HP-UX Directory Server 8.1 administrator guide
Some attributes define the same information, but the names of the attributes or their schema
definitions are different. These attributes are mapped between Active Directory and Directory
Server, so that attribute A in one server is treated as attribute B in the other. For synchronization,
many of these attributes relate to Windows-specific information. Table 9-4 “Group entry attribute
mapping between Directory Server and Active Directory” shows the attributes that are mapped
between the Directory Server and Windows servers.
For more information on the differences in ways that Directory Server and Active Directory
handle some schema elements, see “Group schema differences between Directory Server and
Active Directory”.
Table 9-4 Group entry attribute mapping between Directory Server and Active Directory
Active Directory      Directory Server
name                  cn
name                  ntGroupDomainID
groupType             ntGroupType
Member (1)            uniqueMember
                      member
(1) The Member attribute in Active Directory is synchronized to the uniqueMember attribute in Directory Server.
Table 9-5 Group entry attributes that are the same between Directory Server and Active Directory
o
cn
ou
description
seeAlso
l
mail
9.4.2 Group schema differences between Directory Server and Active Directory
Although Active Directory supports the same basic X.500 object classes as Directory Server, there
are a few incompatibilities of which administrators should be aware.
Nested groups (where a group contains another group as a member) are supported and for
Windows Sync are synchronized. However, Active Directory imposes certain constraints as to
the composition of nested groups. For example, a global group cannot contain a domain local group as
a member. Directory Server has no concept of local and global groups, and, therefore, it is possible
to create entries on the Directory Server side that violate Active Directory's constraints when
synchronized.
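The following Python check, added here as an example and not part of the HP guide, flags Directory Server group nestings that Active Directory would reject before they are synchronized. It goes beyond the single case above by applying Active Directory's standard scope-nesting rules, and it assumes that ntGroupType holds the Active Directory groupType integer; the entries and DNs are constructed.

```python
# Added example. Sample entries are constructed, not taken from the guide.
# Assumption: ntGroupType carries the Active Directory groupType integer.
SCOPE_BITS = {0x2: "global", 0x4: "domain local", 0x8: "universal"}

# Child scopes that Active Directory rejects inside each parent scope.
FORBIDDEN = {
    "global": {"domain local", "universal"},
    "universal": {"domain local"},
    "domain local": set(),
}

def scope_of(entry):
    """Decode the group scope from ntGroupType, or None if not a synced group."""
    raw = entry.get("ntGroupType")
    if raw is None:
        return None
    value = int(raw) & 0xFFFFFFFF  # stored signed; security groups are negative
    for bit, name in SCOPE_BITS.items():
        if value & bit:
            return name
    return None

def find_scope_violations(entries):
    """Return (parent_dn, member_dn, parent_scope, member_scope) tuples."""
    by_dn = {e["dn"].lower(): e for e in entries}  # simple case-insensitive DN match
    violations = []
    for parent in entries:
        parent_scope = scope_of(parent)
        if parent_scope is None:
            continue
        # Both uniqueMember and member map to Member in Active Directory.
        members = parent.get("uniqueMember", []) + parent.get("member", [])
        for member_dn in members:
            child = by_dn.get(member_dn.lower())
            child_scope = scope_of(child) if child else None
            if child_scope in FORBIDDEN[parent_scope]:
                violations.append((parent["dn"], member_dn, parent_scope, child_scope))
    return violations

ENTRIES = [  # constructed sample data
    {"dn": "cn=Sales,ou=Groups,dc=example,dc=com", "ntGroupType": "-2147483646",
     "uniqueMember": ["cn=PrintOps,ou=Groups,dc=example,dc=com",
                      "uid=jdoe,ou=People,dc=example,dc=com"]},
    {"dn": "cn=PrintOps,ou=Groups,dc=example,dc=com", "ntGroupType": "-2147483644",
     "member": ["cn=sales,ou=groups,dc=example,dc=com"]},
]

if __name__ == "__main__":
    for v in find_scope_violations(ENTRIES):
        print("%s (%s) must not contain %s (%s)" % (v[0], v[2], v[1], v[3]))
```

Because group membership usually drives access decisions, a nesting that exists on one side of the sync agreement but not the other leaves the two directories with different effective memberships.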
9.4.3 Configuring group sync for Directory Server groups
For Directory Server groups to be synchronized over to Active Directory, the group entries must
have the appropriate sync attributes set.
9.4.3.1 Configuring group sync in the console
1. In the Directory Server Console, select the Directory tab.
2. Right-click the group entry, and click Advanced to open the advanced property editor for
the entry. All the sync-related attributes must be added manually, so only the advanced
property editor can set the attributes.
3. Click the objectClasses field, then click the Add Value button.
4. Select the ntGroup object class.