Thanks for your reply.
This is my configuration on 389ds server.
Please tell me if the attribute of "oneWaySync: fromWindows" is correct.
Now, the new users in AD can't be synced to 389ds every 5 minutes, I have to
click "Initiate full Re-synchronized" manually. I'm stuck for days.
Thanks in advance!
> dn: cn=ou1,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
> objectClass: top
> objectClass: nsDSWindowsReplicationAgreement
> description: OU=ou1,OU=Accounts,DC=example,DC=com
> cn: ou1
> nsds7WindowsReplicaSubtree: OU=ou1,OU=Accounts,DC=example,DC=com
> nsds7DirectoryReplicaSubtree: ou=Accounts, dc=example,dc=com
> nsds7NewWinUserSyncEnabled: on
> nsds7NewWinGroupSyncEnabled: off
> nsds7WindowsDomain: example.com
> nsDS5ReplicaRoot: dc=example,dc=com
> nsDS5ReplicaHost: tc-dc-2.example.com
> nsDS5ReplicaPort: 389
> nsDS5ReplicaBindDN: cn=ad_bind,cn=Users,dc=example,dc=com
> nsDS5ReplicaBindMethod: SIMPLE
> nsDS5ReplicaCredentials:
> *oneWaySync: fromWindows*
> nsds50ruv: {replicageneration} 5d5a75d80000ffff0000
> *nsDS5ReplicaUpdateSchedule: 1200-1210 4*
>
> dn: cn=ou2,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
> objectClass: top
> objectClass: nsDSWindowsReplicationAgreement
> description: OU=ou2,OU=Accounts,DC=example,DC=com
> cn: ou2
> nsds7WindowsReplicaSubtree: OU=ou2,OU=Accounts,DC=example,DC=com
> nsds7DirectoryReplicaSubtree: ou=Accounts, dc=example,dc=com
> nsds7NewWinUserSyncEnabled: on
> nsds7NewWinGroupSyncEnabled: off
> nsds7WindowsDomain: example.com
> nsDS5ReplicaRoot: dc=example,dc=com
> nsDS5ReplicaHost: tc-dc-2.example.com
> nsDS5ReplicaPort: 389
> nsDS5ReplicaBindDN: cn=ad_bind,cn=Users,dc=example,dc=com
> nsDS5ReplicaBindMethod: SIMPLE
> nsDS5ReplicaCredentials:
> *oneWaySync: fromWindows*
> nsds50ruv: {replicageneration} 5d5a75d80000ffff0000
> nsDS5ReplicaUpdateSchedule: 1211-1220 4
>
Sincerely,
--
DaV
On Tue, Aug 27, 2019, at 02:18, Mark Reynolds wrote:
>
> On 8/23/19 5:38 AM, DaV wrote:
>> Hi all,
>> For OneWaySync, AD to 389ds.
>>
>> I have read this guide
>> https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/using_windows_sync-modifying_the_sync_agreement
>>
>>> Synchronization works two ways. The Directory Server sends its updates to
>>> Active Directory on a configurable schedule, similar to replication, using
>>> the *nsds5replicaupdateschedule* attribute. The Directory Server polls the
>>> Active Directory to check for changes; the frequency that it checks the
>>> Active Directory server is set in the *winSyncInterval* attribute.
>>> By default, the Directory Server update schedule is to always be in sync.
>>> The Active Directory interval is to poll the Active Directory every five
>>> minutes.
>>> To change the schedule the Directory Server uses to send its updates to the
>>> Active Directory, edit the nsds5replicaupdateschedule attribute. The
>>> schedule is set with start (SSSS) and end (EEEE) times in the form HHMM,
>>> using a 24-hour clock. The days to schedule sync updates are use ranging
>>> from 0 (Sunday) to 6 (Saturday).
>>
>> I want to know how to disable the *nsds5replicaupdateschedule *attribute.
>> Because I just want sync from AD to 389ds.
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/configuration_command_and_file_reference/core_server_configuration_reference#Replication_Attributes_under_cnReplicationAgreementName_cnreplica_cnsuffixName_cnmapping_tree_cnconfig-nsDS5ReplicaUpdateSchedule
> You can set it to "`0000-0001 0" to disable synchronizing according to the
> link above`
> ``
>> Thanks in advance!
>>
>> Sincerely,
>> --
>> DaV
>>
>> On Fri, Aug 23, 2019, at 08:18, DaV wrote:
>> > Hi William,
>> > Thanks for your reply.
>> >
>> > Sorry for incorrect message yesterday.
>> > My windows sync agreement exactly is:
>> >
>> > agreement1:
>> > >> DS Host: 389ds:389
>> > > >> Windows Host: dc01.example.com:389
>> > > >> DS Subtree: ou=Users,dc=example,dc=com
>> > > >> Windows Subtree: ou=ou1,OU=Accounts, DC=example,DC=com
>> > > >> Replicated subtree: dc=example,dc=com
>> >
>> > agreement2:
>> > >> DS Host: 389ds:389
>> > > >> Windows Host: dc01.example.com:389
>> > > >> DS Subtree: ou=Users,dc=example,dc=com
>> > > >> Windows Subtree: ou=ou2,OU=Accounts, DC=example,DC=com
>> > > >> Replicated subtree: dc=example,dc=com
>> >
>> >
>> > The windows AD has two OUs, and I want the two OUs are synced to the
>> > same ou(ou=users,dc=example,dc=com) in 389ds server.
>> > Maybe you would say I can create two same OUs in 389ds first and then
>> > create the sync agreement. But I don't want this because I want all
>> > accounts under the same ou in 389ds(no sub-ou).
>> >
>> >
>> > I have another question about this issue.
>> > After the two sync agreements created, I create a new user on AD side,
>> > after 5 minutes(default), nothing happens, the account hasn't been
>> > synced to 389ds correctly. I must click the "Initiate full
>> > Re-syncronization" to sync the account info, and then change account
>> > password on AD side manually so that the passsync can sync the
>> > password.
>> >
>> > >My concern is moving an account from ou1 to ou2 and how
>> > > that would work (or break).
>> > Because the digestion is same OU in 389ds, so move an account from ou1
>> > to ou2 on AD side, nothing happens .
>> >
>> >
>> > Another issue is :
>> > OnewaySync
>> > I want all data flow is AD to 389ds.
>> > I have configured the OnewaySync followed this link
>> > https://directory.fedoraproject.org/docs/389ds/howto/howto-one-way-active-directory-sync.html
>> > for every sync agreement, I add one line
>> > oneWaySync: fromWindows
>> >
>> >
>> > The error message /var/log/dirsrv/slapd-INSTANCE/errors like this:
>> > [23/Aug/2019:08:14:58.033989856 +0800] - WARN - NSMMReplicationPlugin -
>> > windows sync - windows_inc_run - agmt="cn=others" (tc-dc-2:389):
>> > Replica has no update vector. It has never been initialized.
>> > [23/Aug/2019:08:15:01.071494645 +0800] - WARN - NSMMReplicationPlugin -
>> > windows sync - windows_inc_run - agmt="cn=others" (tc-dc-2:389):
>> > Replica has no update vector. It has never been initialized.
>> >
>> > I don't want the sync agreement to be bi-directional. So how to resolve
>> > this error message.
>> > Thanks in advance!
>> >
>> >
>> > Sincerely,
>> > --
>> > DaV
>> >
>> > On Fri, Aug 23, 2019, at 07:38, William Brown wrote:
>> > >
>> > >
>> > > > On 21 Aug 2019, at 22:10, DaV <snow...@gmail.com> wrote:
>> > > >
>> > > > Hi guys,
>> > > > Just update for this issue.
>> > > >
>> > > > Finally, I create multi windows sync agreement for each OU to sync the
>> > > > user account.
>> > > > like this:
>> > > >
>> > > >> DS Host: 389ds:389
>> > > >> Windows Host: dc01.example.com:389
>> > > >> DS Subtree: ou=ou1,ou=Users,dc=example,dc=com
>> > > >> Windows Subtree: OU=Accounts, DC=example,DC=com
>> > > >> Replicated subtree: dc=example,dc=com
>> > > >
>> > > >> DS Host: 389ds:389
>> > > >> Windows Host: dc01.example.com:389
>> > > >> DS Subtree: ou=ou2,ou=Users,dc=example,dc=com
>> > > >> Windows Subtree: OU=Accounts, DC=example,DC=com
>> > > >> Replicated subtree: dc=example,dc=com
>> > > > So the user account sync is done.
>> > > >
>> > > > For password sync, now I can't sync user's password with an " Initiate
>> > > > full Re-syncronization". I must reset all users one-by-one on AD
>> > > > server to sync the password. This is not convenient.
>> > > >
>> > > > Do you have any advice?
>> > > >
>> > >
>> > > I think Mark is the person who knows the most about this. I agree your
>> > > solution isn't really optimal here so I totally get you wanting to
>> > > improve this. My concern is moving an account from ou1 to ou2 and how
>> > > that would work (or break).
>> > >
>> > >
>> > >
>> > >
>> > > >
>> > > > This is the log info:
>> > > >> [21/Aug/2019:08:56:57.876105371 +0800] - ERR - NSMMReplicationPlugin
>> > > >> - windows sync - windows_tot_run - Beginning total update of replica
>> > > >> "agmt="cn=chuxun" (tc-dc-2:389)".
>> > > >> [21/Aug/2019:08:56:58.546297794 +0800] - ERR - NSMMReplicationPlugin
>> > > >> - windows sync - windows_process_total_add - agmt="cn=chuxun"
>> > > >> (tc-dc-2:389) - Cannot replay add operation.
>> > > >> [21/Aug/2019:08:56:58.575112136 +0800] - ERR - NSMMReplicationPlugin
>> > > >> - windows sync - bind_and_check_pwp - agmt="cn=chuxun" (tc-dc-2:389):
>> > > >> Replication bind with SIMPLE auth resumed
>> > > >> [21/Aug/2019:08:56:58.577280706 +0800] - WARN - NSMMReplicationPlugin
>> > > >> - windows sync - windows_inc_run - agmt="cn=chuxun" (tc-dc-2:389):
>> > > >> Replica has no update vector. It has never been initialized.
>> > > >> [21/Aug/2019:08:56:58.579569199 +0800] - WARN - NSMMReplicationPlugin
>> > > >> - windows sync - windows_inc_run - agmt="cn=chuxun" (tc-dc-2:389):
>> > > >> Replica has no update vector. It has never been initialized.
>> > > >> [21/Aug/2019:08:56:59.581808252 +0800] - WARN - NSMMReplicationPlugin
>> > > >> - windows sync - windows_inc_run - agmt="cn=wangxun" (tc-dc-2:389):
>> > > >> Replica has no update vector. It has never been initialized.
>> > > >
>> > > > Sincerely,
>> > > > --
>> > > > DaV
>> > > >
>> > > >
>> > > >
>> > > >
>> > > > On Tue, Aug 20, 2019, at 09:28, DaV wrote:
>> > > >> Hi all,
>> > > >> I'm using a new 389 directory server on CentOS 7.6 with
>> > > >> 389-ds-base.x86_64 (1.3.8.4-15.el7), and I want to sync user and
>> > > >> password from Windows 2016 to 389ds one way.
>> > > >> The Synchronization Agreement like this:
>> > > >> DS Host: 389ds:389
>> > > >> Windows Host: dc01.example.com:389
>> > > >> DS Subtree: ou=Users,dc=example,dc=com
>> > > >> Windows Subtree: OU=Accounts, DC=example,DC=com
>> > > >> Replicated subtree: dc=example,dc=com
>> > > >>
>> > > >> Here is my question:
>> > > >> The sync agreement can only sync top-level OU=Accounts, DC=example,
>> > > >> DC=com from Win2016 to 389ds server.
>> > > >> In fact, I have
>> > > >> ou=ou1,ou=accounts,dc=example,dc=com
>> > > >> ou=ou2,ou=accounts,dc=example,dc=com
>> > > >> on Win2016 server.
>> > > >> I want the sync agreement can sync not only the top-level but also
>> > > >> the child ou.
>> > > >>
>> > > >> This is the error log for your reference. Thanks!
>> > > >>> [20/Aug/2019:07:58:40.307031692 +0800] - ERR - NSMMReplicationPlugin
>> > > >>> - windows sync - windows_tot_run - Beginning total update of replica
>> > > >>> "agmt="cn=389ds" (tc-dc-2:389)".
>> > > >>> [20/Aug/2019:07:58:40.309113230 +0800] - INFO - slapd_daemon - slapd
>> > > >>> started. Listening on All Interfaces port 389 for LDAP requests
>> > > >>> [20/Aug/2019:08:34:21.730939271 +0800] - WARN -
>> > > >>> NSMMReplicationPlugin - windows sync - windows_inc_run -
>> > > >>> agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has
>> > > >>> never been initialized.
>> > > >>> [20/Aug/2019:08:34:21.733526550 +0800] - WARN -
>> > > >>> NSMMReplicationPlugin - windows sync - windows_inc_run -
>> > > >>> agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has
>> > > >>> never been initialized.
>> > > >>> [20/Aug/2019:08:34:24.735819391 +0800] - WARN -
>> > > >>> NSMMReplicationPlugin - windows sync - windows_inc_run -
>> > > >>> agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has
>> > > >>> never been initialized.
>> > > >>> [20/Aug/2019:08:34:27.738228528 +0800] - WARN -
>> > > >>> NSMMReplicationPlugin - windows sync - windows_inc_run -
>> > > >>> agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has
>> > > >>> never been initialized.
>> > > >>> [20/Aug/2019:08:34:30.873896680 +0800] - ERR - NSMMReplicationPlugin
>> > > >>> - windows sync - windows_tot_run - Beginning total update of replica
>> > > >>> "agmt="cn=389ds" (tc-dc-2:389)".
>> > > >>> [20/Aug/2019:08:34:33.170822223 +0800] - ERR - NSMMReplicationPlugin
>> > > >>> - windows sync - windows_tot_run - Finished total update of replica
>> > > >>> "agmt="cn=389ds" (tc-dc-2:389)". Sent 5 entries.
>> > > >>> [20/Aug/2019:08:34:33.186359842 +0800] - ERR - NSMMReplicationPlugin
>> > > >>> - windows sync - bind_and_check_pwp - agmt="cn=389ds" (tc-dc-2:389):
>> > > >>> Replication bind with SIMPLE auth resumed
>> > > >>> [20/Aug/2019:08:47:30.032935119 +0800] - ERR - NSMMReplicationPlugin
>> > > >>> - windows sync - windows_tot_run - Beginning total update of replica
>> > > >>> "agmt="cn=389ds" (tc-dc-2:389)".
>> > > >>> [20/Aug/2019:08:47:31.035850854 +0800] - ERR - NSMMReplicationPlugin
>> > > >>> - windows sync - windows_tot_run - Finished total update of replica
>> > > >>> "agmt="cn=389ds" (tc-dc-2:389)". Sent 5 entries.
>> > > >>> [20/Aug/2019:08:47:31.051614890 +0800] - ERR - NSMMReplicationPlugin
>> > > >>> - windows sync - bind_and_check_pwp - agmt="cn=389ds" (tc-dc-2:389):
>> > > >>> Replication bind with SIMPLE auth resumed
>> > > >>> [20/Aug/2019:08:50:59.533268105 +0800] - WARN -
>> > > >>> NSMMReplicationPlugin - prot_stop - Incremental protocol for replica
>> > > >>> "agmt="cn=389ds" (tc-dc-2:389)" did not shut down properly.
>> > > >>> [20/Aug/2019:09:01:00.155477769 +0800] - WARN -
>> > > >>> NSMMReplicationPlugin - prot_stop - Total protocol for replica
>> > > >>> "agmt="cn=389ds" (tc-dc-2:389)" did not shut down properly.
>> > > >>
>> > > >>
>> > > >> Sincerely,
>> > > >> --
>> > > >> DaV
>> > > >>
>> > > >>
>> > > >>
>> > > >
>> > > > _______________________________________________
>> > > > 389-users mailing list -- 389-users@lists.fedoraproject.org
>> > > > To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
>> > > > Fedora Code of Conduct:
>> > > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > > > List Archives:
>> > > > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>> > >
>> > > —
>> > > Sincerely,
>> > >
>> > > William Brown
>> > >
>> > > Senior Software Engineer, 389 Directory Server
>> > > SUSE Labs
>> > > _______________________________________________
>> > > 389-users mailing list -- 389-users@lists.fedoraproject.org
>> > > To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
>> > > Fedora Code of Conduct:
>> > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > > List Archives:
>> > > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>> > >
>> > _______________________________________________
>> > 389-users mailing list -- 389-users@lists.fedoraproject.org
>> > To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
>> > Fedora Code of Conduct:
>> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > List Archives:
>> > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>> >
>>
>> _______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>>
> --
389 Directory Server Development Team
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
