In this post I will describe Aging with ADAMSync. If you configure ADAMSync to replicate your Active Directory information to an LDS Instance, without aging deleted data from Active Directory will never be removed from LDS. For example if you delete a user object from your Active Directory database, this object will not be deleted from the LDS Instance when you run the next sync.
The ADAMSync aging configuration is done under your ADAMSync XML configuration file.
<schedule>
<aging>
<frequency>0</frequency>
<num-objects>0</num-objects>
</aging>
<schtasks-cmd></schtasks-cmd>
</schedule>
The two configuration options you need to configure are frequency and num-objects.
Frequency:
http://technet.microsoft.com/en-us/library/cc737713.aspx
num-objects:
http://technet.microsoft.com/en-us/library/cc778153.aspx
Unfortunately the documentation on TechNet around these is very poor.
Frequency
- If it's set to "0", the Aging will be skipped, AdamSync will return the following informaiton:
a. Aging is skipped.
b. The times since the last sync.
- If it's larger than "0", system will compare its value with the number of times since the last sync:
a. If its value is larger than the number of times since the last sync, Aging will be skipped, and the number of the times since the last sync will be increased by 1.
b. if its value is not larger than the number of times since the last sync, Aging procedure will be called and the number of times since the last sync will be reset.
Examples:
- If the value is set to 0, aging will be not used.
- If the value is set to 1, the aging will be called each time during the sync.
- if it's set to 2, the aging will be called every two sync.
num-objects
num-objects is the number of objects that need to be aged per run. If you make this 0, it will always age all objects against Active Directory. If you make this 50, it will only age 50. When you perform the next sync, it will age the next 50. Don't worry all objects will eventually be aged... depends on how often you schedule task adamsync.exe to run!
Why was Aging developed?
Please read this fantastic article by Eric Fleischman which explains why Aging was developed by Microsoft in ADAMSync.
http://blogs.technet.com/b/efleis/archive/2006/10/28/change-visibility-in-the-directory-or-lack-there-of-aka-what-s-the-point-of-aging.aspx
Thankyou to James Li from the Directory Services Support Team at Microsoft for looking at the source code of ADAMSync.exe and explaining how the code works! This information was published with written permission from Microsoft via email.
I'm glad my ancient blog post was useful.
ReplyDelete~Eric
Thanks for the article...I've got a pretty straightforward scenario, on forest & domain. My LDS instance gets populated by membership in a USG, and works great. New members are added to LDS by doing a /fs style sync from AD to LDS. I've got aging set at 1, num objects is at 0, and I see aging statements in the log.
ReplyDeleteProblem is, I can't get stale accounts out of LDS. I can try to remove the user from the USG or disable the user, or move the user to another OU, but it remains in its original location. Any ideas for what I'm missing?
Have you ever done a domain migration and have SID History in place? There is a bug with ADAMSync.exe regarding aging and SIDHistory.
ReplyDeleteIs there any way to get around this bug if you do have SIDHistory populated on user accounts in the source AD?
DeleteHello , thanks for the article,
ReplyDeleteI am running in to a issue with ADAMSync
my end result should be : even if a user deleted from active directory it should not get deleted in LDS
my ADAM sync Config is
object filter : (|(&(
objectClass
=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))(&(
objectClass
=user)(
isDeleted
=TRUE)))
and
0
0
but still user are gettinig deleted automatically from LDS
can you please help me.
both values for aging are zero '0'
ReplyDeleteTry using isDeleted=*.
Deletehttps://technet.microsoft.com/en-us/library/cc978013.aspx shows that searching for deleted objects should include a filter like so.
So your entire filter could be:
(|(&(
objectClass
=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))(&(
objectClass
=user)(
isDeleted=*
)))