Active Directory Import FAQ

book

Article ID: 181440

calendar_today

Updated On:

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

 

Resolution

Directory Synchronization

 ·         The Directory Synchronization Schedule’s purpose is to delete any items in the Symantec_CMDB, imported by the Active Directory Connector Solution rule, that have been deleted, renamed or moved into a different organizational unit within Active Directory. This includes users, computers, subnets, sites, etc.

Below are a couple of scenarios that demonstrate how this works with users:

Scenario 1:  User1 gets created in OU1 within Active Directory. A “full” or “update” “User”  import rule runs and imports the users into the Symantec_CMDB database. The user associated with the default scope membership collection for “User” (BD77070C….). Once the Delta Resource Membership update schedule runs, the user is also associated with the scopecollectionguid for OU1 in the ScopeMembership table.

If the option “Create organizational unit filters” is selected within the rule, the user is also inserted into the OU1 filter that is created during the import process.

If User1 is then moved within AD into OU2 and then the Directory Synchronization schedule is ran, User1 will be deleted completely from the Symantec_CMDB database.

Scenario 2. :  User1 gets created in OU1 within Active Directory. A “full” or “update” “User” import rule runs and imports the users into the Symantec_CMDB database. The user is associated with the default scope membership collection for  “User” (BD77070C….). Once the Delta Resource Membership update schedule runs, the user is also associated with the scopecollectionguid for OU1 in the ScopeMembership table.

If User1 is then moved within AD into OU2 and then an AD Update process for the respective rule is ran, the user will be moved to the OU2 folder and OU2 filter. A Delta Resource Membership update process also needs to run after the import has finished for this to complete.

·         The same information is valid for computers except that once a computer becomes managed the Directory Synchronization process will NOT delete them even if the computers were removed from AD all together.

·         Users imported by a “User” import rule should not be mistaken for accounts that get created in the console manually and associated with a “Windows” user. An imported user and a created user account could theoretically have the same name. The user account in the console will maintain its association to the Windows account unless the user is removed from AD

·         A “Role and Account rule” is used to import security groups and their membership as roles and accounts into the database. A ”Role and Account” rule will create roles for each imported security group  and  its membership as “Accounts”.  These “Accounts” are also included in the role’s membership.

·         The recommendation is to use the Directory Synchronization process on an infrequent basis such as monthly and a “Full” AD import more frequently if there is concern that the sync process will delete items that it shouldn't’t.  If changes are made to AD, make sure that that an “Update” import rule runs prior to the Directory Synchronization to avoid the possibility of unexpected object deletion.


Import Role and Account Resources

The AD Connector has been updated (with SMP 7.1 and 7.5 releases) and now supports creating Role and Account resources based on Groups and Users in Microsoft Active Directory.
Role resources are created for each Group imported from AD, and Account and Windows Credential resources are created for each User imported from AD.
Also, the memberships of the group in AD are also imported.

Resource Information
When performing AD imports the security resources that are created have the following resource keys:
• trusteename - This is the value of the sAMAccountName property in AD property prefixed with the domain name. e.g. testdom01\TestRole or testdom1\TestUser
• distinguishedname - This is the value of the distinguished name of the object in AD
• directoryid - This is the guid of the object in AD
• sid (WindowsCredential Resource Only) - This SID of the object in AD.

If any of the resources that are imported from AD match existing resources on ANY of these keys then the existing resources will be managed from AD from then on.

Using the above keys ensures that the following scenarios are covered:
• Created Account whose name matches a user in AD

• If a user creates an account whose name is testdom01\TestUser and this user exists in AD then the Account resource imported from AD will match on the trusteename key and will match the existing account

• Created Account & WindowsCredential whose SID matches a user in AD

• If a user creates a Windows Credential whose SID is in AD and assigns it to an a user created Account (whose name can be anything) then the WindowsCredential will match on the sid key and the existing account will renamed and updated to match the name of the user in AD.

• Created Role whose name matches a role in AD

• If a user creates an account whose name is testdom01\TestGroup and this group exists in AD then the Role resource imported from AD will match on the trusteename key and will match the existing role

• User or Groups are renamed in AD

• If a user or group is renamed in AD, but its guid does not change. Imported resources will match on the directoryid key and will update existing resources

• User or Groups deleted and re-created

• If a user or group is deleted from AD and re-created with the same name, the import will match on trusteename and distinguishedname

• User or Groups deleted

• If a user or group is deleted from AD the re-sync schedule will be unable to find objects in AD using the directoryid key and will then delete them from the NS.



Role Members
AD is treated as the source of truth regarding group memberships. Any changes that are made to a role resource's members in the NS (assuming the role is matches a group AD) will be lost whenever the nextcomplete update is done. During a complete import the role resource's members will be updated to match the group's members that are in AD.

Account \ Credentials
Assume an account resource in the NS has multiple credentials, e.g. it has a windows credential and an internal credential. If this account resource matches a user in AD and an import is done the following will happen:
• The account resource and windows credential resources will be updated with information from AD
• The internal credential will be unassigned from the account resource

How AD Import Handles Roles and Accounts Imports
The Active Directory function in NS is split between a full import and an update import. The resync schedule is also important for when roles and accounts are deleted. Groups imported from AD are converted to roles in NS.
 

  • NS recognizes changes to Roles and Accounts in Active Directory based on changes to the uSNChanged value. If the uSNChanged value is greater than the NS maximum uSNChanged value then NS knows that either the Role or Account has changed since the last AD import. Full import and update import deal with changes to uSNChanged differently.
  • If nothing has changed in AD, then whatever changes are made in the NS will remain unchanged until a full import is run. If you create a new account then the new account (and any other modified accounts) will be imported from AD. A full import will import everything no matter what value the uSNChanged is.
  • The Update import will only change the roles or accounts in NS when there are changes in Active Directory, namely the uSNChanged value. For example, if an existing account is added to an existing role then nothing will happen when update import is run. If the account is new and it is added to an existing role then it will be added. If an account is renamed then it will be added as part of an update import.
  • Changing the group membership is not the same as deleting it, e.g. removing an account from one role and placing it in another will not register as a deletion. Only deleting the account completely from AD is considered deletion. The resync schedule is needed to delete those accounts and roles in the NS that have been deleted in AD. They are removed from their AD roles as well as the 'Everyone' group.
  • AD does not manage NS roles. After an import, if an AD account is moved from an AD role to a NS security role and a full import is carried out, the account will remain in the NS role. The account will be added to the AD role again so that the account will now be a member of both roles.
  • When changes are made to the AD groups, the AD rules used by NS need to be changed. If a group is a part of an AD rule and the group name is changed or the group is deleted from AD, then if the rule is run it will show an error. The rule must include groups that are present in AD, no mismatches.