Red Hat Directory Server 8.0 Administrator's Guide

Figure 19.1. Active Directory - Directory Server Synchronization Process
Password Sync Service. This application captures password changes for Windows users and
relays those changes back to the Directory Server over LDAPS. It must be installed on the
Active Directory machine. This is done separately from the Windows Sync service to
accommodate password encryption.
Synchronization is configured and controlled by one or more synchronization agreements, which
establish synchronization between sync peers, the directory servers being synced. These are
similar in purpose to replication agreements and contain a similar set of information, including
the hostname and port number for Active Directory. The Directory Server connects to its peer
Windows server via LDAP/LDAPS to both send and receive updates.
A single Active Directory subtree is synchronized with a single Directory Server subtree, and
vice versa. Unlike replication, which connects databases, synchronization is between suffixes,
parts of the directory tree structure. The synced Active Directory and Directory Server suffixes
are both specified in the sync agreement. All entries within the respective subtrees are
candidates for synchronization, including entries that are not immediate children of the specified
suffix DN.
NOTE
Any descendant container entries need to be created separately in Active
Directory by an administrator; Windows Sync does not create container entries.
The Directory Server maintains a changelog, a database that records modifications that have
occurred. The changelog is used by Windows Sync to coordinate and send changes made to
the Active Directory peer. Changes to entries in Active Directory are found by using Active
Directory's Dirsync search feature. Because there is no changelog on the Active Directory side,
the Dirsync search is issued periodically, every five minutes. Using Dirsync ensures that only
those entries that have changed since the previous search are retrieved.
In some situations, such as when synchronization is configured or there have been major
changes to directory data, a total update, or resynchronization, can be run. This examines every
entry in both sync peers and sends any modifications or missing entries. A full Dirsync search is
initiated whenever a total update is run. See Section 3.5, “Manually Updating and
Resynchronizing Entries” for more information.
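The following LDIF is an added illustration, not taken from the guide, of the two operations described above: creating a sync agreement that names the Active Directory peer and the two synced subtrees, and then triggering a total update against that agreement. The suffix dc=example,dc=com, the host ad.example.com, the bind DN and the password are assumed placeholder values; the attribute names are the standard Directory Server sync-agreement attributes.

```ldif
# Added example (assumed values): a Windows Sync agreement under the
# replica entry for the suffix dc=example,dc=com. Load with ldapmodify.
dn: cn=ExampleSyncAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsDSWindowsReplicationAgreement
cn: ExampleSyncAgreement
# Suffix of the Directory Server database being synced.
nsDS5ReplicaRoot: dc=example,dc=com
# Active Directory peer; 636 with transport SSL means LDAPS, so the bind
# credentials and synced attribute values are not sent in clear text as
# they would be over plain LDAP on 389.
nsDS5ReplicaHost: ad.example.com
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindDN: cn=sync user,cn=Users,dc=ad,dc=example,dc=com
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: REPLACE_WITH_SYNC_PASSWORD
# The one Active Directory subtree and the one Directory Server subtree
# that are synced with each other; all entries beneath them are candidates.
nsds7WindowsReplicaSubtree: cn=Users,dc=ad,dc=example,dc=com
nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
nsds7WindowsDomain: ad.example.com
nsds7NewWinUserSyncEnabled: on
nsds7NewWinGroupSyncEnabled: on

# Total update (resynchronization): compares every entry in both peers and
# issues a full Dirsync search, as described for the manual resync.
dn: cn=ExampleSyncAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
replace: nsds5BeginReplicaRefresh
nsds5BeginReplicaRefresh: start
```

The sync user on the Active Directory side only needs rights on the named subtree; the credentials attribute is stored in the Directory Server configuration, which is another reason to restrict read access to cn=config.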
Windows Sync gives administrators fine-grained control over which entries are synchronized,
so that it can support different deployment scenarios. This control is set through several
configuration attributes in the Directory Server:
Chapter 19. Synchronizing Red Hat Directory Server with Microsoft Active Directory