HP-UX Directory Server 8.1 administrator guide
cn=mapping tree, cn=config
changetype: modify
replace: nsds7NewWinUserSyncEnabled
nsds7NewWinUserSyncEnabled: on
To disable user synchronization, set nsds7NewWinUserSyncEnabled: off.
9.4 Synchronizing groups
Like user entries, groups are not automatically synchronized between Directory Server and
Active Directory. Synchronization in both directions has to be configured:
• Groups in the Active Directory domain are synchronized if it is configured in the
synchronization agreement by selecting the Sync New Windows Groups option. All the
Windows groups are copied to the Directory Server when synchronization is initiated, and then
new groups are synchronized over as they are created.
• A Directory Server group account is synchronized to Active Directory through specific
attributes that are present on the Directory Server entry. Any Directory Server entry must
have the ntGroup object class and the ntGroupCreateNewAccount attribute; the
ntGroupCreateNewAccount attribute (even on an existing entry) signals to the
synchronization plug-in to write the entry over to the Active Directory server.
New groups that are created on the Directory Server with the ntGroup object class are
synchronized to the Windows machine at the next regular update, which is a standard poll of
entries. Existing groups that have the ntGroup object class added are synchronized at the
next total update, meaning the next time all entries are manually pushed to the Directory
Server (similar to re-initializing a consumer in replication).
IMPORTANT:
When a group is synchronized, the list of all its members is also synchronized. However, the
member entries themselves are not synchronized unless user synchronization is enabled and
applies to those entries.
Additionally, groups have a few other common attributes:
• Two attributes control whether Directory Server groups are created and deleted on Active
Directory, ntGroupCreateNewAccount and ntGroupDeleteAccount.
ntGroupCreateNewAccount is required to synchronize Directory Server groups over to
Active Directory.
• ntUserDomainId contains the unique ID for the entry on the Active Directory domain.
This is the only required attribute for the ntGroup object class.
• ntGroupType is the type of Windows group. Windows group types are global/security,
domain local/security, global/distribution, or domain local/distribution. This is set
automatically for Windows groups that are synchronized over, but this attribute must be
set manually on Directory Server entries before they can be synchronized.
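The following LDIF, added here as an illustration and not taken from the guide itself, applies the attributes described above to an existing Directory Server group so that it is picked up at the next total update. The entry DN cn=Engineering,ou=Groups,dc=example,dc=com is a constructed example; the ntUserDomainId value is assumed to be the group name as it should appear in the Windows domain, and the ntGroupType value -2147483646 is the Active Directory groupType number for a global security group (the guide names the four group types but does not list their numeric values, so check the value against your Active Directory domain before applying it).

```ldif
# Constructed example: mark an existing Directory Server group for
# synchronization to Active Directory. Apply with ldapmodify as a user
# that may write to the group entry.
dn: cn=Engineering,ou=Groups,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ntGroup
-
# Required: tells the synchronization plug-in to create the group on
# the Active Directory side.
add: ntGroupCreateNewAccount
ntGroupCreateNewAccount: true
-
# Optional: when true, deleting this Directory Server group also deletes
# the Active Directory group. Leave it out if deletions must stay local.
add: ntGroupDeleteAccount
ntGroupDeleteAccount: true
-
# Required by the ntGroup object class: the group's ID in the Windows
# domain (assumed here to be the same as the cn).
add: ntUserDomainId
ntUserDomainId: Engineering
-
# Must be set manually on Directory Server entries before they can be
# synchronized. -2147483646 is the AD groupType value for global/security;
# the other three types use different numeric values (assumption: verify
# against your domain).
add: ntGroupType
ntGroupType: -2147483646
```

Because this group already existed before the ntGroup object class was added, it will not appear in Active Directory at the next regular poll; it is written over only when a total update is run, as the text above describes. Adding ntGroupDeleteAccount is a deliberate choice: with it set, a deletion on the Directory Server side is propagated to the Windows domain, so grant write access to these group entries accordingly.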
9.4.1 Group attributes synchronized between Directory Server and Active Directory
Only a subset of Directory Server and Active Directory attributes are synchronized. These
attributes are hard-coded and are defined regardless of which way the entry is being synchronized.
Any other attributes present in the entry, either in Directory Server or in Active Directory, remain
unaffected by synchronization.
Some attributes used in Directory Server and Active Directory group entries are identical. These
are usually attributes defined in an LDAP standard, which are common among all LDAP services.
These attributes are synchronized to one another exactly. Table 9-5 “Group entry attributes that
are the same between Directory Server and Active Directory” shows attributes that are the same
between the Directory Server and Windows servers.
414 Synchronizing Directory Server with Microsoft Active Directory