HP-UX Directory Server 8.1 administrator guide
dn: cn=exampleSyncAgreement, cn=userRoot, cn="dc=example, dc=com",
 cn=mapping tree, cn=config
changetype: modify
replace: nsds7NewWinGroupSyncEnabled
nsds7NewWinGroupSyncEnabled: on
To disable group synchronization, set nsds7NewWinGroupSyncEnabled: off.
9.5 Deleting and resurrecting entries
This section describes how enabling synchronization affects deleted entries on the synchronization
peers and how resurrected entries are handled.
9.5.1 Deleting entries
All changes on an Active Directory peer are always synchronized back to the Directory Server.
This means that when an Active Directory group or user account is deleted on the Active Directory
domain, the deletion is automatically synchronized back to the Directory Server peer.
On Directory Server, on the other hand, when a Directory Server account is deleted, the
corresponding entry on Active Directory is only deleted if the Directory Server entry has the
ntUserDeleteAccount or ntGroupDeleteAccount attribute set to true.
NOTE:
When a Directory Server entry is synchronized over to Active Directory for the first time, Active
Directory automatically assigns it a unique ID. At the next synchronization interval, the unique
ID is synchronized back to the Directory Server entry and stored as the ntUniqueId attribute.
If the Directory Server entry is deleted on Active Directory before the unique ID is synchronized
back to Directory Server, the entry will not be deleted on Directory Server. Directory Server uses
the ntUniqueId attribute to identify and synchronize changes made on Active Directory to the
corresponding Directory Server entry; without that attribute, Directory Server will not recognize
the deletion.
To delete the entry on Active Directory, then synchronize the deletion over to Directory Server,
wait the length of the winSyncInterval (by default, five minutes) after the entry is created
before deleting it so that the ntUniqueId attribute is synchronized.
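The two rules above (a Directory Server deletion only reaches Active Directory when ntUserDeleteAccount or ntGroupDeleteAccount is true, and an Active Directory deletion is only matched to the Directory Server entry once ntUniqueId has been synchronized back) can be checked before an administrator deletes anything. The following script is an added example, not part of the HP-UX Directory Server guide or product: it parses LDIF as ldapsearch prints it (standard LDIF, with leading-space continuation lines), evaluates both rules per entry, and, where ntUniqueId is still missing, reports how long remains of the default five-minute winSyncInterval counted from createTimestamp. The entries, ntUniqueId values and timestamps are constructed sample data, trimmed to the attributes that matter here.

```python
"""Audit Directory Server entries against the Windows Sync deletion rules.

Added example (not the product's own code). Assumes ldapsearch-style LDIF
input; the sample entries and values below are constructed.
"""
import base64
from datetime import datetime, timedelta, timezone

# Default winSyncInterval stated in the guide (five minutes).
WIN_SYNC_INTERVAL = timedelta(minutes=5)


def _unfold(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF into a list of {attribute-name-lowercased: [values]} dicts."""
    entries, current = [], {}
    for line in _unfold(text):
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):      # LDIF comment
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):     # "attr:: base64" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def parse_generalized_time(value):
    """LDAP GeneralizedTime such as 20240315120000Z -> timezone-aware UTC datetime."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def sync_delete_status(entry, now):
    """Evaluate the deletion rules from section 9.5.1 for one parsed entry.

    ds_delete_propagates: deleting the entry on Directory Server also deletes the
        Active Directory counterpart only when ntUserDeleteAccount or
        ntGroupDeleteAccount is true.
    ad_delete_recognized: a deletion made on Active Directory is matched to this
        entry only when ntUniqueId has already been synchronized back.
    wait_seconds: if ntUniqueId is missing, seconds until one full winSyncInterval
        has elapsed since createTimestamp (0 if it already has, or no timestamp).
    """
    flags = entry.get("ntuserdeleteaccount", []) + entry.get("ntgroupdeleteaccount", [])
    propagates = any(v.lower() == "true" for v in flags)
    has_unique_id = bool(entry.get("ntuniqueid"))
    wait = 0
    if not has_unique_id and entry.get("createtimestamp"):
        created = parse_generalized_time(entry["createtimestamp"][0])
        remaining = (created + WIN_SYNC_INTERVAL) - now
        wait = max(0, int(remaining.total_seconds()))
    return {
        "dn": entry.get("dn", [""])[0],
        "ds_delete_propagates": propagates,
        "ad_delete_recognized": has_unique_id,
        "wait_seconds": wait,
    }


def audit(ldif_text, now):
    """Run sync_delete_status over every entry in an LDIF dump."""
    return [sync_delete_status(e, now) for e in parse_ldif(ldif_text)]


# Constructed sample: one fully synchronized user, one user created two minutes
# ago whose ntUniqueId has not come back yet, and one group that will be kept
# on Active Directory because ntGroupDeleteAccount is false.
SAMPLE_LDIF = """\
dn: uid=jsmith,ou=People,dc=example,dc=com
uid: jsmith
ntUserDeleteAccount: true
ntUniqueId: 0123456789abcdef0123456789abcdef
createTimestamp: 20240315100000Z

dn: uid=newhire,ou=People,dc=example,dc=com
uid: newhire
ntUserDeleteAccount: true
createTimestamp: 20240315120200Z

dn: cn=contractors,ou=Groups,
 dc=example,dc=com
cn: contractors
ntGroupDeleteAccount: false
ntUniqueId: fedcba9876543210fedcba9876543210
createTimestamp: 20240315090000Z
"""

# Fixed "now" so the sample is reproducible (constructed, 2024-03-15 12:04:00 UTC).
SAMPLE_NOW = datetime(2024, 3, 15, 12, 4, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for status in audit(SAMPLE_LDIF, SAMPLE_NOW):
        print(status)
```

Feed it a real dump with `ldapsearch -LLL ... ntUserDeleteAccount ntGroupDeleteAccount ntUniqueId createTimestamp` redirected to a file and pass the file contents to `audit()` with `datetime.now(timezone.utc)`; any entry reporting `ad_delete_recognized: False` with a non-zero `wait_seconds` is one that should not yet be deleted on the Active Directory side.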
9.5.2 Resurrecting entries
It is possible to add deleted entries back in Directory Server; the deleted entries are called
tombstone entries. When a deleted entry that was synchronized between Directory Server and
Active Directory is re-added to Directory Server, the resurrected Directory Server entry has all
its original attributes and values. This is called tombstone reanimation. The resurrected entry
includes the original ntUniqueId attribute that was used to synchronize the entries, which
signals to the Active Directory server that this new entry is a tombstone entry.
The way that tombstone entries are handled is different between Windows Server 2000 and
Windows Server 2003:
• On Windows 2000, Active Directory creates a new entry with a new unique ID; this new ID
is synchronized back to the Directory Server entry.
• On Windows 2003, Active Directory resurrects the old entry and preserves the original
unique ID for the entry.
For Active Directory entries on both Windows 2000 and 2003, when the tombstone entry is
resurrected on Directory Server, all the attributes of the original Directory Server entry are
retained and are still included in the resurrected Active Directory entry.
9.5 Deleting and resurrecting entries 419