The ARS Service uses Microsoft's directory synchronization (DirSync) control to retrieve changes that occur in Active Directory.
This ensures the following:
- The ARS Clients always display up-to-date information about all directory objects.
- The membership lists of all administrative views (Managed Units) and query-based (dynamic) groups are correct.
- Once an object is created, renamed, or moved in Active Directory, the ARS Service appropriately updates all views, groups and security settings.
To use the DirSync control, the EDM Service must have the "Replicating Directory Changes" extended right.
The ARS Service must maintain consistency between the data stored in Active Directory and the data stored in its internal memory structures. For performance reasons, and to minimize network traffic to domain controllers, the ARS Service caches in memory a small piece of data for every directory object. This data includes object identification attributes and must be updated whenever an object is created, renamed, or moved in Active Directory. Otherwise, the ARS Service may:
- Lose the object; as a result, the object cannot be displayed by ARS Clients.
- Be unable to update query-based membership lists; as a result, the object belongs to improper administrative views (Managed Units) and query-based (dynamic) groups.
In the latter case, security settings on the object may become incorrect, because permissions are normally specified at (and inherited from) the Managed Unit level, and given to security groups.
The EDM Service caches in memory the following attributes from Active Directory:
In order to maintain consistency of the memory cache with the data stored in Active Directory, the EDM Service performs a directory search using Microsoft's DirSync control - an LDAP server extension that enables applications to search Active Directory for objects that have changed since a previous state. The main advantage of this solution is that the search results include only the objects and attributes that have changed since the previous state, thereby considerably decreasing operation overhead.
The DirSync caller must have the "Replicating Directory Changes" extended right - the right needed to replicate changes from Active Directory.
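The following is an added example, not code from the original page or from the product: a least-privilege check that lists which trustees hold "Replicating Directory Changes" on a domain head, given its security descriptor in SDDL form. The SDDL string and the SIDs in it are constructed for illustration; the GUID is the rightsGuid of the DS-Replication-Get-Changes control access right.

```python
import re

# rightsGuid of DS-Replication-Get-Changes, shown in ACL editors as
# "Replicating Directory Changes".
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
CONTROL_ACCESS = 0x100        # ADS_RIGHT_DS_CONTROL_ACCESS ("CR" in SDDL)
GENERIC_ALL = 0x10000000      # "GA" in SDDL

def _codes(s):
    """Split an SDDL flag/rights string into its two-letter codes."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def grants_control_access(rights):
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (CONTROL_ACCESS | GENERIC_ALL))
    return bool(_codes(rights) & {"CR", "GA"})

def replication_trustees(sddl):
    """Map trustee -> how its allow ACE grants the right on this object.
    Deny ACEs and group nesting are not evaluated here."""
    found = {}
    for body in re.findall(r"\(([^()]*)\)", sddl):
        fields = body.split(";")
        if len(fields) != 6:
            continue
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = fields
        if ace_type not in ("A", "OA"):        # skips deny and SACL audit ACEs
            continue
        if "IO" in _codes(flags):              # inherit-only: not effective here
            continue
        if not grants_control_access(rights):
            continue
        if obj_guid.lower() == REPL_GET_CHANGES:
            found.setdefault(trustee, "explicit")
        elif obj_guid == "":                   # no GUID: every extended right
            found[trustee] = "all extended rights"
    return found

# Constructed SDDL for a domain naming-context head; SIDs and the
# all-zero GUID are made up for this example.
SVC = "S-1-5-21-1111111111-2222222222-3333333333-1601"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;GA;;;DA)"
    f"(OA;;CR;{REPL_GET_CHANGES};;{SVC})"
    f"(OA;CIIO;CR;{REPL_GET_CHANGES};;S-1-5-21-1111111111-2222222222-3333333333-1700)"
    "(OA;;CR;00000000-0000-0000-0000-000000000001;;AU)"
    "(A;;RPLC;;;AU)"
    "S:(AU;SA;CR;;;WD)"
)
```

On the sample, only the service account holds the right explicitly; the Domain Admins entry appears because a full-control ACE without an object GUID covers every extended right.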
In a large enterprise environment with many managed domains, the DirSync server for each managed domain should be the closest available domain controller to the ARS Service. You can change this setting in the properties of each managed domain, on the DIRSYNC tab. The settings take effect immediately.