What is the difference between the DirSync Domain Controller and the Operational Domain Controller?
The DirSync Server is a specific Active Directory Domain Controller to which an Active Roles Administration Service node is subscribed. Through this subscription, Active Roles receives notifications about CRUD (create, rename, update, and delete) operations processed by that specific Active Directory Domain Controller, as well as operations which that Domain Controller receives via Active Directory Replication. Active Roles then requests the attributes of the processed objects from the DirSync Server via LDAP. Using the results of the request, Active Roles determines whether the operation which was just processed needs to be actioned by a policy or automation such as a Dynamic Group.
Creating this subscription is the reason the Active Roles domain management account requires the "Replicating Directory Changes" extended right in Active Directory.
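As an added illustration (not part of the original article and not One Identity code), the following Python audits a domain security descriptor in SDDL form for trustees that hold the "Replicating Directory Changes" right, so the Active Roles account's grant can be confirmed and unexpected holders spotted. It goes slightly beyond the article by also reporting "Replicating Directory Changes All" and unscoped extended-right grants; the SDDL string, SIDs and function names are constructed for the example.

```python
import re

# Control access right GUIDs defined in the Active Directory schema.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes All",
}
ALL_EXTENDED = "All extended rights"

# Constructed sample: SDDL of a domain naming-context head. SIDs are made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;RPLCLORC;;;AU)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{DOM}-1105)"
    f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{DOM}-1106)"
    "(OA;CIIO;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;AU)"
    f"(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;{DOM}-1107)"
    "S:(OU;CISA;WP;;;WD)"
)


def tokens(field):
    """Split an SDDL flags/rights field into two-letter tokens (hex masks are mapped)."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {n for n, bit in (("CR", 0x100), ("GA", 0x10000000)) if mask & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def replication_right_holders(sddl):
    """Return sorted (trustee, right) pairs for allow ACEs granting a replication right."""
    holders = set()
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        parts = ace.split(";")
        if len(parts) < 6 or parts[0] not in ("A", "OA") or "IO" in tokens(parts[1]):
            continue  # skip deny/audit ACEs and inherit-only ACEs
        rights, obj, trustee = tokens(parts[2]), parts[3].lower(), parts[5]
        if "GA" in rights or ("CR" in rights and not obj):
            holders.add((trustee, ALL_EXTENDED))  # unscoped CR covers every extended right
        elif "CR" in rights and obj in REPL_RIGHTS:
            holders.add((trustee, REPL_RIGHTS[obj]))
    return sorted(holders)


if __name__ == "__main__":
    for trustee, right in replication_right_holders(SAMPLE_SDDL):
        print(f"{trustee:50} {right}")
```

The trustees in the output are SIDs or SDDL aliases; resolve them to account names and compare against the accounts expected to hold the right, including the Active Roles domain management account.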
The DirSync Server is a per-Active Roles Administration Service, per-Managed Domain setting. If the DirSync Server becomes unresponsive or sends an error, Active Roles will start using another Domain Controller as the DirSync Server. By default, Active Roles will fail over to any Domain Controller in the environment. This behavior can be changed using the DirSync Server Selection screen in the Active Roles Console.
The Operational Domain Controller is the Active Directory Domain Controller to which Active Roles will send operations which have been requested by Active Roles clients. In a distributed environment with multiple Active Directory sites, it is necessary to be able to target any given Active Directory Domain Controller in order to make a change that is relevant for a specific end user or process. Allowing the specification of an Operational Domain Controller provides this targeting.
Within the Active Roles client, the Active Roles User can choose the Operational Domain Controller as a property of the Active Directory Domain. In the Active Roles Console, for example, an Active Roles User can choose the All Tasks | Change Operational DC command on the Active Directory domain object. In the Active Roles Web Interface, the Change Operational DC command is present on the Active Directory domain. Both the Active Roles Console and the Active Roles Web Interface store the Operational DC setting between sessions (the Active Roles Console stores it in an MSC preference file and the Active Roles Web Interface stores it in a browser cookie).
If the Operational Domain Controller becomes unavailable, both the Active Roles Console and the Active Roles Web Interface display an error message and provide the User the ability to select another Domain Controller.
By default, the Operational Domain Controller is set to the same Active Directory Domain Controller as the current DirSync Server.
© 2023 One Identity LLC. ALL RIGHTS RESERVED.