<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: arial,helvetica,sans-serif; font-size: 10pt; color: #000000'>You might be able to do something like <br><br>Create two OU, create the replication agreements to the OU's, sync with one AD server and in the other OU, and create a referral to the sync'ed OU? It sounds ugly, looks ugly because it's ugly, but that might work. <br><br>FWIW, good luck.<br><br>Dan<br><br><hr id="zwchr"><div style="color: rgb(0, 0, 0); font-weight: normal; font-style: normal; text-decoration: none; font-family: Helvetica,Arial,sans-serif; font-size: 12pt;"><b>From: </b>"Juan Asensio Sánchez" <okelet@gmail.com><br><b>To: </b>"General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org><br><b>Sent: </b>Wednesday, October 24, 2012 2:12:05 PM<br><b>Subject: </b>Re: [389-users] AD replication agreement with 2 different servers/domains<br><br>Hi again<br><br>Rich, I dont think that ticket would help me; i need to sync users<br>with two different servers/domains, not with two different OUs in the<br>same server/domain.<br><br>Dan, I don't want do merge the two AD domains, I want to replicate the<br>data in 389DS to the two AD servers/domains. I could use the LDIF<br>export, but then I would lose the password replication I get with the<br>replication agreement.<br><br>I guess i will not be able to do what I think...<br><br>Thanks all.<br><br><br><br>2012/10/24 Dan Lavu <dan@lavu.net>:<br>> Juan,<br>><br>> It's not designed to work that way, its unique ou replicated to unique ou,<br>> you will have strange overlap and rewriting if you try to replicate that<br>> way, two agreements to the same ou. So if I understand this correctly you<br>> are essentially trying to do a merge between two domains?<br>><br>> I would suggest creating a new suffix for each domain or create one giant<br>> suffix with ou's for domains that way you can use '-s sub' to search the<br>> entire suffix but still have that segregation, or you can export an LDIF<br>> between AD and use ldapdiff.pl to pre-merge the AD domains.<br>><br>> Hope this helps.<br>><br>> Dan<br>><br>> ________________________________<br>> From: "Juan Asensio Sánchez" <okelet@gmail.com><br>> To: "General discussion list for the 389 Directory server project."<br>> <389-users@lists.fedoraproject.org><br>> Sent: Wednesday, October 24, 2012 1:03:55 PM<br>> Subject: Re: [389-users] AD replication agreement with 2 different<br>> servers/domains<br>><br>><br>> Hi Dan<br>><br>> Yes, I am trying to sync the same OU to two different servers/domains.<br>> This is due to the users in our directory are splitted into several<br>> organizations, and each organization is semi-self-managed. Some of<br>> that organizations have replication agreements with their own AD<br>> domain. Now we want from the "central organization" to replicate all<br>> the users (from all the organizations) to a new AD domain which will<br>> provide mail with Exchange, so each user's OU will have two Windows<br>> replication agreements (one with the organization AD domain and other<br>> with the new "central organization" AD domain with Exchange).<br>><br>> Anyone experienced with a topology like this?<br>><br>> NB: Don't ask why we don't use the existing AD domains, boss things...<br>><br>> Regards.<br>><br>><br>> 2012/10/24 Dan Lavu <dan@lavu.net>:<br>>> Juan,<br>>><br>>> The winsync utility is not designed to write to the same ou in 389, can<br>>> you<br>>> separate the sync agreements into two different OU's or databases? I'm<br>>> making the assumption that you are making the agreements to the same OU in<br>>> 389. If you're not writing to the same OU, can you go into more detail<br>>> about<br>>> the design?<br>>><br>>> Dan<br>>><br>>> ________________________________<br>>> From: "Juan Asensio Sánchez" <okelet@gmail.com><br>>> To: 389-users@lists.fedoraproject.org<br>>> Sent: Wednesday, October 24, 2012 7:09:41 AM<br>>> Subject: [389-users] AD replication agreement with 2 different<br>>> servers/domains<br>>><br>>><br>>> Hi<br>>><br>>> I am trying to configure the replication between 389DS an two<br>>> different servers and domains in Active Directory. The first<br>>> replication agreement works fine, and the second works fine too in the<br>>> initialization. But when I modify some user, the change is replicated<br>>> to the first server/domain, but not to the second ones. I think this<br>>> is due to the first agreement has created the objectGUID in AD, and<br>>> replicated to 389DS in the ntUniqueId attribute, but with the second<br>>> agreement, the second server domain has created a different objectGUID<br>>> but not replicated/overwrote the previous ntUniqueId created by the<br>>> first agreement (that then would break the first agreement). Is this<br>>> correct? Is there any way to solve/workaround this?<br>>><br>>> Regard and thanks in advance.<br>>> --<br>>> 389 users mailing list<br>>> 389-users@lists.fedoraproject.org<br>>> https://admin.fedoraproject.org/mailman/listinfo/389-users<br>>><br>>><br>>> --<br>>> 389 users mailing list<br>>> 389-users@lists.fedoraproject.org<br>>> https://admin.fedoraproject.org/mailman/listinfo/389-users<br>> --<br>> 389 users mailing list<br>> 389-users@lists.fedoraproject.org<br>> https://admin.fedoraproject.org/mailman/listinfo/389-users<br>><br>><br>> --<br>> 389 users mailing list<br>> 389-users@lists.fedoraproject.org<br>> https://admin.fedoraproject.org/mailman/listinfo/389-users<br>--<br>389 users mailing list<br>389-users@lists.fedoraproject.org<br>https://admin.fedoraproject.org/mailman/listinfo/389-users</div><br></div></body></html>