limitedsynccheck
Use the limitedsynccheck program to check the consistency of a limited subset of tables across all nodes. This program can only serve as a starting point, and you should further investigate any potential problems.
The limitedsynccheck program is not a general-purpose health checker and should not be run on a nightly basis. It does not guarantee that all possible types of desynchronizations will be caught. It does not attempt to fix anything. It cannot and does not try to handle normal desynchronizations resulting from replication delay.
This program can check:
The absence/presence of objects
The consistency of a very specific number of important fields
A predefined list of object types
For example, it does not check that target system descriptions are synchronized; it checks their absence/presence, address, and platform. Similarly, it does not check anything about import rule configuration (other than managed system policy assignments, which is only indirectly related).
The program should be run as a sanity check when reasonable. For example:
Immediately after performing a resynchronization operation. If limitedsynccheck reports any desynchronizations after such an operation, then the operation was not successful.
Prior to going live. If limitedsynccheck reports any desynchronizations, resolve them before going live.
If you suspect that there is a problem caused by a major desynchronization, to quickly gather troubleshooting information. Review the output with a critical eye as some results may not be cause for concern. It might be valuable to run the program a few days in a row and compare what it reports on each day to filter out such things.
The limitedsynccheck program can be run from any node as long as the Database service (iddb) is running on all nodes.
Usage
limitedsynccheck [-<table>...]
Run with no parameters to check all object types. This may be slow if there are a lot of objects. You can specify any number of object types to check.
Argument | Description |
---|---|
-account | Check accounts. This may be slow. |
-acl | Check access controls |
-attribute | Check attribute definitions |
-attributegroup | Check attribute group definitions |
-msp | Check managed system policies |
-mspacctassign | Check managed system policy account assignment. Note that if accounts are not in sync, then their assignments will not be either. This may be slow. |
-mspwstnassign | Check managed system policy managed system assignment. This may be slow. |
-prequest | Check pre-defined requests |
-prequestmember | Check pre-defined request members |
-prequestwizard | Check pre-defined request wizard configuration |
-rbacrole | Check RBAC roles |
-rbacsod | Check RBAC segregation of duties rules |
-resgroup | Check resource groups |
-resmember | Check resource group members |
-sysvar | Check system variables |
-target | Check target systems |
-template | Check account templates |
-userclass | Check user class |
-userclassactor | Check user class actors |
-userclassdefattr | Check user class attribute definitions |
-userclassdefgroup | Check user class group definitions |
-userclassdefpslang | Check user class PSLang definitions |
-userclasspoint | Check user class points |
-userclasspointactor | Check user class point actors |
Examples
To check if target systems are synchronized (not missing or surplus) across all nodes:
limitedsynccheck -target
To check if attributes and attribute groups are synchronized across all nodes:
limitedsynccheck -attribute -attributegroup
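To compare reports from several days and filter out results caused by replication delay, as suggested above, the comparison can be scripted. This is an added example, not part of the product or its documentation: the function names are hypothetical, it assumes limitedsynccheck is on PATH and that each non-blank output line is one finding whose text is stable between runs, and the sample lines are constructed because the real output format is not shown on this page.

```python
"""Added example: separate persistent limitedsynccheck findings from transient ones."""
import subprocess
from collections import Counter


def run_check(*tables):
    """Run limitedsynccheck with the given table flags (e.g. "-target") and
    return its output. Assumes the program is on PATH on this node."""
    proc = subprocess.run(["limitedsynccheck", *tables],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def findings(report):
    """Assumption: each non-blank output line is one finding and the line
    text is stable between runs (no embedded timestamps)."""
    return {line.strip() for line in report.splitlines() if line.strip()}


def classify(reports):
    """Split findings from several runs into (persistent, transient).

    persistent: reported in every run, so replication delay is an unlikely
                explanation and the item deserves investigation.
    transient:  reported in only some runs; likely cleared on its own.
    """
    seen = Counter()
    for report in reports:
        seen.update(findings(report))
    persistent = sorted(f for f, n in seen.items() if n == len(reports))
    transient = sorted(f for f, n in seen.items() if n < len(reports))
    return persistent, transient


if __name__ == "__main__":
    # Constructed sample text; the real output format is not shown on this page.
    day1 = "target SRV-A missing on node2\naccount jdoe differs on node3\n"
    day2 = "target SRV-A missing on node2\n"
    day3 = "target SRV-A missing on node2\nattribute DEPT missing on node2\n"
    persistent, transient = classify([day1, day2, day3])
    print("persistent:", persistent)
    print("transient:", transient)
```

In practice, save the output of `run_check("-target")` once per day and pass the saved reports to `classify`; the persistent list is the one to investigate first.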