Directory Wizards Inc.

Using separate connections to sync Users and Groups (DNHashGen)

Category:Group as Group Sync

Last Updated:2011-08-18

Default functionality for Group as Group sync is outlined in the How can I sync Groups as Groups (List Processing) article. Default Group as Group sync processing requires that you sync both Groups AND member objects (Users/Contacts). This is required because the connection needs to know how to resolve the DNs of the Group members in order to sync group membership.

Occasionally you may have a situation where Users and Groups must be synced in separate connections. In these cases, you may implement this DNHashGen connection solution. This solution uses a Join connection between the source and destination, and builds a DNHash.txt file containing DN information for the source and destination member objects. This file is used by your Group sync connection so Group Membership can be resolved.

Connection 1 is a standard ldap-ldap connection that syncs only Users/Contacts.

Connection 2 is a special connection which uses a destination Sync Engine of DNHashGen. This connection uses Source/Dest indexes to perform a JOIN identifying matching member objects between the source and destination directories. Suggested indexes may be Mail/Mail, or some other set of unique index attributes. The source/dest IPs are the same as those in Connection 1. When the DNHashGen connection runs, the JOIN is performed, exporting a file, export.txt. This file contains a hash table identifying source/destination matches. (Your destination objects are not touched.)

Connection 3 is a standard ldap-ldap connection that syncs only Groups. This connection will be configured to create Destination Group objects (with membership). This connection uses export.txt created by Connection 2 (renamed to DNHash.txt) to resolve DNs of Group membership.

The example below uses an AD source (AD1) and an AD destination (AD2), and uses Source/Dest indexes of Mail/Mail.

To create Connection 1: "AD1 to AD2 Person Sync"
1) Create a standard AD to AD connection.
2) On the Source tab, identify your source IP/ID/password.
3) On the Source tab, select Object Types of Contacts and/or Users only (not Groups).
4) On the Destination tab, identify your destination IP/ID/password.
5) Configure the Create Objects parameters to identify the container to sync to.
6) Click Apply.
7) When you run this connection, Contacts and/or Users will be synced.

To create Connection 2: "AD1 to AD2 DNHashGen Sync"
1) Click Connection > New > Connection.
2) Give this connection a name, e.g. "AD1 to AD2 DNHashGen Sync".
3) Select a source map template of ActiveDir and source engine of LDAP.
4) Leave the default destination map template and select a destination engine of *DNHASHGEN*.
(The exact dest map template doesn't matter because this connection isn't really creating anything.)
5) Fill in the Source tab to identify AD1, the same as Connection 1.
6) On the Destination tab, there should NOT be a 'Create Objects' section. If there IS, you have not properly selected the DNHashGen sync engine. Delete this connection and start again.
7) Fill in the Destination tab to identify the AD2 destination, the same as Connection 1.
8) On the Destination tab, fill in the Join with Existing Objects parameters:
      Source Index: mail
      Dest Index: mail
9) Click APPLY.
10) Run Discovery and Sync. Discovery reads the source, Sync performs the JOIN and outputs a file, export.txt. (Nothing is added or changed on the destination.)

To create Connection 3: "AD1 to AD2 Group Sync"
1) Create a standard AD to AD connection, just like Connection 1 (you may choose to use the Right Click Copy function to copy Connection 1 to create Connection 3).
2) On the Source tab, identify your source IP/ID/password.
3) On the Source tab, select Object Types of GROUPS only (NOT Contacts or Users).
4) On the Destination tab, identify your destination IP/ID/password.
5) On the Destination tab, configure the Create Objects parameters to identify the container to sync to. (This may be the same as or different from where you sync person objects in Connection 1.)
6) On the Destination tab, specify the type of Group object to create by selecting a List Processing option.
7) Copy the export.txt (created by Connection 2) to the Connection 3 directory as dnhash.txt,
i.e. \UnitySync-v1.x\Connections\AD1 to AD2 Group Sync\dnhash.txt
8) Click APPLY.
9) Run this connection, Discovery and Sync. Discovery reads the source, Sync writes to the destination, creating GROUPS on the destination, and applying membership.
10) Review the results of the sync run: were the appropriate number of GROUPS created? Do they have correct membership assigned? Were any Member Not Found warnings logged at Sync time?

Note: If running this on an ongoing basis, you'll want to always run all three connections in order, copying the export.txt to DNHASH.txt between the Connection 2 and Connection 3 runs so the Group sync never reads a stale hash file. The sync runs and the copy of the export file can be automated via a typical batch script run by a scheduler service.
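The join performed by Connection 2 and the membership resolution performed by Connection 3, modelled as an added Python example. This is not UnitySync code and not the DNHashGen engine's implementation: the AD1/AD2 objects, the group and all DNs are constructed sample data, and the tab-separated "source DN, destination DN" layout used for export.txt/dnhash.txt is an assumption, since the real file format is not described here. It also shows the two conditions worth checking in step 10: a non-unique index value (two destination objects sharing one mail address), which the join refuses rather than guessing so that membership cannot land on the wrong account, and a member Connection 1 never synced, which surfaces as a Member Not Found warning.

```python
# Added example (not UnitySync code): models the DNHashGen JOIN on a
# Source/Dest index and the Group-sync DN resolution via dnhash.txt.
from collections import defaultdict

# Constructed sample data: (dn, mail) pairs as they might appear in AD1 and AD2.
AD1_USERS = [
    ("CN=Alice,OU=Staff,DC=ad1,DC=example", "alice@example.com"),
    ("CN=Bob,OU=Staff,DC=ad1,DC=example", "bob@example.com"),
    ("CN=Carol,OU=Staff,DC=ad1,DC=example", "carol@example.com"),
    ("CN=Dave,OU=Temp,DC=ad1,DC=example", "dave@example.com"),  # never synced by Connection 1
]
AD2_USERS = [
    ("CN=Alice,OU=Sync,DC=ad2,DC=example", "alice@example.com"),
    ("CN=Bob,OU=Sync,DC=ad2,DC=example", "bob@example.com"),
    ("CN=Bob Old,OU=Legacy,DC=ad2,DC=example", "bob@example.com"),  # duplicate index value
    ("CN=Carol,OU=Sync,DC=ad2,DC=example", "carol@example.com"),
]
# Constructed source group: group DN -> member DNs as stored in AD1.
AD1_GROUPS = {
    "CN=Finance,OU=Groups,DC=ad1,DC=example": [
        "CN=Alice,OU=Staff,DC=ad1,DC=example",
        "CN=Bob,OU=Staff,DC=ad1,DC=example",
        "CN=Dave,OU=Temp,DC=ad1,DC=example",
    ],
}


def build_dn_hash(source, dest):
    """Connection 2: JOIN source and destination objects on the index value.

    Returns (mapping, problems). mapping is {source_dn: dest_dn} for every
    source object with exactly one match; problems lists (source_dn, count)
    for objects that matched zero or several destination objects. A
    non-unique index is refused rather than resolved by guesswork.
    """
    by_key = defaultdict(list)
    for dn, key in dest:
        by_key[key.lower()].append(dn)
    mapping, problems = {}, []
    for dn, key in source:
        matches = by_key.get(key.lower(), [])
        if len(matches) == 1:
            mapping[dn] = matches[0]
        else:
            problems.append((dn, len(matches)))
    return mapping, problems


def write_dn_hash(mapping):
    """Serialise the join result; the tab-separated layout is an assumed format."""
    return "".join(f"{src}\t{dst}\n" for src, dst in sorted(mapping.items()))


def read_dn_hash(text):
    """Parse dnhash.txt back into {source_dn: dest_dn} (assumed format)."""
    mapping = {}
    for line in text.splitlines():
        if line.strip():
            src, dst = line.split("\t", 1)
            mapping[src] = dst
    return mapping


def resolve_group(members, dn_hash):
    """Connection 3: translate source member DNs to destination DNs.

    Members with no dnhash entry are dropped and reported, mirroring the
    Member Not Found warning logged at Sync time.
    """
    resolved, not_found = [], []
    for member in members:
        (resolved if member in dn_hash else not_found).append(dn_hash.get(member, member))
    return resolved, not_found


def run_pipeline():
    """Run the three-connection flow end to end on the sample data."""
    mapping, problems = build_dn_hash(AD1_USERS, AD2_USERS)  # Connection 2
    dn_hash = read_dn_hash(write_dn_hash(mapping))  # copy export.txt -> dnhash.txt
    results = {g: resolve_group(m, dn_hash) for g, m in AD1_GROUPS.items()}  # Connection 3
    return mapping, problems, results


if __name__ == "__main__":
    mapping, problems, results = run_pipeline()
    for src, count in problems:
        print(f"WARNING: {src} matched {count} destination objects on mail; not exported")
    for group_dn, (resolved, missing) in results.items():
        print(f"{group_dn}: {len(resolved)} member(s) resolved")
        for member in missing:
            print(f"  Member Not Found: {member}")
```

Running it shows Bob excluded from the export because two AD2 objects carry his mail address, and Dave reported as Member Not Found because he was never part of the person sync; both are the cases a review of the Group sync log should catch before the groups are trusted.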

Example AutoSync.cmd

REM Change to the UnitySync Programs directory (drive first, then path).
c:
cd \UnitySync-v1.x\Programs
REM Connection 1: sync Users/Contacts.
shell "AD1 to AD2 Person Sync"
REM Connection 2: perform the JOIN and write export.txt.
shell "AD1 to AD2 DNHashGen Sync"
REM Copy the fresh export.txt into the Group sync connection as dnhash.txt
REM (paths contain spaces, so they must be quoted).
copy /y "c:\UnitySync-v1.x\Connections\AD1 to AD2 DNHashGen Sync\export.txt" "c:\UnitySync-v1.x\Connections\AD1 to AD2 Group Sync\dnhash.txt"
REM Connection 3: sync Groups, resolving membership via dnhash.txt.
shell "AD1 to AD2 Group Sync"