Syncing Groups which contain synced contacts as Members (DNHashGen)

Created: 2012-04-20 08:09:59
Modified: 2019-07-19 11:19:23
Tags: DNHASHGEN Group as Group Sync UnitySync

Default functionality for Group as Group sync is outlined in the How can I sync Groups as Groups (List Processing) article. Default Group as Group sync processing requires that you sync both Groups and member objects (Users and/or Contacts). This is required because the connection needs to know how to resolve the DNs of the Group members in order to sync group membership.

You may have a connection that syncs Groups which contain synced contacts as members. The default Groups as Groups connection will drop those members, because the connection does not sync the member’s contact objects.

In these cases, you may implement a DNHashGen connection solution. This solution uses a Join connection between the Source and Destination, and builds a DNHash.txt file containing DN information for the Source and Destination member objects. This file is used by your Group sync connection so Group Membership can be resolved for those synced contact members.

Connection 1 (DirA-to-DirB) is your standard sync connection, which syncs Users and Groups as Groups. This connection will utilize the dnhash.txt created by Connection 2.

Connection 2 (DirA-to-DirB-DNHashGen) uses a special Destination sync engine of DNHASHGen. This connection uses Join functionality to identify matching member objects between the Source and Destination directories. When the DNHashGen connection runs, a Join is performed exporting a file named export.txt. This file contains a hash table identifying Source/Destination matches. Your Destination objects are not touched at this time. You will rename export.txt to DNHash.txt and copy to Connection 1 (...\Connections\DirA-To-DirB\DNHash.txt).

Connection 3 (DirB-to-DirA) is your standard sync connection that is syncing contacts into DirA. These contacts are then added as Members to local Groups. Note: If you are syncing Groups as Groups in both directions, and members are synced contacts, you’ll need another DNHashGen Connection for this connection as well (DirB-to-DirA DNHashGen). Follow the same format as outlined for Connection 2, using Connection 3 source/dest info. And copy this second Export.txt to \DirB-to-DirA\dnhash.txt.

To create Connection 1 (DirA-to-DirB) and Connection 3 (DirB-to-DirA)

These are regular AD to AD connections configured to Sync Users and Groups as Groups as appropriate for your environment. If the contacts created by either connection are added as Members to local Groups, the reverse connection syncing Groups will drop those members. Therefore, a DNHashgen connection is needed to generate a DNHash of the DNs.

If you are syncing Groups as Groups in both directions, you’ll actually need TWO DNHashGen connections - one for each regular connection.

To create Connection 2 (DirA-to-DirB-DNHashGen)

  • Click Connection > New > Connection
  • Give this connection a name like “DirA-to-DirB-DNHashGen”
  • Select a source map template of ActiveDir and source engine of LDAP.
  • Leave the Default Dest Map Template and select a destination engine of DNHASHGEN. The exact destination map template doesn’t matter because this connection isn’t really creating anything.
  • Fill in the Source tab to identify the AD source as usual (IP/login/pw) . This should be the same Source as identified as Source in Connection 1 (DirA-to-DirB).
  • On the Source tab, specify a Selection DN identifying the container where your synced contacts are located on this directory.
  • Fill in the Destination tab to identify the AD destination as usual (IP/login/pw). This should be the same Destination as identified as Destination in Connection 1 (DirA-to-DirB).
  • On the Destination tab, fill in the Join with Existing Objects parameters: User(s) Query: (mail=^mail^)
    Contact(s) Query: (mail=^mail^)
  • Click Save
  • Run this connection, Discovery and Sync. Discovery reads the source, Sync performs the JOIN and outputs a file, export.txt. Nothing is added or changed on the destination directory at this time.
  • Review the results of the sync run: were the appropriate number of records exported Did you have any “Search Mode Non Match” warnings This means a record exists on the source, but no match was found on the destination.

Executing your Connections

  • Run Discovery & Sync on connection DirB-to-DirA
  • On DirA, make a synced contact a member of a local Group
  • Run Discovery & Sync on connection DirA-to-DirB-DNHashGen
  • Copy \DirA-to-DirB-DNHashGen\Export.txt to \DirA-to-DirB\DNHash.txt
  • Run Discovery & Sync on connection DirA-to-DirB-DNHashGen

Note: If running this on an ongoing basis, you’ll want to always run all connections, copying the export.txt to DNHASH.txt in between the connection runs. Sync runs and copy of the export file can be automated via your usual sync script.

Sample Script to execute your connections and copy Export.txt to DNHash.txt

c:
cd\UnitySync-v1.x\programs
shell "DirB-to-DirA"
shell "DirA-to-DirB DNHashGen"
copy /Y c:\UnitySync-v1.x\connections\DirA-to-DirB-DNHashGen\Export.txt c:\UnitySync-v1.x\connections\DirA-to-DirB\DNHash.txt
shell "DirA-to-DirB"
Knowledgebase

Directory
  1. Directify - Self Service

  2. Mimic - Replication

  3. UnitySync - Sync
Password
  1. emPass - Sync
Obsolete
  1. Profiler
  2. SimpleSync