Is there a Best Practice on where to implement AD Import rules in a Hierarchy? Should be this done on the Parent SMP or Child SMPs?

ITMS 8.x

There is not a written "best practice" per se, but the general practice and common sense include the following:

In a hierarchical environment, the recommended approach is to have AD Import run only on the Tier 1 NS only (Parent SMP). There are some misconceptions about how all these resources are sent between the Parent and Child SMPs:

1. The parent never sends down computer resources.

   Computer resources are replicated(not relocated) from Child to Parent.

   However, if it is needed to replicate some imported data DOWN(e.g. Users), then there should be a custom hierarchy rule for that resource type.

2. Keep in mind that some resources(which are included in default rules) can replicate imported data by default because imported resources can become a dependent item of some existing resource(e.g. Computer can replicate a User with it ).

3. There are a lot of hierarchy rules which replicate resources in the UP direction.

   So it also should be checked that the new custom hierarchy rule which will replicate resources in the DOWN direction should not have a duplicate that will replicate the same resources in the UP direction.

   If there will be two rules for the same resources and different directions then it will be impossible to find a real “source of truth”.

4. In that case, if it is needed to replicate imported from AD resource in the DOWN direction, but there is already a default rule which replicates such resources in the UP direction, then it will be needed to decide:

• Disable the hierarchy rule which replicated such resources in the UP direction(for some cases it can be acceptable)

• Prepare AD import on Child and let default hierarchy rule to replicate such resource to Parent(if it is needed)

Note that starting from IT Management Suite 8.1 RU5, the following new features are available for replicating AD import data:

• A new default hierarchy replication rule AD import Replication replicates data for users and computers that are imported from Active Directory. By default, this rule is disabled.
• The Replication mode option lets you configure what kind of data the hierarchy replication rule should replicate.
  For example, if you replicate Active Directory (AD) import data from the parent Notification Server to its children, you can either replicate missing data for the resources that exist on child Notification Servers or replicate the resources that are not present on child Notification Servers.