There are two modes of updating Dynamic Group (DG) membership: 1) Dirsync processing 2) Complete rebuild
1. Dirsync processing is performed by all Active Roles servers. When a particular Active Roles server receives a dirsync notification, it assesses whether the change may lead to a change in group membership. If so (e.g., the DG is built on the attribute "City" and Active Roles detects that City was changed), it checks whether the user is already a member of the group (the change may already have been made by another Active Roles service), and if the change is still necessary, it modifies the group. If Dirsync processing detects that the number of changes exceeds 100 objects (e.g., more than 100 new users need to be added to the group), it waits for the complete rebuild.
2. Complete rebuild:
* Can be done on a schedule (by running the built-in task)
* Can be initiated from the MMC (by selecting the ZRebuild command)
* Is performed on one ARS service only. The GUID of the Active Roles service that should perform the rebuild is one of the DG's properties
What does Active Roles do to process a DG if the specific Active Roles server becomes unavailable? Active Roles has a daily built-in task, DG-Checker, that verifies whether the GUID of the originating Active Roles service corresponds to a live Active Roles service. If it discovers that this Active Roles service no longer exists, it reassigns the DG to be processed by the Active Roles service that is running this DG verification task. (Since each Active Roles service runs the same task, a DG should not be orphaned for longer than 1 day.)
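The behaviour described above can be followed in a small model. This is an added example, not Active Roles code: the class, function names and GUID strings are hypothetical, and only the 100-object limit, the membership re-check and the owner reassignment come from the text.

```python
from dataclasses import dataclass, field

DIRSYNC_LIMIT = 100  # per the article: more than 100 changes wait for the complete rebuild

@dataclass
class DynamicGroup:
    rule_attr: str    # attribute the membership rule is built on, e.g. "City"
    rule_value: str   # value that makes a user a member
    owner_guid: str   # GUID of the one service allowed to run the complete rebuild
    members: set = field(default_factory=set)
    writes: int = 0   # number of actual group modifications

def dirsync(group, directory, changed):
    """One server's handling of a notification batch {user: changed attribute}."""
    relevant = [u for u, attr in changed.items() if attr == group.rule_attr]
    # Re-check current membership: another server may already have made the change.
    needed = [u for u in relevant
              if (directory[u][group.rule_attr] == group.rule_value) != (u in group.members)]
    if len(needed) > DIRSYNC_LIMIT:
        return "deferred"          # left for the complete rebuild
    for u in needed:
        group.members ^= {u}       # add a missing member or drop a stale one
        group.writes += 1
    return "applied" if needed else "no-op"

def complete_rebuild(group, directory, service_guid):
    """Only the service whose GUID is stored on the group rebuilds it."""
    if service_guid != group.owner_guid:
        return False
    group.members = {u for u, a in directory.items() if a[group.rule_attr] == group.rule_value}
    return True

def dg_checker(group, alive_guids, my_guid):
    """Daily check: take over a group whose owning service no longer exists."""
    if group.owner_guid in alive_guids:
        return False
    group.owner_guid = my_guid
    return True

if __name__ == "__main__":
    # Constructed sample data: 101 users whose City now matches the rule.
    users = {f"user{i}": {"City": "Oslo"} for i in range(101)}
    dg = DynamicGroup("City", "Oslo", owner_guid="guid-A")
    print(dirsync(dg, users, {u: "City" for u in users}))   # over the limit
    print(dg_checker(dg, alive_guids={"guid-B"}, my_guid="guid-B"))
    print(complete_rebuild(dg, users, "guid-B"), len(dg.members))
```

Because every server re-checks membership before writing, a notification seen by several servers produces one modification, and a group owned by a vanished service stays stale for large changes until DG-Checker reassigns it.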