Is there a best practice on where to implement AD Import rules in a hierarchy? Should this be done on the Parent SMP or the Child SMPs?
There is not a written "best practice" per se, but the general practice and common sense include the following:
In a hierarchical environment, the recommended approach is to run AD Import only on the Tier 1 NS (Parent SMP). There are some misconceptions about how these resources are sent between the Parent and Child SMPs:
The parent never sends down computer resources.
Computer resources are replicated (not relocated) from Child to Parent.
However, if some imported data (e.g. Users) needs to be replicated DOWN, there should be a custom hierarchy rule for that resource type.
Keep in mind that some resources included in the default rules can replicate imported data by default, because an imported resource can become a dependent item of an existing resource (e.g. a Computer can replicate a User along with it).
There are a lot of hierarchy rules which replicate resources in the UP direction.
For that reason, check that a new custom hierarchy rule that replicates resources in the DOWN direction does not have a counterpart that replicates the same resources in the UP direction.
If there are two rules for the same resources in different directions, it becomes impossible to determine the real “source of truth”.
If a resource imported from AD needs to be replicated in the DOWN direction, but a default rule already replicates such resources in the UP direction, you need to choose one of the following:
Disable the hierarchy rule that replicates such resources in the UP direction (this can be acceptable in some cases).
Set up AD Import on the Child and let the default hierarchy rule replicate such resources to the Parent (if needed).
Note that starting from IT Management Suite 8.1 RU5, the following new features are available for replicating AD import data: