I did use multiple OUs, trying to mimic the AD structure as closely as possible. I think I tried the all-in-one approach, but there was some kind of issue.

The MS server is 2008 R2. The DS server is version 1.3.1.

The attributes set on the groups are ntgroupcreatenewgroup = on, ntgroupdeletegroup = on, ntuniqueid = xxxxxxxxxxxxxx, ntuserdomainid = "group name". It has the ntgroup objectClass, and a list of uniquemembers.

Cheers
DuWayne

On Sun, 2014-05-18 at 20:42 +0300, Vesa Alho wrote:
> On 05/16/2014 09:12 PM, DuWayne Holsbeck wrote:
> > I have a 389 and AD servers setup, and sync agreements configured for
> > users, and groups. The Groups synced fine, but on the AD side there are
> > no members in the groups. I set the ntGroup objectClass, ntGroupType,
> > ntGroupCreateNewAccount, ntGroupDeleteAccount, ntUniqueId attributes set
> > on the 389DS side. Initial sync runs without errors.
> >
> > Am I missing something, or is there a trick to get the Group memberships
> > to sync up between the 2?
> >
> > Any suggestions on a fix, or way to troubleshoot the issue would be
> > greatly appreciated.
>
> Did you set up a single sync agreement? I managed to get group members
> working when syncing users and groups with a single sync agreement. Due to
> our LDAP structure, I had to create a sync agreement for the whole root
> suffix.
>
> 389: dc=domain,dc=com ==> AD: ou=ldap,dc=domain,dc=com
>
> Before this, I tried to sync users and groups with separate sync
> agreements, which didn't work. Also check you are running at least
> version 1.2.11.29. I had general problems with MS Server 2012 R2 with
> earlier versions.
>
> -Vesa
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users