This section explains the synchronizing processes, describes the proper syntax for using the idsync resync subcommand, and explains how to verify that the processes completed successfully. The information is organized as follows:
You need to resynchronize the user entries when two directory sources become out of sync. Use the idsync resync command to create users, user groups, and synchronize user and user group attributes in two directory sources. Specifically, you can use the idsync resync command to populate an empty Directory Server with the existing Active Directory or Windows NT SAM domain users.
The idsync resync command can be used in any of the following ways:
If there are users that exist on Directory Server and Windows, you must run the idsync resync command to synchronize those users.
If you do not want to synchronize existing users to Directory Server, then run idsync resync with the -u argument, which updates the object cache only and does not synchronize the Windows entries to Directory Server.
If you have existing Windows users and do not run idsync resync, then changes to these users may or may not be propagated; and depending on flow settings, these users might even be automatically created in Directory Server. You must run idsync resync again, even if you have already run the command.
You cannot use the idsync resync command to synchronize passwords (except to invalidate Directory Server passwords to force on-demand password synchronization in an Active Directory environment).
When the Group Synchronization feature is enabled, both the users as well as the groups associated with the users are synchronized between the data sources configured. No additional options are required while using the resync command for Group Synchronization.
After populating Active Directory and Directory Server with users and installing the Active Directory and Directory Server Connectors (before starting synchronization), you must use the idsync resync command to ensure that all existing users are linked in the two directory sources.
What is linking? Identity Synchronization for Windows correlates the same user on Directory Server and on Windows by storing the following unique, immutable identifiers:
The dspswuserlink attribute of each Directory Server user entry
A combination of the domain name and the RID for each Windows NT SAM user
Storing this immutable identifier allows Identity Synchronization for Windows to synchronize other key identifiers, such as uid and cn. The dspswuserlink attribute is populated when:
Identity Synchronization for Windows creates a new user in Directory Server (after a new user is synchronized from Windows or by running idsync resync -c)
Identity Synchronization for Windows creates a new user on Windows (after synchronizing a new user from Directory Server or by running idsync resync -c -o Sun)
You run idsync resync -c -f to link entries that already exist on Directory Server and Windows as described in this chapter.
To link existing users, you must provide rules for matching users between the two directories. For example, to link a user entry in two directories, both the first names and last names must match in both directory entries.
Linking user entries and resolving data conflicts could be described as more art than science. There are many reasons why the idsync resync subcommand might fail to link two users in opposing directory sources, and success depends to a large extent on the consistency of the data in the linked directories.
One strategy for using idsync resync is to use the -n argument, which runs the operation in “safe mode” so you can preview the effects of an operation with no actual changes. Running in safe mode allows you to refine the linking criteria gradually until you find an optimum set of user matching criteria.
However, you should be aware that there is a balance to be struck between linkage accuracy and linkage coverage.
For example, if both directory sources contain an employee ID or social security number, you might begin with linking criteria that includes this number only. You might think that to improve linkage accuracy, you should include a last name attribute in the criteria as well. However, you could lose linkages because entries that would have matched on ID alone did not match because there were inconsistent last name values in the data. You will have to go through a data cleansing process for entries that fail to link.
If Group Synchronization is enabled then the groups are linked in the same way as the users are linked.
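To make the accuracy-versus-coverage trade-off concrete, the following is an added Python illustration, not idsync's own code and not its actual matching algorithm: it previews links between two constructed sets of entries under two different criteria sets, the way a safe-mode run lets you compare criteria before committing. The attribute names (employeeNumber, sn, sAMAccountName) and all entry values are assumptions made up for the sample data.

```python
# Added illustration (not idsync's code): how the choice of user-matching
# criteria trades linkage accuracy against linkage coverage.
from typing import Dict, List, Optional, Tuple

# Constructed Directory Server entries (attribute names are assumptions).
DS_USERS = [
    {"uid": "jsmith", "employeeNumber": "1001", "sn": "Smith", "givenName": "John"},
    {"uid": "mgarcia", "employeeNumber": "1002", "sn": "Garcia", "givenName": "Maria"},
    {"uid": "alee", "employeeNumber": "1003", "sn": "Lee", "givenName": "Anna"},
]

# Constructed Active Directory entries for the same people. Two data-quality
# problems are planted: 1002's last name is inconsistent between the sources,
# and 1003 has a stale duplicate account sharing the same employee number.
AD_USERS = [
    {"sAMAccountName": "jsmith", "employeeNumber": "1001", "sn": "Smith", "givenName": "John"},
    {"sAMAccountName": "mgarcia", "employeeNumber": "1002", "sn": "Garcia-Lopez", "givenName": "Maria"},
    {"sAMAccountName": "alee", "employeeNumber": "1003", "sn": "Lee", "givenName": "Anna"},
    {"sAMAccountName": "alee.old", "employeeNumber": "1003", "sn": "Lee (old)", "givenName": "Anna"},
]

Key = Tuple[str, ...]

def match_key(entry: dict, criteria: List[str]) -> Optional[Key]:
    """Build the matching key from the criteria attributes; None if any is missing."""
    values = [entry.get(attr) for attr in criteria]
    if any(v is None for v in values):
        return None
    return tuple(v.strip().lower() for v in values)

def link_users(ds: List[dict], ad: List[dict], criteria: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Safe-mode style preview: return (links, unlinked DS uids) without changing anything.
    A link is made only when exactly one AD entry matches; ambiguous matches are skipped."""
    index: Dict[Key, List[dict]] = {}
    for entry in ad:
        key = match_key(entry, criteria)
        if key is not None:
            index.setdefault(key, []).append(entry)
    links: Dict[str, str] = {}
    unlinked: List[str] = []
    for entry in ds:
        key = match_key(entry, criteria)
        candidates = index.get(key, []) if key is not None else []
        if len(candidates) == 1:
            links[entry["uid"]] = candidates[0]["sAMAccountName"]
        else:
            unlinked.append(entry["uid"])  # candidate for data cleansing or looser criteria
    return links, unlinked
```

With employeeNumber alone, mgarcia links but alee is ambiguous; adding sn to the criteria resolves alee yet loses mgarcia, so each unlinked entry is a data-cleansing item rather than a reason to abandon the criteria.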
The idsync resync command accepts the following options.
Table 6–2 idsync resync Usage

Table 6–3 Will idsync resync invalidate the user’s password on Directory Server?

| | User has an entry on Active Directory and on Directory Server that are linked. | User has an entry on Active Directory and on Directory Server that are not linked. | User has an entry on Active Directory, but not on Directory Server. |
|---|---|---|---|
| -i ALL_USERS | Yes | Yes | Yes |
| -i NEW_USERS | No | No | Yes |
| No -i value | No | No | No |
The following table provides examples to illustrate the results of combining different arguments (the -h, -p, -D, -w, -, and -s arguments take their default values and have been omitted for brevity).
Table 6–4 idsync resync Usage Samples
When you use idsync resync to link users, be aware that the attributes used for matching should be indexed. Unindexed attributes can degrade performance.
If there are multiple attributes in the UserMatchingCriteria set, and at least one of them is indexed, then performance will probably be acceptable. However, if none of the attributes in UserMatchingCriteria is indexed, then performance will be unacceptable with a large directory.