Active Directory synchronization does not recognize changes on user attributes when Domain Controller fails over or load balancing is used
Am I affected?
All 126.96.36.19910 and later installations are affected where failover or load balancing is configured for the Domain Controllers.
The Verba system relies on the usnChanged attribute to identify if a user entry is changed and needs to be updated in the Verba database. This attribute is unique on all Domain Controllers but due to an issue in the Verba software, the system does not take into consideration the different usnChanged attributes and only uses the last one. In case of Domain Controller failover or in a load balancing configuration, the system might not recognize if the user is updated, because it validates the usnChanged attribute of another Domain Controller which was previously used during the AD synchronization (and not for the one which is currently connected to). Since the issue prevents the system to recognize user configuration changes, which can include recorded extension configuration, the system does not synchronize the latest information from the AD and this could lead to configuration issues and eventually data loss. The problem does not occur if the system is always connected to the same AD.
The system should be reconfigured to connect to a single Domain Controller temporarily and prevent failover or load balancing this way. This can be achieved by configuring the direct address of the Domain Controller.
Patches are now available to fix this issue for all affected versions. Please contact our support service at https://support.verba.com/ to get help for installing the update.