I'm trying to sync some AD groups that have other groups as members. So far I've tried many combinations but could not find a way to do the sync without errors.
The structure looks similar to this:
OU=MyVRAGroups:
AD-Group-VRA-Users
|
|--->AD-Group-Members1
|    |
|    |--->MemberA
|    |--->MemberB
|--->AD-Group-Members2
     |
     |--->MemberC
     |--->MemberD
vRA directory type: Active Directory over LDAP.
All groups belong to the same domain. Base DN is the root of the domain, Bind DN is an account that has read permissions on all objects.
In the sync settings I input the OU LDAP path that includes the AD-Group-VRA-Users DN as the Group and User DN.
When trying to start the sync I get the errors:
While verifying the directory configuration, the following errors occurred. You might want to resolve these errors before syncing to the directory:
Directory object not found: OU=MyVRAGroups,DC=domain,DC=local.
While verifying the directory configuration, the following warnings occurred. You might want to resolve these errors before syncing to the directory:
Missing group (CN=AD-Group-Members1,OU=MyVRAGroups,DC=domain,DC=local) referenced by user.
Missing group (CN=AD-Group-Members2,OU=MyVRAGroups,DC=domain,DC=local) referenced by user.
The sync can be run; however, only the user objects and the one "top" level group AD-Group-VRA-Users are synced, not the nested group objects. After the sync is finished, there is a success message, but there are still alerts with the same warnings about "Missing group referenced by user".
So in vRA, for example under business group members, I can add the synced users as members, but not the synced groups.
Are there any guidelines on how to properly configure AD objects for the vRA directory sync? So far my deployment has been a failure because of that.
Additionally, the appliance does not seem to be able to sync a big number of (nested) groups above a certain threshold and just throws errors about problems with the connector in the sync log.