Problem
The AD Connector Rules were creating the email address only sporadically (the address is created through another PowerShell script): it worked for 70% of identities and failed for the remaining 30%.
Diagnosis
After initial analysis and RCA, we found that the connector rule did not include enough sleep time, that provisioningTimeOut was too low, and that the log entries were being written to a file that was getting locked.
Solution
- Make sure that the actual operations in AD are called through child PowerShell scripts, which results in an asynchronous call, as per SailPoint recommendations. DO NOT WRITE THE LOGIC DIRECTLY IN THE AD CONNECTOR RULES.
- Add some sleep time before and after calling the child PowerShell script.
- Increase the overall provisioning timeout, following the recommendation below.
Calculate the total sleep period included in your CONNECTOR RULE as well as in your child PowerShell scripts, and increase the provisioning timeout accordingly. Always allow some buffer time as well. If the total amount of sleep is 95 seconds, use 120 seconds as the provisioning timeout.
- When you write logs to a text or log file, make sure you use the -Force option. Example.
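
The following sketch is an added illustration, not the original rule or SailPoint's own code. It combines the points above: sleep before and after an asynchronous child-script call, a timeout computed from the total sleep plus buffer, and log writes that use -Force and retry when the file is locked. The paths, script name, account name and durations are assumptions.

```powershell
# Added illustration, not the original rule. All paths, names and durations are assumptions.
$LogFile         = 'C:\SailPoint\Logs\AfterCreate.log'          # hypothetical log path
$ChildScript     = 'C:\SailPoint\Scripts\Set-EmailAddress.ps1'  # hypothetical child script
$SamAccountName  = 'jdoe'   # constructed sample; a real rule reads it from the provisioning request
$SleepBefore     = 15       # seconds slept in this rule before the child call
$SleepAfter      = 30       # seconds slept in this rule after the child call
$ChildSleepTotal = 50       # seconds of Start-Sleep inside the child script
$Buffer          = 25       # safety margin on top of the total sleep

function Write-RuleLog {
    param([string]$Message, [int]$Retries = 5)
    $line = '{0:yyyy-MM-dd HH:mm:ss} [{1}] {2}' -f (Get-Date), $PID, $Message
    for ($i = 1; $i -le $Retries; $i++) {
        try {
            # -Force as the page recommends; -ErrorAction Stop makes a locked file catchable
            Add-Content -Path $LogFile -Value $line -Force -ErrorAction Stop
            return $true
        } catch {
            Start-Sleep -Milliseconds (200 * $i)   # another run holds the file; back off, retry
        }
    }
    return $false   # a failed log write must not fail the provisioning operation
}

# Timeout to configure = every sleep in the rule and child script, plus buffer (95 + 25 = 120)
$RequiredTimeout = $SleepBefore + $SleepAfter + $ChildSleepTotal + $Buffer
[void](Write-RuleLog "Start $SamAccountName; provisioning timeout must be >= $RequiredTimeout s")

Start-Sleep -Seconds $SleepBefore    # sleep before calling the child script

# Start-Process without -Wait returns immediately, so the AD work runs asynchronously
$childArgs = @('-NoProfile', '-File', "`"$ChildScript`"", '-SamAccountName', $SamAccountName)
$child = Start-Process -FilePath 'powershell.exe' -ArgumentList $childArgs -PassThru -WindowStyle Hidden
[void](Write-RuleLog "Child script started, PID $($child.Id)")

Start-Sleep -Seconds $SleepAfter     # sleep after calling the child script
if ($child.HasExited) {
    [void](Write-RuleLog "Child script finished within $SleepAfter s")
} else {
    [void](Write-RuleLog "Child still running after $SleepAfter s; check its own log")
}
```

Including the process ID in each log line makes it possible to tell concurrent rule executions apart when several identities are provisioned at once.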
