You might be able to do something like: create two OUs, create the replication agreements to the OUs, sync with one AD server and in the other OU create a referral to the synced OU? It sounds ugly, looks ugly because it's ugly, but that might work.

FWIW, good luck.

Dan

----- Original Message -----
From: "Juan Asensio Sánchez" <oke...@gmail.com>
To: "General discussion list for the 389 Directory server project." <389-us...@lists.fedoraproject.org>
Sent: Wednesday, October 24, 2012 2:12:05 PM
Subject: Re: [389-users] AD replication agreement with 2 different servers/domains

Hi again Rich,

I don't think that ticket would help me; I need to sync users with two different servers/domains, not with two different OUs in the same server/domain.

Dan, I don't want to merge the two AD domains, I want to replicate the data in 389DS to the two AD servers/domains. I could use the LDIF export, but then I would lose the password replication I get with the replication agreement. I guess I will not be able to do what I think...

Thanks all.

2012/10/24 Dan Lavu <d...@lavu.net>:
> Juan,
>
> It's not designed to work that way, it's unique OU replicated to unique OU;
> you will have strange overlap and rewriting if you try to replicate that
> way, two agreements to the same OU. So if I understand this correctly you
> are essentially trying to do a merge between two domains?
>
> I would suggest creating a new suffix for each domain or creating one giant
> suffix with OUs for domains; that way you can use '-s sub' to search the
> entire suffix but still have that segregation, or you can export an LDIF
> between AD and use ldapdiff.pl to pre-merge the AD domains.
>
> Hope this helps.
>
> Dan
>
> ________________________________
> From: "Juan Asensio Sánchez" <oke...@gmail.com>
> To: "General discussion list for the 389 Directory server project." <389-us...@lists.fedoraproject.org>
> Sent: Wednesday, October 24, 2012 1:03:55 PM
> Subject: Re: [389-users] AD replication agreement with 2 different servers/domains
>
> Hi Dan
>
> Yes, I am trying to sync the same OU to two different servers/domains.
> This is because the users in our directory are split into several
> organizations, and each organization is semi-self-managed. Some of
> those organizations have replication agreements with their own AD
> domain. Now we want, from the "central organization", to replicate all
> the users (from all the organizations) to a new AD domain which will
> provide mail with Exchange, so each user's OU will have two Windows
> replication agreements (one with the organization AD domain and another
> with the new "central organization" AD domain with Exchange).
>
> Anyone experienced with a topology like this?
>
> NB: Don't ask why we don't use the existing AD domains, boss things...
>
> Regards.
>
> 2012/10/24 Dan Lavu <d...@lavu.net>:
>> Juan,
>>
>> The winsync utility is not designed to write to the same OU in 389. Can
>> you separate the sync agreements into two different OUs or databases? I'm
>> making the assumption that you are making the agreements to the same OU in
>> 389. If you're not writing to the same OU, can you go into more detail
>> about the design?
>>
>> Dan
>>
>> ________________________________
>> From: "Juan Asensio Sánchez" <oke...@gmail.com>
>> To: 389-us...@lists.fedoraproject.org
>> Sent: Wednesday, October 24, 2012 7:09:41 AM
>> Subject: [389-users] AD replication agreement with 2 different servers/domains
>>
>> Hi
>>
>> I am trying to configure the replication between 389DS and two
>> different servers and domains in Active Directory. The first
>> replication agreement works fine, and the second works fine too in the
>> initialization. But when I modify some user, the change is replicated
>> to the first server/domain, but not to the second one. I think this
>> is because the first agreement has created the objectGUID in AD and
>> replicated it to 389DS in the ntUniqueId attribute, but with the second
>> agreement, the second server/domain has created a different objectGUID
>> but has not replicated/overwritten the previous ntUniqueId created by the
>> first agreement (that would then break the first agreement). Is this
>> correct? Is there any way to solve/work around this?
>>
>> Regards and thanks in advance.
>> --
>> 389 users mailing list
>> 389-us...@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
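The original question in this thread hypothesises that each 389DS user entry carries a single ntUniqueId, claimed by whichever winsync agreement first created the AD object, so a second agreement against a different domain will never see its own objectGUID in that attribute. Before redesigning the topology it helps to confirm which entries are in that state. The following audit script is an added example, not code from the thread or from the 389 Directory Server project. It assumes two LDIF exports (one from 389DS with uid, ntUserDomainId and ntUniqueId; one from the second AD domain with sAMAccountName and objectGUID) and assumes that 389DS stores ntUniqueId as the hex encoding of the raw 16 GUID bytes, the same bytes ldapsearch prints base64-encoded for objectGUID; both sample exports below are constructed.

```python
import base64
from typing import Dict, List

# Constructed sample ldapsearch -LLL export from 389DS (assumed attribute set).
DS_LDIF = """\
dn: uid=alice,ou=org1,dc=example,dc=com
uid: alice
ntUserDomainId: alice
ntUniqueId: 0123456789abcdef0123456789abcdef

dn: uid=bob,ou=org1,dc=example,dc=com
uid: bob
ntUserDomainId: bob
ntUniqueId: fedcba9876543210fedcba9876543210

dn: uid=carol,ou=org2,dc=example,dc=com
uid: carol
ntUserDomainId: carol

dn: uid=dave,ou=org2,dc=example,dc=com
uid: dave
ntUserDomainId: dave
"""


def _b64_guid(hex_guid: str) -> str:
    """Encode a constructed 16-byte GUID the way ldapsearch prints binary values."""
    return base64.b64encode(bytes.fromhex(hex_guid)).decode()


# Constructed sample export from the second AD domain. objectGUID is binary,
# so it appears base64-encoded after the '::' separator. Note that bob's GUID
# matches his ntUniqueId while alice's does not (claimed by another domain).
AD2_LDIF = f"""\
dn: CN=alice,OU=Users,DC=central,DC=example
sAMAccountName: alice
objectGUID:: {_b64_guid("00112233445566778899aabbccddeeff")}

dn: CN=bob,OU=Users,DC=central,DC=example
sAMAccountName: bob
objectGUID:: {_b64_guid("fedcba9876543210fedcba9876543210")}

dn: CN=dave,OU=Users,DC=central,DC=example
sAMAccountName: dave
objectGUID:: {_b64_guid("11111111222222223333333344444444")}
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' and
    base64 'attr:: value' lines, and leading-space continuation lines.
    objectGUID is kept as lowercase hex of the raw bytes; other base64
    values are decoded as UTF-8. Attribute names are lower-cased."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of previous line
        else:
            unfolded.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr = attr.lower()
        if value.startswith(":"):            # base64-encoded value
            decoded = base64.b64decode(value[1:].strip())
            value = decoded.hex() if attr == "objectguid" else decoded.decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def audit_bindings(ds_entries, ad_entries) -> Dict[str, str]:
    """Classify each 389DS user against the second domain's export:
    'bound-here'      ntUniqueId equals this domain's objectGUID (changes will flow)
    'bound-elsewhere' ntUniqueId is set but differs (claimed by another agreement)
    'unbound'         no ntUniqueId yet
    'not-in-ad'       no matching account in this domain's export"""
    guid_by_sam = {
        e["samaccountname"][0].lower(): e["objectguid"][0].lower()
        for e in ad_entries if "samaccountname" in e and "objectguid" in e
    }
    report: Dict[str, str] = {}
    for e in ds_entries:
        uid = e["uid"][0]
        sam = e.get("ntuserdomainid", [uid])[0].lower()
        guid = guid_by_sam.get(sam)
        nt_unique = e.get("ntuniqueid", [None])[0]
        if guid is None:
            report[uid] = "not-in-ad"
        elif nt_unique is None:
            report[uid] = "unbound"
        elif nt_unique.lower() == guid:
            report[uid] = "bound-here"
        else:
            report[uid] = "bound-elsewhere"
    return report


if __name__ == "__main__":
    for uid, status in sorted(audit_bindings(parse_ldif(DS_LDIF), parse_ldif(AD2_LDIF)).items()):
        print(f"{uid:10s} {status}")
```

Any user reported as bound-elsewhere is exactly the case described in the thread: the entry already carries the first domain's objectGUID, so modifications will not be matched by the second agreement. The comparison works on raw GUID bytes from both sides; if you instead compare against the string form of a GUID shown in AD tooling, remember that the first three groups are byte-swapped relative to the raw value and normalise before comparing.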