16.8. Configuring Multiple Subtrees and Filters in Windows Synchronization

Windows Synchronization is designed to synchronize between multiple pairs of subtrees on the Directory Server (DS) and Active Directory (AD). By using filters, only specified entries under a subtree are synchronized.

Multiple Subtrees in Windows Synchronization

To synchronize among multiple subtree pairs, configure the Directory Server and the Active Directory subtrees in the winSyncSubtreePair parameter in the Windows sync agreement. For example, to set the ou=OU1,dc=DSexample,dc=com and ou=OU1,DC=ADexample,DC=com subtree pair:
# dsconf -D "cn=Directory Manager" ldap://server.example.com repl-winsync-agmt set --subtree-pair="ou=OU1,dc=DSexample,dc=com:ou=OU1,DC=ADexample,DC=com" --suffix="dc=example,dc=com" example-agreement
If winSyncSubtreePair is not set, the nsds7WindowsReplicaSubtree AD subtree parameter and the nsds7DirectoryReplicaSubtree DS subtree parameter are used for the synchronization target checks instead. Otherwise, these two parameters are ignored.
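
The target check described above can be modelled offline to review which DNs an agreement would cover before it is enabled. This is an added example, not Directory Server code: the function names, the OU2 pair and the fallback subtree values are constructed, and DN parsing is simplified.

```python
import re

def rdns(dn):
    """Split a DN into lower-cased RDNs (simplified: only escaped commas are handled)."""
    return [p.strip().lower() for p in re.split(r'(?<!\\),', dn) if p.strip()]

def under(dn, subtree):
    """True if dn is the subtree base or below it, compared RDN by RDN.
    A plain string suffix test would wrongly accept ou=XOU1 for ou=OU1."""
    d, s = rdns(dn), rdns(subtree)
    return bool(s) and len(d) >= len(s) and d[-len(s):] == s

def parse_pairs(values):
    """Each winSyncSubtreePair value has the form 'DS subtree:AD subtree'."""
    pairs = []
    for v in values:
        ds, sep, ad = v.partition(":")
        if not sep or not ds.strip() or not ad.strip():
            raise ValueError(f"malformed subtree pair: {v!r}")
        pairs.append((ds.strip(), ad.strip()))
    return pairs

def in_scope(dn, side, agmt):
    """side is 'ds' or 'ad'. Subtree pairs take precedence; the two
    single-subtree parameters are used only when no pair is set."""
    pairs = parse_pairs(agmt.get("winSyncSubtreePair", []))
    if not pairs:
        pairs = [(agmt["nsds7DirectoryReplicaSubtree"],
                  agmt["nsds7WindowsReplicaSubtree"])]
    idx = 0 if side == "ds" else 1
    return any(under(dn, p[idx]) for p in pairs)

# Constructed sample agreements (values are illustrative only).
FALLBACK = {
    "nsds7DirectoryReplicaSubtree": "ou=People,dc=example,dc=com",
    "nsds7WindowsReplicaSubtree": "cn=Users,dc=ad,dc=example,dc=com",
}
AGMT = dict(FALLBACK, winSyncSubtreePair=[
    "ou=OU1,dc=DSexample,dc=com:ou=OU1,DC=ADexample,DC=com",
    "ou=OU2,dc=DSexample,dc=com:ou=OU2,DC=ADexample,DC=com",
])

if __name__ == "__main__":
    for dn in ("uid=jdoe,ou=OU1,dc=DSexample,dc=com",
               "uid=admin,ou=People,dc=example,dc=com"):
        print(dn, "->", in_scope(dn, "ds", AGMT))
```
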

Filters in Windows Synchronization

You can set a filter that selects data to be synchronized in the following parameters:
  • --win-filter sets an additional filter on the Active Directory server.
  • --ds-filter sets an additional filter on Directory Server.
The following example configures the example_agreement agreement to synchronize only entries that match the user and group patterns in the filters:
# dsconf -D "cn=Directory Manager" ldap://server.example.com repl-winsync-agmt \
     set --win-filter="(|(cn=*user*)(cn=*group*))" --ds-filter="(|(uid=*user*)(cn=*group*))" \
     example_agreement