HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

9 Synchronizing Directory Server with Microsoft Active Directory
Windows Sync carries over changes in a directory (adds, deletes, and changes in groups, users,
and passwords) between Directory Server and Microsoft Active Directory. This makes it much
more efficient and effective to maintain consistent information across directories.
This chapter includes the following topics:
“About Windows Sync” (page 391)
“Configuring Windows Sync” (page 393)
“Synchronizing users” (page 404)
“Synchronizing groups” (page 411)
“Deleting and resurrecting entries” (page 416)
“Sending synchronization updates” (page 417)
“Modifying the sync agreement” (page 419)
“Configuring unidirectional synchronization” (page 424)
“Password sync service” (page 425)
“Troubleshooting synchronization problems” (page 425)
9.1 About Windows Sync
Synchronization allows the user and group entries in Active Directory to be matched with the entries
in the Directory Server. As entries are created, modified, or deleted, the corresponding change is
made to the synchronized peer server, allowing two-way synchronization of users, passwords,
and groups.
The synchronization process is analogous to the replication process: the synchronization is enabled
by a plug-in, configured and initiated through a synchronization agreement, and a record of directory
changes is maintained and updates are sent according to that changelog. This synchronizes users
and groups between Directory Server and a Windows server.
Windows Sync is configured in two parts, one for user and group entries and the
other for passwords:
Directory Server Windows Sync
Synchronization for user and group entries is configured in a synchronization agreement,
much like replication is configured in a replication agreement. A sync agreement defines what
kinds of entries are synchronized (users, groups, or both) and which direction changes are
synchronized (from the Directory Server to Active Directory, from Active Directory to Directory
Server, or both).
The Directory Server relies on the Multi-Master Replication Plug-in to synchronize user and
group entries. The same changelog that is used for multi-master replication is also used to
send updates from the Directory Server to Active Directory as LDAP operations. The server
also performs LDAP search operations against its Windows server to synchronize changes
made to Windows entries to the corresponding Directory Server entry.
Password Sync Service
Password changes made on Directory Server are automatically synchronized over to Active
Directory, but there must be a special hook to recognize and transmit password changes on
Active Directory over to Directory Server. This is done by the Password Sync Service. This
application captures password changes on the Windows machines and sends them to the
Directory Server over LDAPS.
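As an added example (not code from the HP-UX Directory Server guide or product), the following Python script parses a sync agreement entry of the kind described above and summarizes what it synchronizes, in which direction, and whether the connection that also carries password updates is encrypted. The sample agreement is constructed. The attribute names (nsds7WindowsReplicaSubtree, nsds7NewWinUserSyncEnabled, nsDS5ReplicaTransportInfo, oneWaySync, and so on) are taken from the Red Hat/389 Directory Server Windows sync agreement schema that HP-UX Directory Server is derived from, which is an assumption about this release; on a live server such entries can be exported with ldapsearch against cn=config using the filter (objectclass=nsDSWindowsReplicationAgreement).

```python
"""Summarize a Windows Sync agreement exported as LDIF.

Added example, not from the HP-UX Directory Server guide. Attribute names
follow the Red Hat/389 Directory Server Windows sync agreement schema
(assumed to apply to HP-UX Directory Server 8.1); all DNs, hostnames and
values below are constructed for illustration.
"""
import base64

# Constructed sample: roughly what an ldapsearch of cn=config returns for one
# agreement. The bind password (nsDS5ReplicaCredentials) is deliberately
# absent, as a search does not normally return it.
SAMPLE_AGREEMENT = """\
dn: cn=ExampleSyncAgreement,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDSWindowsReplicationAgreement
cn: ExampleSyncAgreement
nsds7WindowsReplicaSubtree: cn=Users,dc=ad,dc=example,dc=com
nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
nsds7NewWinUserSyncEnabled: on
nsds7NewWinGroupSyncEnabled: off
nsds7WindowsDomain: AD
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaHost: ad.example.com
nsDS5ReplicaPort: 636
nsDS5ReplicaBindDN: cn=sync manager,cn=Users,dc=ad,dc=example,dc=com
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaTransportInfo: SSL
winSyncInterval: 300
"""


def parse_ldif_entry(text):
    """Return {lowercased attribute: [values]} for one LDIF entry.

    Handles folded continuation lines (leading space) and base64 values ("::").
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a wrapped value
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def first(attrs, name, default=""):
    """First value of an attribute, case-insensitive on the attribute name."""
    return attrs.get(name.lower(), [default])[0]


def summarize_agreement(text):
    """Describe what the agreement synchronizes, in which direction, and how."""
    attrs = parse_ldif_entry(text)
    classes = {v.lower() for v in attrs.get("objectclass", [])}
    if "nsdswindowsreplicationagreement" not in classes:
        raise ValueError("entry is not a Windows sync agreement")

    # These flags decide whether new Windows users/groups are created in DS.
    scope = []
    if first(attrs, "nsds7NewWinUserSyncEnabled").lower() == "on":
        scope.append("users")
    if first(attrs, "nsds7NewWinGroupSyncEnabled").lower() == "on":
        scope.append("groups")

    # oneWaySync is absent on the default two-way agreement.
    one_way = first(attrs, "oneWaySync").lower()
    direction = {"fromwindows": "AD -> DS", "towindows": "DS -> AD"}.get(one_way, "both")

    transport = first(attrs, "nsDS5ReplicaTransportInfo", "LDAP").upper()
    return {
        "name": first(attrs, "cn"),
        "windows_subtree": first(attrs, "nsds7WindowsReplicaSubtree"),
        "directory_subtree": first(attrs, "nsds7DirectoryReplicaSubtree"),
        "scope": scope,
        "direction": direction,
        "host": first(attrs, "nsDS5ReplicaHost"),
        "port": int(first(attrs, "nsDS5ReplicaPort", "389")),
        "transport": transport,
        # SSL (LDAPS) or TLS (Start TLS) protects the bind credentials and the
        # password updates sent over this connection; plain LDAP does not.
        "encrypted": transport in ("SSL", "TLS"),
        "interval_seconds": int(first(attrs, "winSyncInterval", "300")),
    }


def audit_findings(summary):
    """Return the findings a reviewer of the agreement would want to act on."""
    findings = []
    if not summary["encrypted"]:
        findings.append(
            "%s: transport is %s; bind credentials and synchronized password "
            "changes would cross the network unencrypted"
            % (summary["name"], summary["transport"])
        )
    return findings


if __name__ == "__main__":
    summary = summarize_agreement(SAMPLE_AGREEMENT)
    for key, value in summary.items():
        print("%-18s %s" % (key, value))
    for finding in audit_findings(summary):
        print("FINDING:", finding)
```

The summary is what an administrator checks before enabling an agreement: which subtree on each side is in scope, whether new users and groups are pulled in, whether the agreement is two-way or restricted with oneWaySync, and that the transport is SSL or TLS, since the same connection carries password values in the Directory Server to Active Directory direction.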
9.1 About Windows Sync 391