Forum.Brain-Cluster.com: Brain Cluster Technical Forum
adamsync against users and groups [message #159767] Thu, 06 August 2009 13:10
daulphin, United States
Messages: 2
Registered: August 2009
Junior Member
Curious, how are some of you guys syncing ADAM against AD for users
while getting their group memberships? I'm working under this idea.
I'm trying to achieve the following: sync only user objects and groups
along with memberships.

The problem I'm finding is that to achieve this is a two-step process:
sync user objects, then sync groups. I have two separate configs for
this, but I can only have one config loaded at a time as they both are
aiming at the same AD root.

Thoughts? I've searched and can't seem to find a solution. Much help
appreciated.

Thanks.
RE: adamsync against users and groups [message #159799 is a reply to message #159767] Sun, 09 August 2009 08:43
Garry Starck-MCITP En
Messages: 69
Registered: July 2009
Member
Hi Daulphin

PS: another link for MIIS group management is at the end of my message.

http://support.microsoft.com/kb/840001 will explain forward and backlink
attributes in AD (ADAM is also an AD ESE storage database with the same
constraints).

A user object has a backlink in the memberOf attribute. The group, on
the other hand, has a forward link in the member attribute. Each DC is
responsible for maintaining its own backlinks (they are not replicated
values; they are generated by the creation of the forward link). This is why,
when a user that was a member of a group/groups is deleted, one restore is
needed to recover the user object, then (the required reboot), then another
restore of groups to recreate the forward link, which replicates out to all DCs
to recreate their backlinks. (New ways exist since SP1 for Win2003 AD via
scripting backlinks with ntdsutil, to use with LDIFDE), but the same
underlying principle applies. ADAM will also require the security principals,
i.e. users, before groups.

Maybe have a read on MIIS automated group management (Group Populator) ways
at http://207.46.16.252/en-us/magazine/2006.07.automate.aspx

Most of all, advise if I understood you incorrectly


--
Garry Starck
MCITP Enterprise Administrator, MCTS AD, MCSE 2003 Messaging, MCDBA


Re: adamsync against users and groups [message #159824 is a reply to message #159767] Mon, 10 August 2009 03:42
Lee Flight, United Kingdom
Messages: 392
Registered: July 2009
Senior Member
Hi,

what object-filter elements do you have in your ADAMSync XML configuration
files?

Thanks
Lee Flight

Re: adamsync against users and groups [message #161308 is a reply to message #159824] Tue, 22 September 2009 14:27
daulphin, United States
Messages: 2
Registered: August 2009
Junior Member
Sorry I didn't get back to you sooner, been tied up. Below you'll find
my config. I had previously tried to do a full sync of the domain but
got errors when it tried to sync krbtgt and barked about
builtin objects. I got around this by creating a more focused filter
so as to exclude builtin objects like krbtgt. Let me know if there's a
better way to do this. Either way, currently, if I try to get group
memberships into ADAM it's a two-step process where I have to get all
the users synced first, then I have to swap the configs and sync the
groups. It's really annoying. Why couldn't I just have both configs
loaded and running? You'll find my two xml files below.

Here's my xml file to sync users

------------------------------------------------

<?xml version="1.0"?>
<doc>
<configuration>
<description>user-config</description>
<security-mode>object</security-mode>
<source-ad-name>*domain*</source-ad-name>
<source-ad-partition>dc=****,dc=***</source-ad-partition>
<source-ad-account>*accountname*</source-ad-account>
<account-domain>*domain*</account-domain>
<target-dn>dc=****,dc=****</target-dn>
<query>
<base-dn>dc=****,dc=****</base-dn>
<object-filter>(&amp;(objectCategory=person)(memberOf=CN=Exchange Users,OU=Distribution,OU=Groups,DC=*****,DC=*****))</object-filter>
<attributes>
<include>objectSID</include>
<include>sourceObjectGuid</include>
<include>displayName</include>
<include>company</include>
<include>givenName</include>
<include>member</include>
<include>memberOf</include>
<include>sAMAccountName</include>
<include>primaryGroupID</include>
<include>department</include>
<include>sn</include>
<include>givenName</include>
<include>l</include>
<include>telephoneNumber</include>
<include>mail</include>
<include>title</include>
<!-- <include>userPrincipalName</include> -->
<include>postalcode</include>
<include>st</include>
<include>streetAddress</include>
<include>extensionAttribute2</include>
<include>cn</include>

<exclude></exclude>
</attributes>
</query>
<user-proxy>
<source-object-class>user</source-object-class>
<target-object-class>userProxy</target-object-class>
</user-proxy>
<schedule>
<aging>
<frequency>2</frequency>
<num-objects>0</num-objects>
</aging>
<schtasks-cmd></schtasks-cmd>
</schedule>
</configuration>
<synchronizer-state>
<dirsync-cookie></dirsync-cookie>
<status></status>
<authoritative-adam-instance></authoritative-adam-instance>
<configuration-file-guid></configuration-file-guid>
<last-sync-attempt-time></last-sync-attempt-time>
<last-sync-success-time></last-sync-success-time>
<last-sync-error-time></last-sync-error-time>
<last-sync-error-string></last-sync-error-string>
<consecutive-sync-failures></consecutive-sync-failures>
<user-credentials></user-credentials>
<runs-since-last-object-update></runs-since-last-object-update >
<runs-since-last-full-sync></runs-since-last-full-sync>
</synchronizer-state>
</doc>

-------------------------------------

Here's the other xml that i use to sync groups. For the most part it's
a copy of the above config.

-----------------------------------------

<?xml version="1.0"?>
<doc>
<configuration>
<description>group-config</description>
<security-mode>object</security-mode>
<source-ad-name>*domain*</source-ad-name>
<source-ad-partition>dc=****,dc=****</source-ad-partition>
<source-ad-account>*syncaccount*</source-ad-account>
<account-domain>*domain*</account-domain>
<target-dn>ou=groups,dc=****,dc=****</target-dn>
<query>
<base-dn>ou=groups,dc=****,dc=****</base-dn>
<object-filter>(objectCategory=group)</object-filter>
<attributes>
<include>objectSID</include>
<include>sourceObjectGuid</include>
<include>displayName</include>
<include>grouptype</include>
<include>name</include>
<include>member</include>
<include>sAMAccountName</include>
<include>primaryGroupID</include>
<include>instancetype</include>
<include>objectCategory</include>
<include>objectclass</include>
<include>title</include>
<include>userPrincipalName</include>
<include>sAMAccountType</include>
<include>st</include>
<include>streetAddress</include>
<include>extensionAttribute2</include>
<include>cn</include>
<include>primaryGroupToken</include>
<include>description</include>
<exclude></exclude>
</attributes>
</query>
<schedule>
<aging>
<frequency>2</frequency>
<num-objects>0</num-objects>
</aging>
<schtasks-cmd></schtasks-cmd>
</schedule>
</configuration>
<synchronizer-state>
<dirsync-cookie></dirsync-cookie>
<status></status>
<authoritative-adam-instance></authoritative-adam-instance>
<configuration-file-guid></configuration-file-guid>
<last-sync-attempt-time></last-sync-attempt-time>
<last-sync-success-time></last-sync-success-time>
<last-sync-error-time></last-sync-error-time>
<last-sync-error-string></last-sync-error-string>
<consecutive-sync-failures></consecutive-sync-failures>
<user-credentials></user-credentials>
<runs-since-last-object-update></runs-since-last-object-update >
<runs-since-last-full-sync></runs-since-last-full-sync>
</synchronizer-state>
</doc>

-----------------------

Thanks much
Re: adamsync against users and groups [message #161381 is a reply to message #161308] Thu, 24 September 2009 11:06
Lee Flight, United Kingdom
Messages: 392
Registered: July 2009
Senior Member
Hi

so you are actually doing a transform to userProxy rather than just syncing
users...
and you also want to sync group membership. You could try:

using the ADSchemaAnalyzer tool [1] to export your AD schema
for synchronization with ADAM. So,
--
Install a clean ADAM instance and create the naming context that you want in
it; do not apply any LDIFs

Run ADSchemaAnalyzer, load the AD schema from a DC
as the *target*, load the (minimal) ADAM schema as the base. Then check
the "Mark all non-present elements as included" menu option and then
"Create LDIF File...".

Load the LDIF just created into the ADAM Schema

Load MS-AdamSyncMetadata.LDF into the ADAM schema
--

In your XML configuration try

<object-filter>(|(objectCategory=person)(objectCategory=group))</object-filter>

for your object filter and have include entries of just

<include>objectSID</include>
<include>member</include>

and specify the other elements as before. Then /install your XML
configuration file and try a /sync

Lee Flight

[1] http://technet.microsoft.com/en-us/library/cc755803(WS.10).aspx
Re: adamsync against users and groups [message #161386 is a reply to message #161381] Thu, 24 September 2009 11:52
Lee Flight, United Kingdom
Messages: 392
Registered: July 2009
Senior Member
Sorry for the formatting in my last post, the final bit should have been:


In your XML configuration try

<object-filter>(|(objectCategory=person)(objectCategory=group))</object-filter>

for your object filter and have include entries of just

<include>objectSID</include>
<include>member</include>

and specify the other elements as before. Then /install your XML
configuration file and try a /sync

Lee Flight
Re: adamsync against users and groups [message #161387 is a reply to message #161386] Thu, 24 September 2009 12:04
Lee Flight, United Kingdom
Messages: 392
Registered: July 2009
Senior Member
Sorry for the formatting in my last post, the final bit should have been:

In your XML configuration try

==
<object-filter>(|(objectCategory=person)(objectCategory=group))</object-filter>
==

for your object filter and have include entries of just

==
<include>objectSID</include>
<include>member</include>
==

and specify the other elements as before. Then /install your XML
configuration file and try a /sync

Lee Flight
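Carrying Lee's suggestion through as an added example (this is not code from the thread, from Microsoft, or from ADAMSync itself): a Python script that folds the two posted configurations into one by OR-ing their object filters (a generalisation of his plain person-or-group filter), picking the common root as the single base-dn and target-dn, taking the union of the <include> lists, and dropping memberOf because, as the KB 840001 post explains, it is a back-link populated from the group's member forward link. The input configs are constructed placeholders in the shape of the ones posted above, and all function names are mine.

```python
# Added example (not from the thread or from ADAMSync itself): merge a posted
# user-config and group-config into one ADAMSync configuration, as Lee suggests.
import xml.etree.ElementTree as ET

# memberOf is a back-link generated on each DC from the group's forward link
# 'member' (KB 840001, as explained above); syncing 'member' populates it.
BACKLINK_ATTRS = {"memberof"}

# Constructed placeholder configs shaped like the two posted above.
USER_CFG = """<doc><configuration><target-dn>dc=example,dc=test</target-dn><query><base-dn>dc=example,dc=test</base-dn>
<object-filter>(&amp;(objectCategory=person)(memberOf=CN=Exchange Users,OU=Groups,DC=example,DC=test))</object-filter>
<attributes><include>objectSID</include><include>givenName</include><include>member</include>
<include>memberOf</include><include>givenName</include><exclude></exclude></attributes></query></configuration></doc>"""
GROUP_CFG = """<doc><configuration><target-dn>ou=groups,dc=example,dc=test</target-dn><query><base-dn>ou=groups,dc=example,dc=test</base-dn>
<object-filter>(objectCategory=group)</object-filter><attributes><include>objectSID</include>
<include>member</include><include>groupType</include><exclude></exclude></attributes></query></configuration></doc>"""

def common_root(dn_a: str, dn_b: str) -> str:
    """One <query> has one base-dn, so the two bases must nest; return the shallower."""
    a, b = dn_a.strip().lower(), dn_b.strip().lower()
    if a.endswith(b):
        return dn_b.strip()
    if b.endswith(a):
        return dn_a.strip()
    raise ValueError(f"base DNs do not nest: {dn_a!r} vs {dn_b!r}")

def merge_adamsync_configs(user_xml: str, group_xml: str) -> str:
    """Return one config (XML text) whose single query matches both users and groups."""
    user, group = ET.fromstring(user_xml), ET.fromstring(group_xml)
    uq, gq = user.find("configuration/query"), group.find("configuration/query")
    uq.find("base-dn").text = common_root(uq.findtext("base-dn"), gq.findtext("base-dn"))
    tgt = user.find("configuration/target-dn")
    tgt.text = common_root(tgt.text, group.findtext("configuration/target-dn"))
    # OR the two filters; generalises Lee's (|(objectCategory=person)(objectCategory=group)).
    uq.find("object-filter").text = (
        f"(|{uq.findtext('object-filter').strip()}{gq.findtext('object-filter').strip()})")
    # Union of <include> entries, de-duplicated case-insensitively, back-links dropped.
    attrs, seen, merged = uq.find("attributes"), set(), []
    for inc in attrs.findall("include") + gq.find("attributes").findall("include"):
        name = (inc.text or "").strip()
        if name and name.lower() not in seen | BACKLINK_ATTRS:
            seen.add(name.lower())
            merged.append(name)
    for inc in attrs.findall("include"):
        attrs.remove(inc)
    for i, name in enumerate(merged):    # re-insert ahead of <exclude>, as in the posted layout
        attrs.insert(i, ET.Element("include"))
        attrs[i].text = name
    return ET.tostring(user, encoding="unicode")

def summarize(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    return {"base_dn": root.findtext("configuration/query/base-dn"),
            "filter": root.findtext("configuration/query/object-filter"),
            "includes": [i.text for i in root.iter("include")]}
```

Whether the instance accepts the merged file is still decided by adamsync /install; the script only produces the candidate configuration for that step.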