If you run the query outside of BladeLogic, using one of the users specified in the AP, what results do you get? Do you get users from both domains?
Additional disclosure: the two domains are part of a forest and have transitive and specific trusts set up. The AD instance is open to "read only" for all users.
If I run something like: dsquery group -name BLAdminGroup -d x.lab.com | dsget group -members
from domain X or domain Y's user, I get the same list of users and the global group as I listed above.
However, if I run a filtered query on the users, looking only for membership of BLAdminGroup, I only get the three in domain X.
Sounds like you need to change your query then.
Is there a log or some background on the way the method works or that tells me how BBSA structures its query?
To be sure, when I run my query, I get the answer I'm looking for -- 3 domain X users, 2 domain Y users, and a GG of domain X.
That is -- if I run a group membership query (i.e., name the group, list the users) from X\autoprincipalX, I get the same thing as if I run Y\autoprincipalY... 3 domain X users, 2 domain Y users, and a GG of Domain X.
If I run a "user query" where I filter on the group membership (i.e., filter users based on known membership) from domain X, I get only the 3 domain X users. If I run it from domain Y, I get nothing because, I assume, user membership in external domains is not stored with the user in the current domain.
So -- if I have to change my query -- what then would be the recommended query? I reckon that there isn't a straight LDAP Connection/Query/Group Mapping that would allow me to use my own query, eh?
Are the users in domain Y directly in the group in domain X, or are they in a group that's in the groupX?
That is correct. So the X\BLAdminGroup is directly populated with 3 users from domain X, 2 users from domain Y, and 1 GG of domain X users.
When I run the synchronization job in the BBSA console, I get all the Domain X users -- even those in the GG that is nested inside, which I suspect is related to the way the group filter is executed. My concern is really about why the domain Y users are being ignored in all this -- or is the LDAP query run by BBSA substandard in some way?
Unfortunately, I haven't put together the right set of keywords to find out any additional information about logs and/or figuring out what the system is doing on my behalf in these synchronizations. The closest I've gotten (I guess) is using BLCLI and updating the information in the blcli-log.cf file to give debug info -- but that lacks any sort of meat as to what the command is drawing in from its queries...
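
The two query directions compared in the thread, side by side, as an added example that is not from any poster and says nothing about how BBSA builds its own query. The group name BLAdminGroup and x.lab.com come from the thread; the ActiveDirectory PowerShell module and an account with read access to both domains are assumptions.

```powershell
# Added example. 'BLAdminGroup' and 'x.lab.com' are taken from the thread;
# the RSAT ActiveDirectory module and read access to both domains are assumed.
Import-Module ActiveDirectory

$groupName   = 'BLAdminGroup'
$groupDomain = 'x.lab.com'

# Forward direction: the group object in domain X lists every direct member
# by DN, whichever domain of the forest that member lives in.
$group = Get-ADGroup -Identity $groupName -Server $groupDomain -Properties member

$members = foreach ($dn in $group.member) {
    # Build the DNS name of the member's home domain from the DC= parts of its DN
    # (split on commas that are not backslash-escaped inside an RDN).
    $dcParts    = ($dn -split '(?<!\\),') | Where-Object { $_ -match '^DC=' }
    $homeDomain = ($dcParts -replace '^DC=', '') -join '.'

    # Resolve the member against a DC of its own domain, not the group's domain.
    $obj = Get-ADObject -Identity $dn -Server $homeDomain -Properties sAMAccountName
    [pscustomobject]@{
        HomeDomain     = $homeDomain
        ObjectClass    = $obj.ObjectClass
        SamAccountName = $obj.sAMAccountName
    }
}
$members | Sort-Object HomeDomain, ObjectClass | Format-Table -AutoSize

# Reverse direction, for comparison: filter users on memberOf, searching
# domain X only. This is the shape of the "user query" described in the thread.
# (A group DN containing filter metacharacters would need LDAP filter escaping.)
$filter = "(&(objectCategory=person)(objectClass=user)(memberOf=$($group.DistinguishedName)))"
Get-ADUser -LDAPFilter $filter -Server $groupDomain |
    Select-Object SamAccountName, DistinguishedName
```

The nested global group shows up in the first table as a single row of class group; its members are not expanded by this script.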