Hello,

We are suffering from very bad performance when exporting updates from metaverse to AD.
The AD management agent takes among one minute per updated account(several days if we have an update on all accounts).
However the synchronization step is quite fast (among a few minutes).

In order to identify the source of the problem, we tried to made an update on all accounts with a VB.NET script.
We have executed this script localy (on the FIM synchronization service server) and it takes only several minutes.
This is why we are convinced that this issue is not relative to AD configuration.

Then, we have made several checks on the database configuration but we didn't find any problem in particulary, regarding the points below.
- table size
- cpu / memory / disk space shortage
- no dead lock
- queries execution time lower than one second

We would be grateful for any help, advice or feedback on the subject

Regards,

Serge Bouchut

My first suspect would be network, infrastructure and AD configuration:

- AD - DNS : check if all names resolves correctly and DNS works as expected

- Check which DC is used by your FIM. Your AD MA uses DC Locator to find a DC. If AD configuration will point it out to some remote location round trip might be a long one 

Second: Are you using it t provision Exchange - if yes it is doing a call to Exchange after every export operation. This might be a suspect. 

For all above - doing network trace will tell you what's wrong right away. 

BTW - synchronization is process which is being done only within FIM service and database so time of its execution is irrelevant for network operations.

Hello Tomasz,

Thank your for your answer. I will investiguate all this points and made a feedback later. :)

Regards,

Also, you could pinpoint AD management agent to communicate with a specific DC. It was the case in my recent Galsync scenario at customer test lab site. Export speed went up from 5 objects/minute to 1200/minute.

I was going to make the second of Tomasz' recommendations - my first thought is Exchange.  If this turns out to be the problem, and you do need to provision Exchange mailboxes, try turning off the Exchange settings on the MA and use a post-export PowerShell script to check for AD accounts missing their mailboxes, calling the Enable-Mailbox for each user object returned.

Thank you all for your replies. After desactivated exchange provisioning in AD MA, the connector performed 100 updates in 9 seconds (instead of more than 1h with the provisioning).

Do we have alternatives to the "post export powershell" way?

Regards,

Serge

• Edited by Serge_B Wednesday, January 15, 2014 12:21 PM

Only alternatives that come to mind are an ECMA or a PowerShell MA.