HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

attribute (even on an existing entry) signals to the synchronization plug-in to write the entry
over to the Active Directory server.
New users that are created on the Directory Server with the ntUser object class are
synchronized to the Windows machine at the next regular update, which is a standard poll
of entries. Existing users that have the ntUser object class added are synchronized at the next
total update, meaning the next time all entries are manually pushed to the Directory Server
(similar to re-initializing a consumer in replication).
All synchronized entries in the Directory Server, whether they originated in the Directory Server or
in Active Directory, have special synchronization attributes:
ntUserDomainId
This corresponds to the sAMAccountName attribute for Active Directory entries.
ntUniqueId
This contains the value of the objectGUID attribute for the corresponding Windows entry.
This attribute is set by the synchronization process and should not be set or modified manually.
ntUserDeleteAccount
This attribute is set automatically when a Windows entry is synchronized over but must be set
manually for Directory Server entries. If ntUserDeleteAccount has the value true, the
corresponding Windows entry is deleted when the Directory Server entry is deleted. Otherwise,
the entry remains in Active Directory, but is removed from the Directory Server database if it
is deleted in the Directory Server.
Setting ntUserCreateNewAccount and ntUserDeleteAccount on Directory Server
entries allows the Directory Manager precise control over which users within the synchronized
subtree are synchronized on Active Directory.
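Because ntUserDeleteAccount decides whether a deletion in the Directory Server also removes the Windows entry, it is worth reviewing before entries in the synchronized subtree are removed. The following Python example is added here and is not code from this guide or the product: it parses an LDIF export and reports, per entry, whether deleting it would also delete the corresponding Windows entry. The sample LDIF, the DNs, the function names and the result labels are constructed for illustration, and comparing the attribute value case-insensitively is an assumption.

```python
import base64

# Constructed sample export of a synchronized subtree (not from the guide).
SAMPLE_LDIF = """\
dn: uid=jsmith,ou=People,dc=example,dc=com
objectClass: ntUser
ntUserDeleteAccount: true

dn: uid=akhan,ou=People,dc=example,dc=com
objectClass: ntuser
ntUserDeleteAccount:: VFJVRQ==

dn: uid=mlee,ou=People,dc=example,
 dc=com
objectClass: ntUser
ntUserDomainId: mlee

dn: uid=svc-backup,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
"""

def parse_ldif(text):
    """Parse LDIF into [{lowercased attr: [values]}], handling folding and base64."""
    entries, current = [], {}
    # A line starting with a single space continues the previous line.
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, rest = line.partition(":")
            b64 = rest.startswith(":")  # "attr:: value" is base64-encoded
            value = base64.b64decode(rest[1:]).decode("utf-8") if b64 else rest.strip()
            current.setdefault(attr.lower(), []).append(value)
    return entries

def deletion_scope(entries):
    """Map each DN to what deleting it in Directory Server does to the Windows entry."""
    report = {}
    for e in entries:
        classes = [v.lower() for v in e.get("objectclass", [])]
        # Assumption: the attribute value is compared case-insensitively.
        flag = e.get("ntuserdeleteaccount", [""])[0].lower()
        if "ntuser" not in classes:
            scope = "no-ntUser"  # entry lacks the ntUser object class
        else:
            scope = "windows-entry-deleted" if flag == "true" else "windows-entry-kept"
        report[e["dn"][0]] = scope
    return report
```

Calling deletion_scope(parse_ldif(SAMPLE_LDIF)) returns a dictionary keyed by DN; entries reported as windows-entry-deleted are the ones whose removal also removes the Windows account.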
9.3.1 User attributes synchronized between Directory Server and Active Directory
Only a subset of Directory Server and Active Directory attributes are synchronized. These attributes
are hard-coded and are defined regardless of which way the entry is being synchronized. Any
other attributes present in the entry, either in Directory Server or in Active Directory, remain
unaffected by synchronization.
Some attributes used in Directory Server and Active Directory are identical. These are usually
attributes defined in an LDAP standard, which are common among all LDAP services. These attributes
are synchronized to one another exactly. Table 45 (page 406) shows attributes that are the same
between the Directory Server and Windows servers.
Some attributes define the same information, but the names of the attributes or their schema
definitions are different. These attributes are mapped between Active Directory and Directory
Server, so that attribute A in one server is treated as attribute B in the other. For synchronization,
many of these attributes relate to Windows-specific information. Table 44 (page 405) shows the
attributes that are mapped between the Directory Server and Windows servers.
For more information on the differences in ways that Directory Server and Active Directory handle
some schema elements, see “User schema differences between Directory Server and Active
Directory” (page 406).
Table 44 User schema mapped between Directory Server and Active Directory

Active Directory     Directory Server
name                 cn [1]
sAMAccountName       ntUserDomainId
homeDirectory        ntUserHomeDir