How does the Active Directory Import Synchronization work?
Last Updated October 13, 2017
Question: How does the Active Directory Import Synchronization (AD Sync) work?
Note: Most of this information was collected from the AD Connector Reference Guide. For the purposes of this article a "resource" is any object, such as a computer, user, OU or security group, that is available within the Active Directory.
Understanding the Directory Synchronization
This schedule removes any imported resources in the Notification Server that no longer exist in Active Directory. It also detects any resources that have been renamed or moved outside the OUs they were initially imported from, and deletes them - provided that the resource is not managed and has a status of Active in Notification Server. (However, for NS 6.0 see article TECH40081, "KNOWN ISSUE: Active Directory Sync removes managed computers from Notification Server".)
To ensure the Altiris database has the most recent snapshot of Active Directory, run this schedule manually and then run your import rules. To run it manually, click Start on your desktop, select Programs > Accessories > System Tools > Scheduled Tasks, and run NS.Directory Resync Update Schedule Item.
Enabling the Directory Synchronization Schedule
In the Altiris Console, click the Configuration tab.
In the left pane, select Server Settings > Notification Server Infrastructure > Active Directory Import.
In the Resource Import Rules list, select the Enabled check box of the import rule you want to run to a schedule.
In the right pane, select the Enable Schedule check box and then select a time period in the drop-down list.
Click Apply to save your changes.
- If you move a computer from a domain to a workgroup you must delete the computer's record from Active Directory to avoid duplication in the database.
- A user Organizational Unit (OU) membership change in AD triggers a user delete from the CMDB during synchronization. This logic is scheduled to be changed starting from 8.1 RU4: the process should not delete the user, as he/she has never been deleted from AD, only moved to a different OU.
How the AD Synchronization Schedule works
There are some internal checks that will evaluate if a resource needs to be deleted or stay in the database:
If the resource is set to a status other than Active, it will not be removed.
If an imported resource is managed and set to a status other than Active then it will not be removed. (However for NS 6.0 see KB article ID TECH40081 "KNOWN ISSUE: Active Directory Sync removes managed computers from Notification Server").
If the resource was never imported by the Microsoft Active Directory Component it will not be removed. Wait for Purge Maintenance or manually delete the resource.
If the resource was created with an Import Rule that no longer exists then the resource will not be removed if it is deleted from Active Directory. Run the resolution in article TECH11961 to associate the computer with a current rule or delete it from the report.
If the resource is already flagged as deleted in the ItemResource table, it will not be removed. Manually delete the computer from a report or collection.
Directory Synchronization does not remove resources that are managed; it lets Purge Maintenance take care of those resources. Wait for Purge Maintenance or manually delete the resources.
Preventing moved resources from being deleted during Directory Synchronization
Use the following steps to prevent imported resources that have been moved in AD from being deleted. The order matters: the import rules must refresh the resource's OU before Directory Synchronization compares it against the OU it was originally imported from.
Move the objects that you need to move in your Active Directory before the next step is scheduled.
Run (or schedule to run) your AD Import rules (either an Update or Full import will work). Ensure that you allow enough time for this step to complete before the next step is scheduled to run.
Run (or schedule to run) the AD Import Directory Synchronization.
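The following Python script is an added illustration of the delete/keep checks listed under "How the AD Synchronization Schedule works" and of why the three steps above must run in that order. It is not Notification Server code: the rule order, the field names (status, managed, imported_by_ad, import_rule, imported_ou, marked_deleted), the in-memory directory and import-rule tables, and the sample resources are all constructed here for the demonstration.

```python
"""Model of the AD Import Synchronization delete decision described in the
article. Added illustration only: the rule order, field names and sample
records are assumptions, not Notification Server's own code or schema."""
import copy
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Resource:
    name: str
    status: str                   # NS resource status, e.g. "Active" or "Retired"
    managed: bool                 # managed by Notification Server (has the agent)
    imported_by_ad: bool          # created by the AD Import component
    import_rule: Optional[str]    # import rule that created the record
    imported_ou: Optional[str]    # OU the record was imported from
    marked_deleted: bool = False  # already flagged deleted in ItemResource


# Constructed AD state: object name -> current OU. Absent = deleted from AD.
AD_OBJECTS: Dict[str, str] = {
    "PC-01": "OU=Sales",       # unchanged
    "PC-03": "OU=Marketing",   # moved from OU=Sales to OU=Marketing
    "PC-06": "OU=Sales",       # present, but imported by a rule that is gone
    "PC-07": "OU=Sales",       # present, but never imported by AD Import
}

# Constructed import rules: rule name -> OUs the rule imports from.
IMPORT_RULES: Dict[str, Set[str]] = {"Workstations": {"OU=Sales", "OU=Marketing"}}

# Constructed Notification Server records as they stood before synchronization.
SAMPLE_RESOURCES: List[Resource] = [
    Resource("PC-01", "Active", False, True, "Workstations", "OU=Sales"),
    Resource("PC-02", "Active", False, True, "Workstations", "OU=Sales"),   # gone from AD
    Resource("PC-03", "Active", False, True, "Workstations", "OU=Sales"),   # moved in AD
    Resource("PC-04", "Active", True, True, "Workstations", "OU=Sales"),    # managed, gone
    Resource("PC-05", "Retired", False, True, "Workstations", "OU=Sales"),  # not Active
    Resource("PC-06", "Active", False, True, "OldRule", "OU=Sales"),        # rule deleted
    Resource("PC-07", "Active", False, False, None, None),                  # not AD-imported
]


def sync_decision(res: Resource, ad_objects: Dict[str, str],
                  import_rules: Dict[str, Set[str]]) -> Tuple[str, str]:
    """Apply the documented checks in order; return ("keep"|"delete", reason)."""
    if res.status != "Active":
        return "keep", "status is not Active"
    if res.managed:
        return "keep", "managed resource; left to Purge Maintenance"
    if not res.imported_by_ad:
        return "keep", "not imported by the AD component"
    if res.import_rule not in import_rules:
        return "keep", "import rule no longer exists (see TECH11961)"
    if res.marked_deleted:
        return "keep", "already marked deleted in ItemResource"
    current_ou = ad_objects.get(res.name)
    if current_ou is None:
        return "delete", "no longer exists in Active Directory"
    if current_ou != res.imported_ou:
        return "delete", "moved outside the OU it was imported from"
    return "keep", "still present in its imported OU"


def run_import_rules(resources: List[Resource], ad_objects: Dict[str, str],
                     import_rules: Dict[str, Set[str]]) -> None:
    """Model of an Update/Full import: refresh imported_ou and import_rule for
    AD-imported records whose current OU is still covered by an enabled rule."""
    for res in resources:
        if not res.imported_by_ad:
            continue
        current_ou = ad_objects.get(res.name)
        for rule, ous in import_rules.items():
            if current_ou in ous:
                res.imported_ou = current_ou
                res.import_rule = rule
                break


def simulate(resources: List[Resource], ad_objects: Dict[str, str],
             import_rules: Dict[str, Set[str]],
             import_before_sync: bool) -> Dict[str, str]:
    """Return name -> action for one synchronization run, optionally preceded
    by the import rules (the ordering the article's procedure requires)."""
    work = copy.deepcopy(resources)   # do not mutate the caller's records
    if import_before_sync:
        run_import_rules(work, ad_objects, import_rules)
    return {r.name: sync_decision(r, ad_objects, import_rules)[0] for r in work}


if __name__ == "__main__":
    for order in (False, True):
        print(f"import rules before sync: {order}")
        for name, action in simulate(SAMPLE_RESOURCES, AD_OBJECTS,
                                     IMPORT_RULES, order).items():
            print(f"  {name}: {action}")
```

Run as-is and compare the two passes: PC-03, the computer moved between OUs, is deleted when synchronization runs first and kept when the import rules run first, which is exactly what steps 1 to 3 above arrange. The managed, non-Active, orphaned-rule and never-imported records are left alone in both passes, matching the checks listed earlier.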
Imported Document ID: HOWTO9154