Is there a Best Practice on where to implement AD Import rules in a Hierarchy? Should be this done on the Parent SMP or Child SMPs?
There is not a written "best practice" per se but the general practice and common sense has usually lined to the following:
In a hierarchy environments recommended approach is to have AD Import to be run on the Tier 1 NS only (Parent SMP). There are some misconception on how all these resources are send between the Parent and Child SMPs:
Parent never sends down computer resources.
Computer resources are replicated(not relocated) from Child to Parent.
However if it is needed to replicate some imported data DOWN(e.g. Users), then there should be custom hierarchy rule for that resource type.
Keep in mind that some resources(which are included into default rules) can replicate imported data by default, because imported resource can become dependent item of some existing resource(e.g. Computer can replicate User with it ).
There are a lot of hierarchy rules which replicate resources in UP direction.
So it also should be checked that new custom hierarchy rule which will replicate resource in DOWN direction should not have a duplicate which will replicate same resources in UP direction.
If there will be 2 rules for same resources and different direction then it will be impossible to find real “source of truth”.
In that case if it is needed to replicate imported from AD resource in DOWN direction, but there is already default rule which replicates such resources in UP direction, then it will be needed to decide:
Disable hierarchy rule which replicated such resources in UP direction(for some cases it can be acceptable)
Prepare AD import on Child and let default hierarchy rule to replicate such resource to Parent(if it is needed)
Note that starting from IT Management Suite 8.1 RU5, the following new features are available for replicating AD import data:
A new default hierarchy replication rule AD import Replication replicates data for users and computers that are imported from Active Directory. By default, this rule is disabled.
The Replication mode option lets you configure what kind of data the hierarchy replication rule should replicate. For example, if you replicate Active Directory (AD) import data from parent Notification Server to its children, you can either replicate missing data for the resources that exist on child Notification Servers or replicate the resources that are not present on child Notification Servers.
Subscribing will provide email updates when this Article is updated. Login is required.