You can modify default driver settings when you first configure the driver or later if your business policies or data exchange requirements change.
During driver configuration, you specify whether Active Directory or eDirectory will be the authoritative source for object data. You can also choose to make both systems equally responsible for object data by specifying bi-directional synchronization as shown in the following illustration:
Figure 4: Default Data Flow for Active Directory
How the events in one directory are handled in the other directory depends on which system you designate as the authoritative source.
If you specify Active Directory as the authoritative source, any Active Directory add, delete, and modify events are synchronized to eDirectory; eDirectory events are not synchronized back to Active Directory. This means that an object deletion in Active Directory results in an object deletion in eDirectory, but an object deletion in eDirectory does not have any impact on the associated Active Directory object. Further, the next time that the Active Directory object is modified, it is re-created in eDirectory.
If you specify eDirectory as the authoritative source, any eDirectory add, delete, and modify events are synchronized to Active Directory; Active Directory events are not synchronized back to eDirectory. This means that an object deletion in eDirectory results in an object deletion in Active Directory, but an object deletion in Active Directory does not have any impact on the associated eDirectory object. Further, the next time that eDirectory object is modified, it is re-created in Active Directory.
If you specify both directories as the authoritative source, any Active Directory add, delete, and modify events are synchronized to eDirectory, and any eDirectory add, delete, and modify events are synchronized to Active Directory. This means that an object deletion in Active Directory results in an object deletion in eDirectory, and an object deletion in eDirectory results in an object deletion in Active Directory.
You can customize rules and style sheets to specify that Active Directory is the authoritative source for specific events and specific attributes and that eDirectory is the authoritative source for other events and other attributes.
Active Directory users might log on with either a pre-Windows 2000 user logon name (the sAMAccountName) or a Windows 2000 logon name (the user principal name, UPN). User object names are generated as follows:
During configuration, you also specify object placement. For synchronization with Active Directory, you have the following placement options:
Mirrored: You specify a base container in the target directory, then the hierarchy from the source directory is mirrored inside the base container of the target directory. The structure of the synchronized object's source DN is reflected inside the base container in the target directory.
Flat: You specify a base container for User objects and a base container for Group objects. All synchronized User objects are placed directly in the base container for users, and all synchronized Group objects are placed directly in the base container for groups.
If these placement options don't meet the needs of your organization, you can create customized style sheets or rules to handle placement.
During driver configuration, you specify whether NT Domain or eDirectory will be the authoritative source for object data. You can also choose to make both systems equally responsible for object data by specifying bi-directional synchronization as shown in the following illustration:
Figure 5: Default Data Flow for NT Domain
How the events in one directory are handled in the other directory depends on which system you designate as the authoritative source.
If you specify NT as the authoritative source, any NT add, delete, and modify events are synchronized to eDirectory; eDirectory events are not synchronized back to NT. This means that an object deletion in NT results in an object deletion in eDirectory, but an object deletion in eDirectory does not have any impact on the associated NT object. Further, the next time that NT object is modified, it is re-created in eDirectory.
If you specify eDirectory as the authoritative source, any eDirectory add, delete, and modify events are synchronized to NT; NT events are not synchronized back to eDirectory. This means that an object deletion in eDirectory results in an object deletion in NT, but an object deletion in NT does not have any impact on the associated eDirectory object. Further, the next time that eDirectory object is modified, it is re-created in NT.
If you specify both directories as the authoritative source, any NT add, delete, and modify events are synchronized to eDirectory, and any eDirectory add, delete, and modify events are synchronized to NT. This means that an object deletion in NT results in an object deletion in eDirectory, and an object deletion in eDirectory results in an object deletion in NT.
You can customize rules and style sheets to specify that NT is the authoritative source for specific events and specific attributes and that eDirectory is the authoritative source for other events and other attributes.
NT Domain object data is stored in a flat database. eDirectory object data is stored in a hierarchical tree structure. The default configuration for NT specifies that new objects created in NT Domain and synchronized to eDirectory are placed in a single container that you specify during driver configuration; however, you can use customized style sheets to define hierarchical placement. Associated objects (existing objects found to be a match) retain their hierarchical placement in eDirectory.
The default driver filters for eDirectory allow for synchronization of a large number of attributes, regardless of their class. During driver configuration, you specify whether the local or remote tree is the authoritative source for object data. You can also choose to make both trees equally responsible for object data by specifying bi-directional synchronization as shown in the following illustration:
Figure 6: Default Data Flow for eDirectory
How the events in one directory are handled in the other directory depends on which system you designate as the authoritative source.
If you specify a single directory, such as Directory 1, as the authoritative source, any Directory 1 add, delete, and modify events are synchronized to Directory 2; Directory 2 events are not synchronized back to Directory 1. So an object deletion in Directory 1 results in an object deletion in Directory 2, but an object deletion in Directory 2 does not have any impact on the associated Directory 1 object. Further, the next time that Directory 1 object is modified, it is re-created in Directory 2.
The opposite would be true if you specify Directory 2 as the authoritative source.
If you specify both directories as the authoritative source, any add, delete, and modify events are synchronized in both directories. This means that an object deletion in Directory 1 results in an object deletion in Directory 2. An object deletion in Directory 2 results in an object deletion in Directory 1.
You can customize rules and style sheets to specify that Directory 1 is the authoritative source for specific events and specific attributes and that Directory 2 is the authoritative source for other events and other attributes.
During configuration, you also specify object placement. For synchronization with eDirectory, you have the following placement options:
Mirrored: You specify a base container on the target tree, then the hierarchy from the source tree is mirrored inside the base container of the target tree. The structure of the synchronized object's source DN will be reflected inside the base container of the target tree.
Flat: You specify a base container for User objects and a base container for Group objects. All synchronized User objects are placed directly in the base container for users, and all synchronized Group objects are placed directly in the base container for groups.
Department: You specify a base container on the target tree, then a synchronized object and its parent OU object are synchronized to the target base container. For example, JBrown.Sales.Tree1Org would be synchronized into the target tree as JBrown.Sales.BaseContainer.Tree2Org.
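The following is an added example, not code from the DirXML documentation or product: a toy model of the two behaviours described above, namely which directory's add, delete, and modify events are pushed across depending on the authoritative-source setting (including re-creation of a deleted object on the next modify), and where a synchronized object lands under the Mirrored, Flat, and Department placement options. The directory labels, the dotted DNs, and the `SyncPair` and `place` helpers are constructed assumptions.

```python
# Added example (not from the DirXML documentation): a toy model of the driver's
# authoritative-source rule and of the three placement options described above.
# Directory names, DN values and the SyncPair/place helpers are constructed for illustration.

class SyncPair:
    """Two directories linked by a driver; `authoritative` is "AD", "eDir" or "both"."""

    def __init__(self, authoritative):
        self.authoritative = authoritative
        self.store = {"AD": {}, "eDir": {}}

    def _forward(self, origin):
        # An event is pushed to the other directory only if its origin is authoritative.
        return self.authoritative in ("both", origin)

    @staticmethod
    def _other(d):
        return "eDir" if d == "AD" else "AD"

    def add(self, d, name, attrs):
        self.store[d][name] = dict(attrs)
        if self._forward(d):
            self.store[self._other(d)][name] = dict(attrs)

    def modify(self, d, name, attrs):
        self.store[d][name].update(attrs)
        if self._forward(d):
            # A modify on the authoritative side re-creates an object the other side deleted.
            self.store[self._other(d)].setdefault(name, {}).update(self.store[d][name])

    def delete(self, d, name):
        self.store[d].pop(name, None)
        if self._forward(d):
            self.store[self._other(d)].pop(name, None)


def place(source_dn, mode, target_base, source_base="", user_base="", group_base="", is_user=True):
    """Target DN for a synchronized object; DNs are dotted, leaf first (JBrown.Sales.Tree1Org)."""
    leaf, *containers = source_dn.split(".")
    if mode == "flat":
        return f"{leaf}.{user_base if is_user else group_base}"
    if mode == "department":
        # Only the object and its immediate parent OU are carried into the target base container.
        return ".".join([leaf, containers[0], target_base])
    if mode == "mirrored":
        # Everything below the source base container is reproduced under the target base.
        base = source_base.split(".")
        if containers[-len(base):] != base:
            raise ValueError(f"{source_dn} is outside the source base {source_base}")
        return ".".join([leaf, *containers[:-len(base)], target_base])
    raise ValueError(f"unknown placement mode {mode}")
```

With `SyncPair("AD")`, deleting an object on the eDirectory side leaves the Active Directory object untouched and the next Active Directory modify brings it back, which is the one-way behaviour the text describes; with `"both"`, a deletion on either side removes the object from both.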
The following examples illustrate the account management functionality provided by the DirXML Starter Pack. These examples are based on an installation configured to synchronize account data between eDirectory and Active Directory when both directories are considered authoritative.
An administrator creates a user account for John in Active Directory using a template that requires John to change his password when he logs in for the first time. Account creation is necessary only once.
DirXML creates an eDirectory account for John.
John's new assignment requires him to move from the Los Angeles office to the New York office. An administrator updates the contact information for John's user object in eDirectory.
Company policy dictates that passwords be changed every 90 days. Just days after John has settled into his new office, he is prompted to change his Active Directory password.
John takes a position in a partner company. The eDirectory administrator disables John's eDirectory account.