I have a PMDB and one of my subscribers is out of sync. What can I do?

Document ID : KB000103386
Last Modified Date : 26/06/2018
Issue:
We are using CA PIM. We have a parent-children PMDB schema. We are not using Advanced Policy Management. One of the ControlMinder subscribers is out of sync. Running

sepmd -L My_PMDB

gives

mypim.mydomain.com  95215 Out of sync 0 ef /file/* defacc(chdir) owner(root)

How can we solve this?
Environment:
CA AC 12.8X, 12.9X and PAM SC 14.0
Resolution:
In what follows I will assume that the parent PMDB is called My_PMDB and that the endpoint that has lost synchronization is mypim.mydomain.com.

First of all it is always good to run 

sepmd -e My_PMDB

and look at the errors it reports. These may give some clue as to why synchronization fails. In the absence of further information, there are several things we can try on the parent My_PMDB server:
  1. Run sepmd -R My_PMDB --> This should send an immediate update of the offset.
  2. Run sepmd -r My_PMDB mypim.mydomain.com --> This will try to remove the subscriber from the list of unavailable subscribers and perform a synchronization.
  3. If this does not work, sepmd -e My_PMDB will also tell us whether there are errors that may give us a clue.
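
The following shell script is an added example, not part of the original document or of CA's tooling: it reads sepmd -L output, picks out the subscribers reported as Out of sync, and prints the commands from the steps above for review instead of running them. It assumes every subscriber line has the layout of the one quoted in the Issue section (host, offset, status); the function names, the error-file name and the second sample line are made up for the example.

```shell
#!/bin/sh
# Added example: turn `sepmd -L <pmdb>` output into a reviewable recovery plan.
# Assumption: a stale subscriber line reads "<host> <offset> Out of sync <rest>",
# as in the single line quoted in the article; any other status is ignored.

# Reads `sepmd -L` output on stdin, prints "<host> <offset>" per stale subscriber.
out_of_sync_subscribers() {
    awk '$2 ~ /^[0-9]+$/ && $3 == "Out" && $4 == "of" && $5 == "sync" { print $1, $2 }'
}

# Prints (does not run) the article's first recovery steps.
# $1 = parent PMDB name; "<host> <offset>" lines on stdin.
recovery_plan() {
    pmdb=$1
    # Save the error list to a file before anything else touches it.
    printf 'sepmd -e %s > %s.errors.txt\n' "$pmdb" "$pmdb"
    printf 'sepmd -R %s\n' "$pmdb"
    while read -r host offset; do
        # Only hostname-like tokens may end up inside a command line.
        case $host in
            ''|*[!A-Za-z0-9.-]*) echo "skipped unexpected host: $host" >&2 ;;
            *) printf 'sepmd -r %s %s   # stuck at offset %s\n' "$pmdb" "$host" "$offset" ;;
        esac
    done
}

# Constructed sample: the first line is the article's, the second is made up.
sample_listing() {
    cat <<'EOF'
mypim.mydomain.com  95215 Out of sync 0 ef /file/* defacc(chdir) owner(root)
other.mydomain.com  95220 In sync
EOF
}

# On a live parent server:
#   sepmd -L My_PMDB | out_of_sync_subscribers | recovery_plan My_PMDB
sample_listing | out_of_sync_subscribers | recovery_plan My_PMDB
```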

If this still does not work, it is worth checking the PIM database at the endpoint for possible errors. To do that, go to the endpoint that fails to synchronize, mypim.mydomain.com, and bring down Access Control (secons -S). Then change to the directory where the database is, for instance /opt/CA/AccessControl/seosdb, and run

dbmgr -util -check

and then 
dbmgr -util -build seos_cdf.dat 
dbmgr -util -build seos_odf.dat 
dbmgr -util -build seos_pdf.dat 
dbmgr -util -build seos_pvf.dat 

This will rebuild the indexes and clear possible corruption on this side.

Then restart AC on this server and launch another sepmd -R My_PMDB on the master to see whether it synchronizes.

If this still fails we can try to unsynchronize and resynchronize the database between the master and the endpoint having lost synchronization. 
  1. First, clear the list of errors in the parent DB so that any new problems are captured (make sure to save them by directing sepmd -e My_PMDB to a file):
sepmd -e My_PMDB
  2. Now let's turn to the endpoint having the problems. First, check that name resolution and the IP address are correct from the parent PMDB to the subscriber, and that you can connect from selang. To do that, start selang on the parent PMDB and run
host mypim.mydomain.com
You should be able to access it and run some commands inside, such as sr FILE * or similar. This is just a sanity check to make sure there is connectivity.
  3. Now log in to the endpoint having problems, mypim.mydomain.com, and stop AccessControl there (secons -S).
  4. Take a backup of the directory where the database is. This is to be on the safe side. We will now unsubscribe it from the master database and resubscribe it.
  5. Now, on the master database server, unsubscribe the machine that does not take the updates. Save subscribers.dat on the master database server beforehand, in case something goes wrong.
sepmd -u My_PMDB mypim.mydomain.com
Once unsubscribed, resubscribe it:
sepmd -s My_PMDB mypim.mydomain.com

If worst comes to worst, we can always revert using the copy of the database and the subscribers.dat that we saved earlier. Synchronization should, however, be happening now.
  6. If this still does not help, we can completely delete the database on the secondary, recreate it from scratch and rebuild it, then unsubscribe and resubscribe. Since this is a more delicate operation, we suggest contacting support for help.
Additional Information:
https://docops.ca.com/ca-privileged-identity-manager/14-0/en/reference/utilities/dbmgr-utility/dbmgr-util-function-manage-existing-database 
https://docops.ca.com/ca-privileged-identity-manager/12-9/EN/reference/reference-guide/sepmd-utility/sepmd-utility-administer-subscribers-and-the-update-file