HP-UX Directory Server 8.1 administrator guide
Figure 9-1 Active Directory - Directory Server synchronization process
Synchronization is configured and controlled by one or more synchronization agreements, which
establish synchronization between sync peers, the directory servers being synchronized. These
are similar in purpose to replication agreements and contain a similar set of information, including
the host name and port number of the Active Directory server. The Directory Server connects to its
peer Windows server over LDAP or LDAPS to both send and receive updates.
A standard, unencrypted LDAP connection is sufficient for synchronizing user and group entries
alone, but synchronizing passwords requires a secure connection. If a secure connection is not
used, the Windows domain will not accept password changes from the Directory Server, and the
Password Sync Service will not send passwords from the Active Directory domain to the Directory
Server; entry synchronization continues to work, so the missing password synchronization is easy
to overlook. Windows Sync supports both LDAPS (TLS/SSL on the dedicated secure port) and Start
TLS (TLS negotiated on the standard LDAP port).
A single Active Directory subtree is synchronized with a single Directory Server subtree, and
vice versa. Unlike replication, which connects databases, synchronization is between suffixes,
parts of the directory tree structure. The synchronized Active Directory and Directory Server
suffixes are both specified in the sync agreement. All entries within the respective subtrees are
candidates for synchronization, including entries that are not immediate children of the specified
suffix DN.
NOTE:
Any descendant container entries need to be created separately in Active Directory by an
administrator; Windows Sync does not create container entries.
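The following script is an added example and is not code from this guide or from the product. It audits Windows Sync agreement entries exported as LDIF for the transport pitfall described above (entries synchronize over plain LDAP while passwords silently do not) and checks that each agreement names both an Active Directory subtree and a Directory Server subtree, as required by the one-subtree-to-one-subtree pairing. The two agreement entries it contains are constructed samples. Of the attribute names used, only nsDS7NewWinUserSyncEnabled and nsDS7NewWinGroupSyncEnabled appear on this page; the others (nsDSWindowsReplicationAgreement, nsDS5ReplicaTransportInfo, nsDS5ReplicaPort, nsds7WindowsReplicaSubtree, nsds7DirectoryReplicaSubtree and the agreement DN under cn=mapping tree,cn=config) are assumptions taken from the 389/Red Hat Directory Server sync-agreement schema on which this product is based, and should be verified against the server's own schema before the script is relied on.

```python
"""Audit Windows Sync agreements (LDIF) for the plain-LDAP password pitfall.
Added example, not from the HP-UX Directory Server guide or product. Attribute
names other than the two nsDS7NewWin*SyncEnabled flags are ASSUMED from the
389/Red Hat Directory Server schema on which this product is based."""
import base64
from typing import Dict, List

# Constructed sample: the same agreement twice, once over plain LDAP (389)
# and once over LDAPS (636). Not taken from any real deployment.
SAMPLE_LDIF = """\
dn: cn=ad-sync-plain,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: top
objectClass: nsDSWindowsReplicationAgreement
cn: ad-sync-plain
nsDS5ReplicaPort: 389
nsDS5ReplicaTransportInfo: LDAP
nsds7WindowsReplicaSubtree: cn=Users,dc=ad,dc=example,dc=com
nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
nsDS7NewWinUserSyncEnabled: on
nsDS7NewWinGroupSyncEnabled: on

dn: cn=ad-sync-ldaps,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: top
objectClass: nsDSWindowsReplicationAgreement
cn: ad-sync-ldaps
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: SSL
nsds7WindowsReplicaSubtree: cn=Users,dc=ad,dc=example,dc=com
nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
nsDS7NewWinUserSyncEnabled: on
nsDS7NewWinGroupSyncEnabled: off
"""

# Transports the guide says can carry passwords: LDAPS and Start TLS.
# Both the short and the long spellings are accepted (assumed schema values).
LDAPS_TRANSPORTS = {"SSL", "LDAPS"}
SECURE_TRANSPORTS = LDAPS_TRANSPORTS | {"TLS", "STARTTLS"}
SYNC_OBJECTCLASS = "nsdswindowsreplicationagreement"
SUBTREE_ATTRS = ("nsds7WindowsReplicaSubtree", "nsds7DirectoryReplicaSubtree")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds lines, decodes '::' base64 values,
    skips '#' comments; attribute names are lowercased for lookups."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if line.startswith(" ") and unfolded:   # folded continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:               # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):               # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def _first(entry: Dict[str, List[str]], attr: str, default: str = "") -> str:
    return entry.get(attr.lower(), [default])[0]


def audit_agreement(entry: Dict[str, List[str]]) -> List[str]:
    """Return the findings for one sync agreement entry (empty list = OK)."""
    findings: List[str] = []
    transport = _first(entry, "nsDS5ReplicaTransportInfo", "LDAP").upper()
    port = _first(entry, "nsDS5ReplicaPort")
    if transport not in SECURE_TRANSPORTS:
        findings.append(
            "plain LDAP transport: users and groups sync, but the Windows domain "
            "rejects password changes and the Password Sync Service sends none; "
            "set nsDS5ReplicaTransportInfo to SSL (LDAPS) or TLS (Start TLS)")
    # LDAPS belongs on the secure port; Start TLS and plain LDAP on the standard one.
    if (transport in LDAPS_TRANSPORTS) != (port == "636"):
        findings.append(f"transport {transport} on port {port}: port and "
                        "transport do not match (LDAPS is normally 636)")
    for attr in SUBTREE_ATTRS:                  # exactly one subtree on each side
        if not _first(entry, attr):
            findings.append(f"{attr} missing: an agreement pairs one Active "
                            "Directory subtree with one Directory Server subtree")
    return findings


def audit_ldif(text: str) -> Dict[str, List[str]]:
    """Map each sync agreement's cn to its findings; other entries are ignored."""
    report: Dict[str, List[str]] = {}
    for entry in parse_ldif(text):
        if SYNC_OBJECTCLASS in [c.lower() for c in entry.get("objectclass", [])]:
            report[_first(entry, "cn")] = audit_agreement(entry)
    return report


if __name__ == "__main__":
    for name, found in audit_ldif(SAMPLE_LDIF).items():
        print(name, "->", found or ["OK"])
```

Run it on the LDIF of the agreement entries exported from the configuration suffix (on the assumed schema, an ldapsearch under cn=mapping tree,cn=config for objectclass nsDSWindowsReplicationAgreement); an agreement that produces the plain-LDAP finding will keep user and group entries in step while passwords stay unsynchronized.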
The Directory Server maintains a changelog, a database that records modifications that have
occurred. The changelog is used by Windows Sync to coordinate and send changes made to the
Active Directory peer. Changes to entries in Active Directory are found by using Active Directory's
Dirsync search feature. The Dirsync search is issued periodically, every five minutes, to check
for changes on the Active Directory server. Using Dirsync ensures that only those entries that
have changed since the previous search are retrieved.
In some situations, such as when synchronization is configured or there have been major changes
to directory data, a total update, or resynchronization, can be run. This examines every entry in
both synchronized peers and sends any modifications or missing entries. A full Dirsync search
is initiated whenever a total update is run. See “Sending synchronization updates” for more
information.
Windows Sync lets administrators control which entries are synchronized, with enough flexibility
to support different deployment scenarios. This control is set through configuration attributes in
the Directory Server:
• When creating the sync agreement, there is an option to synchronize new Windows entries
(nsDS7NewWinUserSyncEnabled and nsDS7NewWinGroupSyncEnabled) as they are
created. If these attributes are set to on, then existing Windows users/groups are synchronized
394 Synchronizing Directory Server with Microsoft Active Directory