Red Hat Directory Server 8.0 Administrator's Guide
• When creating the sync agreement, there is an option to synchronize new Windows entries
(nsDS7NewWinUserSync and nsDS7NewWinGroupSync) as they are created. If these attributes
are set to on, then existing Windows users/groups are synchronized to the Directory Server,
and new users/groups are synchronized to the Directory Server as they are created.
Within the Windows subtree, only entries with user or group object classes can be
synchronized to Directory Server.
• On the Directory Server, only entries with the ntUser or ntGroup object classes and
attributes can be synchronized.
See Section 3, “Using Windows Sync” for more information on creating user and group
entries.
The placement of the sync agreement depends on what suffixes are synchronized; for a single
suffix, the sync agreement is made for that suffix alone; for multiple suffixes, the sync
agreement is made at a higher branch of the directory tree. To propagate Windows entries and
updates throughout the Directory Server deployment, make the agreement with a master in
a multi-master replication environment, and use that master to replicate the changes across the
Directory Server deployment, as shown in Figure 19.2, “Multi-Master Directory Server -
Windows Domain Synchronization”.
CAUTION
There can only be a single sync agreement between the Directory Server
environment and the Active Directory environment. Multiple sync agreements to
the same Active Directory domain can create entry conflicts.
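The single-agreement rule in the caution above can be checked against an LDIF export of cn=config. The following is an added example, not part of the guide: the LDIF is constructed, and the attribute names used (nsDSWindowsReplicationAgreement, nsds7WindowsDomain, nsds7NewWinUserSyncEnabled, nsds7NewWinGroupSyncEnabled) are the names as stored in the agreement entry, assumed from the Directory Server schema rather than taken from this page.

```python
from collections import defaultdict

# Constructed sample: two agreements pointing at the same AD domain.
SAMPLE_LDIF = """\
dn: cn=adsync1,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: nsDSWindowsReplicationAgreement
nsds7WindowsDomain: AD.EXAMPLE.COM
nsds7NewWinUserSyncEnabled: on
nsds7NewWinGroupSyncEnabled: on

dn: cn=adsync2,cn=replica,cn="ou=people,dc=example,dc=com",
 cn=mapping tree,cn=config
objectClass: nsDSWindowsReplicationAgreement
nsds7WindowsDomain: ad.example.com
nsds7NewWinUserSyncEnabled: off
"""

def parse_ldif(text):
    """Parse plain-text LDIF into a list of {lowercased attr: [values]}."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:  # continuation of previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], defaultdict(list)
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            current[attr.strip().lower()].append(value.strip())
    return entries

def audit_sync_agreements(entries):
    """Group sync agreements by Windows domain; return (all, conflicting)."""
    by_domain = defaultdict(list)
    for e in entries:
        classes = [c.lower() for c in e.get("objectclass", [])]
        if "nsdswindowsreplicationagreement" not in classes:
            continue
        flag = lambda a: e.get(a, ["off"])[0].lower() == "on"  # absent = off (assumption)
        by_domain[e.get("nsds7windowsdomain", ["?"])[0].lower()].append({
            "dn": e["dn"][0], "new_users": flag("nsds7newwinusersyncenabled"),
            "new_groups": flag("nsds7newwingroupsyncenabled")})
    conflicts = {d: a for d, a in by_domain.items() if len(a) > 1}
    return dict(by_domain), conflicts
```

Calling `audit_sync_agreements(parse_ldif(SAMPLE_LDIF))` returns every agreement grouped by domain plus the domains that have more than one; domain names are compared case-insensitively, and base64-encoded (`attr::`) values are not decoded.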
About Windows Sync