Interaction With A Replicated Environment - Red Hat DIRECTORY SERVER 8.1 - DEPLOYMENT Deployment Manual


Chapter 7. Designing Synchronization
• nsDS5ReplicaTombstonePurgeInterval sets the frequency with which the server runs a purge
operation. At this interval, the Directory Server runs an internal operation to clean the tombstone
and state entries out of the changelog. Make sure that the maximum age is longer than the longest
replication update schedule, or multi-master replication may not be able to update replicas properly.
The parameters for managing replication and the changelog are described in Chapter 2, "Core
Configuration Attributes," in the Configuration, Command, and File Reference.
7.2.3. Defining the Connection Type
Synchronization can occur using simple authentication over a standard port, using SSL/TLS, or using
Start TLS (a secure connection over a standard port).
Although it is not required, it is strongly recommended that SSL or another secure connection be used
for synchronization. If passwords are going to be synchronized from the Windows server, then SSL must
be enabled on both servers so that the synchronization proceeds over a secure port.
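The two rules above (the changelog maximum age must outlast the longest gap in the replication update schedule, and password synchronization requires an SSL or Start TLS transport) can be checked before an agreement goes live. The following audit script is an added example, not part of the manual or of Red Hat's tooling. It reads a synchronization agreement and the changelog entry as LDIF and reports deployment-rule violations. The sample entries are constructed for illustration; the schedule format (HHMM-HHMM followed by day digits, 0 = Sunday, windows not crossing midnight) and the changelog max-age format (number plus s/m/h/d/w unit) are assumptions of this script, and whether passwords are synchronized is passed in as a flag because that is configured on the Windows side rather than in the agreement entry.

```python
"""Audit a Windows Sync agreement against the deployment rules in this section.

Added example (not Red Hat's code). Two checks:
  1. transport: password sync requires SSL or Start TLS; a SIMPLE bind over
     plain LDAP is also flagged because it sends the sync credentials in clear.
  2. changelog: nsslapd-changelogmaxage must exceed the longest stretch of the
     week during which no update window in nsDS5ReplicaUpdateSchedule is open.
"""
import re

WEEK_MINUTES = 7 * 24 * 60
SECURE_TRANSPORTS = {"SSL", "TLS"}  # "TLS" is Start TLS over the standard port

# Constructed sample entries (attribute values are illustrative, not a real deployment).
WEAK_AGREEMENT = """\
dn: cn=ExampleSync,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: nsDSWindowsReplicationAgreement
cn: ExampleSync
nsDS5ReplicaHost: ad.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaUpdateSchedule: 0100-0300 0123456
nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
nsds7WindowsReplicaSubtree: cn=Users,dc=example,dc=com
"""
WEAK_CHANGELOG = "dn: cn=changelog5,cn=config\nnsslapd-changelogmaxage: 1h\n"

HARDENED_AGREEMENT = WEAK_AGREEMENT.replace("Port: 389", "Port: 636") \
                                   .replace("TransportInfo: LDAP", "TransportInfo: SSL")
HARDENED_CHANGELOG = WEAK_CHANGELOG.replace("1h", "2d")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}.
    Lines beginning with a space continue the previous line (RFC 2849)."""
    lines = []
    for raw in text.strip("\n").splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return attrs


def parse_age(value):
    """Assumed max-age format: integer plus optional unit s/m/h/d/w; returns seconds."""
    m = re.fullmatch(r"(\d+)\s*([smhdw]?)", value.strip())
    if not m:
        raise ValueError(f"unrecognised age: {value!r}")
    return int(m[1]) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}[m[2]]


def longest_gap_minutes(schedule_values):
    """Longest period of the week with no open update window (0 when unscheduled,
    i.e. replication is continuous). Assumed format: 'HHMM-HHMM DDDDDDD'."""
    if not schedule_values:
        return 0
    windows = []
    for value in schedule_values:
        m = re.fullmatch(r"(\d{2})(\d{2})-(\d{2})(\d{2})\s+(\d{1,7})", value)
        if not m:
            raise ValueError(f"unrecognised schedule: {value!r}")
        start, end = int(m[1]) * 60 + int(m[2]), int(m[3]) * 60 + int(m[4])
        for day in sorted({int(d) for d in m[5]}):
            windows.append((day * 1440 + start, day * 1440 + end))
    windows.sort()
    merged = []  # coalesce overlapping windows so gaps are measured between them
    for s, e in windows:
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    gaps = [merged[i + 1][0] - merged[i][1] for i in range(len(merged) - 1)]
    gaps.append(WEEK_MINUTES - merged[-1][1] + merged[0][0])  # wrap past Saturday
    return max(gaps)


def audit(agreement, changelog, passwords_synced):
    """Return a list of rule violations (empty list means the agreement passes)."""
    findings = []
    transport = agreement.get("nsds5replicatransportinfo", ["LDAP"])[0].upper()
    bind = agreement.get("nsds5replicabindmethod", ["SIMPLE"])[0].upper()
    secure = transport in SECURE_TRANSPORTS
    if passwords_synced and not secure:
        findings.append(f"password sync enabled but transport is {transport}; SSL is required")
    if bind == "SIMPLE" and not secure:
        findings.append("SIMPLE bind over plain LDAP sends the sync credentials in cleartext")
    gap = 60 * longest_gap_minutes(agreement.get("nsds5replicaupdateschedule", []))
    max_age = parse_age(changelog["nsslapd-changelogmaxage"][0])
    if max_age <= gap:
        findings.append(f"changelog max age {max_age}s does not exceed the longest update gap {gap}s")
    return findings


if __name__ == "__main__":
    for label, agr, cl in (("weak", WEAK_AGREEMENT, WEAK_CHANGELOG),
                           ("hardened", HARDENED_AGREEMENT, HARDENED_CHANGELOG)):
        print(label, audit(parse_ldif_entry(agr), parse_ldif_entry(cl), passwords_synced=True))
```

The weak sample trips all three checks: a two-hour nightly window leaves a 22-hour gap that a one-hour changelog max age cannot cover, and the plain LDAP transport fails both the password-sync requirement and the cleartext-credential check. Switching the transport to SSL on port 636 and raising the max age to two days clears every finding.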
7.2.4. Considering a Data Master
The data master is the server that is the master source of data; this is the primary or authoritative
source for data.
Windows and Directory Server services are kept continuously synchronized through the
synchronization agreement, which minimizes potential conflicts between the two services. However,
if the Directory Server is part of a replication deployment, then conflicts could arise between changes
made within the Directory Server replication scenario and the Windows domain depending on the
replication schedule.
Consider which server will be the data master when the data resides in two different directory services,
and decide how much of that information will be shared. The best course is to choose a single
directory service to master the data and allow the synchronization process to add, update, or delete
the entries on the other service.
Choose one area (Windows domain or Directory Server) to master the data. Alternatively, choose
a single Directory Server as a data master and synchronize it with each Windows domain. If the
Directory Server is involved in replication, design the replication structure to avoid conflicts, losing
data, or overwriting data.
How master copies of the data are maintained depends on the specific needs of the deployment.
Regardless of how data masters are maintained, keep it simple and consistent. For example, do
not attempt to master data in multiple sites, then automatically exchange data between competing
applications. Doing so leads to a "last change wins" scenario and increases administrative overhead.
7.2.5. Determining the Subtree to Synchronize
Only a single Directory Server subtree can be synchronized to a single Windows subtree, and it is
recommended that there only be a single synchronization agreement between directory services.
Select or design the parts of the directory trees to synchronize; consider designing special suffixes
specifically for synchronized entries.

7.2.6. Interaction with a Replicated Environment

Synchronization links a Directory Server suffix and subtree (for example, ou=People,
dc=example,dc=com) to a corresponding Windows domain and subtree