
Troubleshooting user provisioning issues with RM Unify AD Sync
Published Date : 30 May 2014   Last Updated : 18 Oct 2024   Content Ref: TEC3909420  





Symptoms

You have installed RM Unify AD Sync but new users and changes to existing users are not appearing in the RM Unify Management Console.


Requirements

  • Ensure that the TLS security update for RM Unify AD Sync has been installed on your AD Sync server. Please see NWS9587409 in the Other Useful Articles section below.
  • Check that the prerequisite .NET Framework v3.5 SP1 is installed.
  • Ensure that the RM Unify AD Sync Service can be stopped and started without error (select Stop and then Start, not Restart).
  • Check that the RM Unify AD Sync Service is configured to use the identitysyncservice user. The C:\Program Files (x86)\RM\RM Unify AD sync location has permissions specifically for this user, so using another user will cause issues.


Procedure

If the RM Unify AD Sync Service starts successfully, check the Application log in Event Viewer for any underlying errors that occurred but were not displayed on the desktop. If this is the first attempt at uploading any users to RM Unify, it can take up to one hour before users start synchronising with RM Unify. If you have previously uploaded users, ensure 25 minutes have elapsed since the RM Unify AD Sync Service started. This is the combined maximum default wait time (ten minutes to refresh the cached group membership + 15 minutes for the Active Directory (AD) filter scan frequency).

  1. Open Active Directory Users and Computers and view the properties of affected user accounts. Ensure the accounts are enabled and have an expiry date in future or are set to never expire.
  2. Open the RM Unify AD Sync Configuration tool (refer to the Possible Issues section below), expand Domains and click your domain.
  3. Ensure the User Check box is ticked to enable uploads.
  4. Expand RM Unify Registration and select your registration.
  5. Ensure your establishment has been registered. You can double check this by clicking the Register button. There is no need to generate a new registration code.
  6. Check if the Enabled box is ticked to confirm your registration is enabled.
  7. Expand your registration and click your establishment.
  8. Check if the Enabled box is ticked to confirm the establishment is enabled.
  9. Under AD Filters, check each AD filter.
    • Ensure users are located in the Active Directory (AD) container that has been selected. If an incorrect container has been selected, do not click Browse to change the existing filter. Delete the filter and create a new one.
    • You can create a maximum of two AD filters per container per establishment. 
    • If an optional group has also been configured, ensure users are a member of that AD security group. Nested group membership is supported in RM Unify AD Sync.
    • Ensure the Enabled box is ticked.
    • The Users folder under each AD filter is only populated with users when they have been successfully uploaded to RM Unify.
  10. Ensure that your users have role mappings configured; they will not be provisioned otherwise. Under Role Mappings, check each role mapping:
    • Ensure users match to one of the role mappings. For example, if you have selected a mapping type of 'Profile path', ensure users have a profile in the Profile Path Share name configured.
    • The Users folder under each establishment is only populated with users when they have been successfully uploaded to RM Unify.
  11. If your users match an AD filter and a role mapping, initiate a manual AD filter scan and upload of users:
    • Under AD filters, click the AD filter and click Check Now. This sets the 'Next check' field to the current date/time. Wait a couple of minutes to allow the scan to complete and then click Upload Now.
  12. Click the main Users container on the left-hand side of the RM Unify AD Sync Configuration tool and filter by Uploaded Users and Not Uploaded Users.
    • Check if your missing users are listed in Not Uploaded Users. This means the users have been detected but have failed to match an AD filter and a role mapping.
  13. From the drop-down menu, click Service, Settings:
    • Confirm your proxy settings are correct and match what is needed to allow the server to connect to the Internet. Depending on your network setup, you may or may not need values in the Web Proxy Settings.
    • Open an Internet browser on your server and browse to https://api.platform.rmunify.com. Confirm you see a page "Server Error 403 - Forbidden: Access is denied". This is expected behaviour and confirms a successful connection. If you are presented with a warning page "There is a problem with this website's security certificate" then you have a root certificate issue that requires resolution. For more information refer to TEC3340337 in the Other Useful Articles section below.
  14. Check the C:\Program Files\RM\RM Unify Password Filter\RMNetIdentityQueue folder. If it contains numerous .json and/or .bin files that do not disappear after 1 minute, the AD Sync service may have exhausted resources trying, and failing, to process those files, preventing any other processing (such as user provisioning or sync) from completing. Delete all .json and .bin files (leaving the RMUnifyADSyncCert.cer file) and restart the RM Unify AD Sync service.
  15. Check that the log level has not accidentally been left at LOG (verbose) level, which can also consume resources and impact sync, processing, etc. Set the log level to ERROR.
  16. Check the AD Sync logs for any errors. These are located in C:\Program Files\RM\RM Unify AD sync\LogFiles. Also search the log files for a username that has not been uploaded. By default, the log files are only set to log errors (log level ERROR) so if you find the log files are not being written to it is not necessarily indicative of an issue - there are just no errors to log.
  17. If none of the above resolve the issue then increase the logging level to LOG, restart the RM Unify AD Sync Service and wait 25 minutes before checking the log files again for more detailed errors or messages. The log level is changed by clicking Service, Settings and amending the setting in the Logging section.
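
The read-only checks from the Requirements list and steps 1, 13, 14 and 16 can be collected in one pass before anything is deleted or restarted. The script below is an added example, not an RM tool: the username jsmith and the service display-name wildcard are assumptions, and the paths and URL are the ones given in this article.

```powershell
# Added example: read-only checks for the Requirements list and steps 1, 13, 14 and 16.
param([string]$User = 'jsmith')   # hypothetical sample username

$queue  = 'C:\Program Files\RM\RM Unify Password Filter\RMNetIdentityQueue'
$logDir = 'C:\Program Files\RM\RM Unify AD sync\LogFiles'
$api    = 'https://api.platform.rmunify.com'

# Requirements: service state and logon account (display-name wildcard is an assumption).
Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'RM Unify AD Sync%'" |
    Select-Object DisplayName, State, StartName |
    ForEach-Object {
        if ($_.StartName -notmatch 'identitysyncservice') {
            Write-Warning "Service runs as $($_.StartName), expected identitysyncservice"
        }
        $_
    }

# Step 1: account enabled and not expired (needs the ActiveDirectory module).
$u = Get-ADUser -Identity $User -Properties Enabled, AccountExpirationDate
$expired = $u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)
"{0}: Enabled={1} Expired={2}" -f $User, $u.Enabled, [bool]$expired

# Step 13: 403 is the expected answer. No response at all points to proxy, TLS or root certificate trust.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
try {
    $r = Invoke-WebRequest -Uri $api -UseBasicParsing
    Write-Warning "Unexpected HTTP $($r.StatusCode) from $api"
} catch {
    $resp = $_.Exception.Response
    $code = if ($resp) { [int]$resp.StatusCode } else { 0 }
    if ($code -eq 403) { "Connectivity OK: 403 Forbidden returned" }
    elseif ($code)     { Write-Warning "Unexpected HTTP $code from $api" }
    else               { Write-Warning "No HTTP response: $($_.Exception.Message)" }
}

# Step 14: queue files that have been waiting longer than one minute.
$stale = Get-ChildItem -Path $queue -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.json', '.bin' -and $_.LastWriteTime -lt (Get-Date).AddMinutes(-1) }
"Stale queue files: {0}" -f @($stale).Count

# Step 16: most recent log lines that mention the affected user.
Select-String -Path (Join-Path $logDir '*') -Pattern $User -SimpleMatch |
    Select-Object -Property Filename, LineNumber, Line -Last 20
```

The web request uses the proxy settings of the account running the script, which may differ from the values entered under Service, Settings, so compare the two if the result disagrees with what the service logs.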


Checks

Have you completed all the above checks?

If you have completed the above checks and are still encountering issues with provisioning it may be quicker and easier to simply reinstall RM Unify AD Sync, which should take around 15-20 minutes for a single establishment installation.

Reinstalling AD Sync will not affect your existing RM Unify users and will not require them to change their passwords.

Please follow the exact procedure in this help article to resolve your issue.



Possible Issues

If you cannot find the RM Unify AD Sync Configuration tool, you can launch it by double-clicking C:\Program Files (x86)\RM\RM Unify AD sync\RM.Networks.IdentityManagement.ConfigTool.exe.


Other Useful Articles

Error: "Unable to connect to RM Unify" when registering RM Unify AD Sync (TEC3340337)
Security update for RM Unify AD Sync (NWS9587409)
