지금 지원 담당자와 채팅
지원 담당자와 채팅

Identity Manager 9.2 - Administration Guide for Connecting to Active Directory

Managing Active Directory environments Synchronizing an Active Directory environment
Setting up initial synchronization with an Active Directory domain Adjusting the synchronization configuration for Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Active Directory user accounts and identities
Account definitions for Active Directory user accounts and Active Directory contacts Assigning identities automatically to Active Directory user accounts Supported user account types Updating identities when Active Directory user account are modified Automatic creation of departments and locations based on user account information Specifying deferred deletion for Active Directory user accounts and Active Directory contacts
Managing memberships in Active Directory groups Login credentials for Active Directory user accounts Mapping Active Directory objects in One Identity Manager
Active Directory domains Active Directory container structures Active Directory user accounts Active Directory contacts Active Directory groups Active Directory computers Active Directory security IDs Active Directory printers Active Directory sites Reports about Active Directory objects
Handling of Active Directory objects in the Web Portal Basic data for managing an Active Directory environment Configuration parameters for managing an Active Directory environment Default project template for Active Directory Processing methods of Active Directory system objects Active Directory connector settings

Editing connection parameters in the variable set

The connection parameters were saved as variables in the default variable set when synchronization was set up. You can change the values in these variables to suit you requirements and assign the variable set to a start up configuration and a base object. This means that you always have the option to use default values from the default variable set.

NOTE: To guarantee data consistency in the connected target system, ensure that the start-up configuration for synchronization and the base object for provisioning use the same variable set. This especially applies if a synchronization project is used for synchronizing Active Directory domains.

To customize connection parameters in a specialized variable set

  1. In the Synchronization Editor, open the synchronization project.

  2. Select the Configuration > Target system category.

  3. Open the Connection parameters view.

    Some connection parameters can be converted to variables here. For other parameters, variables are already created.

  4. Select a parameter and click Convert.

  5. Select the Configuration > Variables category.

    All specialized variable sets are shown in the lower part of the document view.

  6. Select a specialized variable set or click on in the variable set view's toolbar.

    • To rename the variable set, select the variable set and click the variable set view in the toolbar . Enter a name for the variable set.

  7. Select the previously added variable and enter a new value.

  8. Select the Configuration > Start up configurations category.

  9. Select a start up configuration and click Edit.

  10. Select the General tab.

  11. Select the specialized variable set in the Variable set menu.

  12. Select the Configuration > Base objects category.

  13. Select the base object and click .

    - OR -

    To add a new base object, click .

  14. Select the specialized variable set in the Variable set menu.

  15. Save the changes.

For more information about using variables and variable sets, or restoring default values and adding base objects, see the One Identity Manager Target System Synchronization Reference Guide.

Related topics

Editing target system connection properties

You can also use the system connection wizard to change the connection parameters. If variables are defined for the settings, the changes are transferred to the active variable set.

NOTE: In the following circumstances, the default values cannot be restored:

  • The connection parameters are not defined as variables.

  • The default variable set is selected as an active variable set.

In both these cases, the system connection wizard overwrites the default values. They cannot be restored at a later time.

To edit connection parameters using the system connection wizard

  1. In the Synchronization Editor, open the synchronization project.

  2. In the toolbar, select the active variable set to be used for the connection to the target system.

    NOTE: If the default variable set is selected, the default values are overwritten and cannot be restored at a later time.

  3. Select the Configuration > Target system category.

  4. Click Edit connection.

    This starts the system connection wizard.

  1. Follow the system connection wizard instructions and change the relevant properties.

  2. Save the changes.
Related topics

Updating schemas

All the schema data (schema types and schema properties) of the target system schema and the One Identity Manager schema are available when you are editing a synchronization project. Only a part of this data is really needed for configuring synchronization. If a synchronization project is finished, the schema is compressed to remove unnecessary data from the synchronization project. This can speed up the loading of the synchronization project. Deleted schema data can be added to the synchronization configuration again at a later point.

If the target system schema or the One Identity Manager schema has changed, these changes must also be added to the synchronization configuration. Then the changes can be added to the schema property mapping.

To include schema data that have been deleted through compression and schema modifications in the synchronization project, update each schema in the synchronization project. This may be necessary if:

  • A schema was changed by:

    • Changes to a target system schema

    • Customizations to the One Identity Manager schema

    • A One Identity Manager update migration

  • A schema in the synchronization project was shrunk by:

    • Enabling the synchronization project

    • Saving the synchronization project for the first time

    • Compressing a schema

To update a system connection schema

  1. In the Synchronization Editor, open the synchronization project.

  2. Select the Configuration > Target system category.

    - OR -

    Select the Configuration > One Identity Manager connection category.

  3. Select the General view and click Update schema.

  4. Confirm the security prompt with Yes.

    This reloads the schema data.

To edit a mapping

  1. In the Synchronization Editor, open the synchronization project.

  2. Select the Mappings category.

  3. Select a mapping in the navigation view.

    Opens the Mapping Editor. For more information about mappings, see the One Identity Manager Target System Synchronization Reference Guide.

NOTE: The synchronization is deactivated if the schema of an activated synchronization project is updated. Reactivate the synchronization project to synchronize.

Speeding up synchronization with revision filtering

When you start synchronization, all synchronization objects are loaded. Some of these objects have not be modified since the last synchronization and, therefore, must not be processed. Synchronization is accelerated by only loading those object pairs that have changed since the last synchronization. One Identity Manager uses revision filtering to accelerate synchronization.

Active Directory supports revision filtering. The Active Directory objects' Update Sequence Number (USN) is used as revision counter. The Update Sequence Number (USN) is a sequential number that is incremented when changes are made to Active Directory objects. An Active Directory object has its own USN on each domain controller. During synchronization, the highest USN of the rootDSE to be found on the domain controller is stored as revision in the One Identity Manager database (table DPRRevisionStore, column value). This value is used as a comparison for revision filtering when the same workflow is synchronized the next time. When this workflow is synchronized the next time, the Active Directory objects' USN is compared with the revision saved in the One Identity Manager database. This involves finding object pairs where one has a newer USN than the last time it was synchronized. Thus, only objects that have changed since the last synchronization are updated.

Synchronization is even faster if the change information on the schema type also takes deleted objects into account. If a schema type's objects were neither added, changed nor deleted, the synchronization step can be skipped. Objects must not be loaded for comparison. Active Directory provides the information about whether objects in the synchronized domain were added, changed, or deleted.

To use optimized revision filtering

  • In the Designer, set the Common | TableRevision configuration parameter.

    Now each time a table changes, the table's revision date updates. This information is stored in the QBMTableRevision table, RevisionDate column. In this way, One Identity Manager identifies whether a table object has been added, changed, or deleted.

Synchronization with revision filtering compares a table's revision date and the domain's change information against the revision saved in the One Identity Manager database. If the revision date is older, no objects have been changed in this table since the previous synchronization. If the change information of the domain is also older, no objects in this domain have been changed since the previous synchronization. Therefore, synchronization does not carry out this step for the affected table. If the revision date or change information of the domain is newer, synchronization does carry out this step and the changed objects are determined as described above.

The revision is found at start of synchronization. Objects modified by synchronization are loaded and checked by the next synchronization. This means that the second synchronization after initial synchronization is not significantly faster.

Revision filtering can be applied to workflows and start up configuration.

To permit revision filtering on a workflow

  • In the Synchronization Editor, open the synchronization project.

  • Edit the workflow properties. Select the Use revision filter item from Revision filtering menu.

To permit revision filtering for a start up configuration

  • In the Synchronization Editor, open the synchronization project.

  • Edit the start up configuration properties. Select the Use revision filter item from the Revision filtering menu.

NOTE: Specify whether revision filtering will be applied when you first set up initial synchronization in the project wizard.

NOTE: If the Common | TableRevision is not set, all revision data in the QBMTableRevision table is deleted.

For more information about revision filtering, see the One Identity Manager Target System Synchronization Reference Guide.

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택