HP-UX Directory Server 8.1 administrator guide
to the Directory Server, and users/groups as they are created are synchronized to the Directory
Server.
• Within the Windows subtree, only entries with user or group object classes can be
synchronized to Directory Server.
• On the Directory Server, only entries with the ntUser or ntGroup object classes and
attributes can be synchronized.
The placement of the sync agreement depends on which suffixes are synchronized: for a single
suffix, the sync agreement is made for that suffix alone; for multiple suffixes, the sync agreement
is made at a higher branch of the directory tree. To propagate Windows entries and updates
throughout the Directory Server deployment, make the agreement with one master in a
multi-master replication environment, and use that master to replicate the changes across the
Directory Server deployment, as shown in Figure 9-2 “Multi-master Directory Server - Windows
domain synchronization”.
CAUTION:
There can only be a single sync agreement between the Directory Server environment and the
Active Directory environment. Multiple sync agreements to the same Active Directory domain
can create entry conflicts.
Figure 9-2 Multi-master Directory Server - Windows domain synchronization
Directory Server passwords are synchronized along with other entry attributes because plain-text
passwords are retained in the Directory Server changelog. The Password Sync service is needed
to catch password changes made on Active Directory. Without the Password Sync service, it
would be impossible to have Windows passwords synchronized because passwords are hashed
in Active Directory, and the Windows hashing function is incompatible with the one used by
Directory Server.
9.2 Configuring Windows Sync
Configuring synchronization is very similar to configuring replication. It requires configuring
the database as a master with a changelog and creating an agreement to define synchronization.
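As an added example (not the guide's own procedure or text), the following Python script generates the LDIF for the three pieces just described: enabling the changelog, configuring the suffix as a master, and creating the sync agreement. It also refuses to emit two agreements for the same Active Directory domain, the conflict the caution above warns against. Attribute and object class names are assumed to be those of the 389/Red Hat Directory Server code base; all DNs, host names, paths, the replica ID and the password are constructed placeholders.

```python
"""Build the LDIF that sets up Windows Sync on a Directory Server master.

Added example, not code from the HP-UX Directory Server guide. Attribute and
object class names are those of the 389/Red Hat Directory Server code base and
are assumed to apply to HP-UX Directory Server 8.1; every DN, host name, path,
port and password here is a constructed placeholder.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SyncAgreement:
    name: str          # cn of the agreement entry
    suffix: str        # Directory Server suffix the agreement belongs to
    ds_subtree: str    # Directory Server branch to synchronize (ntUser/ntGroup entries)
    ad_subtree: str    # Active Directory branch to synchronize (user/group entries)
    ad_host: str       # Active Directory domain controller
    ad_domain: str     # Windows domain name
    bind_dn: str       # account used to bind to Active Directory
    credentials: str   # its password (placeholder; keep real secrets out of scripts)
    ad_port: int = 636
    sync_new_users: bool = True
    sync_new_groups: bool = True


def _on_off(flag):
    return "on" if flag else "off"


def changelog_ldif(changelog_dir):
    """Entry that enables the changelog the sync agreement reads from."""
    return "\n".join([
        "dn: cn=changelog5,cn=config",
        "objectClass: top",
        "objectClass: extensibleObject",
        "cn: changelog5",
        f"nsslapd-changelogdir: {changelog_dir}",
        "",
    ])


def replica_ldif(suffix, replica_id, replica_bind_dn):
    """Entry that makes the suffix a master (type 3) that keeps a changelog (flag 1)."""
    return "\n".join([
        f'dn: cn=replica,cn="{suffix}",cn=mapping tree,cn=config',
        "objectClass: top",
        "objectClass: nsDS5Replica",
        "cn: replica",
        f"nsDS5ReplicaRoot: {suffix}",
        "nsDS5ReplicaType: 3",
        "nsDS5Flags: 1",
        f"nsDS5ReplicaId: {replica_id}",
        f"nsDS5ReplicaBindDN: {replica_bind_dn}",
        "",
    ])


def agreement_ldif(a):
    """The Windows sync agreement entry, placed under the suffix's replica entry."""
    return "\n".join([
        f'dn: cn={a.name},cn=replica,cn="{a.suffix}",cn=mapping tree,cn=config',
        "objectClass: top",
        "objectClass: nsDSWindowsReplicationAgreement",
        f"cn: {a.name}",
        f"nsDS5ReplicaRoot: {a.suffix}",
        f"nsDS5ReplicaHost: {a.ad_host}",
        f"nsDS5ReplicaPort: {a.ad_port}",
        "nsDS5ReplicaTransportInfo: SSL",
        f"nsDS5ReplicaBindDN: {a.bind_dn}",
        "nsDS5ReplicaBindMethod: SIMPLE",
        f"nsDS5ReplicaCredentials: {a.credentials}",
        f"nsds7WindowsReplicaSubtree: {a.ad_subtree}",
        f"nsds7DirectoryReplicaSubtree: {a.ds_subtree}",
        f"nsds7WindowsDomain: {a.ad_domain}",
        f"nsds7NewWinUserSyncEnabled: {_on_off(a.sync_new_users)}",
        f"nsds7NewWinGroupSyncEnabled: {_on_off(a.sync_new_groups)}",
        "",
    ])


def check_one_agreement_per_domain(agreements):
    """Enforce the guide's caution: a single sync agreement per Active Directory domain."""
    seen = {}
    for a in agreements:
        key = a.ad_domain.lower()
        if key in seen:
            raise ValueError(f"domain {a.ad_domain!r}: agreements {seen[key]!r} "
                             f"and {a.name!r} would conflict")
        seen[key] = a.name
    return True


def windows_sync_ldif(changelog_dir, suffix, replica_id, replica_bind_dn, agreements):
    """Complete LDIF: changelog, replica configuration, then the agreement(s)."""
    check_one_agreement_per_domain(agreements)
    parts = [changelog_ldif(changelog_dir), replica_ldif(suffix, replica_id, replica_bind_dn)]
    parts += [agreement_ldif(a) for a in agreements]
    return "\n".join(parts)


# Constructed placeholder values; replace them with your own before use.
EXAMPLE_AGREEMENT = SyncAgreement(
    name="ExampleSyncAgreement",
    suffix="dc=example,dc=com",
    ds_subtree="ou=People,dc=example,dc=com",
    ad_subtree="cn=Users,dc=example,dc=com",
    ad_host="ad1.example.com",
    ad_domain="EXAMPLE",
    bind_dn="cn=sync user,cn=Users,dc=example,dc=com",
    credentials="placeholder-password",
)

if __name__ == "__main__":
    print(windows_sync_ldif("/var/opt/dirsrv/slapd-example/changelogdb",
                            "dc=example,dc=com", 7,
                            "cn=replication manager,cn=config",
                            [EXAMPLE_AGREEMENT]))
```

Save the output to a file and load it as the Directory Manager with ldapmodify -a; the agreement entry carries the Active Directory bind password in the clear, so restrict read access to both the LDIF file and the configuration.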