16.6. Synchronizing Groups
- Groups in the Active Directory domain are synchronized if it is configured in the sync agreement by selecting the Sync New Windows Groups option. All of the Windows groups are copied to the Directory Server when synchronization is initiated and then new groups are synchronized over as they are created.
- A Directory Server group account is synchronized to Active Directory through specific attributes that are present on the Directory Server entry. Any Directory Server entry must have the ntGroup object class and the ntGroupCreateNewGroup attribute; the ntGroupCreateNewGroup attribute (even on an existing entry) signals Directory Server Windows Synchronization to write the entry over to the Active Directory server. New or modified groups that have the ntGroup object class are created and synchronized over to the Windows machine at the next regular update.
Important
- Two attributes control whether Directory Server groups are created and deleted on Active Directory, ntGroupCreateNewGroup and ntGroupDeleteGroup. ntGroupCreateNewGroup is required to sync Directory Server groups over to Active Directory.
- ntUserDomainId contains the unique ID for the entry on the Active Directory domain. This is the only required attribute for the ntGroup object class.
- ntGroupType is the type of Windows group. Windows group types are global/security, domain local/security, builtin, universal/security, global/distribution, domain local/distribution, or universal/distribution. This is set automatically for Windows groups that are synchronized over, but this attribute must be set manually on Directory Server entries before they can be synchronized.
16.6.1. About Windows Group Types
- -2147483646 for global/security (the default)
- -2147483644 for domain local/security
- -2147483643 for builtin
- -2147483640 for universal/security
- 2 for global/distribution
- 4 for domain local/distribution
- 8 for universal/distribution
16.6.2. Group Attributes Synchronized between Directory Server and Active Directory
Table 16.3. Group Entry Attribute Mapping between Directory Server and Active Directory
Table 16.4. Group Entry Attributes That Are the Same between Directory Server and Active Directory
cn          | o
description | ou
l           | seeAlso
16.6.3. Group Schema Differences between Red Hat Directory Server and Active Directory
16.6.4. Configuring Group Synchronization for Directory Server Groups
16.6.4.1. Configuring Group Synchronization in the Console
- In the Directory Server Console, select the Directory tab.
- Right-click the group entry, and click Advanced to open the advanced property editor for the entry. All of the sync-related attributes must be added manually, so only the advanced property editor can set the attributes.
- Click the objectClasses field, and then click the button.
- Select the ntGroup object class.
- Setting the ntGroup object class automatically adds the ntUserDomainId attribute. This attribute is required, so add a value.
- To enable synchronization, click the button, and select the ntGroupCreateNewGroup attribute from the list. Then, set its value to true. This signals to the sync plug-in that the entry should be added to the Active Directory directory. To delete the group entry from the Active Directory domain if it is deleted from the Directory Server database, add the ntGroupDeleteGroup attribute and set it to true.
- Add any other Windows attributes for the Directory Server entry. The available attributes are listed in Section 16.6.2, “Group Attributes Synchronized between Directory Server and Active Directory”. If the ntGroupType is not added, then the group is automatically added as a global security group (ntGroupType: -2147483646).
16.6.4.2. Configuring Group Synchronization in the Command Line
- The ntGroup object class.
- The ntUserDomainId attribute, to give the Windows ID for the entry.
- The ntGroupCreateNewGroup attribute, to signal to the synchronization plug-in to sync the Directory Server entry over to Active Directory. The ntGroupDeleteGroup attribute is optional, but this sets whether to delete the entry automatically from the Active Directory domain if it is deleted in the Directory Server.
- The ntGroupType attribute. If this attribute is not specified, then the group is automatically added as a global security group (ntGroupType: -2147483646).
Using ldapmodify:

    # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    dn: cn=Example Group,ou=Groups,dc=example,dc=com
    changetype: modify
    add: objectClass
    objectClass: ntGroup
    -
    add: ntUserDomainId
    ntUserDomainId: example-group
    -
    add: ntGroupCreateNewGroup
    ntGroupCreateNewGroup: true
    -
    add: ntGroupDeleteGroup
    ntGroupDeleteGroup: true
    -
    add: ntGroupType
    ntGroupType: 2
The Windows group attributes, including the ntGroup object class, are described in more detail in the Red Hat Directory Server 10 Configuration, Command, and File Reference.
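Added example, not code from the Directory Server documentation or product: a small Python helper that encodes and decodes ntGroupType values using the Active Directory groupType bit flags (which generalizes the seven values listed in Section 16.6.1), and checks a Directory Server group entry for the sync attributes this section requires before the entry is handed to ldapmodify. The entry dictionary and its values are constructed for the example.

```python
# Added example, not Directory Server's own code. ntGroupType follows the Active Directory
# groupType bit flags: 0x1 builtin, 0x2 global, 0x4 domain local, 0x8 universal, plus
# 0x80000000 for a security group (distribution groups lack that bit). Directory Server holds
# the value as a signed 32-bit integer, which is why the security group values are negative.

BUILTIN, GLOBAL, DOMAIN_LOCAL, UNIVERSAL, SECURITY = 0x1, 0x2, 0x4, 0x8, 0x80000000
SCOPE_BITS = {"global": GLOBAL, "domain local": DOMAIN_LOCAL,
              "universal": UNIVERSAL, "builtin": BUILTIN | DOMAIN_LOCAL}
DEFAULT_GROUP_TYPE = -2147483646  # global/security, applied when ntGroupType is omitted

def group_type_value(scope: str, security: bool = True) -> int:
    """Encode a scope such as "domain local" as the signed ntGroupType integer."""
    bits = SCOPE_BITS[scope] | (SECURITY if security else 0)
    return bits - (1 << 32) if bits & SECURITY else bits

def describe_group_type(value: int) -> str:
    """Decode an ntGroupType value, e.g. -2147483643 -> "builtin/security"."""
    bits = value & 0xFFFFFFFF
    kind = "security" if bits & SECURITY else "distribution"
    # builtin is tested first because its value also carries the domain local bit
    for scope in ("builtin", "global", "domain local", "universal"):
        if (bits & SCOPE_BITS[scope]) == SCOPE_BITS[scope]:
            return f"{scope}/{kind}"
    raise ValueError(f"unknown ntGroupType {value}")

def sync_problems(entry: dict) -> list:
    """List what stops this Directory Server entry from being written to Active Directory."""
    problems = []
    if "ntGroup" not in entry.get("objectClass", []):
        problems.append("missing ntGroup object class")
    if not entry.get("ntUserDomainId"):
        problems.append("ntUserDomainId is required by the ntGroup object class")
    if str(entry.get("ntGroupCreateNewGroup", "")).lower() != "true":
        problems.append("ntGroupCreateNewGroup must be true for the entry to be synced")
    if "ntGroupType" in entry:
        describe_group_type(int(entry["ntGroupType"]))  # raises on an unknown type value
    return problems

# Constructed sample entry, as it looks after the ldapmodify operation in this section.
SAMPLE = {"objectClass": ["top", "groupOfUniqueNames", "ntGroup"], "cn": "Example Group",
          "ntUserDomainId": "example-group", "ntGroupCreateNewGroup": "true", "ntGroupType": "2"}

if __name__ == "__main__":
    print(sync_problems(SAMPLE), describe_group_type(int(SAMPLE["ntGroupType"])))
```

An entry that lacks ntGroupType is still accepted, since Directory Server then applies the global/security default.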
16.6.5. Configuring Group Synchronization for Active Directory Groups
16.6.5.1. Configuring Group Synchronization in the Console
- Open the Configuration tab and expand the Replication folder.
- Open the appropriate database, and select the sync agreement.
- Open the Connection tab.
- Check the New Windows Group Sync check box to enable group sync. To disable sync, uncheck the box.
16.6.5.2. Configuring Group Synchronization in the Command Line
The attribute that enables group synchronization is nsds7NewWinGroupSyncEnabled and is set on the sync agreement. To enable group sync, add this attribute to the sync agreement or create a sync agreement with this attribute set to on. Using ldapmodify:
    # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    dn: cn=replication_agreement_name,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
    changetype: modify
    replace: nsds7NewWinGroupSyncEnabled
    nsds7NewWinGroupSyncEnabled: on
To disable group sync, set nsds7NewWinGroupSyncEnabled: off.