Chat now with support
Chat with Support

Directory Sync Pro for Active Directory 20.10 - User Guide

General Object Settings

Target Proxy Address Overwrite Behavior

If you check this box, source proxy addresses will always overwrite the proxy addresses in the target, replacing whatever values are there, if any. If this box is left unchecked, the source proxy address will only be added to those target objects where this attribute is currently empty.

User Object Settings

Options for AD Inter-forest and Intra-Forest Profiles

AS-IS means the objects will be created just as they currently exist in the source. If the account was disabled in Active Directory in the source, it will be disabled in Active Directory when created in the target. If the account was enabled in Active Directory in the source, it will be created as enabled in Active Directory in the target.

You can also choose to Active Directory enable all objects when they are created in the target, no matter their Active Directory account status in the source. Or, just the opposite, you can choose to have all objects created in an account disabled state in the target, no matter their status in the source.

For mail-enabled objects only, there is also the option is to convert all mail-enabled objects into contacts when they are created in the target.

Options for Exchange Inter-forest Profiles

AS-IS means the objects will be created just as they currently exist in the source. If the account was disabled in Active Directory in the source, it will be disabled in Active Directory when created in the target. If the account was enabled in Active Directory in the source, it will be created as enabled in Active Directory in the target.

You can also choose to enable all objects when they are created in the target, no matter their status in the source. Or, just the opposite, you can choose to have all objects created in an account disabled state in the target, no matter their status in the source.

You may also choose to convert all the mail-enabled objects into contacts when they are created in the target.

You would use this profile in conjunction with our Exchange Pro mailbox migration product.

Options for Exchange IntRA-forest Profiles

AS-IS means the objects will be created just as they currently exist in the source. If the account was disabled in Active Directory in the source, it will be disabled in Active Directory when created in the target. If the account was enabled in Active Directory in the source, it will be created as enabled in Active Directory in the target.

Note that All objects created will be Mail-Disabled, no matter what their Active Directory account status.

You can also choose to enable all objects when they are created in the target, no matter their status in the source. Or, just the opposite, you can choose to have all objects created in an account disabled state in the target, no matter their status in the source.

You may also choose to convert all the mail-enabled objects into contacts when they are created in the target.

User Conflicts

How do you want to handle any users conflicts? That is what should happen if (based on your matching criteria) that Directory Sync Pro for Active Directory finds a matching user already in the target? If you choose skip, Directory Sync Pro for Active Directory will not make an association between those objects, and an error will be noted in the log file.

With Update, Directory Sync Pro for Active Directory will consider those items the same. This means that any changes made to the source will update that matched item in the target, if you have set updates to occur. No new object will be created.

With Rename, a new object will be created in the target. You will need to distinguish this from the matched target object by giving it a new name. You can manually add a prefix or suffix of your choice, or, you choose any existing AD attribute to be prepended or appended to the name. Remember that if you choose rename, when you update the object in the source, it will be the Renamed object in the target that gets updated during a synchronization.

User SID History

You have the option to include an object's SID history during the migration. This will help prevent issues with some software, and network shared printers. We suggest this option. Consider however, that in a large enterprise, this might cause the Kerberos token to exceed the max token size for users that belong to many groups. You could mitigate that issue with a GPO that is set to accept larger tokens.

If you do choose to migrate SID History, all Domain Controllers that you have listed in the Target DC's tab will need access to the Domain Controller that holds the PDC Emulator FSMO role in the source.

Group Object Settings

Options for AD Profiles

By default, groups will retain their current group scope when they are migrated. You have the option to change that here, so that you can transform a group's scope as it is migrated. For example, if the new target does not have multiple domains, you may choose to convert your Universal Groups into Domain Local groups. Or you can choose not to migrate a particular group scope at all. There are some limitations on changing the scope of nested groups, so you may want to refer to the following TechNet link.

https://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx

Options for Exchange Profiles

By default, your mail-enabled groups will retain their current group scope when they are migrated. You have the option to change that here, so that you can transform a group's scope as it is migrated. You can also change the group to a contact, or you can choose not to migrate a particular group scope at all.

Group Conflicts

Options for AD and Exchange to AD Profiles

If you choose skip, Directory Sync Pro for Active Directory will not make an association between those objects, and an error will be noted in the log file.

If you choose Merge, Directory Sync Pro for Active Directory will consider those items the same. This means that any members of the source group will be added to the membership list of the target group, if you have set updates to occur. No new object will be created.

With Rename, a new Active Directory group object will be created in the target. You will need to distinguish this from the matched target object by giving it a new name. You can manually add a prefix or suffix of your choice, or, you choose any existing AD attribute to be prepended or appended to the name. Remember that if you choose rename, when you update the object in the source such as adding another member, it will be the Renamed group object in the target that gets updated during a synchronization.

 

Synchronize Members as Foreign Security Principals

If "Synchronize Members as Foreign Security Principals" is enabled, group members that cannot be matched in the target will be synchronized as Foreign Security Principals if trust relationships allow it and the target group is a Domain Local Security Group.

Device Object Settings

By default, the Active Directory account status of device is maintained when the object is created in the target. If a device was Active Directory enabled in the source, it will be enabled in the target, and vice-versa. Or, choose enabled, to make all migrated devices immediately Active Directory enabled, no matter what their status was in the source.

Maybe you want to ensure that these devices should not be available until a later time even after the device has been cutover. In that case, you can choose disabled, which will cause all migrated devices to be Active Directory disabled, no matter what the status in the source.

Device Conflicts

By default, the Active Directory account status of device is maintained when the object is created in the target. If a device was Active Directory enabled in the source, it will be enabled in the target, and vice-versa. Or, choose enabled, to make all migrated devices immediately Active Directory enabled, no matter what their status was in the source.

Maybe you want to ensure that these devices should not be available until a later time even after the device has been cutover. In that case, you can choose disabled, which will cause all migrated devices to be Active Directory disabled, no matter what the status in the source.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating