Active Directory Topologies

This section describes the procedure to configure Directory Sync per Active Directory topology.

Single Forest/Single Domain

In this environment, install and run Directory Sync in one system.

If multiple domain controllers will be used, you can specify all domain controllers as LDAP Servers to which the Directory Sync connects.

If multiple options are specified for LDAP server connections, one of the successfully connected domain controllers will be selected as the one used by Directory Sync.

In environments where Directory Sync is installed on multiple machines for redundancy, observe the following precautions.

  • Scheduled executions must be configured and performed for only one instance of Directory Sync.
  • To change which instance of Directory Sync is used for scheduled executions, run Directory Sync in recovery mode and then configure the scheduled executions.

Multi-forest/Multi-domain

Running Directory Sync in Each Active Directory Domain

For each Active Directory domain, install and run an instance of Directory Sync in one system.

If multiple domain controllers are used in a single domain, you can specify all of them as LDAP servers to which Directory Sync can connect.
If multiple options are specified for LDAP server connections, one of the successfully connected domain controllers will be selected as the one used by Directory Sync.

You cannot run an instance of Directory Sync on multiple machines in the same domain. Running an instance of Directory Sync on multiple machines at the same time will cause errors in synchronization.

In environments where Directory Sync is installed on multiple machines for redundancy, observe the following precautions.

  • Scheduled executions must be configured and performed for only one instance of Directory Sync.
  • To change which instance of Directory Sync is used for scheduled executions, run Directory Sync in recovery mode and then configure the scheduled executions.

Configuring the SCIM Filter for Users

Directory Sync synchronizes the different users on each domain controller with the IIJ ID Service.
When running Directory Sync as a scheduled task, you must use the SCIM filter to restrict the users that are synchronized with the IIJ ID Service, so that one instance does not delete users that were created and synchronized by another instance of Directory Sync.

Use the following examples as reference to configure the SCIM filter so that only users corresponding to the domain controllers per instance of Directory Sync are synchronized with the IIJ ID Service.

Example 1: Filtering by Domain Part of User ID

To synchronize only users with a user ID in the "example.com" domain or the "example.jp" domain:

iid: 
  scim: 
    filter: 
      user: 'userName ew "@example.com" or userName ew "@example.jp"'

Example 2: Filtering Users by Group

In this example, an instance of Directory Sync synchronizes only the users that belong to the "Head Office" group. Groups specified here must not be synchronized by another instance of Directory Sync.

iid: 
  scim: 
    filter: 
      user: 'groups.display eq "Head Office"'

Example 3: Filtering by Department

To synchronize only users in the "Sales Department". Departments specified here must not be synchronized by another instance of Directory Sync.

iid: 
  scim: 
    filter: 
      user: 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.department sw "Sales Department"'

Parameter                                                              | Description
-----------------------------------------------------------------------|---------------------------------------------------------------------------
userName                                                               | User ID
groups.display                                                         | Name of group to which the user belongs
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.department  | Department
or                                                                     | Logical OR
ew                                                                     | Acronym for "ends with." Attribute value ends with the specified value.
eq                                                                     | Acronym for "equal." Attribute value equals the specified value.
sw                                                                     | Acronym for "starts with." Attribute value starts with the specified value.

Configuring the SCIM Filter for Groups

For each domain controller, Directory Sync synchronizes different groups with the IIJ ID Service.
When running Directory Sync as a scheduled task, you must use the SCIM filter to restrict the groups that are synchronized with the IIJ ID Service, so that one instance does not delete groups that were created and synchronized by another instance of Directory Sync.

Use the following example as a reference to configure the SCIM filter so that only groups corresponding to the domain controllers per instance of Directory Sync are synchronized with the IIJ ID Service.

Example: Filtering by Group Description

iid: 
  scim: 
    filter: 
      group: 'urn:iij:params:scim:schemas:extension:enterprise:2.0:Group.description eq "example.com domain group"'

Parameter                                                              | Description
-----------------------------------------------------------------------|---------------------------------------------------------------------------
displayName                                                            | Group name
urn:iij:params:scim:schemas:extension:enterprise:2.0:Group.description | Group description
or                                                                     | Logical OR
ew                                                                     | Acronym for "ends with." Attribute value ends with the specified value.
eq                                                                     | Acronym for "equal." Attribute value equals the specified value.
sw                                                                     | Acronym for "starts with." Attribute value starts with the specified value.
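The following is an added example, not Directory Sync's own code: a small evaluator for the filter syntax shown in the user and group examples above (eq, sw, ew, and or), run over constructed sample SCIM records. It also checks that the filters given to two instances never match the same record, which is the property the "must not be synchronized by another instance" rule requires. The records, the helper names and the simplified grammar (one term per attribute, or binding loosest) are assumptions for illustration.

```python
import re

# Constructed sample SCIM resources for illustration (not from the page).
ENT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
GRP = "urn:iij:params:scim:schemas:extension:enterprise:2.0:Group"
USERS = [
    {"userName": "alice@example.com", "groups": [{"display": "Head Office"}], ENT: {"department": "Sales Department 1"}},
    {"userName": "bob@example.jp", "groups": [{"display": "Branch"}], ENT: {"department": "Engineering"}},
    {"userName": "carol@example.org", "groups": [{"display": "Head Office"}], ENT: {"department": "Sales Department 2"}},
]
GROUPS = [
    {"displayName": "Head Office", GRP: {"description": "example.com domain group"}},
    {"displayName": "Branch", GRP: {"description": "example.jp domain group"}},
]

# One filter term: attribute path, operator, quoted value (values may contain spaces).
TERM = re.compile(r'(\S+)\s+(eq|sw|ew)\s+"([^"]*)"')
OPS = {"eq": str.__eq__, "sw": str.startswith, "ew": str.endswith}

def values(resource, path):
    """Return all string values at a SCIM attribute path.
    'groups.display' fans out over the list; 'urn:...:2.0:User.department'
    splits on the last dot so the schema URN stays intact."""
    if "." not in path:
        v = resource.get(path)
        return [v] if isinstance(v, str) else []
    parent, attr = path.rsplit(".", 1)
    node = resource.get(parent)
    nodes = node if isinstance(node, list) else [node] if node else []
    return [n[attr] for n in nodes if isinstance(n, dict) and isinstance(n.get(attr), str)]

def match(resource, filter_expr):
    """Evaluate terms joined by 'and'/'or' ('or' binds loosest); multi-valued
    attributes match when any value satisfies the term, as in SCIM."""
    def term(text):
        m = TERM.fullmatch(text.strip())
        if not m:
            raise ValueError("unsupported filter term: " + text)
        attr, op, val = m.groups()
        return any(OPS[op](v, val) for v in values(resource, attr))
    return any(all(term(t) for t in conj.split(" and ")) for conj in filter_expr.split(" or "))

def select(resources, filter_expr):
    """Names of the resources one Directory Sync instance would synchronize."""
    return [r.get("userName") or r.get("displayName") for r in resources if match(r, filter_expr)]

def filters_disjoint(resources, *filter_exprs):
    """True when no resource matches more than one instance's filter, i.e. no
    scheduled instance can delete objects that another instance created."""
    return all(sum(match(r, f) for f in filter_exprs) <= 1 for r in resources)
```

Running filters_disjoint with the filters planned for each instance before enabling scheduled executions catches overlaps such as a domain filter on one instance and a group filter on another that both cover the same user.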