Can security role memberships be synchronized during hierarchy replication?
Security role memberships can now be synchronized during hierarchy replication.
Security Role Membership is not stored in the Symantec_CMDB, but is retrieved from the Windows SAM (Security Accounts Manager) database on the source server during replication.
You can now allow security role replication to synchronize role membership on child Notification Servers with the membership of the corresponding role on the parent. You control this feature via the CoreSettings.config file, in the SyncRoleMembershipExactlyDuringReplication setting.
When this setting is true, security role memberships are synchronized during hierarchy replication. If a member is removed from a security role on the parent Notification Server, the same member is removed from the corresponding role on all child Notification Servers.
Previously, if a security role member was removed at the parent, it was not removed from any child Notification Servers during hierarchy replication. You had to remove the member from the child Notification Server manually.
Warning: Use this feature with care. If this option is selected, and role membership at the parent is unable to be mapped at the child (because of lack of domain trust or other reasons), then the existing membership of the role will be deleted on the child, but the parent membership will not be added. This can result in replicated roles having no membership whatsoever at the child. This may be a significant issue if it occurs for the Symantec Administrator role.