HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

cn=mapping tree, cn=config
changetype: modify
replace: nsds7NewWinGroupSyncEnabled
nsds7NewWinGroupSyncEnabled: on
To disable group synchronization, set nsds7NewWinGroupSyncEnabled: off.
9.5 Deleting and resurrecting entries
This section describes how enabling synchronization affects deleted entries on the synchronization
peers and how resurrected entries are handled.
9.5.1 Deleting entries
All changes on an Active Directory peer are always synchronized back to the Directory Server.
This means that when an Active Directory group or user account is deleted in the Active Directory
domain, the deletion is automatically synchronized back to the Directory Server peer.
On Directory Server, on the other hand, when a Directory Server account is deleted, the
corresponding entry on Active Directory is only deleted if the Directory Server entry has the
ntUserDeleteAccount or ntGroupDeleteAccount attribute set to true.
NOTE:
When a Directory Server entry is synchronized over to Active Directory for the first time, Active
Directory automatically assigns it a unique ID. At the next synchronization interval, the unique ID
is synchronized back to the Directory Server entry and stored as the ntUniqueId attribute. If the
Directory Server entry is deleted on Active Directory before the unique ID is synchronized back to
Directory Server, the entry will not be deleted on Directory Server. Directory Server uses the
ntUniqueId attribute to identify and synchronize changes made on Active Directory to the
corresponding Directory Server entry; without that attribute, Directory Server will not recognize the
deletion.
To delete the entry on Active Directory, then synchronize the deletion over to Directory Server, wait
the length of the winSyncInterval (by default, five minutes) after the entry is created before
deleting it so that the ntUniqueId attribute is synchronized.
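The two rules in this section can be checked against an export before deleting accounts. The following script is an added example, not part of the guide: it reads a minimal LDIF export and reports, for each entry, whether a Directory Server deletion would propagate to Active Directory (ntUserDeleteAccount or ntGroupDeleteAccount is true) and whether an Active Directory deletion would be recognized by Directory Server (ntUniqueId has already been synchronized back). The LDIF, DNs and ntUniqueId values are constructed sample data.

```python
"""Audit delete-synchronization readiness of Directory Server entries (section 9.5.1)."""

# Constructed sample export; the DNs and ntUniqueId values are not from any real deployment.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
ntUniqueId: 1a2b3c4d5e6f
ntUserDeleteAccount: true

dn: uid=asmith,ou=People,dc=example,dc=com
ntUniqueId: 6f5e4d3c2b1a
ntUserDeleteAccount: false

dn: cn=staff,ou=Groups,dc=example,dc=com
ntGroupDeleteAccount: true
"""


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attribute_lowercase: [values]}}.
    Folded lines and base64 (::) values are not handled; the sample uses neither."""
    entries, current, dn = {}, {}, None
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            current, dn = {}, None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
        else:
            current.setdefault(attr, []).append(value)
    return entries


def sync_delete_status(entry):
    """Return (ds_delete_reaches_ad, ad_delete_recognized_by_ds) for one parsed entry."""
    flag = entry.get("ntuserdeleteaccount") or entry.get("ntgroupdeleteaccount") or ["false"]
    ds_to_ad = flag[0].lower() == "true"        # only then is the AD entry deleted
    ad_to_ds = "ntuniqueid" in entry            # without it DS cannot match an AD deletion
    return ds_to_ad, ad_to_ds


def audit(ldif_text):
    """Map each DN in the export to its (ds_to_ad, ad_to_ds) status pair."""
    return {dn: sync_delete_status(e) for dn, e in parse_ldif(ldif_text).items()}


if __name__ == "__main__":
    for dn, (ds_to_ad, ad_to_ds) in audit(SAMPLE_LDIF).items():
        print(f"{dn}: DS->AD delete {'yes' if ds_to_ad else 'NO'}, "
              f"AD->DS delete {'yes' if ad_to_ds else 'NO (wait one winSyncInterval)'}")
```

An entry reported with a missing ntUniqueId was created less than one winSyncInterval ago; deleting it on Active Directory at that point leaves the Directory Server copy in place, as the note above describes.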
9.5.2 Resurrecting entries
It is possible to add deleted entries back in Directory Server; the deleted entries are called tombstone
entries. When a deleted entry that was synchronized between Directory Server and Active Directory
is re-added to Directory Server, the resurrected Directory Server entry has all its original attributes
and values. This is called tombstone reanimation. The resurrected entry includes the original
ntUniqueId attribute that was used to synchronize the entries, which signals to the Active Directory
server that this new entry is a tombstone entry.
The way that tombstone entries are handled is different between Windows Server 2000 and
Windows Server 2003:
On Windows 2000, Active Directory creates a new entry with a new unique ID; this new ID
is synchronized back to the Directory Server entry.
On Windows 2003, Active Directory resurrects the old entry and preserves the original unique
ID for the entry.
For Active Directory entries on both Windows 2000 and 2003, when the tombstone entry is
resurrected on Directory Server, all the attributes of the original Directory Server entry are retained
and are still included in the resurrected Active Directory entry.
416 Synchronizing Directory Server with Microsoft Active Directory