If you are planning to integrate Oracle Internet Directory (OID, the directory service from Oracle) with Microsoft Active Directory (AD) and import users and groups from AD into OID, you can use one of two approaches to poll for changes in Active Directory: USNChanged or DirSync.
This post gives an overview of how changes in Active Directory are captured with each of these two methods (USNChanged and DirSync) and compares the two options.
Privileges required for the user importing changes from AD
A) USNChanged approach (more commonly used): this approach requires a user in AD
1. With List and Read permissions for every AD container that is in the domain mapping rules.
2. With permissions to Read and List the Active Directory Deleted Objects container. (Use the DSACLS.exe tool on AD to grant a user read permission on the Deleted Objects container.)
Note: Deleted Objects are also called tombstone entries.
B) DirSync approach: this approach requires a user in AD
1. With the Replicating Directory Changes permission for every domain that is in the domain mapping rules.
Note: With the DirSync method it is not necessary to grant the user read permission on the Active Directory Deleted Objects container in order to synchronize user deletions. This is because all changes made to an Active Directory partition are returned from a DirSync control search; access to object data is unrestricted.
Things good to know
1. When you install DIP/OID 11g, it creates two default import profiles: ActiveImport (using DirSync) and ActiveChgImp (using USNChanged).
2. When you use ExpressSyncSetup (a utility in OID 11g that quickly configures basic sync profiles, creating two profiles, one for import and one for export), it creates the import synchronization profile (ActiveChgImp) based on the USNChanged approach.
3. The USNChanged approach (ActiveChgImp) is usually preferred over the DirSync approach (ActiveImport).
4. As per Microsoft Support:
There are two benefits with using the uSNChanged attribute to poll for Active Directory object changes. The first benefit is that an uSNChanged attribute value search can be confined to a specific area of Active Directory. For example, unlike the DirSync control, object change searches can be limited to a specific subtree in the directory.
The second benefit is that you do not have to configure special user account permissions or group permissions for the program. The program only requires List and Read permissions for every container and leaf object in the subtree that is searched.
Comparing USNChanged vs. DirSync
a. Synchronization scope: USNChanged enables synchronization of changes in any specific subtree. DirSync reads all the changes in the directory, filters out the changes to the required entries, and propagates them to OID.
b. Multiple domains in AD: USNChanged can obtain changes made to multiple domains by connecting to the Global Catalog. DirSync requires separate connections (multiple profiles) to the different domain controllers.
c. Synchronization point tracking: USNChanged uses the uSNChanged attribute to track the synchronization point, whereas DirSync uses a cookie that identifies the state of the directory.
d. Search result: In the USNChanged approach all attributes of a changed entry are retrieved, compared with the values stored in OID, and updated where they differ, whereas in the DirSync approach a change consists of only the changed attributes and their new values.
e. Error handling: In the USNChanged approach, if synchronization stops because of errors, the next synchronization cycle starts from the entry where synchronization was interrupted. In the DirSync approach, if synchronization stops because of errors, the next synchronization cycle reads all changes that were already applied and skips them.
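To make the USNChanged mechanics above concrete (subtree-scoped search, the separate Deleted Objects search that needs extra read rights, and the per-entry high-water mark that lets a failed cycle resume at the interrupted entry), here is an added Python simulation. It is not part of the original post or of DIP/OID; the directory snapshot, DNs and function names are constructed for illustration, and a real poll would issue the same filter over LDAP.

```python
from dataclasses import dataclass

@dataclass
class ADEntry:
    dn: str
    usn_changed: int
    is_deleted: bool = False

# Constructed snapshot of an AD domain (not real directory data).
SAMPLE_AD = [
    ADEntry("CN=alice,OU=Staff,DC=example,DC=com", 1001),
    ADEntry("CN=bob,OU=Staff,DC=example,DC=com", 1005),
    # Tombstone: AD moves it to the Deleted Objects container, outside OU=Staff.
    ADEntry("CN=carol\\0ADEL:<guid>,CN=Deleted Objects,DC=example,DC=com", 1007, True),
    ADEntry("CN=dave,OU=Vendors,DC=example,DC=com", 1010),
]

def usn_filter(last_usn: int) -> str:
    """LDAP filter a USNChanged poll issues: everything newer than the mark."""
    return f"(uSNChanged>={last_usn + 1})"

def search(entries, base_dn: str, last_usn: int, show_deleted: bool):
    """Simulated subtree search under base_dn for entries newer than last_usn.
    Tombstones come back only when the caller has List/Read on the Deleted
    Objects container and asks for deleted entries (show-deleted control)."""
    hits = [e for e in entries
            if e.usn_changed > last_usn and e.dn.endswith(base_dn)
            and (show_deleted or not e.is_deleted)]
    return sorted(hits, key=lambda e: e.usn_changed)

def sync_cycle(entries, mapping_base, deleted_base, last_usn, apply, can_read_deleted):
    """One USNChanged import cycle; returns the new high-water mark.
    The mark advances after each applied entry, so an error leaves it at the
    last successful entry and the next cycle resumes at the failed one."""
    pending = search(entries, mapping_base, last_usn, show_deleted=False)
    if can_read_deleted:  # without rights on Deleted Objects, deletes are never seen
        pending += search(entries, deleted_base, last_usn, show_deleted=True)
    pending.sort(key=lambda e: e.usn_changed)
    mark = last_usn
    for e in pending:
        try:
            apply(e)
        except RuntimeError:
            return mark
        mark = e.usn_changed
    return mark
```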
Question for Readers
How do you check whether you are using DirSync or USNChanged for the AD to OID import?