HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

cn=mapping tree, cn=config
changetype: modify
replace: nsds7NewWinUserSyncEnabled
nsds7NewWinUserSyncEnabled: on
To disable user synchronization, set nsds7NewWinUserSyncEnabled: off.
9.4 Synchronizing groups
Like user entries, groups are not automatically synchronized between Directory Server and Active
Directory. Synchronization in both directions has to be configured:
Groups in the Active Directory domain are synchronized if this is configured in the synchronization
agreement by selecting the Sync New Windows Groups option. All the Windows groups are
copied to the Directory Server when synchronization is initiated, and then new groups are
synchronized over as they are created.
A Directory Server group entry is synchronized to Active Directory through specific attributes
that are present on the Directory Server entry. The entry must have the ntGroup object class
and the ntGroupCreateNewAccount attribute set to true; the ntGroupCreateNewAccount
attribute (even on an existing entry) signals the synchronization plug-in to write the entry
over to the Active Directory server.
New groups that are created on the Directory Server with the ntGroup object class are
synchronized to the Windows machine at the next regular update, which is the standard poll
of changed entries. Existing groups that have the ntGroup object class added are synchronized at
the next total update, meaning the next time all entries are manually pushed to the Active
Directory server (similar to re-initializing a consumer in replication).
IMPORTANT:
When a group is synchronized, the list of all its members is also synchronized. However, the
member entries themselves are not synchronized unless user synchronization is enabled and applies
to those entries.
Additionally, groups have a few other common attributes:
Two attributes control whether Directory Server groups are created and deleted on Active
Directory, ntGroupCreateNewAccount and ntGroupDeleteAccount.
ntGroupCreateNewAccount is required to synchronize Directory Server groups over to
Active Directory.
ntUserDomainId contains the unique ID for the entry on the Active Directory domain. This
is the only required attribute for the ntGroup object class.
ntGroupType is the type of Windows group. Windows group types are global/security,
domain local/security, global/distribution, or domain local/distribution. This is set automatically
for Windows groups that are synchronized over, but this attribute must be set manually on
Directory Server entries before they can be synchronized.
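To make the attribute requirements above concrete, the following Python is an added example, not code from the HP-UX Directory Server guide or from the product itself. It represents a Directory Server group entry as a dict of attribute values (the shape python-ldap and ldap3 return), reports which of the attributes listed above would stop the plug-in from writing the group to Active Directory, and builds the LDIF modify record that adds them. It assumes that ntGroupType holds Active Directory's numeric groupType value (a signed 32-bit bitmask: 2 global, 4 domain local, 0x80000000 security-enabled), models only the four group types named above, and defaults ntUserDomainId to the entry's cn; the sample DN and entry are constructed for illustration.

```python
# Added example: sync-readiness check and LDIF generator for Directory Server
# groups. Not code from the HP-UX Directory Server guide or the product.

# Active Directory groupType flag bits (AD schema constants). That ntGroupType
# stores this numeric groupType value is an assumption of this example.
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_SECURITY_ENABLED = 0x80000000

# The four Windows group types the text names, as groupType bitmasks.
NT_GROUP_TYPES = {
    "global/security": GROUP_TYPE_GLOBAL | GROUP_TYPE_SECURITY_ENABLED,
    "domain local/security": GROUP_TYPE_DOMAIN_LOCAL | GROUP_TYPE_SECURITY_ENABLED,
    "global/distribution": GROUP_TYPE_GLOBAL,
    "domain local/distribution": GROUP_TYPE_DOMAIN_LOCAL,
}


def to_signed32(value):
    """groupType is a signed 32-bit integer in LDAP, so 0x80000002 is written
    as -2147483646; convert the unsigned bitmask to that representation."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def nt_group_type_value(name):
    """Integer to put in ntGroupType for a named Windows group type."""
    return to_signed32(NT_GROUP_TYPES[name])


def nt_group_type_name(value):
    """Reverse mapping; ValueError for anything outside the four modelled types."""
    unsigned = int(value) & 0xFFFFFFFF
    for name, bits in NT_GROUP_TYPES.items():
        if bits == unsigned:
            return name
    raise ValueError("unknown ntGroupType value %r" % value)


def _values(entry, attr):
    """Case-insensitive attribute lookup (LDAP names are), values as str."""
    for key, vals in entry.items():
        if key.lower() == attr.lower():
            return [v.decode() if isinstance(v, bytes) else str(v) for v in vals]
    return []


def sync_problems(entry):
    """Reasons the plug-in would NOT write this group to Active Directory.
    An empty list means the entry carries everything the text requires."""
    problems = []
    if "ntgroup" not in [v.lower() for v in _values(entry, "objectClass")]:
        problems.append("missing ntGroup object class")
    if not _values(entry, "ntUserDomainId"):
        problems.append("missing ntUserDomainId (the one attribute ntGroup requires)")
    if "true" not in [v.lower() for v in _values(entry, "ntGroupCreateNewAccount")]:
        problems.append("ntGroupCreateNewAccount is not true, so the entry is never pushed")
    gtype = _values(entry, "ntGroupType")
    if not gtype:
        problems.append("ntGroupType not set (must be set by hand on Directory Server entries)")
    else:
        try:
            nt_group_type_name(gtype[0])
        except ValueError:
            problems.append("ntGroupType %s is not a recognised Windows group type" % gtype[0])
    return problems


def sync_ldif(dn, entry, group_type="global/security"):
    """LDIF 'changetype: modify' record adding whatever sync_problems() found,
    or '' if the entry is already sync-ready. ntUserDomainId defaults to the
    cn (an assumption: it must be the account name wanted on the AD side)."""
    mods = []
    if "ntgroup" not in [v.lower() for v in _values(entry, "objectClass")]:
        mods.append(("add", "objectClass", "ntGroup"))
    if not _values(entry, "ntUserDomainId"):
        cn = _values(entry, "cn")
        if not cn:
            raise ValueError("entry has no cn to derive ntUserDomainId from")
        mods.append(("add", "ntUserDomainId", cn[0]))
    create = _values(entry, "ntGroupCreateNewAccount")
    if "true" not in [v.lower() for v in create]:
        mods.append(("replace" if create else "add", "ntGroupCreateNewAccount", "true"))
    if not _values(entry, "ntGroupType"):
        mods.append(("add", "ntGroupType", str(nt_group_type_value(group_type))))
    if not mods:
        return ""
    lines = ["dn: " + dn, "changetype: modify"]
    for i, (op, attr, value) in enumerate(mods):
        if i:
            lines.append("-")  # LDIF separator between modifications
        lines += ["%s: %s" % (op, attr), "%s: %s" % (attr, value)]
    return "\n".join(lines) + "\n"


# Constructed sample: an ordinary group nobody has marked for synchronization.
SAMPLE_DN = "cn=Engineering,ou=Groups,dc=example,dc=com"
SAMPLE_ENTRY = {
    "objectClass": ["top", "groupOfUniqueNames"],
    "cn": ["Engineering"],
    "uniqueMember": ["uid=alice,ou=People,dc=example,dc=com"],
}

if __name__ == "__main__":
    for problem in sync_problems(SAMPLE_ENTRY):
        print("-", problem)
    print(sync_ldif(SAMPLE_DN, SAMPLE_ENTRY))
```

The generated record is fed to ldapmodify. Note the timing caveat from the text: a group that already existed before these attributes were added still waits for the next total update, whereas a brand-new entry created with them is picked up at the next regular update.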
9.4.1 Group attributes synchronized between Directory Server and Active Directory
Only a subset of Directory Server and Active Directory attributes are synchronized. These attributes
are hard-coded and are defined regardless of which way the entry is being synchronized. Any
other attributes present in the entry, either in Directory Server or in Active Directory, remain
unaffected by synchronization.
Some attributes used in Directory Server and Active Directory group entries are identical. These
are usually attributes defined in an LDAP standard, which are common among all LDAP services.
These attributes are synchronized to one another exactly. Table 47 (page 412) shows attributes that
are the same between the Directory Server and Windows servers.
9.4 Synchronizing groups 411