Syncing Groups only, in a Groups as Groups sync (DNHashGen)

Created: 2012-04-20 08:09:59
Modified: 2019-07-19 11:20:28
Tags: DNHASHGEN Group as Group Sync UnitySync

Default functionality for Group as Group sync is outlined in the "How can I sync Groups as Groups (List Processing)" article. Default Group as Group sync processing requires that you sync both Groups and member objects (Users and/or Contacts) in the same connection. This is required because the connection needs to know how to resolve the DNs of the Group members in order to sync group membership.

Occasionally, you may have a connection that needs to sync just Groups, for example because a separate connection already syncs the Users/Contacts, or because the Destination already contains the Users/Contacts (manually created). In these cases, you may implement this DNHashGen connection solution. This solution uses a Join connection between the source and destination, and builds a DNHash.txt file containing DN information for the source and destination member objects. This file is used by your Group sync connection so Group Membership can be resolved.

Connection 1 uses a special Destination sync engine of DNHashGen. This connection should select Source Object Types of Users/Contacts only (not Groups). This connection uses a Join query (on the Destination tab) to perform a Join identifying matching member objects between the source and destination directories. When the DNHashGen connection runs, the Join is performed, exporting a file, export.txt. This file contains a hash table identifying Source/Destination matches. Your Destination objects are not touched at this time.

Connection 2 syncs only source Groups, creating Destination Groups, using the export.txt file (renamed to dnhash.txt) to resolve membership.

The examples below use an Active Directory (AD) Source and an AD Destination. You may use any supported Source type. The option selections may change slightly depending on your Source type. You must use the appropriate Join query for your source type.

To create Connection 1

  • Click New.
  • Give this connection a name like AD1_to_AD2_build_DNhash_file
    • Underscores in connection name are recommended to make scripting the connection easier.
  • Select a Source map template of ActiveDir and Source engine of LDAP.
  • Leave the default Destination map template and select a Destination engine of DNHASHGEN.
    • The exact Dest map template doesn’t matter because this connection isn’t actually creating anything.
  • Fill in the Source tab to identify the Source AD as usual (IP/login/pw).
  • Select the Desired Source Object Types (Users/Contacts).
  • Fill in the Destination tab to identify the destination AD as usual (IP/login/pw).
  • On the Destination tab, select a sync mode of JOIN (the other modes are not valid for a DNHashGen connection).
  • Fill in the Join with Existing Objects parameters:
    User(s) Query: (|(proxyaddresses=[proxyaddresses])(mail=^mail^))
    Contact(s) Query: (|(proxyaddresses=[proxyaddresses])(mail=^mail^))
  • On the bottom of the Destination tab, select the desired DN Hash Generation format.
    • The most commonly used format is Source DN - Destination DN (DN Hash).
  • Click Save.
  • Run this connection, Discovery and Sync. Discovery reads the Source as usual. Sync performs the Join and outputs a file, export.txt. Nothing is added or changed on the Destination at this time. The export.txt file contains a list of Source and Destination DNs. This information will allow Connection 2 to resolve the DNs when syncing Groups as Groups.
  • Review the results of the sync run:
    • Were the appropriate number of records exported?
    • Did you have any “Search Mode Non Match” warnings? This means a record exists on the Source, but no match was found on the Destination.
    • If you have any questions about these results, let us know.

To create Connection 2

  • Click New.
  • Give this connection a name like “AD1_to_AD2_Group_Only_Sync”.
    • Underscores in connection name are recommended to make scripting the connection easier.
  • This is a regular AD to AD connection. The source should be ActiveDir/ldap. The Destination should be ActiveDir/ldap. The exact destination map template doesn’t matter because this connection isn’t actually creating ‘person’ objects, only Groups. Fill in the Source/Dest tabs with IP/login/password as usual.
  • On the Source tab of this connection, select only the ‘Group’ Object Type (Distribution Lists) and leave the others unselected (i.e., do not select any of the Person object types).
  • On the Destination tab, select Create only. (It is not recommended you use a join to link to existing manually created destination Group objects when using a DNHashGen connection.)
  • On the Destination tab, specify a Structure Name and/or Placement DN to identify where you want to create the new Group objects.
  • On the Destination tab, specify the type of Group object to create by selecting a List Processing option (bottom of the Destination tab).
  • Click Save.

Copy Export.txt to DNHash.txt and Run Connection 2.

  • Copy the export.txt (created by connection 1) to the Connection 2 directory as dnhash.txt (i.e. Copy \UnitySync-v2\Connections\AD1 to \AD2 Group Only Sync\dnhash.txt)
  • Run this connection, Discovery and Sync. Discovery reads the source as usual, pulling only Groups. Sync writes to the destination creating Groups and applying membership.
  • Review the results of the sync run:
    • Were the appropriate number of Groups created?
    • Do the Groups have correct membership assigned?
    • Did the Sync throw any instances of error “Member not found”? This error indicates that some of the person objects could not be resolved. Contact support for further troubleshooting.

Note: If running this on an ongoing basis, you’ll want to always run both connections, copying the export.txt to DNHASH.txt in between the connection runs. Sync runs and copy of the export file can be automated via your usual sync script.

Sample Script:

shell "AD1_to_AD2_build_DNhash_file"
copy /y c:\UnitySync-v1.x\Connections\AD1_to_AD2_build_DNhash_file\export.txt c:\UnitySync-v2\Connections\AD1_to_AD2_Group_Only_Sync\dnhash.txt
shell "AD1_to_AD2_Group_Only_Sync"
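
An added example, not part of the original article or of UnitySync: a PowerShell guard for the copy step between the two connection runs. It refuses to overwrite dnhash.txt with a missing, empty, or stale export.txt, so Connection 2 never resolves group membership against an outdated file. The function name Copy-DnHash, the .bak suffix and the demo paths are assumptions.

```powershell
# Added example, not UnitySync code. Copy-DnHash and the .bak suffix are assumptions.
function Copy-DnHash {
    param(
        [Parameter(Mandatory)] [string]   $ExportPath,  # export.txt written by Connection 1
        [Parameter(Mandatory)] [string]   $DnHashPath,  # dnhash.txt read by Connection 2
        [Parameter(Mandatory)] [datetime] $RunStarted   # time taken just before Connection 1 ran
    )
    if (-not (Test-Path -LiteralPath $ExportPath -PathType Leaf)) {
        throw "export.txt not found at $ExportPath; Connection 1 produced no output."
    }
    $export = Get-Item -LiteralPath $ExportPath
    if ($export.Length -eq 0) {
        throw "export.txt is empty; refusing to overwrite dnhash.txt."
    }
    if ($export.LastWriteTime -lt $RunStarted) {
        throw "export.txt ($($export.LastWriteTime)) predates this run ($RunStarted); it is stale."
    }

    # Keep the previous hash file so a bad run can be compared and rolled back.
    if (Test-Path -LiteralPath $DnHashPath -PathType Leaf) {
        Copy-Item -LiteralPath $DnHashPath -Destination "$DnHashPath.bak" -Force
    }
    Copy-Item -LiteralPath $ExportPath -Destination $DnHashPath -Force

    # Confirm the copy is byte-identical before Connection 2 consumes it.
    $src = (Get-FileHash -LiteralPath $ExportPath -Algorithm SHA256).Hash
    $dst = (Get-FileHash -LiteralPath $DnHashPath -Algorithm SHA256).Hash
    if ($src -ne $dst) {
        throw "dnhash.txt does not match export.txt after copy."
    }
    return $dst
}

# Constructed demo in a temp folder standing in for the two connection directories.
$tmp = Join-Path ([IO.Path]::GetTempPath()) ("dnhash-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null
$started = Get-Date
Start-Sleep -Milliseconds 100   # stand-in for the Connection 1 run
Set-Content -LiteralPath (Join-Path $tmp 'export.txt') -Value 'constructed placeholder content'
Copy-DnHash -ExportPath (Join-Path $tmp 'export.txt') -DnHashPath (Join-Path $tmp 'dnhash.txt') -RunStarted $started
```

In a scheduled job, record the start time before launching Connection 1, call the function with the real connection directories, and launch Connection 2 only if it returns without throwing.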