[389-users] 389 <=> AD group sync

Rich Megginson rmeggins at redhat.com
Fri Nov 30 15:25:41 UTC 2012


On 11/30/2012 07:47 AM, Matti Alho wrote:
> On 11/30/2012 04:30 PM, Rich Megginson wrote:
>> On 11/30/2012 01:30 AM, Matti Alho wrote:
>>>>> I'm testing group sync between 389ds and Microsoft AD. It works
>>>>> otherwise, but incremental updates are not working. Any changes to
>>>>> groups on 389 side do not get synced to AD unless I do a full manual
>>>>> update triggered via console. Syncing users works normally. Would
>>>>> someone have an idea why?
>>>>
>>>> Can you be more specific?  Can you provide your winsync config and an
>>>> example of what you are trying to do?
>>>
>>> Ah sorry, here is an example of a group I'm trying to sync:
>>>
>>> dn: cn=wingrouptemp,ou=People,dc=domain,dc=com
>>> ntUniqueId: 9da16bd7236fb04285c419aefb9cb2a5
>>> ntGroupCreateNewGroup: on
>>> objectClass: top
>>> objectClass: groupofuniquenames
>>> objectClass: ntgroup
>>> uniqueMember: uid=test1,ou=People,dc=domain,dc=com
>>> uniqueMember: uid=test2,ou=People,dc=domain,dc=com
>>> ntUserDomainId: wingrouptemp
>>> cn: wingrouptemp
>>>
>>> Sync agreement is set for ou=People,dc=domain,dc=com and has "New
>>> Windows User Sync" and "New Windows Group Sync".
>>
>> And what change are you making to this group that is not being sent 
>> to AD?
>
> The group itself or any changes.

So adding the group entry?  Or changing the membership?

> I mean if I create a group like that via 389 console, it doesn't 
> appear in AD unless I trigger a full sync. Maybe I'm missing something 
> obvious and/or simple?

I don't know.  Looks ok to me.  I guess the next step would be to 
reproduce the problem with the Replication log level 
(http://port389.org/wiki/FAQ#Troubleshooting) enabled, and then look 
in the errors log to see why the group add operation is not being 
sent to AD.

>
> PS. thanks for answering!
>
> -Matti



