It is possible to create uni-directional synchronization, where changes are only sent one-way. This is similar to a master-consumer relationship as opposed to multi-master.
An additional attribute for the sync agreement,
oneWaySync, enables uni-directional synchronization and specifies the direction to send changes. The possible values are
fromWindows (for Active Directory to Directory Server sync) and
toWindows (for Directory Server to Active Directory sync). If this attribute is absent, then synchronization is bi-directional.
Figure 12.3. Uni-Directional Synchronization
The synchronization process itself is the mostly same for bi-directional and uni-directional synchronization. It uses the same sync interval and configuration. The only difference is in how sync information is requested.
For Windows-only sync, during the regular synchronization update interval, the Directory Server contacts the Active Directory server and sends the DirSync control to request updates. However, the Directory Server does not send any changes or entries from its side. So, the sync update consists of the Active Directory changes being sent to and updating the Directory Server entries.
For Directory Server only sync, the Directory Server sends entry modifications to the Active Directory server in a normal update, but it does not include the DirSync control so that it does not request any updates from the Active Directory side.
To enable uni-directional sync:
There is no option in the Directory Server Console to set uni-directional sync when the agreement is initially created. Edit the sync agreement to contain the
ldapmodify -D "cn=directory manager" -W -p 389 -h server.example.com -x
dn: cn=ExampleSyncAgreement,cn=sync replica,cn=dc=example\,dc=com,cn=mapping tree,cn=config
Enabling uni-directional sync does not automatically prevent changes on the un-synchronized server, and this can lead to inconsistencies between the sync peers between sync updates. For example, uni-directional sync is configured to go from Active Directory to Directory Server, so Active Directory is (in essence) the data master. If an entry is modified or even deleted on the Directory Server, then the Directory Server information is different then the information and those changes are never carried over to Active Directory. During the next sync update, the edits are overwritten on the Directory Server and the deleted entry is re-added.
To prevent data inconsistency, use access control rules to prevent editing or deleting entries within the synchronized subtree on the un
synced server. Access controls for Directory Server are covered in Section 13.3, “Creating ACIs Manually”
. For Active Directory, see the appropriate Windows documentation.