
2-way directory sync expected behavior

Current config:

Source: AD, 2008 R2, Target: AD 2008 R2

DMM AD v8.13, no Exchange components (using ODME)

My customer has a requirement to sync AD passwords from target to source for legacy application support. I have never done a two-way sync before and have always been advised against it. Needless to say, I've set the tool up, narrowed my sync scope on the source to an OU of test accounts and a single OU on the target. I am using LDAP filters to control exactly what objects will get synchronized. About 90% of the source objects already have an object in the target domain.

In my initial test, I copied/merged a single source/target object. I started my initial sync and my expected behavior would be to see that the "synchronized objects" count would be "1". Instead, it went up to 14 and once I saw that, I stopped the DSA completely as I didn't want to break anything further. See graphic:

I exported the INI file and found the 14 objects in question. My questions are:

1. My understanding is that the DSA on initial sync of source and target environments will enumerate the entire source and target environments. Is that correct?

2. Why would the sync'd objects count increase beyond one? I double-checked my LDAP filter and it only retrieved a single object.

3. I spot-checked a few of the 14 "synchronized objects" and they don't appear to be altered but I cannot be sure. Beyond the obvious, are there any other "gotchas" doing a two-way sync? I'd like to convince the customer that it's dangerous.

Sorry for the length of this. Appreciate anyone's assistance.

Regards,

Eric
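The two checks the post is reaching for, as an added example that is not part of the original question or of the DMM product: first, run the same LDAP filter against both the source and target scopes to see exactly what a two-way sync would select on each side; second, for the object DNs the DSA listed as "synchronized", read the per-attribute replication metadata (the msDS-ReplAttributeMetaData constructed attribute, available on 2008 R2) to find out whether anything on those objects was actually written while the DSA was running, and in particular whether pwdLastSet / unicodePwd moved. Server names, OU DNs, the filter, the DN list and the time window are placeholders to be replaced with the real values from your environment and your exported INI.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
# All server names, DNs, the filter and the time window below are placeholder assumptions.
Import-Module ActiveDirectory

$SourceDC   = 'dc01.source.example'                       # placeholder
$TargetDC   = 'dc01.target.example'                       # placeholder
$SourceOU   = 'OU=TestAccounts,DC=source,DC=example'      # placeholder
$TargetOU   = 'OU=Migrated,DC=target,DC=example'          # placeholder
$LdapFilter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName=testuser01))'  # placeholder
$Since      = (Get-Date).AddHours(-24)                    # window in which the DSA was running

# 1. Scope dry run: what does this filter select on EACH side? A two-way sync reads both.
function Get-SyncScope {
    param([string]$Server, [string]$SearchBase, [string]$Filter)
    Get-ADObject -Server $Server -SearchBase $SearchBase -SearchScope Subtree `
                 -LDAPFilter $Filter -Properties sAMAccountName, whenChanged
}
$src = @(Get-SyncScope -Server $SourceDC -SearchBase $SourceOU -Filter $LdapFilter)
$tgt = @(Get-SyncScope -Server $TargetDC -SearchBase $TargetOU -Filter $LdapFilter)
"Source objects selected by filter: $($src.Count)"
"Target objects selected by filter: $($tgt.Count)"

# 2. For each object the DSA reported as synchronized, list attributes whose last
#    originating write falls inside the window. An empty result means nothing on the
#    object was written in that window, i.e. it was matched/enumerated, not modified.
function Get-RecentAttributeWrites {
    param([string]$Server, [string]$DistinguishedName, [datetime]$Since)
    $obj = Get-ADObject -Server $Server -Identity $DistinguishedName `
                        -Properties 'msDS-ReplAttributeMetaData'
    foreach ($xml in $obj.'msDS-ReplAttributeMetaData') {
        # Each value is one XML fragment: <DS_REPL_ATTR_META_DATA>...</DS_REPL_ATTR_META_DATA>
        $m    = ([xml]$xml).DS_REPL_ATTR_META_DATA
        $when = [datetime]$m.ftimeLastOriginatingChange   # UTC string, converted to local time
        if ($when -ge $Since) {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Attribute = $m.pszAttributeName
                Version   = [int]$m.dwVersion
                Changed   = $when
                FromDsa   = $m.pszLastOriginatingDsaDN
            }
        }
    }
}

# DNs copied from the exported INI; placeholder entries.
$SyncedDNs = @(
    'CN=Test User 01,OU=Migrated,DC=target,DC=example'
)
$writes = foreach ($dn in $SyncedDNs) {
    Get-RecentAttributeWrites -Server $TargetDC -DistinguishedName $dn -Since $Since
}
if ($writes) {
    $writes | Sort-Object Object, Changed | Format-Table -AutoSize
    # Password writes show up here as version bumps on pwdLastSet / unicodePwd.
    $pw = $writes | Where-Object { $_.Attribute -in 'pwdLastSet', 'unicodePwd' }
    if ($pw) { "Password-related writes found on: $(($pw.Object | Sort-Object -Unique) -join ', ')" }
} else {
    "No attribute on the listed objects was written since $Since."
}

# 3. Cross-check from the target DC's Security log: 4724 = password reset attempt,
#    4738 = user account changed. Needs account-management auditing enabled on the DC.
Get-WinEvent -ComputerName $TargetDC -FilterHashtable @{
    LogName = 'Security'; Id = 4724, 4738; StartTime = $Since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='Subject';e={$_.Properties[4].Value}}, @{n='Target';e={$_.Properties[0].Value}}
```

Run step 1 before starting the DSA again; if the filter returns one object on one side but more on the other, that alone explains a synchronized count above one. Step 2 is the definitive answer to "I cannot be sure": replication metadata records every originating write regardless of who made it, so a DSA write with the service account leaves a version bump and timestamp you can see even when the visible values look unchanged. Step 3 only works if the DC's audit policy already covers user account management and, for a two-way setup, should be run against a DC on each side.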
