Syncing all users in all OUs from AD to a flat hierarchy under ADAM

Discussion in 'Active Directory' started by Tyson Flint, Mar 7, 2012.

  1. Tyson Flint

    Tyson Flint Guest

    I have a Server 2008 Lightweight Directory Services (LDS) instance that I'm synchronizing with AD to bring over the list of all the users in all OUs of the AD domain.

    My goal is to have all the users end up in a single OU under the LDS instance. Currently the synch is bringing over the entire OU structure from AD and I need to find a way to make it into a single flat hierarchy. It appears that if I attempted to specify an OU within LDS for the user objects to be created under, the AD OU structure would be mirrored underneath this OU within LDS.

    Any thoughts on how to use LDS to synch all the users from AD into a single OU within LDS?

    I could write my own sync script to pull the user list from AD, then create the same user objects within LDS each day. However, I'm thinking I'd run into issues with how to deal with user deletions from AD, or what happens when my script runs and the DC it is using for its source has a brief hiccup (i.e., a reboot) and my script thinks half the users were deleted from AD. Why bother writing a script for this if the work has been done somewhere else with the framework already included that accounts for things I might not think of?

    I've heard bigger products are out there that could assist with this, but they all seem to carry a big price tag. There used to be things like IIFP (Identity Integration Feature Pack / MIIS 2003 Lite), but they've been swallowed up into bigger more costly products now like ILM 2007 (Identity Lifecycle Manager) and FIM 2010 (Forefront Identity Manager), which are pretty pricey considering the simplicity of the application's need.

    I've heard that IIFP was replaced by Active Directory Metadirectory Services (AD MDS), which I believe is a component of the Active Directory Rights Management Service (AD RMS) role. How would I go about setting up the synchronization between all users from all OUs in AD and a single OU in another LDAP database using this? Would I still be using LDS, or would this replace it? Would it allow for my application's LDAP queries to continue working just like on the LDS instance?

    Perhaps this is possible with Server 2008's LDS and I just need some help configuring the MS-AdamSyncConf.XML or the LDIF file to support this.
    Tyson Flint, Mar 7, 2012
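
The deletion and partial-read concerns raised in the post, as an added example that is not the poster's code or a Microsoft tool: a planning step that flattens AD users into one container and refuses to proceed when a run would delete an implausible share of entries. `FLAT_OU`, `MAX_DELETE_RATIO`, `plan_sync` and the sample records are hypothetical, and the sketch assumes each LDS entry stores the objectGUID of its AD source; the LDAP reads and writes are left out.

```python
FLAT_OU = "OU=People,DC=lds,DC=example"  # hypothetical LDS container
MAX_DELETE_RATIO = 0.25                  # assumed per-run safety limit

def flat_dn(user):
    # sAMAccountName is unique across the domain, so it is safe as the RDN.
    # CN is not: two OUs can each hold a "CN=John Smith".
    return "CN=%s,%s" % (user["sAMAccountName"], FLAT_OU)

def plan_sync(ad_users, lds_index):
    """ad_users: dicts read from AD; lds_index: {source objectGUID: LDS DN}.
    Returns (adds, renames, deletes) without touching either directory."""
    by_guid = {u["objectGUID"]: u for u in ad_users}
    adds = sorted(flat_dn(u) for g, u in by_guid.items() if g not in lds_index)
    # Matching on objectGUID lets an account renamed in AD become a rename
    # in LDS instead of a delete followed by an add.
    renames = sorted((lds_index[g], flat_dn(u)) for g, u in by_guid.items()
                     if g in lds_index
                     and lds_index[g].lower() != flat_dn(u).lower())
    deletes = sorted(dn for g, dn in lds_index.items() if g not in by_guid)
    # A rebooting DC or a truncated search looks like a mass deletion.
    if lds_index and len(deletes) / len(lds_index) > MAX_DELETE_RATIO:
        raise RuntimeError("refusing to delete %d of %d entries"
                           % (len(deletes), len(lds_index)))
    return adds, renames, deletes

def _user(guid, sam, dn):
    return {"objectGUID": guid, "sAMAccountName": sam, "dn": dn}

# Constructed sample data: two "John Smith" objects live in different OUs.
SAMPLE_AD = [
    _user("g1", "jsmith", "CN=John Smith,OU=Sales,DC=corp,DC=example"),
    _user("g2", "jsmith2", "CN=John Smith,OU=IT,DC=corp,DC=example"),
    _user("g3", "adoe", "CN=Alice Doe,OU=IT,DC=corp,DC=example"),
    _user("g4", "bkhan", "CN=B Khan,OU=HR,DC=corp,DC=example"),
    _user("g5", "cwu", "CN=C Wu,OU=HR,DC=corp,DC=example"),
]
SAMPLE_LDS = {
    "g1": "CN=jsmith," + FLAT_OU,
    "g3": "CN=alee," + FLAT_OU,   # account was renamed in AD since last run
    "g4": "CN=bkhan," + FLAT_OU,
    "g5": "CN=cwu," + FLAT_OU,
    "g9": "CN=gone," + FLAT_OU,   # source object no longer exists in AD
}

if __name__ == "__main__":
    print(plan_sync(SAMPLE_AD, SAMPLE_LDS))
```

A run that trips the limit changes nothing, so the next successful read from AD produces the correct plan.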