Question
How does the Active Directory Import Synchronization (AD Sync) work?

ITMS 8.x

Note: Most of this information was collected from the AD Connector Reference Guide.  For the purposes of this article, a "resource" is any object, such as a computer, user, OU, or security group, that is available within the Active Directory.
 

1. Understanding the Directory Synchronization
   
   This schedule removes any imported resources in the Symantec Management Platform (aka SMP or Notification Server) that no longer exist in Active Directory. It also detects any resources, renamed or moved outside of the OU's they were initially imported from and deletes them - provided that the resource is not managed and has a status of Active in Notification Server. 
   
   To ensure the Altiris database has the most recent snapshot of Active Directory, run this schedule manually and then run your import rules. To run it manually, click Start on your SMP Server, select Programs > Accessories > System Tools > Scheduled Tasks, and run NS.Directory Resync Update Schedule Item.
    
2. Enabling the Directory Synchronization Schedule
    
   1. In the SMP Console, click Actions tab > Discover > Import Microsoft Active Directory.
   2. In the Resource Import Rules list, select the import rule you want to run to a schedule.
   3. In the right pane, select the Enable Schedule icon and then select a time period.
   4. Click OK to save your changes.
      
      Please refer to 193879 "ITMS 8.0 HF1 - What has changed in the Symantec Management Console, on the Microsoft Active Directory Import page?" for more details on how to use the Import Microsoft Active Directory page.
       
3. Caveats
   
   - If you move a computer from a domain to a workgroup you must delete the computer's record from Active Directory to avoid duplication in the database.
   - A user Organizational Unit (OU) membership change in AD triggers user delete from CMDB during synchronization. This logic was changed starting from 8.1 RU4. The process should not delete the user, as he/she has never been deleted from AD, though OU membership has changed. 
    
4. How AD Synchronization Schedule works.
   
   There are some internal checks that will evaluate if a resource needs to be deleted or stay in the database:
   1. If the resource is set to a status other than Active, it will not be removed. 
   2. If an imported resource is managed and set to a status other than Active then it will not be removed. 
   3. If the resource was never imported by the Microsoft Active Directory Component it will not be removed. Wait for Purge Maintenance or manually delete the resource.
   4. If the resource was created with an Import Rule that no longer exists then the resource will not be removed if it is deleted from Active Directory. Run the resolution in the article,  Cleaning up Active Directory (AD) imported computer accounts created by deleted AD import rules, to associate the computer with a current rule or delete it from the report.
   5. If the resource shows that it has been deleted in the ItemResource table. Manually delete the computer from a report or collection.
   6. Directory Synchronization does not remove resources that are managed; it lets Purge Maintenance take care of those resources. Wait for Purge Maintenance or manually delete the resources.
       
5. Preventing Moved resources from being deleted during Directory Synchronization
   
   Use the following steps to prevent imported resources - which have been moved in AD - from being deleted.
   1. Move the objects that you need to move in your Active Directory before the next step is scheduled.
   2. Run (or schedule to run) your AD Import rules (either an Update or Full import will work). Ensure that you allow enough time for this step to complete before the next step is scheduled to run.
   3. Run (or schedule to run) the AD Import Directory Synchronization. If needed, see "How to find the Active Directory Synchronization schedule in 8.x" 

REFERENCE ID : : 4129090