Applies to: Centrify Zone Provisioning Agent on DirectControl 5.0.0 and above
The Zone Provisioning Agent may sometimes give unexpected results, such as users/groups not being added to the Zone.
What can be done to troubleshoot such issues?
- The ZPA monitored container is set to the entire domain by default. However, if a specific container is defined for Zone Provisioning Agent instead; make sure it is set to the container ABOVE the Zone to be auto-provisioning and nothing else (i.e. It should not be an AD group). See the screenshot below for the steps on how to do so:
- If nothing appears in "Groups" even after enabling auto-provisioning for group profiles, make sure the source group is set to the AD group that contains the list for group profiles.
E.g. AD group "CheeseBurger" is a member of AD group "Burgers". To have "CheeseBurger" in the group list of the auto-provisioned Zone, put "Burgers" as the source group as seen from the screenshot below:
- If an Active Directory group for "Primary group" is defined under "Enable auto-provisioning for user profiles", make sure that the group is included in the "Groups" list for that Zone (Take a look at the screenshot below for more information).
If the group does not appear in the list, add the target group manually by right-clicking "Groups" after disabling auto-provisioning on that Zone. Re-enable auto-provisioning after adding the group.
- If you cannot add a user and the console keeps telling you that a user name with that UNIX name already exists, make sure there are no orphaned UNIX objects in the zone:
- If the user’s Unix login name automatically truncates itself to 8 characters:
This was a known issue with older versions of Centrify
- If you keep getting the error message “Server is NOT operational”:
Set up DNS correctly:
- If ZPA stopped provisioning user with error “The group’s SID couldn’t be resolved”:
Make sure there are no users/groups with unresolvable SIDs