1. The Administration Service uses Microsoft's directory synchronization (DirSync) control to retrieve changes that occur in Active Directory (AD). (Please see Knowledge Article 19418 for additional information about Active Roles and DirSync.)
This ensures the following:
- The Active Roles Administration Service always has up-to-date information about all directory objects.
- The membership lists of all administrative views (Managed Units) and query-based dynamic groups are correct and up to date.
- Once an object is created, renamed, or moved in Active Directory, the Administration Service appropriately updates all views, groups and security settings.
2. From the Active Directory point of view, a Dynamic Group is a normal group, so any Active Directory limits on group membership size apply to it. The Dynamic Groups policy settings let you accommodate those limits. Please see the "Dynamic Groups Policy" section of the Administrator Guide for more information about the specific policy settings available.
3. As stated above, Dynamic Groups are subject to the limits of the Active Directory environment: depending on your forest and domain functional levels, group membership limits may be in effect.
The creation and modification of membership rules is only supported using the Active Roles MMC/console. The Active Roles Web Interface does not support creating, modifying, or viewing of Dynamic Group membership rules.
The "Dynamic Group Checker" Builtin Scheduled Task verifies the configuration of Dynamic Groups to ensure that the membership list of each Dynamic Group is updated in a timely manner. If an update does not occur within a certain time period, this task adjusts the "edsaDGOriginatingService" setting that the Dynamic Group Updater task relies on. The time period is specified on the Parameters tab of the Task Properties dialog box, by assigning an appropriate value to the "DG update latency threshold" parameter.
The "Dynamic Group Updater" Builtin Scheduled task rebuilds membership lists of Dynamic Groups in accordance with the current membership rule settings. It processes only those Dynamic Groups that have "edsaDGOriginatingService" set to the Administration Service on which this task is executed. The "edsaDGOriginatingService" setting can be configured on the "Membership Rules" tab in the Dynamic Group Properties dialog box.
Dynamic Group membership queries are LDAP search filters, so each condition compares an attribute to a literal value, in the form "Does attribute x equal value y?" It is not possible to compare two attributes of the same object, such as "Does attribute x equal attribute z?"
Conclusion:
Dynamic Groups are updated by the Active Roles Administration Service during three operations:
- When the Dynamic Group is edited (e.g. its membership criteria are changed).
- When a DirSync event reports a user update that matches the Dynamic Group criteria. For example, if a Dynamic Group is based on Description=Sales, Active Roles listens for DirSync updates to users having Description=Sales. If it finds such a change, it immediately updates the Dynamic Group.
- During the nightly run of the Dynamic Group Updater scheduled task. This rebuilds only the Dynamic Groups whose membership changed that day; other Dynamic Groups are not rebuilt.
Note: When a Dynamic Group is copied in Active Roles, the resulting group is a standard Active Directory security group. Membership rules are not retained in the target group; instead, the members of the source group become static members of the target group.
For more information, please see the Knowledge Article "What attribute contains the information on how a Dynamic Group is built?"
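The two behaviours described above, a query-based membership rule that compares an attribute to a literal value (never to another attribute) and the DirSync-driven re-evaluation of a single changed object, as an added Python model. This is example code written for this article, not Active Roles code: it implements a small subset of the RFC 4515 filter grammar (attr=value, attr=*, and the &, | and ! operators), evaluates it over a constructed in-memory directory, and then re-evaluates one changed entry the way the Administration Service does between scheduled rebuilds. The DNs, attribute values and function names are invented for illustration, and a real Active Roles membership rule set offers more rule types than the single query rule modelled here.

```python
"""Added example, not Active Roles code: evaluating a query-based Dynamic Group
membership rule (a small subset of RFC 4515: attr=value, attr=*, &, |, !) over a
constructed in-memory directory, plus the DirSync-style re-evaluation of one
changed object."""

# Constructed sample directory: DN -> {attribute (lower-case): [values]}.
ALICE = "CN=Alice,OU=Staff,DC=example,DC=com"
BOB = "CN=Bob,OU=Staff,DC=example,DC=com"
CAROL = "CN=Carol,OU=Staff,DC=example,DC=com"
DAVE = "CN=Dave,OU=Staff,DC=example,DC=com"
DIRECTORY = {
    ALICE: {"description": ["Sales"], "department": ["Sales"], "manager": [CAROL]},
    BOB: {"description": ["Sales"], "department": ["Marketing"], "manager": [CAROL]},
    CAROL: {"description": ["Engineering"], "department": ["Engineering"]},
    DAVE: {"department": ["Sales"]},  # no description attribute at all
}


def parse_filter(text):
    """Parse a filter string into a tuple tree, e.g.
    '(&(a=1)(b=2))' -> ('&', [('=', 'a', '1'), ('=', 'b', '2')])."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing text after filter: %r" % rest)
    return node


def _parse(s):
    if not s.startswith("("):
        raise ValueError("expected '(' at %r" % s[:12])
    s = s[1:]
    if s[:1] in ("&", "|"):  # (&(f)(g)...) or (|(f)(g)...)
        op, s = s[0], s[1:]
        children = []
        while s.startswith("("):
            child, s = _parse(s)
            children.append(child)
        if not children or not s.startswith(")"):
            raise ValueError("malformed %r filter" % op)
        return (op, children), s[1:]
    if s[:1] == "!":  # (!(f))
        child, s = _parse(s[1:])
        if not s.startswith(")"):
            raise ValueError("malformed '!' filter")
        return ("!", child), s[1:]
    end = s.find(")")  # simple item: attr=value (the value may itself contain '=')
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[:end].partition("=")
    if not sep or not attr.strip():
        raise ValueError("only attr=value items are supported: %r" % s[:end])
    return ("=", attr.strip().lower(), value.strip()), s[end + 1:]


def matches(node, entry):
    """Evaluate a parsed filter against one entry ({attr: [values]})."""
    kind = node[0]
    if kind == "&":
        return all(matches(child, entry) for child in node[1])
    if kind == "|":
        return any(matches(child, entry) for child in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    present = entry.get(attr, [])
    if value == "*":  # presence test
        return bool(present)
    # The right-hand side of '=' is always a literal assertion value. The grammar
    # has no way to say "attribute x equals attribute z of the same entry":
    # (department=description) only finds entries whose department is the
    # literal string "description".
    return any(v.lower() == value.lower() for v in present)


def compute_members(rule_filter, directory):
    """Full rebuild: every object the rule's filter selects becomes a member
    (what a scheduled Dynamic Group Updater run does for a group it owns)."""
    node = parse_filter(rule_filter)
    return sorted(dn for dn, entry in directory.items() if matches(node, entry))


def apply_change(rule_filter, members, changed_dn, new_entry):
    """Incremental update on a DirSync notification: re-evaluate only the
    changed object and add or drop it. Returns the new sorted member list."""
    node = parse_filter(rule_filter)
    members = set(members)
    if matches(node, new_entry):
        members.add(changed_dn)
    else:
        members.discard(changed_dn)
    return sorted(members)


if __name__ == "__main__":
    rule = "(description=Sales)"
    members = compute_members(rule, DIRECTORY)
    print("initial members:", members)
    # Bob's description changes; only Bob is re-evaluated, not the whole directory.
    bob_after = dict(DIRECTORY[BOB], description=["Engineering"])
    print("after DirSync change:", apply_change(rule, members, BOB, bob_after))
```

Run the module directly to see the full rebuild followed by the single-object update. Note the difference in cost: compute_members walks the whole directory, while apply_change touches only the object named in the change notification, which is why the DirSync path can keep membership current between scheduled Updater runs. A filter such as (manager=CN=Carol,OU=Staff,DC=example,DC=com) works because the assertion value is a literal DN; (department=description) does not compare the two attributes and simply matches nothing in this directory.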
© 2021 One Identity LLC. ALL RIGHTS RESERVED.