16.6. Synchronizing Groups

Like user entries, groups are not automatically synchronized between Directory Server and Active Directory. Synchronization both directions has to be configured:

Groups in the Active Directory domain are synchronized if it is configured in the sync agreement by selecting the Sync New Windows Groups option. All of the Windows groups are copied to the Directory Server when synchronization is initiated and then new groups are synchronized over as they are created.
A Directory Server group account is synchronized to Active Directory through specific attributes that are present on the Directory Server entry. Any Directory Server entry must have the ntGroup object class and the ntGroupCreateNewGroup attribute; the ntGroupCreateNewGroup attribute (even on an existing entry) signals Directory Server Windows Synchronization to write the entry over to the Active Directory server.
New or modified groups that have the ntGroup object class are created and synchronized over to the Windows machine at the next regular update.

Important

When a group is synchronized, the list of all of its members is also synchronized. However, the member entries themselves are not synchronized unless user sync is enabled and applies to those entries.

This could create a problem when an application or service tries to do a modify operation on all members in a group on the Active Directory server, if some of those users do not exist.

Additionally, groups have a few other common attributes:

Two attributes control whether Directory Server groups are created and deleted on Active Directory, ntGroupCreateNewGroup and ntGroupDeleteGroup.
ntGroupCreateNewGroup is required to sync Directory Server groups over to Active Directory.
ntUserDomainId contains the unique ID for the entry on the Active Directory domain. This is the only required attribute for the ntGroup object class.
ntGroupType is the type of Windows group. Windows group types are global/security, domain local/security, builtin, universal/security, global/distribution, domain local/distribution, or universal/distribution. This is set automatically for Windows groups that are synchronized over, but this attribute must be set manually on Directory Server entries before they can be synchronized.

16.6.1. About Windows Group Types

In Active Directory, there are two major types of groups: security and distribution. Security groups are most similar to groups in Directory Server, since security groups can have policies configured for access controls, resource restrictions, and other permissions. Distribution groups are for mailing distribution. These are further broken down into global and local groups. The Directory Server ntGroupType supports all four group types:

-2147483646 for global/security (the default)
-2147483644 for domain local/security
-2147483643 for builtin
-2147483640 for universal/security
2 for global/distribution
4 for domain local/distribution
8 for universal/distribution

16.6.2. Group Attributes Synchronized between Directory Server and Active Directory

Only a subset of Directory Server and Active Directory attributes are synchronized. These attributes are hard-coded and are defined regardless of which way the entry is being synchronized. Any other attributes present in the entry, either in Directory Server or in Active Directory, remain unaffected by synchronization.

Some attributes used in Directory Server and Active Directory group entries are identical. These are usually attributes defined in an LDAP standard, which are common among all LDAP services. These attributes are synchronized to one another exactly. Table 16.4, “Group Entry Attributes That Are the Same between Directory Server and Active Directory” shows attributes that are the same between the Directory Server and Windows servers.

Some attributes define the same information, but the names of the attributes or their schema definitions are different. These attributes are mapped between Active Directory and Directory Server, so that attribute A in one server is treated as attribute B in the other. For synchronization, many of these attributes relate to Windows-specific information. Table 16.3, “Group Entry Attribute Mapping between Directory Server and Active Directory” shows the attributes that are mapped between the Directory Server and Windows servers.

For more information on the differences in ways that Directory Server and Active Directory handle some schema elements, see Section 16.6.3, “Group Schema Differences between Red Hat Directory Server and Active Directory”.

Table 16.3. Group Entry Attribute Mapping between Directory Server and Active Directory

Directory Server Active Directory

cn name

ntUserDomainID name

ntGroupType groupType

uniqueMember

member

Member^[a]

^[a] The Member attribute in Active Directory is synchronized to the uniqueMember attribute in Directory Server.

Table 16.4. Group Entry Attributes That Are the Same between Directory Server and Active Directory

cn	o
description	ou
l	seeAlso
mail

16.6.3. Group Schema Differences between Red Hat Directory Server and Active Directory

Although Active Directory supports the same basic X.500 object classes as Directory Server, there are a few incompatibilities of which administrators should be aware.

Nested groups (where a group contains another group as a member) are supported and for Windows Synchronization are synchronized. However, Active Directory imposes certain constraints as to the composition of nested groups. For example, a global group is not allowed to contain a domain local group as a member. Directory Server has no concept of local and global groups, and, therefore, it is possible to create entries on the Directory Server side that violate Active Directory's constraints when synchronized.

16.6.4. Configuring Group Synchronization for Directory Server Groups

For Directory Server groups to be synchronized over to Active Directory, the group entries must have the appropriate sync attributes set.

16.6.4.1. Configuring Group Synchronization in the Console

In the Directory Server Console, select the Directory tab.
Right-click the group entry, and click Advanced to open the advanced property editor for the entry. All of the sync-related attributes must be added manually, so only the advanced property editor can set the attributes.
Click the objectClasses field, and then click the Add Value button.
Select the ntGroup object class.
Setting the ntGroup object class automatically adds the ntUserDomainId attribute. This attribute is required, so add a value.
To enable synchronization, click the Add Attribute button, and select the ntGroupCreateNewGroup attribute from the list. Then, set its value to true. This signals to the sync plug-in that the entry should be added to the Active Directory directory.
To delete the group entry from the Active Directory domain if it is deleted from the Directory Server database, set the ntGroupDeleteGroup attribute and set it to true.
Add any other Windows attributes for the Directory Server entry. The available attributes are listed in Section 16.6.2, “Group Attributes Synchronized between Directory Server and Active Directory”.
If the ntGroupType is not added, then the group is automatically added as a global security group (ntGroupType:-2147483646).

16.6.4.2. Configuring Group Synchronization in the Command Line

To enable synchronization through the command line, add the required sync attributes to an entry or create an entry with those attributes.

Three schema elements are required for synchronization:

The ntGroup object class.
The ntUserDomainId attribute, to give the Windows ID for the entry.
The ntGroupCreateNewGroup attribute, to signal to the synchronization plug-in to sync the Directory Server entry over to Active Directory.
The ntGroupDeleteGroup attribute is optional, but this sets whether to delete the entry automatically from the Active Directory domain if it is deleted in the Directory Server.

It is also recommended to add the ntGroupType attribute. If this attribute is not specified, then the group is automatically added as a global security group (ntGroupType:-2147483646).

For example, using ldapmodify:

# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: cn=Example Group,ou=Groups,dc=example,dc=com
changetype: modify
add: objectClass
objectClass:ntGroup
-
add: ntUserDomainId
ntUserDomainId: example-group
-
add: ntGroupCreateNewGroup
ntGroupCreateNewGroup: true
-
add: ntGroupDeleteGroup
ntGroupDeleteGroup: true
-
add: ntGroupType
ntGroupType: 2

Many additional Windows and group attributes can be added to the entry. All of the schema which is synchronized is listed in Section 16.6.2, “Group Attributes Synchronized between Directory Server and Active Directory”. Windows-specific attributes, belonging to the ntGroup object class, are described in more detail in the Red Hat Directory Server 10 Configuration, Command, and File Reference.

16.6.5. Configuring Group Synchronization for Active Directory Groups

Synchronization for Windows users (users which originate in the Active Directory domain) is configured in the sync agreement.

16.6.5.1. Configuring Group Synchronization in the Console

Open the Configuration tab and expand the Replication folder.
Open the appropriate database, and select the sync agreement.
Open the Connection tab.
Check the New Windows Group Sync check box to enable group sync. To disable sync, uncheck the box.

For new sync agreements, select the corresponding group sync check box in the sync agreement creation wizard.

16.6.5.2. Configuring Group Synchronization in the Command Line

The attribute to set Active Directory group sync is nsds7NewWinGroupSyncEnabled and is set on the sync agreement. To enable group sync, add this attribute to the sync agreement or create a sync agreement with this attribute set to on. Using ldapmodify:

# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: cn=replication_agreement_name,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
replace: nsds7NewWinGroupSyncEnabled
nsds7NewWinGroupSyncEnabled: on

To disable group sync, set nsds7NewWinGroupSyncEnabled: off.

Where did the comment section go?

Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories