19.3. Using Windows Sync

After the sync agreement is setup, synchronize the user and group entries on the Directory Server and Active Directory server.

19.3.1. Synchronizing Users

If Windows users are synchronized when the sync agreement was created, all the existing Windows users are synchronized to the Directory Server after the first total update (when synchronization begins). When a new Windows user account is created, a corresponding entry will automatically be created on the peer Directory Server. If an existing sync agreement is modified to begin synchronizing users, the Windows users will be added to the Directory Server after the next total update.

A new Directory Server user account is synchronized to a Windows server if the new Directory Server entry uses the ntUser object class and the ntUserCreateNewAccount attribute. New users that are created on the Directory Server with the ntUser object class are synced to the Windows machine at the next regular update; existing users that have the ntUser object class added are synchronized at the next total update.

Special schema is applied to synchronized user entries in the Directory Server. This schema is similar, but not identical, to the schema used by Netscape Directory Server 4.x NT Synchronization.

All synchronized entries in the Directory Server, whether they originated in the Directory Server or in Active Directory, have special synchronization attributes.

  • ntUniqueId. This contains the value of the objectGUID attribute for the corresponding Windows entry. This attribute is set by the synchronization process and should not be set or modified manually.

  • ntDomainUser. This corresponds to the samAccountName attribute for Active Directory entries.

  • ntUserDeleteAccount. This attribute is set automatically when a Windows entry is synced over but must be set manually for Directory Server entries. If ntUserDeleteAccount has the value true, the corresponding Windows entry will be deleted when the Directory Server entry is deleted.

Setting ntUserCreateNewAccount and ntUserDeleteAccount on Directory Server entries gives the Directory Manager fine-grained control over which users within the synchronized subtree are synchronized to Active Directory, similar to selecting in the sync agreement whether to synchronize new Windows users.

When creating a Directory Server user in the Console (see Section 2.1.2, “Creating Directory Entries”), there is an NT User tab in the New User dialog. Fill in this information to supply Windows attributes automatically.

Figure 19.5. Setting User Attributes

Additional ntUser attributes can be created either by using the Advanced button in the Console or by using ldapmodify; see Section 2.2.4.2, “Modifying Entries Using ldapmodify”.
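The three synchronization attributes above determine what Directory Server does with a user: ntUser plus ntUserCreateNewAccount decides whether an Active Directory account is created, ntUserDeleteAccount decides whether deleting the Directory Server entry removes the Windows account, and ntUniqueId (written back by the sync process) is what links the two entries. The script below is an added example, not Red Hat's code: it parses an LDIF export of the synchronized subtree (the export shown is constructed), reports those three properties for each user, and generates the ldapmodify input that adds ntUser, ntUserDomainId and ntUserCreateNewAccount to users that are not yet synchronized. The attribute names are the ones on this page; the DN suffix dc=example,dc=com and the user names are assumptions.

```python
"""Audit a Directory Server LDIF export for Windows Sync user attributes and
emit ldapmodify input that onboards users lacking the ntUser object class.
Added example, not Red Hat's code; the sample export is constructed."""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed export of the synchronized subtree (as produced by ldapsearch -LLL).
# asmith: synchronized, ntUniqueId already written back from Active Directory.
# bjones: sync attributes present but no ntUniqueId yet (not linked).
# cwu:    plain inetOrgPerson, never synchronized.
SAMPLE_EXPORT = """\
dn: uid=asmith,ou=People,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: ntUser
uid: asmith
cn: Anne Smith
sn: Smith
ntUserDomainId: asmith
ntUserCreateNewAccount: true
ntUserDeleteAccount: true
ntUniqueId: 00112233445566778899aabbccddeeff

dn: uid=bjones,ou=People,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: ntUser
uid: bjones
cn: Bob Jones
sn: Jones
ntUserDomainId: bjones
ntUserCreateNewAccount: true
ntUserDeleteAccount: true

dn: uid=cwu,ou=People,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
uid: cwu
cn: Carol Wu
sn: Wu
description:: Q2FyZSBvZiBMREFQ
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF content parser: unfolds continuation lines, skips comments
    and the version line, decodes base64 ('::') values and lowercases attribute
    names, since LDAP attribute types are case-insensitive."""
    entries: List[Entry] = []
    for block in text.split("\n\n"):
        lines: List[str] = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]  # folded continuation line
            else:
                lines.append(raw)
        entry: Entry = {}
        for line in lines:
            if not line or line.lower().startswith("version:"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries


def has_true(entry: Entry, attr: str) -> bool:
    return any(v.lower() == "true" for v in entry.get(attr.lower(), []))


def audit_user(entry: Entry) -> Dict[str, object]:
    """Classify one user entry against the sync rules described on this page."""
    is_ntuser = "ntuser" in {c.lower() for c in entry.get("objectclass", [])}
    return {
        "dn": entry["dn"][0],
        "ntuser": is_ntuser,
        # An AD account is created only with ntUser and ntUserCreateNewAccount: true.
        "creates_ad_account": is_ntuser and has_true(entry, "ntUserCreateNewAccount"),
        # Deleting the DS entry removes the Windows entry only if this is true.
        "deletes_ad_account": has_true(entry, "ntUserDeleteAccount"),
        # Without ntUniqueId, changes made on AD are not matched to this entry.
        "linked": bool(entry.get("ntuniqueid")),
    }


def onboard_ldif(entry: Entry, delete_with_ds_entry: bool = False) -> str:
    """ldapmodify record adding the ntUser class, ntUserDomainId (mapped to
    sAMAccountName) and ntUserCreateNewAccount to an existing user."""
    mods = [("objectClass", "ntUser"),
            ("ntUserDomainId", entry["uid"][0]),
            ("ntUserCreateNewAccount", "true")]
    if delete_with_ds_entry:
        mods.append(("ntUserDeleteAccount", "true"))
    out = [f"dn: {entry['dn'][0]}", "changetype: modify"]
    for attr, value in mods:
        out += [f"add: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(out) + "\n"


def onboarding_ldif(export: str, delete_with_ds_entry: bool = False) -> str:
    """ldapmodify input for every user in the export that lacks ntUser."""
    return "\n".join(onboard_ldif(e, delete_with_ds_entry)
                     for e in parse_ldif(export) if not audit_user(e)["ntuser"])


if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_EXPORT):
        print(audit_user(e))
    # Feed this to: ldapmodify -x -D "cn=Directory Manager" -W
    print(onboarding_ldif(SAMPLE_EXPORT, delete_with_ds_entry=True))
```

Because the ntUser object class is being added to pre-existing entries, these users are picked up at the next total update (Section 19.3.5), not at the next incremental update; users such as bjones, which still lack ntUniqueId, are the ones for which a deletion made on the Active Directory side would not yet be recognized.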

Table 19.1, “User Schema Mapped between Directory Server and Active Directory” shows the attributes that are mapped between the Directory Server and Windows servers, and Table 19.2, “User Schema That Are the Same in Directory Server and Windows Servers” shows the attributes that are the same between the Directory Server and Windows servers. For more information on the interaction between Directory Server and Windows schema, see Section 19.4, “Schema Differences”.

Directory Server       Active Directory
cn                     name
ntUserDomainId         sAMAccountName
ntUserHomeDir          homeDirectory
ntUserScriptPath       scriptPath
ntUserLastLogon        lastLogon
ntUserLastLogoff       lastLogoff
ntUserAcctExpires      accountExpires
ntUserCodePage         codePage
ntUserLogonHours       logonHours
ntUserMaxStorage       maxStorage
ntUserProfile          profilePath
ntUserParms            userParameters
ntUserWorkstations     userWorkstations
Table 19.1. User Schema Mapped between Directory Server and Active Directory

cn                          physicalDeliveryOfficeName
description                 postOfficeBox
destinationIndicator        postalAddress
facsimileTelephoneNumber    postalCode
givenName                   registeredAddress
homePhone                   sn
homePostalAddress           st
initials                    street
l                           telephoneNumber
mail                        teletexTerminalIdentifier
manager                     telexNumber
mobile                      title
o                           userCertificate
ou                          x121Address
pager
Table 19.2. User Schema That Are the Same in Directory Server and Windows Servers

19.3.2. Synchronizing Groups

All existing Windows groups are synchronized to the Directory Server during the first total update (when synchronization first begins). When a new Windows group is created, a corresponding entry is automatically created on the peer Directory Server if that option is selected in the sync agreement.

Similar to user entries, Directory Server group entries are synchronized if they have the ntGroup object class.

As with Directory Server user entries, two attributes control the creation and deletion of group entries in Active Directory: ntGroupCreateNewAccount and ntGroupDeleteAccount.

Additionally, groups have the following two attributes:

  • ntUniqueId. This contains the value of the objectGUID attribute for the corresponding Windows entry. This attribute is set by the synchronization process and should not be set or modified manually.

  • ntGroupType. This is set automatically for Windows groups that are synchronized over, but this attribute must be set manually on Directory Server entries before they will be synchronized.

The membership of groups is synchronized with the constraint that only those members that are also within the scope of the agreement are propagated. Group members that are not within the scope of the agreement are left unchanged on both sides.
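The scoping rule above is easy to get wrong when the member values were written by different tools: Directory Server and Active Directory compare DNs case-insensitively and ignore whitespace around RDN components, and a comma inside an RDN value is escaped. The following is an added example, not Red Hat's code, that partitions a group's member values into those under the agreement's Directory Server subtree (propagated) and those outside it (left unchanged on both sides); the subtree ou=People,dc=example,dc=com and the member DNs are constructed.

```python
"""Partition a synchronized group's members by whether they fall under the
agreement's synchronized subtree. Added example, not Red Hat's code."""
from typing import List, Tuple


def normalize_dn(dn: str) -> str:
    """Canonical form for DN comparison: split on unescaped commas, trim the
    whitespace around each RDN, lowercase attribute types and case-fold values
    (Directory Server and Active Directory both match DNs case-insensitively).
    Assumption: single-valued RDNs, which is all this page's entries use."""
    rdns: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)       # character after a backslash is literal
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    parts = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().casefold()}")
    return ",".join(parts)


def in_scope(member_dn: str, subtree_dn: str) -> bool:
    """True when member_dn lies strictly below subtree_dn."""
    return normalize_dn(member_dn).endswith("," + normalize_dn(subtree_dn))


def split_members(member_dns: List[str], subtree_dn: str) -> Tuple[List[str], List[str]]:
    """(propagated, left unchanged) partition of a group's member attribute."""
    propagated: List[str] = []
    retained: List[str] = []
    for dn in member_dns:
        (propagated if in_scope(dn, subtree_dn) else retained).append(dn)
    return propagated, retained


# Constructed member values; the agreement's Directory Server subtree is assumed.
SYNC_SUBTREE = "ou=People,dc=example,dc=com"
SAMPLE_MEMBERS = [
    "uid=asmith,ou=People,dc=example,dc=com",        # in scope
    "UID=bjones, OU=People, DC=Example, DC=com",     # in scope despite case and spacing
    "cn=Smith\\, Anne,ou=People,dc=example,dc=com",  # in scope; escaped comma in the RDN
    "uid=svc-backup,ou=Services,dc=example,dc=com",  # outside the subtree
    "uid=asmith,ou=People,dc=example,dc=org",        # different suffix entirely
]

if __name__ == "__main__":
    sent, kept = split_members(SAMPLE_MEMBERS, SYNC_SUBTREE)
    print("propagated:", sent)
    print("left unchanged on both sides:", kept)
```

The same partition applies in the other direction with the agreement's Windows subtree in place of SYNC_SUBTREE; a member that is out of scope is not an error, it simply stays as it is on the side where it was added.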

Table 19.3, “Group Entry Attribute Mapping between Directory Server and Active Directory” shows the attributes that are mapped between the Directory Server and Windows servers, and Table 19.4, “Group Entry Attributes That Are the Same between Directory Server and Active Directory” shows the attributes that are the same between the Directory Server and Windows servers.

Directory Server       Active Directory
cn                     name
ntGroupAttributes      groupAttributes
ntGroupId              cn, name, samAccountName
ntGroupType            groupType
Table 19.3. Group Entry Attribute Mapping between Directory Server and Active Directory

cn              member
description     ou
l               seeAlso
Table 19.4. Group Entry Attributes That Are the Same between Directory Server and Active Directory

19.3.3. Deleting Entries

An Active Directory group or user account is automatically deleted from the Directory Server sync peer when the entry is deleted in Active Directory. The same is true when a Directory Server account is deleted, provided the deleted entry has the ntUserDeleteAccount or ntGroupDeleteAccount attribute set to true.

NOTE

When a Directory Server entry is synchronized over to Active Directory for the first time, Active Directory automatically assigns it a unique ID. At the next synchronization interval, the unique ID is synchronized back to the Directory Server entry and stored as the ntUniqueId attribute. If the entry is deleted on Active Directory before the unique ID has been synchronized back to Directory Server, the entry will not be deleted on Directory Server. Directory Server uses the ntUniqueId attribute to match changes made on Active Directory to the corresponding Directory Server entry; without that attribute, Directory Server will not recognize the deletion.

To delete the entry on Active Directory and then synchronize the deletion over to Directory Server, wait five minutes so that the ntUniqueId attribute is synchronized, and then delete the entry.

19.3.4. Resurrecting Entries

It is possible to add deleted entries back in Directory Server; the deleted entries are called tombstone entries. When a deleted entry which was synchronized between Directory Server and Active Directory is re-added to Directory Server, the resurrected Directory Server entry has all of its original attributes and values. This is called tombstone reanimation. The resurrected entry includes the original ntUniqueId attribute which was used to synchronize the entries, which signals to the Active Directory server that this new entry is a tombstone entry. The way that tombstone entries are handled differs between Windows Server 2000 and Windows Server 2003:

  • On Windows 2000, Active Directory creates a new entry with a new unique ID; this new ID is synched back to the Directory Server entry.

  • On Windows 2003, Active Directory resurrects the old entry and preserves the original unique ID for the entry.

For Active Directory entries on both Windows 2000 and 2003, when the tombstone entry is resurrected on Directory Server, all of the attributes of the original Directory Server entry are retained and are still included in the resurrected Active Directory entry.

19.3.5. Manually Updating and Resynchronizing Entries

Synchronization occurs every five minutes. However, an incremental update can be run manually if there are changes that need to be synchronized immediately.

To perform an incremental update manually:

  1. Go to the Configuration tab in the Console.

  2. Right-click on the synchronization agreement icon, and select Send and Receive Updates from the drop down menu.

During normal operations, all the updates made to entries in the Directory Server that need to be sent to Active Directory are collected in the changelog and then replayed during an incremental update.

However, when synchronization is initially configured, when there have been major changes to the data, or when synchronization attributes are added to pre-existing Directory Server entries, it is necessary to initiate a resynchronization. Resynchronization is a total update: the entire contents of the synchronized subtrees are examined and, if necessary, updated. Resynchronization is done without using the changelog.

To send a total update:

  1. Go to the Configuration tab in the Console.

  2. Right-click on the synchronization agreement icon, and select Initialize Re-synchronization from the drop down menu.

    This does not delete data on the sync peer; it sends and receives all updates and adds any new or modified Directory Server entries. For example, it adds a pre-existing Directory Server user to which the ntUser object class has been added.

19.3.6. Checking Synchronization Status

Check synchronization status in the Replication tab under the Status tab of the Console. Highlight the synchronization agreement to monitor, and the relevant information appears in the right-hand pane. The Status area shows whether the last incremental and total updates were successful and when they occurred.

19.3.7. Modifying the Sync Agreement

It is possible to modify parts of the synchronization agreement after it has been created.

In the Configuration > Replication tab of the Directory Server Console, select the sync agreement icon from beneath the database. There are two tabs, Summary and Connection.

  • The Summary tab allows the description of the agreement to be changed. This tab also shows the sync peer host and port information and synchronized subtrees.

  • The Connection tab allows the bind DN and bind credentials for the sync ID to be changed and shows whether Windows users and groups are synchronized. It also shows whether synchronization occurs over an SSL connection.


Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.