Using separate connections to sync Users and Groups (DNHashGen)
Created: 2012-04-20 08:09:59 | Modified: 2019-07-19 11:19:39
Tags: DNHASHGEN Features Group as Group Sync UnitySync
Default functionality for Group as Group sync is outlined in the How can I sync Groups as Groups (List Processing) article. Default Group as Group sync processing requires that you sync both Groups and member objects (Users or Contacts) in the same connection. This is required because the connection needs to know how to resolve the DNs of the Group members in order to sync group membership.
In some circumstances you may need to sync Users and Groups in separate connections. In these cases, you may implement this DNHashGen connection solution. This solution uses a Join connection between the Source and Destination, and builds a DNHash.txt file containing DN information for the Source and Destination member objects. This file is used by your Group sync connection so that Group Membership can be resolved.
Connection 1 is a standard LDAP to LDAP connection that syncs only Users/Contacts to create destination contacts.
Connection 2 is a special connection which uses a Destination Sync Engine of DNHashGen. This connection uses Join functionality to identify matching member objects between the Source and Destination directories. See our article on Join functionality for more information on queries. Consider using the query (samaccountname=^samaccountname^) or the combined OR query: (|(mail=^mail^)(samaccountname=^samaccountname^))
The Source and Destination IPs are the same as those in Connection 1. When the DNHashGen connection runs, the Join is performed, exporting a file, export.txt. This file contains a hash table identifying Source/Destination matches. Your Destination objects are not touched at this time. If the source contains nested groups, the object type Groups should also be included on this connection's Source tab.
Connection 3 is a standard LDAP to LDAP connection that syncs only Groups. This connection is configured to create Destination Group objects (with membership). This connection uses the export.txt created by Connection 2 (renamed to DNHash.txt) to resolve the DNs of Group members. The Destination tab may be set for JOIN only if this connection will NOT be creating the groups. NOTE: In this case the Source AD will be authoritative for membership on the Destination Groups.
The below example uses an Active Directory (AD) Source (AD1) and an AD Destination (AD2), and uses a Join with existing objects query of mail=^mail^.
IMPORTANT: This 3-connection solution should be configured and tested using just a few source Users/Groups before it is run against the full directory.
To create Connection 1: AD1 to AD2 Person Sync
- Create a standard AD to AD connection.
- On the Source tab, identify your source IP/ID/password.
- On the Source tab, select Object Types of Contacts and/or Users only (not Groups).
- On the Destination tab, identify your destination IP/ID/password.
- Configure the Create Objects parameters to identify the container to sync to.
- Click Save.
- When you run this connection, Contacts and/or Users will be synced.
To create Connection 2: AD1 to AD2 DNHashGen Sync
- Click Connection > New > Connection
- Give this connection a name, e.g. "AD1 to AD2 DNHashGen Sync"
- Select a Source map template of ActiveDir and Source engine of LDAP.
- Leave the default Destination map template and select a Destination engine of DNHASHGEN. The exact Destination map template doesn’t matter because this connection isn’t really creating anything.
- Fill in the Source tab to identify AD1, the same as Connection1.
- On the Destination tab, there should NOT be a 'Create Objects' section. If there IS, you have not properly selected the DNHashGen sync engine; delete this connection and start again.
- Fill in the Destination tab to identify the AD2 destination, the same as Connection1.
- On the Destination tab, fill in the Join with Existing Objects parameters:
User(s) Query: (mail=^mail^)
Contact(s) Query: (mail=^mail^)
- Click APPLY
- Run Discovery and Sync. Discovery reads the source, Sync performs the JOIN and outputs a file, export.txt. Nothing is added or changed on the destination at this time.
To create Connection 3: AD1 to AD2 Group Sync
- Create a standard AD to AD connection, just like Connection 1. You may choose to use the Copy function on the General tab of Connection 1 to create Connection 3.
- On the Source tab, identify your source IP/ID/password.
- On the Source tab, select Object Types of GROUPS only (NOT Contacts or Users).
- On the Destination tab, identify your destination IP/ID/password.
- On the Destination tab, configure the Create Objects parameters to identify the container to sync to. This may be the same or different than where you sync person objects in Connection 1.
- On the Destination tab, specify the type of Group object to create by selecting a List Processing option.
- Copy the export.txt (created by Connection 2) to the Connection 3 directory as dnhash.txt
i.e., ...\UnitySync-v1.x\Connections\AD1 to AD2 Group Sync\dnhash.txt
- Click Save.
- Run this connection, Discovery and Sync. Discovery reads the source, Sync writes to the destination, creating Groups on the Destination, and applying membership.
- Review the results of the sync run:
- Were the appropriate number of Groups created?
- Do they have correct membership assigned?
- Were any Member Not Found warnings logged at Sync time?
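As an added illustration (not part of the original article and not UnitySync's own code), the following Python models what Connections 2 and 3 do with the DNHash: join Source objects to Destination objects on the query attributes, write the hash out and read it back (the export.txt to dnhash.txt hand-off), then translate each group member's Source DN into a Destination DN, reporting the members that would produce Member Not Found warnings. The directory data, the DirObject/build_dnhash/resolve_membership names and the tab-separated file layout are constructed assumptions; UnitySync's real export.txt format is not documented on this page.

```python
"""Model of the Join + DNHash step (constructed example, not UnitySync code).

Connection 2 joins Source objects to Destination objects with a query such as
(mail=^mail^) and writes a hash of Source DN -> Destination DN. Connection 3
then uses that hash to translate each Source group member DN into the matching
Destination DN. The data and the tab-separated file format below are
constructed for illustration; UnitySync's real export.txt layout is not shown.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DirObject:
    """A directory object with the attributes the join queries can use."""
    dn: str
    mail: Optional[str] = None
    samaccountname: Optional[str] = None


def norm(value: Optional[str]) -> Optional[str]:
    """DNs, mail and sAMAccountName values are compared case-insensitively."""
    return value.strip().lower() if value else None


def build_dnhash(source, destination, join_attrs):
    """Join Source to Destination on any of join_attrs (an OR query).

    Returns (dnhash, ambiguous): dnhash maps a normalized Source DN to the
    single matching Destination DN; ambiguous lists Source objects whose query
    matched more than one Destination object. Those are left out of the hash
    rather than guessed, so the group sync does not pick a wrong member.
    """
    index = {attr: {} for attr in join_attrs}
    for obj in destination:
        for attr in join_attrs:
            key = norm(getattr(obj, attr))
            if key:
                index[attr].setdefault(key, []).append(obj.dn)

    dnhash, ambiguous = {}, []
    for obj in source:
        matches = []
        for attr in join_attrs:
            key = norm(getattr(obj, attr))
            if key:
                matches.extend(index[attr].get(key, []))
        unique = list(dict.fromkeys(matches))  # de-duplicate, keep order
        if len(unique) == 1:
            dnhash[norm(obj.dn)] = unique[0]
        elif len(unique) > 1:
            ambiguous.append((obj.dn, unique))
    return dnhash, ambiguous


def dump_dnhash(dnhash):
    """Serialize the hash as 'sourceDN<TAB>destinationDN' lines (assumed format)."""
    return "".join(f"{src}\t{dst}\n" for src, dst in sorted(dnhash.items()))


def load_dnhash(text):
    """Parse the format written by dump_dnhash, skipping blank and comment lines."""
    dnhash = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst = line.split("\t", 1)
        dnhash[norm(src)] = dst.strip()
    return dnhash


def resolve_membership(member_dns, dnhash):
    """Translate Source member DNs to Destination DNs via the hash.

    Returns (resolved, not_found); each entry in not_found is what Connection 3
    would log as a Member Not Found warning.
    """
    resolved, not_found = [], []
    for member_dn in member_dns:
        dest = dnhash.get(norm(member_dn))
        if dest:
            resolved.append(dest)
        else:
            not_found.append(member_dn)
    return resolved, not_found


# Constructed sample data standing in for AD1 (Source) and AD2 (Destination).
SOURCE = [
    DirObject("CN=Alice Smith,OU=Users,DC=ad1,DC=example", "alice@example.com", "asmith"),
    DirObject("CN=Bob Jones,OU=Users,DC=ad1,DC=example", "bob@example.com", "bjones"),
    DirObject("CN=Carol White,OU=Users,DC=ad1,DC=example", None, "cwhite"),  # no mail set
    DirObject("CN=Dan Brown,OU=Users,DC=ad1,DC=example", "dan@example.com", "dbrown"),
]
# Contacts that Connection 1 would have created in AD2; Dan has not been synced yet.
DESTINATION = [
    DirObject("CN=Alice Smith,OU=Contacts,DC=ad2,DC=example", "Alice@Example.com", "asmith"),
    DirObject("CN=Bob Jones,OU=Contacts,DC=ad2,DC=example", "bob@example.com", "bjones"),
    DirObject("CN=Carol White,OU=Contacts,DC=ad2,DC=example", None, "cwhite"),
]
SALES_MEMBERS = [obj.dn for obj in SOURCE]  # a constructed Source group's member list


def demo(join_attrs):
    """Run the full Connection 2 -> Connection 3 hand-off for one join query."""
    dnhash, ambiguous = build_dnhash(SOURCE, DESTINATION, join_attrs)
    reloaded = load_dnhash(dump_dnhash(dnhash))  # the export.txt -> dnhash.txt copy
    resolved, not_found = resolve_membership(SALES_MEMBERS, reloaded)
    return {"resolved": resolved, "not_found": not_found, "ambiguous": ambiguous}


if __name__ == "__main__":
    for attrs in (["mail"], ["mail", "samaccountname"]):
        print(f"join on {attrs}: {demo(attrs)}")
```

Run with the plain (mail=^mail^) query, Carol (no mail attribute) and Dan (no contact in AD2 yet) both come back unresolved; the combined OR query recovers Carol through sAMAccountName, which is the reason the article suggests it. Dan only resolves once Connection 1 has created his contact and Connection 2 has re-run, which is why the three connections must always run in order with the export copied between them.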
Note: If running this on an ongoing basis, you will want to always run all three connections in order, copying the export.txt to DNHASH.txt between the runs of Connection 2 and Connection 3. The sync runs and the copy of the export file can be automated via a typical batch script run by a scheduler service.
Example script - AutoSync.cmd
rem AutoSync.cmd - runs the three connections in order and hands the DNHash from Connection 2 to Connection 3
c:
rem the original listing showed only the path here; change into the Programs folder so shell can be run from it
cd \UnitySync-v1.x\Programs\
shell "AD1 to AD2 Person Sync"
shell "AD1 to AD2 DNHashGen Sync"
rem the connection folder names contain spaces, so both copy arguments must be quoted
copy /y "c:\UnitySync-v1.x\Connections\AD1 to AD2 DNHashGen Sync\export.txt" "c:\UnitySync-v1.x\Connections\AD1 to AD2 Group Sync\dnhash.txt"
shell "AD1 to AD2 Group Sync"