9 Replies Latest reply on Mar 29, 2018 3:05 PM by Recursion

    How quickly should LDAP changes show up in LDMS query?

    bdwest Apprentice

      We prefer to deploy software based on AD security groups.  Ideally, we put a machine into a security group, then within a few hours LDMS installs the software associated with that group.  But I can't figure out exactly what mechanism tells a client, and thus the core server, what security groups a system is in, or when that mechanism runs.  I put a machine in a security group, did a hardware inventory, a hardware-and-software inventory, a Full Sync inventory, ran gpupdate /force on the system and ran all three different inventories, rebooted and did the inventories, then even did a vulscan (though I don't think there's any connection there).  The system would not recognize the new membership in that security group until sometime last night.  I'd like to know how a system recognizes the new membership so I can "nudge" a given system to help it install software faster.  I would think this is in the User Guide somewhere, but I've looked and looked and haven't found it anywhere.



        • 1. Re: How quickly should LDAP changes show up in LDMS query?
          carlos Expert

          Depending on your environment, changes to AD are usually instant IF the machine is in the same group/subnet/etc.; if not, you have to wait for the ADs to sync before you see those changes propagated. You can force a sync between ADs if you need to.


          • 2. Re: How quickly should LDAP changes show up in LDMS query?

            Hi bdwest,


            For anything that uses the scheduler, such as software packages targeted to LDAP expressions, the scheduler evaluates LDAP objects daily. This is done overnight.


            You can change this setting under Configure > Services > Scheduler. There are settings for LDMS query evaluations and for LDAP query/object evaluations.


            For anything using inventory itself, such as an LDMS query (i.e. shows under "Queries" and not "LDAP queries"), the client will update that information when the ldapwhoami.exe process runs. This is generally run when policysync runs. On older versions such as 2016.3, this is also run as part of Inventory.


            After that runs, the next Inventory Scan on the client would contain that data. This is generally user specific data though, and some computer membership info.

            • 3. Re: How quickly should LDAP changes show up in LDMS query?
              bdwest Apprentice

              I took the beginning Boot Camp last May.  In reviewing my notes from that class I realize where I got my expectations set.  Here's what I have in my notes about this:


              "Local scheduler retains some 'intelligence', but in general the IEM agent is 'dumb.'  For example, if a computer gets added to an AD security group, the server checks in with AD (how often? Goes by MS default for how often external entities can talk to AD--teacher says less than 90 seconds), recognizes change, then takes an action based on that change.  The agent has no independent knowledge of AD or the if/thens stored in the Core Server."


              This is more consistent with what carlos wrote above.  But my actual experience is more like what Ryan said.  We have a small population (~8-900 systems), so I set the "Interval between query evaluations" in the Scheduler tab of the "Configure LANDESK Software Services" window to 20 minutes, hoping that would improve the dynamism and response time of LDAP-based software deployments.  But if I understand Ryan correctly, the agent on an individual system is what feeds the Core Server's database the specific information about that system's AD group membership?


              Thanks for the replies, but I'm still confused.

              • 4. Re: How quickly should LDAP changes show up in LDMS query?
                carlos Expert

                No matter how often the core/agent check, they will not reflect any change until the DC that your core is connected to does.

                • 5. Re: How quickly should LDAP changes show up in LDMS query?

                  So you're mixing LDAP and Inventory.


                  The agent is responsible for sending back Inventory data. Inventory does contain some ldap information.


                  However, targeting an LDAP Query is not the same as targeting an LDMS (inventory based) query.


                  I.e., there are two ways to use LDAP data in EPM, and which one you use determines how the data is updated and handled. The scheduler setting is for LDAP, not Inventory.

                  • 6. Re: How quickly should LDAP changes show up in LDMS query?
                    bdwest Apprentice

                    Okay.  We only have two DCs, on the same local network, so there shouldn't be much lag between one getting the change and the other getting it.  Maybe a few minutes, at most.  So...

                    1. I make the change in AD on one of the DCs.
                    2. The DCs sync up.
                    3. Then what?  What mechanism is most likely next to check AD and store the change?  Where does it store the change?


                    If the ultimate goal is to have membership in an AD group trigger software installation, should I just set our expectations that it won't be triggered until the Core Server does its update in the middle of the night?

                    • 7. Re: How quickly should LDAP changes show up in LDMS query?
                      carlos Expert

                      Let's analyse what you are trying to do. If we understand correctly, you want to:


                      1. Deploy software based on AD security groups (and to any new devices added to its corresponding SG). 

                      This is easy enough, however we need to understand the steps.

                      The deployment happens according to your distribution settings (schedule and network LAN or WAN, PUSH or POLICY); however, the tricky part, as I understand where you are having problems, is that when a new device is added to a Security group, the task is not being run as soon as you would like.

                      For this we have to consider the following:

                      • a) The scheduled task needs to have visibility of the targets (query or any other means), meaning that it knows that the new device has been added to a new Security group. This will not happen until (as I mentioned above) all replication of the AD settings has been completed across the domain/forest (specifically if the core and new device are controlled by separate DCs). Looks like you have already covered this, and you are positive that the change is "visible" from the core.
                      • b) Once the above is done, then it is up to the task to work, but it will not work (push the task) unless it is scheduled to do so. New devices added to a query will not automatically start any task unless the task is triggered against those new devices, manually or via a recurring task. After the task has been triggered, the corresponding schedule cycles will apply, and the task should complete. If this is not the case, then something in this chain of events is not happening or you have a bigger problem with Software Distribution.


                      I hope this helps.

                      1 of 1 people found this helpful
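As an added example (not from any poster in this thread, and not a LANDESK/EPM tool), the following PowerShell script checks step a) above: whether a computer's membership in the AD security group has replicated to every domain controller, so the core's DC will actually see it. It assumes the RSAT ActiveDirectory module is installed, read rights on the group, and uses the group name "Software X Systems" from this thread as a placeholder.

```powershell
# Added example: verify that a computer's group membership has replicated to all DCs.
# Assumes the ActiveDirectory module (RSAT) and permission to read group members.
param(
    [string]$ComputerName = $env:COMPUTERNAME,      # assumption: run from any domain-joined host
    [string]$GroupName    = 'Software X Systems'    # group name taken from the thread (placeholder)
)
Import-Module ActiveDirectory

# The group's "member" attribute stores distinguished names, so resolve the computer's DN once.
$computerDn = (Get-ADComputer -Identity $ComputerName).DistinguishedName

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Query each DC directly with -Server so we read that DC's own copy of the group,
        # instead of whichever DC the module would otherwise choose for us.
        $members = (Get-ADGroup -Identity $GroupName -Server $dc.HostName -Properties member).member
        [pscustomobject]@{
            DomainController = $dc.HostName
            IsMember         = ($members -contains $computerDn)
            Error            = $null
        }
    } catch {
        # An unreachable DC is reported rather than silently skipped.
        [pscustomobject]@{
            DomainController = $dc.HostName
            IsMember         = $null
            Error            = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize

# The change is safe to rely on only when every DC agrees it is present.
$notConsistent = @($results | Where-Object { $_.IsMember -ne $true })
if ($notConsistent.Count -eq 0) {
    Write-Host "'$ComputerName' is a member of '$GroupName' on all $($results.Count) DCs."
} else {
    Write-Host "Membership is not yet consistent across DCs (or a DC was unreachable); wait for replication before expecting the LDAP evaluation to pick it up."
}
```

If the DCs disagree, replication is the bottleneck rather than the LDMS scheduler interval; once all DCs agree, the remaining delay is the scheduler's LDAP object evaluation interval and the task trigger described in step b).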
                      • 8. Re: How quickly should LDAP changes show up in LDMS query?
                        bdwest Apprentice

                        Thanks for your patience in explaining this.  I think we're closer to a solution (regardless of how foolish I may appear by the end of it all).  I'll pick the most recent Scheduled Task as a guinea pig and describe my current setup.


                        I want to deploy Software X to all systems in an AD security group named "Software X Systems".  I have a query named "Software X Systems ADSG" with one line:

                        "Computer"."LDAP Groups"."Machine"."Display Name" = "Software X Systems"


                        My understanding is that this field will be populated when the local agent on a given computer runs ldapwhoami.exe, and from that sees what security group(s) the computer is a member of.  Secondarily, something I read somewhere indicated that ldapwhoami.exe only polls the OS for this, not AD directly.  So if the OS hasn't run a gpupdate or been rebooted lately, the OS won't have an up-to-the-minute list of its group memberships, either.  Is that true?


                        In any case, that field gets updated, so that query newly shows the system I added.


                        The Scheduled Task that I intend to deploy the software with is:

                        • a policy-supported push
                        • Action type: Run automatically (do not display in client portal)
                        • Frequency: Run once.
                        • Accelerated push is checked, but no other Additional Push options
                        • Download options is set for Download and execute.
                        • Under Targets I have the "Software X Systems ADSG" Targeted query.
                        • Under Schedule task I have selected "Leave unscheduled (do not reschedule task)".


                        As I remember, I set it to "Leave unscheduled" because I was under the impression that scheduling the task restricted it to essentially a single use.  I want these to be always available. So when I think of it, I right-click the Scheduled Task and click "Start now\Devices that did not succeed".  When there's no time pressure, this seems to have an ongoing effect of running the task on systems newly added to the security group.


                        So now, based on what you've said, here's what I'm guessing may be the issue.  The way I'm setting these up, the only time these tasks are run is when the query is re-evaluated by the Core, which is once a day, usually at night.  So if I'm not watching a task like a hawk, having it be done by the next day is fine.  But this isn't sufficient for tasks that I need to be running in something closer to real-time.


                        Is the solution to change the Frequency to Run hourly?  Or do I need to totally rethink how I'm setting up these tasks?


                        Thanks again for your help.

                        • 9. Re: How quickly should LDAP changes show up in LDMS query?

                          I would consider using an LDAP query rather than an LDMS query. That way the Core can query your domain controller directly, rather than waiting for inventory to come in once a day for updated LDAP info.


                          You can target the query to that AD security group and change the LDAP object evaluation interval to a shorter time period.


                          That said, having the task run hourly works as well. Make sure you set it to run on clients that haven't been attempted yet, and not "All", or you'll end up with machines running it over and over.