You might be able to do something like
Create two OUs, create the replication agreements to the OUs, sync with one AD server, and in the other OU create a referral to the synced OU? It sounds ugly, looks ugly because it's ugly, but that might work.
FWIW, good luck.
Dan
From: "Juan Asensio Sánchez" <okelet@xxxxxxxxx>
To: "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, October 24, 2012 2:12:05 PM
Subject: Re: AD replication agreement with 2 different servers/domains
Hi again
Rich, I don't think that ticket would help me; I need to sync users
with two different servers/domains, not with two different OUs in the
same server/domain.
Dan, I don't want to merge the two AD domains, I want to replicate the
data in 389DS to the two AD servers/domains. I could use the LDIF
export, but then I would lose the password replication I get with the
replication agreement.
I guess I will not be able to do what I think...
Thanks all.
2012/10/24 Dan Lavu <dan@xxxxxxxx>:
> Juan,
>
> It's not designed to work that way; it's unique OU replicated to unique OU,
> you will have strange overlap and rewriting if you try to replicate that
> way, with two agreements to the same OU. So if I understand this correctly you
> are essentially trying to do a merge between two domains?
>
> I would suggest creating a new suffix for each domain, or creating one giant
> suffix with OUs for domains; that way you can use '-s sub' to search the
> entire suffix but still have that segregation. Or you can export an LDIF
> from AD and use ldapdiff.pl to pre-merge the AD domains.
>
> Hope this helps.
>
> Dan
>
> ________________________________
> From: "Juan Asensio Sánchez" <okelet@xxxxxxxxx>
> To: "General discussion list for the 389 Directory server project."
> <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
> Sent: Wednesday, October 24, 2012 1:03:55 PM
> Subject: Re: AD replication agreement with 2 different
> servers/domains
>
>
> Hi Dan
>
> Yes, I am trying to sync the same OU to two different servers/domains.
> This is because the users in our directory are split into several
> organizations, and each organization is semi-self-managed. Some of
> those organizations have replication agreements with their own AD
> domain. Now we want, from the "central organization", to replicate all
> the users (from all the organizations) to a new AD domain which will
> provide mail with Exchange, so each user's OU will have two Windows
> replication agreements (one with the organization's AD domain and the other
> with the new "central organization" AD domain with Exchange).
>
> Anyone experienced with a topology like this?
>
> NB: Don't ask why we don't use the existing AD domains, boss things...
>
> Regards.
>
>
> 2012/10/24 Dan Lavu <dan@xxxxxxxx>:
>> Juan,
>>
>> The winsync utility is not designed to write to the same OU in 389; can
>> you separate the sync agreements into two different OUs or databases? I'm
>> making the assumption that you are making the agreements to the same OU in
>> 389. If you're not writing to the same OU, can you go into more detail
>> about the design?
>>
>> Dan
>>
>> ________________________________
>> From: "Juan Asensio Sánchez" <okelet@xxxxxxxxx>
>> To: 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>> Sent: Wednesday, October 24, 2012 7:09:41 AM
>> Subject: AD replication agreement with 2 different
>> servers/domains
>>
>>
>> Hi
>>
>> I am trying to configure the replication between 389DS and two
>> different servers and domains in Active Directory. The first
>> replication agreement works fine, and the second works fine too in the
>> initialization. But when I modify some user, the change is replicated
>> to the first server/domain, but not to the second one. I think this
>> is because the first agreement created the objectGUID in AD and
>> replicated it to 389DS in the ntUniqueId attribute, but with the second
>> agreement the second server/domain created a different objectGUID
>> which did not replicate/overwrite the previous ntUniqueId created by the
>> first agreement (that would then break the first agreement). Is this
>> correct? Is there any way to solve/work around this?
>>
>> Regards and thanks in advance.
>> --
>> 389 users mailing list
>> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
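As an added example (not code from this thread, from Juan or Dan, or from the 389DS project), here is a small Python diagnostic for the ntUniqueId/objectGUID binding the original question describes. It assumes, because the thread does not say so, that winsync stores the AD objectGUID in ntUniqueId as the 32-character hex of the raw 16 GUID bytes in AD's own byte order, and that AD accepts that same hex inside a <GUID=...> search base. The domain names and objectGUID values are constructed sample data.

```python
"""Decode AD objectGUID values and work out which AD domain a 389DS entry's
ntUniqueId is bound to. Added example; assumptions are marked below."""
import uuid

# Constructed sample data (not from the thread): the objectGUID each AD domain
# assigned to the same user, and the ntUniqueId that 389DS currently holds.
SAMPLE_GUIDS = {
    "org.example": bytes.fromhex("9b1d5e7e6a2bb74a8ab06c4cf6d9abc7"),
    "central.example": bytes.fromhex("3f0a6c12d8e4c24f9c11a7b25e0d4f61"),
}
ENTRY_NTUNIQUEID = "9b1d5e7e6a2bb74a8ab06c4cf6d9abc7"


def objectguid_to_ntuniqueid(raw: bytes) -> str:
    """ntUniqueId form, ASSUMED here to be the 16 raw objectGUID bytes
    hex-encoded in AD's byte order with no dashes."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return raw.hex()


def objectguid_to_canonical(raw: bytes) -> str:
    """Dashed GUID as ADUC/PowerShell display it. AD stores the first three
    GUID fields little-endian, so the raw hex and the displayed string differ;
    uuid.UUID(bytes_le=...) performs that byte swap."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def canonical_to_ntuniqueid(guid_str: str) -> str:
    """Inverse direction: from the GUID shown in AD tools to the raw-byte hex
    one would expect to find in ntUniqueId under the assumption above."""
    return uuid.UUID(guid_str).bytes_le.hex()


def ad_guid_dn(nt_unique_id: str) -> str:
    """<GUID=...> DN form, ASSUMED to be accepted by AD as a search base."""
    return f"<GUID={nt_unique_id.lower()}>"


def diagnose(nt_unique_id: str, guids_by_domain: dict) -> dict:
    """Per-domain report comparing the 389DS entry's ntUniqueId against the
    objectGUID each AD domain assigned to the corresponding user."""
    wanted = nt_unique_id.lower()
    report = {}
    for domain, raw in guids_by_domain.items():
        as_nt = objectguid_to_ntuniqueid(raw)
        report[domain] = {
            "objectGUID": objectguid_to_canonical(raw),
            "ntUniqueId_form": as_nt,
            "bound": as_nt == wanted,
        }
    return report


def bound_domain(nt_unique_id: str, guids_by_domain: dict):
    """Name of the single domain whose objectGUID matches ntUniqueId, or None.
    With one ntUniqueId per entry (the situation the thread suspects), at most
    one agreement can own the entry; a second agreement against the same OU
    finds no matching GUID on its side."""
    matches = [d for d, info in diagnose(nt_unique_id, guids_by_domain).items()
               if info["bound"]]
    if len(matches) > 1:  # only possible if two domains issued the same GUID
        raise RuntimeError(f"ntUniqueId matches several domains: {matches}")
    return matches[0] if matches else None


if __name__ == "__main__":
    for domain, info in diagnose(ENTRY_NTUNIQUEID, SAMPLE_GUIDS).items():
        flag = "BOUND" if info["bound"] else "not bound"
        print(f"{domain:16} objectGUID={info['objectGUID']} {flag}")
    print("entry is owned by:", bound_domain(ENTRY_NTUNIQUEID, SAMPLE_GUIDS))
    print("AD lookup base:", ad_guid_dn(ENTRY_NTUNIQUEID))
```

To use it against real servers, read the entry's ntUniqueId from 389DS and the user's objectGUID from each AD domain with ldapsearch, then pass them to diagnose(). If only one domain reports "bound", that entry can only follow the agreement for that domain, which is consistent with the behaviour reported in the original question: the second agreement populates the AD side during initialization but later modifications are not carried over.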