The Active Directory (AD) system built into the WEM Administration Console and WEM Infrastructure Server has been refactored in WEM 4.6 to improve performance and stability.
Although AD searches performed by the WEM Administration Console and WEM Infrastructure Server in previous WEM versions have typically returned results quickly, many customer environments consist of multiple AD forests or AD domains. The Active Directory improvements introduced in WEM 4.6 are designed to improve performance and stability, particularly for multi-forest/domain environments.
Active Directory improvements in WEM 4.6
Global Catalog (GC) mechanism: AD searches are initiated against the AD forest’s Global Catalog (GC) server instead of searching against each of the forest’s Domain Controllers in turn.
Asynchronous search mechanism: AD searches are performed on all forests (GC servers or domains) at the same time, instead of searching one by one.
AD search timeout mechanism: If the AD User or Machine object lookup points to a forest or domain that is currently unavailable, a configurable timeout has been introduced to prevent prolonged searching. The timeout value is set through the WEM Administration Console (Active Directory Objects => Advanced => Active Directory search timeout (msec)), as shown below:
The default value is 1 second (1000 msec). The value set here affects AD searches for both the WEM Administration Console and the WEM Infrastructure Server. If an AD search time exceeds the value specified in this field, AD searching will stop.
Set this to a value that suits the real conditions in the environment. In large environments, or where there are dead forest entries, a higher value could also cause issues such as an unresponsive or black screen when logging in, because the AD search continues to run for as long as the timeout allows. It is recommended to remove the dead forest’s trust relationship with the current forest to avoid the time-consuming queries. If this cannot be done, an enhancement is coming soon that will greatly decrease the query frequency and automatically blacklist dead forests in code.
NOTE: Citrix recommends using a timeout value of at least 1000 msec to avoid a timeout before the AD search completes.
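The timing effect of the asynchronous search and the search timeout described above can be modelled with a short simulation. This is an added example, not Citrix code: the forest names, latencies and function names are constructed, and each lookup is a sleep rather than a real LDAP query.

```python
import asyncio
import time

# Constructed sample: simulated GC response time in seconds for each forest.
# The two "dead" entries model trusted forests that no longer answer.
FORESTS = {
    "corp.example": 0.02,
    "emea.example": 0.05,
    "dead1.example": 30.0,
    "dead2.example": 30.0,
}

async def query_gc(forest, latency):
    """Stand-in for one Global Catalog lookup (sleeps instead of using LDAP)."""
    await asyncio.sleep(latency)
    return "CN=jdoe,DC=" + forest.replace(".", ",DC=")

async def bounded_query(forest, latency, timeout_msec):
    """Abandon the lookup once the search timeout expires; None marks a timeout."""
    try:
        return forest, await asyncio.wait_for(query_gc(forest, latency), timeout_msec / 1000)
    except asyncio.TimeoutError:
        return forest, None

async def search_one_by_one(forests, timeout_msec):
    """Forests searched in turn: every dead forest costs a full timeout."""
    return dict([await bounded_query(f, lat, timeout_msec) for f, lat in forests.items()])

async def search_all_at_once(forests, timeout_msec):
    """All forests searched together: dead forests cost one timeout in total."""
    pairs = await asyncio.gather(*(bounded_query(f, lat, timeout_msec) for f, lat in forests.items()))
    return dict(pairs)

def timed(search, timeout_msec, forests=FORESTS):
    """Run a search strategy and return (results, elapsed seconds)."""
    start = time.monotonic()
    results = asyncio.run(search(forests, timeout_msec))
    return results, time.monotonic() - start

if __name__ == "__main__":
    for search in (search_one_by_one, search_all_at_once):
        for timeout_msec in (200, 1000):
            results, elapsed = timed(search, timeout_msec)
            dead = [f for f, dn in results.items() if dn is None]
            print(f"{search.__name__:18} timeout={timeout_msec:4} msec "
                  f"elapsed={elapsed:.2f}s timed out: {dead}")
```

In this model the one-by-one search pays the timeout once per dead forest, while the concurrent search pays it once in total, which is why the timeout value directly bounds how long a lookup can stall when dead forest trusts remain.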
Troubleshooting Active Directory searches in WEM
If AD searches are failing:
- Check that the Active Directory search timeout (msec) is appropriate for the environment. There is no specific value to recommend; take into account whether the environment includes multiple AD forests or AD domains.
- Generate WEM Administration Console and WEM Infrastructure Server debug logs that capture the failed AD search occurrences. In the logs, Active Directory-related entries are marked as AD: in the header of the body, right after the function name: