issues in the OCI IAM Microsoft Active Directory Bridge

November 30, 2023 | 3 minute read
Ranjini Rajendran
Senior Cloud Engineer

Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) offers a Microsoft Active Directory (AD) bridge that enables organizations to keep AD as the authoritative source for identities while allowing those identities to access systems and applications that aren't integrated with AD directly. The bridge establishes a connection between the on-premises AD environment and OCI IAM. Over this connection, any change made to user or group records in AD (additions, updates, or deletions) is synchronized to an OCI IAM identity domain.

The most typical errors encountered during initial setup of the Microsoft AD Bridge are related to synchronization. This blog post provides essential information, tips, and useful links to help you establish successful connections to your source and target endpoints. Before proceeding, we recommend that you review the guidelines provided in About the Microsoft Active Directory (AD) Bridge to set up the AD bridge connection.

Use Case 1: Groups aren't synchronizing

One potential synchronization issue is where users synchronize, but the corresponding groups don’t. In these cases, the logs might display an error such as "ERROR IDBridge - GetResponseAsync: The server cannot handle directory requests". Use any of the following troubleshooting methods to determine the cause.

  • On the Directory Integrations page, look over the Organizational Unit configuration. The OUs for users and groups must be chosen independently. Make different selections for groups and users, even if they are in the same OU. After making the necessary adjustments, remember to save the configuration page.
  • Verify the user/group filter that is being used on the configuration page. Use PowerShell to execute the filter and check whether your users are visible there.
  • Check the network connectivity from the host where the AD bridge is installed and configured to Active Directory.
  • Ensure that the Active Directory administrator account used by the bridge has access to every OU.
  • Ensure that the AD Bridge is using the latest version. If not, upgrade it accordingly.
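The following PowerShell script is an added example (it is not part of the original post and not Oracle's bridge code) that runs the checks above from the bridge host: it tests LDAP connectivity to a domain controller, executes the user and group LDAP filters scoped to their respective OUs the way the bridge does, and lists the OUs the current account can read. The server name, OU distinguished names, and filters are assumed placeholders; replace them with the values from your Directory Integrations configuration and run the script as the AD account configured in the bridge so that permission gaps show up.

```powershell
# Added example, not from the Oracle post. Requires the RSAT ActiveDirectory module.
# All values below are assumptions: substitute your own DC, OUs, and bridge filters.
Import-Module ActiveDirectory

$Server      = 'dc01.corp.example'                              # assumed domain controller
$UserOU      = 'OU=Users,OU=Corp,DC=corp,DC=example'            # assumed user OU
$GroupOU     = 'OU=Groups,OU=Corp,DC=corp,DC=example'           # assumed group OU (selected separately from users)
$UserFilter  = '(&(objectClass=user)(objectCategory=person))'   # assumed bridge user filter
$GroupFilter = '(objectClass=group)'                            # assumed bridge group filter

# 1. Network reachability from the bridge host: LDAP (389) and LDAPS (636).
foreach ($port in 389, 636) {
    $r = Test-NetConnection -ComputerName $Server -Port $port -WarningAction SilentlyContinue
    '{0}:{1} reachable = {2}' -f $Server, $port, $r.TcpTestSucceeded
}

# 2. Run the user filter scoped to the user OU, as the bridge would.
$users = @(Get-ADUser -Server $Server -LDAPFilter $UserFilter -SearchBase $UserOU -SearchScope Subtree)
'Users matched: {0}' -f $users.Count

# 3. Run the group filter scoped to the group OU. Zero matches here with users
#    syncing fine points at the group OU selection or the group filter.
$groups = @(Get-ADGroup -Server $Server -LDAPFilter $GroupFilter -SearchBase $GroupOU -SearchScope Subtree)
'Groups matched: {0}' -f $groups.Count
if ($groups.Count -eq 0) {
    Write-Warning 'No groups matched: re-check the group OU and group filter on the Directory Integrations page.'
}

# 4. List every OU the current account can read. An OU that should be synchronized
#    but is missing from this list is one the bridge account lacks access to.
$domainDn = (Get-ADDomain -Server $Server).DistinguishedName
Get-ADOrganizationalUnit -Server $Server -Filter * -SearchBase $domainDn |
    Select-Object -ExpandProperty DistinguishedName
```

Run the script from the bridge host itself, not from an administrator workstation, because the connectivity and permission results only count for the host and account that the bridge actually uses.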

Use Case 2: Network-level segregation of Active Directory Domain

In certain cases, the on-premises environment consists of a single AD domain, while different environments, such as development, QA, and production, are segregated at the network level. Each of these environments has its own set of users and groups that need to be synchronized. However, having a separate AD bridge connector for each environment isn't feasible in this scenario: the AD bridge recognizes only the domain name, which is the same across all environments, so you can establish only one AD bridge connection.

Use Case 3: Hierarchical Active Directory structure

If you have a hierarchical Active Directory structure with a root AD domain and child domains, an AD bridge configured in the root domain doesn't retrieve users and groups from the child domains. To synchronize those users, you must configure a separate AD bridge for each child domain.

A graphic depicting the architecture for  a deployment with a root domain and separate child domains.

Use case 4: Configure high availability for AD bridge

The primary objective is to enable high availability for the AD bridge configuration in the production environment. You must set up an AD bridge on two distinct Windows machines and submit a service request with Oracle support to activate the high availability feature. Even with high availability enabled, you don’t have automatic domain discovery to connect to the other node if one domain controller becomes unreachable. In such cases, you can initiate manual discovery by utilizing the Detect Domain Controller button in the AD bridge connector agent.


A screenshot of the AD bridge connector agent screen showing the Test Success window with the Detect Domain Controller button highlighted.

Conclusion

These examples represent a few possible scenarios that you might encounter when configuring the Oracle Cloud Infrastructure IAM Microsoft AD bridge. We hope that these scenarios are useful during troubleshooting. If you refer to the AD bridge installation documentation and follow the instructions provided, you can successfully establish a synchronization process. To learn more, visit the Oracle Identity Cloud Service documentation.

Ranjini Rajendran is a senior cloud engineer with good experience in OCI. Areas of expertise include Identity and Access Management, security, and federation with IDCS/identity domains for single sign-on and automatic user provisioning, along with knowledge of OCI infrastructure, Terraform, Python, and the OCI CLI.