-9011 & -659 error publishing changes into Identity Vault

  • 7023328
  • 05-Sep-2018
  • 05-Sep-2018

Environment


Identity Manager 4.x
Identity Manager Driver - Active Directory

Situation

The driver is stuck in a loop trying to publish changes into the Identity Vault. The trace shows Code(-9011) with eDirectory error -659 ERR_TIME_NOT_SYNCHRONIZED.


-------------trace snippet from publisher channel--------------

<nds dtdversion="4.0" ndsversion="8.x">
  <source>
    <product edition="Standard" version="4.6.1.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
  </source>
  <output>
    <status event-id="TestDomain domain##165a6630ae6##0" level="retry">Code(-9011) eDirectory returned an error indicating that the operation should be retried later:  novell.jclient.JCException: modifyEntry -659 ERR_TIME_NOT_SYNCHRONIZED<application>DirXML</application>
      <module>TestDomain domain</module>
      <object-dn>CN=User1,CN=Users,DC=TestDomain,DC=NetIQ,DC=com (mountain\users\User1)</object-dn>
      <component>Publisher</component>
    </status>
  </output>
</nds>

-------------end trace snippet from publisher channel--------------

Resolution

1. Using iMonitor, look at the modification time stamp on the object specified in the error message.
(iMonitor: https://IPAddressOfServer:8030/nds)

In this case the user is: mountain\users\User1

Browse down to the user and look at the modification time stamp on the user.



For this error, expect the modification time stamp to be in the future. If it is, you have the following options to resolve the issue.

1.   First verify time is correct (date) and in sync (ndsrepair -T) on ALL servers in your Identity Vault tree.
 
2.   Once time is correct and synchronized, then you have the following options.

  A.   Wait for the time to pass the future modification time stamp on the object in the error message.

  B.   "Repair time stamps and declare a new epoch" for the partition(s) affected by the future time stamp(s).  Note:  Details on how to "repair time stamps and declare a new epoch" are not provided here, as the procedure can potentially be damaging to your eDirectory tree if not done properly.

The procedure invalidates all replicas but the master replica, time stamps all objects, then sends them back out to the other replica holders. It is advised that you open a service request with the eDirectory support team if you need to perform a "repair time stamps and declare a new epoch" on your partitions.
Preferably use Option A above instead.
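
The following is an added example, not part of the original article or of any NetIQ tooling. It pulls the affected Identity Vault object and the error codes out of a publisher-channel retry status like the one in the trace above, and computes how long Option A requires waiting. The function names are hypothetical, the sample trace and time stamp are constructed, and it assumes the Identity Vault path is the parenthesised suffix of `<object-dn>`, as in the trace shown.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample modelled on the publisher-channel trace in this article.
SAMPLE_TRACE = r"""<nds dtdversion="4.0" ndsversion="8.x">
  <output>
    <status event-id="TestDomain domain##165a6630ae6##0" level="retry">Code(-9011) eDirectory returned an error indicating that the operation should be retried later:  novell.jclient.JCException: modifyEntry -659 ERR_TIME_NOT_SYNCHRONIZED<application>DirXML</application>
      <module>TestDomain domain</module>
      <object-dn>CN=User1,CN=Users,DC=TestDomain,DC=NetIQ,DC=com (mountain\users\User1)</object-dn>
      <component>Publisher</component>
    </status>
  </output>
</nds>"""

# Driver code in "Code(...)", then the eDirectory code and name at the end.
ERROR = re.compile(r"Code\((-\d+)\).*?(-\d+) (ERR_[A-Z_]+)", re.S)
# Assumption: the Identity Vault path is the parenthesised suffix of <object-dn>.
VAULT_DN = re.compile(r"\(([^()]+)\)\s*$")


def retry_objects(trace_xml):
    """Return (vault_dn, driver_code, edir_code, edir_name) per retry status."""
    found = []
    for status in ET.fromstring(trace_xml).iter("status"):
        if status.get("level") != "retry":
            continue
        err = ERROR.search(status.text or "")
        dn = VAULT_DN.search(status.findtext("object-dn", ""))
        if err and dn:
            found.append((dn.group(1), int(err.group(1)),
                          int(err.group(2)), err.group(3)))
    return found


def seconds_until_writable(mod_time, now):
    """Option A: seconds until `now` passes a future modification time stamp."""
    return max(0, int((mod_time - now).total_seconds()))


if __name__ == "__main__":
    for vault_dn, driver_code, edir_code, name in retry_objects(SAMPLE_TRACE):
        print(f"{vault_dn}: driver {driver_code}, eDirectory {edir_code} {name}")
    # Constructed time stamp, standing in for the value read from iMonitor.
    mod_time = datetime(2018, 9, 6, 12, 0, tzinfo=timezone.utc)
    wait = seconds_until_writable(mod_time, datetime.now(timezone.utc))
    print(f"wait {wait} s before the object accepts modifications")
```
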


Cause

A future time stamp on an object will not allow modification of that object until that date / time has passed.