AD Import in a Hierarchy

Article ID: 150390

Products

IT Management Suite

Issue/Introduction

Is there a best practice on where to implement AD Import rules in a Hierarchy? Should this be done on the Parent SMP or on the Child SMPs?

Environment

ITMS 8.x

Resolution

There is not a written "best practice" per se, but the general practice and common sense include the following:

In a hierarchical environment, the recommended approach is to have AD Import run only on the Tier 1 NS (Parent SMP). There are some misconceptions about how all these resources are sent between the Parent and Child SMPs:

  1. The parent never sends down computer resources.

    Computer resources are replicated (not relocated) from Child to Parent.

    However, if some imported data needs to be replicated DOWN (e.g. Users), then there should be a custom hierarchy rule for that resource type.

  2. Keep in mind that some resources (which are included in default rules) can replicate imported data by default, because imported resources can become a dependent item of some existing resource (e.g. a Computer can replicate a User with it).

  3. There are a lot of hierarchy rules which replicate resources in the UP direction.

    So it should also be checked that a new custom hierarchy rule that replicates resources in the DOWN direction does not have a duplicate that replicates the same resources in the UP direction.

    If there are 2 rules for the same resources in different directions, it will be impossible to find the real “source of truth”.

  4. If a resource imported from AD needs to be replicated in the DOWN direction, but there is already a default rule that replicates such resources in the UP direction, then a decision is needed:

  • Disable the hierarchy rule that replicates such resources in the UP direction (in some cases this can be acceptable)

  • Set up AD Import on the Child and let the default hierarchy rule replicate such resources to the Parent (if it is needed)
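The check described in items 2 to 4 can be sketched as a script. This is an added example, not Symantec/Broadcom code and not an ITMS API or export format: the `Rule` model, the `DEPENDENTS` map and the sample rule names are hypothetical and constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str            # hypothetical rule name
    resource_type: str   # resource type the rule targets
    direction: str       # "UP" (child -> parent) or "DOWN" (parent -> child)
    enabled: bool = True

# Constructed assumption: resource types carried along as dependent items
# of another type (item 2: a Computer can replicate a User with it).
DEPENDENTS = {"Computer": {"User"}}

def effective_types(rule):
    """Resource types a rule actually moves, including dependent items."""
    return {rule.resource_type} | DEPENDENTS.get(rule.resource_type, set())

def find_conflicts(rules):
    """Return {resource_type: {"UP": [names], "DOWN": [names]}} for every
    type that enabled rules replicate in both directions."""
    by_type = defaultdict(lambda: {"UP": [], "DOWN": []})
    for rule in rules:
        if not rule.enabled:
            continue  # disabled rules replicate nothing
        if rule.direction not in ("UP", "DOWN"):
            raise ValueError(f"{rule.name}: unknown direction {rule.direction!r}")
        for rtype in effective_types(rule):
            by_type[rtype][rule.direction].append(rule.name)
    # A type with both directions populated has no single source of truth.
    return {t: d for t, d in by_type.items() if d["UP"] and d["DOWN"]}

# Constructed inventory, not exported from a real Notification Server.
SAMPLE_RULES = [
    Rule("Default computer replication", "Computer", "UP"),
    Rule("Custom AD users to children", "User", "DOWN"),
    Rule("Custom AD subnets to children", "Subnet", "DOWN"),
    Rule("Legacy user replication", "User", "UP", enabled=False),
]

if __name__ == "__main__":
    for rtype, dirs in find_conflicts(SAMPLE_RULES).items():
        print(f"{rtype}: UP via {dirs['UP']}, DOWN via {dirs['DOWN']}")
```

In the sample, the User conflict comes from the Computer rule's dependent items rather than from any rule that names User directly, which is the case item 2 warns about.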

Note that starting from IT Management Suite 8.1 RU5, the following new features are available for replicating AD import data:

  • A new default hierarchy replication rule, AD import Replication, replicates data for users and computers that are imported from Active Directory. By default, this rule is disabled.
  • The Replication mode option lets you configure what kind of data the hierarchy replication rule should replicate.
    For example, if you replicate Active Directory (AD) import data from parent Notification Server to its children, you can either replicate missing data for the resources that exist on child Notification Servers or replicate the resources that are not present on child Notification Servers.