HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

The Password Sync Service must be installed on every Active Directory domain controller.
Figure 19 Active Directory - Directory Server synchronization process
Synchronization is configured and controlled by one or more synchronization agreements, which
establish synchronization between sync peers, the directory servers being synchronized. These
are similar in purpose to replication agreements and contain a similar set of information, including
the host name and port number for Active Directory. The Directory Server connects to its peer
Windows server through LDAP/LDAPS to both send and receive updates.
A standard LDAP connection can be used to synchronize user and group entries alone, but
synchronizing passwords requires a secure connection. If a secure connection is not
used, the Windows domain will not accept password changes from the Directory Server and the
Password Sync Service will not send passwords from the Active Directory domain to the Directory
Server. Windows Sync allows both LDAPS using TLS/SSL and Start TLS.
A single Active Directory subtree is synchronized with a single Directory Server subtree, and vice
versa. Unlike replication, which connects databases, synchronization is between suffixes, parts of
the directory tree structure. The synchronized Active Directory and Directory Server suffixes are
both specified in the sync agreement. All entries within the respective subtrees are candidates for
synchronization, including entries that are not immediate children of the specified suffix DN.
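The two requirements above (a secure transport for password sync, and both suffixes named in the agreement) are the kind of thing worth auditing after the agreements have been created. The following script is an added example, not code from the guide or from HP; it reads a constructed LDIF export of sync agreement entries and reports agreements that will silently not carry passwords or that lack a subtree. The agreement object class and the nsDS5ReplicaHost/Port/TransportInfo and nsDS7...Subtree attribute names are assumed here (they are not shown on this page); the port checks are based only on the conventional LDAP (389) and LDAPS (636) ports.

```python
"""Audit Windows Sync agreements exported as LDIF.

Added example, not part of the HP-UX Directory Server guide. Attribute and object
class names below (nsDSWindowsReplicationAgreement, nsDS5ReplicaTransportInfo with
values LDAP/SSL/TLS, nsDS7WindowsReplicaSubtree, nsDS7DirectoryReplicaSubtree) are
assumptions about the agreement entry layout, not taken from this page.
"""
import re

# Constructed sample export: three agreements under cn=config.
SAMPLE_LDIF = """\
dn: cn=ADsync-plain,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDSWindowsReplicationAgreement
cn: ADsync-plain
nsDS5ReplicaHost: ad1.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaTransportInfo: LDAP
nsDS7WindowsReplicaSubtree: cn=Users,dc=example,dc=com
nsDS7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
nsDS7NewWinUserSyncEnabled: on
nsDS7NewWinGroupSyncEnabled: off

dn: cn=ADsync-tls,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDSWindowsReplicationAgreement
cn: ADsync-tls
nsDS5ReplicaHost: ad2.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaTransportInfo: TLS
nsDS7WindowsReplicaSubtree: cn=Users,dc=example,dc=com
nsDS7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
nsDS7NewWinUserSyncEnabled: on
nsDS7NewWinGroupSyncEnabled: on

dn: cn=ADsync-broken,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDSWindowsReplicationAgreement
cn: ADsync-broken
nsDS5ReplicaHost: ad3.example.com
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: SSL
nsDS7WindowsReplicaSubtree: cn=Users,dc=example,dc=com
"""

# Transport values that give the secure connection password sync needs (assumed mapping).
SECURE_TRANSPORTS = {"SSL": "LDAPS", "TLS": "Start TLS"}
# Every agreement must name its AD peer and both synchronized suffixes.
REQUIRED = ("nsds5replicahost", "nsds5replicaport",
            "nsds7windowsreplicasubtree", "nsds7directoryreplicasubtree")


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, attribute names lower-cased.
    Folds continuation lines (leading space); base64 (::) values are not needed here."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]
            else:
                lines.append(line)
        entry = {}
        for line in lines:
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def is_sync_agreement(entry):
    return "nsdswindowsreplicationagreement" in {v.lower() for v in entry.get("objectclass", [])}


def audit_agreement(entry):
    """Return the findings for one agreement; an empty list means nothing to report."""
    findings = []
    for attr in REQUIRED:
        if attr not in entry:
            findings.append(f"missing {attr}: sync peer or suffix not defined")
    transport = entry.get("nsds5replicatransportinfo", ["LDAP"])[0].upper()
    if transport not in SECURE_TRANSPORTS:
        findings.append("transport is plain LDAP: users/groups sync, but the Windows domain "
                        "will not accept password changes and Password Sync will not send any")
    port = entry.get("nsds5replicaport", [""])[0]
    if transport == "SSL" and port == "389":
        findings.append("LDAPS selected on port 389; LDAPS conventionally uses 636")
    if transport == "TLS" and port == "636":
        findings.append("Start TLS selected on port 636; Start TLS runs on the plain LDAP port")
    return findings


def audit_ldif(text):
    """Map each sync agreement's cn to its list of findings."""
    return {e["cn"][0]: audit_agreement(e) for e in parse_ldif(text) if is_sync_agreement(e)}


if __name__ == "__main__":
    for name, findings in audit_ldif(SAMPLE_LDIF).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against a real export (for example the output of an ldapsearch under cn=config filtered on the agreement object class), the plain-LDAP finding is the one to act on first: such an agreement keeps user and group entries in step, so the missing password flow is easy to overlook until a user's Directory Server password stops matching the domain.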
NOTE:
Any descendant container entries need to be created separately in Active Directory by an
administrator; Windows Sync does not create container entries.
The Directory Server maintains a changelog, a database that records modifications that have
occurred. The changelog is used by Windows Sync to coordinate and send changes made to the
Active Directory peer. Changes to entries in Active Directory are found by using Active Directory's
Dirsync search feature. The Dirsync search is issued periodically, every five minutes, to check for
changes on the Active Directory server. Using Dirsync ensures that only those entries that have
changed since the previous search are retrieved.
In some situations, such as when synchronization is configured or there have been major changes
to directory data, a total update, or resynchronization, can be run. This examines every entry in
both synchronized peers and sends any modifications or missing entries. A full Dirsync search is
initiated whenever a total update is run. See “Sending synchronization updates” (page 417) for
more information.
Windows Sync provides some control over which entries are synchronized to grant administrators
fine-grained control of the entries that are synchronized and to give sufficient flexibility to support
different deployment scenarios. This control is set through different configuration attributes set in
the Directory Server:
When creating the sync agreement, there is an option to synchronize new Windows entries
(nsDS7NewWinUserSyncEnabled and nsDS7NewWinGroupSyncEnabled) as they are
created. If these attributes are set to on, then existing Windows users/groups are synchronized
392 Synchronizing Directory Server with Microsoft Active Directory