Functionality regarding when Directory Synchronization Schedule is enabled

Article ID: 180834


Products

IT Management Suite

Issue/Introduction

What happens when Directory Synchronization Schedule is enabled?

In the SMP (Symantec Management Platform) Server console, go to Actions menu > Discover > Import Microsoft Active Directory to open the Active Directory Import configuration page.

Click the icon on the top bar to launch the “Directory Synchronization Schedule” page. Then click the "Enabled/disable" icon to enable or disable the desired schedule.

Environment

ITMS 8.x

Resolution

After a schedule is selected, the Directory Synchronization task is added to that schedule. This page uses the standard shared schedules provided by the SMP Server.


Enabling the policy


What happens “OnSchedule”:

The task added to the schedule points to the DirectoryResyncItem.OnSchedule method (located in the Altiris.DirectoryServices namespace).

When the schedule service (Altiris.NS.Scheduling.ScheduleService) is called at the set date and time it will create a new instance of the DirectoryResyncItem class and call the OnSchedule method.

 

Synchronizing the Directory Items

Overview

The Directory item synchronization task retrieves information stored in the database and compares it with the information in the Directory at execution time. If an Item is no longer in the Directory it will be removed from the Database.

Execution overview

First, the system retrieves the DirectoryImportItemClassGUID from a .NET class (DirectoryConstants in the Altiris.DirectoryServices namespace).

DirectoryImportItemClassGUID: b2378265-2779-49e6-998d-8be620b3d9d9

For each entry found in the database, the SMP Server checks whether a corresponding directory entry exists on the LDAP (using the DirectoryEntryExist method implemented in the DirectoryExporter class). If the entry does not exist in the directory, the ItemGUID is added to a RemoveItemList collection.

Once the SMP Server has read all the database entries for a given ImportRuleGUID, it removes from the database all of the items listed by GUID in the RemoveItemList collection. Upon completion, the system moves to the next ImportRuleGUID until all ImportRuleGUIDs have been processed.

 

Synchronizing the Directory Resources

Overview 

The Directory resources synchronization task works in a very similar manner to the Directory Item synchronization task, with a few nuances. The difference will be described in the following few pages.

First, the system retrieves the DirectoryImportItemClassGUID from the same .NET DirectoryConstants class. But this time it retrieves three class GUIDs, as listed below:

  • DirectoryImportRuleDataClassGUID: 1be9ab23-a4f1-43d4-a68f-d861d34cbeea
  • GlobalADDetailsClassGUID: 2280041b-5438-4965-9d0d-606f558b97e8
  • WindowsUserDataClassGUID: 697620f1-7479-4b6a-bcaa-bdb055081fb4

 

As with the Item synchronization, for each entry found the SMP Server checks with DirectoryEntryExist whether the entry exists on the LDAP (AD or NT). If the entry does not exist on the AD, the ItemGUID is added to a filter.

Once the SMP Server has read all the database entries for a given ImportRuleGUID, it removes all of the ItemGUIDs added to the filter mentioned above and moves to the next ImportRuleGUID until no ImportRuleGUIDs are left to check.
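The collect-then-remove pass described for both the Directory Items and the Directory Resources can be modelled as a dry run that reports what a scheduled synchronization would delete. This is an added example, not code from the product: the function names, the sample data and the `DirectoryUnavailable` handling are assumptions of the example, and only the per-ImportRuleGUID loop and the RemoveItemList come from the article.

```python
from collections import defaultdict

class DirectoryUnavailable(Exception):
    """The directory could not be queried (distinct from 'entry not found')."""

def plan_removals(db_entries, directory_entry_exists):
    """Collect, per ImportRuleGUID, the ItemGUIDs whose directory entry is gone.

    db_entries: iterable of (import_rule_guid, item_guid, directory_path).
    directory_entry_exists: callable(path) -> bool, a stand-in for the
    DirectoryEntryExist check the article names.
    Returns (plan, skipped_rules).
    """
    by_rule = defaultdict(list)
    for rule, item, path in db_entries:
        by_rule[rule].append((item, path))

    plan, skipped = {}, []
    for rule, entries in by_rule.items():
        remove_item_list = []          # the article's RemoveItemList
        try:
            for item, path in entries:
                if not directory_entry_exists(path):
                    remove_item_list.append(item)
        except DirectoryUnavailable:
            # Choice made by this example, not documented product behaviour:
            # a failed lookup is not proof of deletion, so skip the whole rule.
            skipped.append(rule)
            continue
        plan[rule] = remove_item_list  # removal happens only after the full read
    return plan, skipped

# Constructed sample data: two import rules, placeholder GUIDs and paths.
DB = [
    ("rule-A", "item-1", "CN=alice,OU=Staff,DC=example,DC=test"),
    ("rule-A", "item-2", "CN=bob,OU=Staff,DC=example,DC=test"),
    ("rule-B", "item-3", "CN=pc01,OU=Lab,DC=example,DC=test"),
]
LIVE = {"CN=alice,OU=Staff,DC=example,DC=test"}

def lookup(path):
    if "OU=Lab" in path:               # simulate an unreachable domain controller
        raise DirectoryUnavailable(path)
    return path in LIVE

if __name__ == "__main__":
    plan, skipped = plan_removals(DB, lookup)
    for rule, items in plan.items():
        print(rule, "would remove", items)
    print("skipped (directory unavailable):", skipped)
```

Reviewing such a plan before enabling the schedule shows which database entries depend on the directory being reachable and complete at execution time.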

Attachments

What happens when Directory Synchronization Schedule is enabled__V1.0.doc