Active Directory Sync Changes Operation

Overview

An Active Directory (AD) Sync Changes operation queries the target Active Directory instance and determines whether any previously undetected changes have been made, using the Directory Synchronization Cookie method (see here for more information). A change token is assigned to its encapsulating operation list if a change has occurred for a specified filter since the last detected change.

This operation will check for changes across the whole Active Directory instance, including tombstones (deleted objects). It requires that the account being used has Replicating Directory Changes permission.

The Active Directory Sync Changes operation will always return changes on its first run. If this is not the case, it may mean that the account does not have sufficient access to the instance, or that the LDAP filter specified is not correct. Active Directory tools such as ADSI Edit and LDP.exe may prove useful in checking these credentials are correct and that expected changes will be successfully retrieved with the security settings specified.

Technical Requirements

The AD Sync Changes operation requires an operational target Active Directory instance to check for changes against. This target Active Directory server needs to be configured with a set of access privileges which will facilitate the connection details specified by the selected AD Agent.

Usage

The AD Sync Changes operation will only allow its encompassing operation list to begin execution if changes are detected in the target Active Directory instance.

Configuration

In addition to the common configuration settings shared by all Changes Operations, the Active Directory Sync Changes operation requires the following by way of configuration:

Name

Description

Filter LDAP filter to apply to search results.
Domain The target domain to check for changes, eg. DC=Domain,DC=local
CHECK: An Active Directory agent is required to configure a Active Directory Sync Changes operation.
WARNING: Note that if anything other than the domain is specified, the operation will not function correctly.

Image 3533

Operation Active Directory Changes Operation

Is this article helpful for you?

Some notes:

1/ The AD Sync Check operation requires the agent's identity to be specified in UPN format not domain\sAMAccountName, otherwise it never transitions to a 'Live' status.

2/ If you have preferred DCs configured in MIM then you should mirror those in the AD Agent configuration.

3/ You must add a "Commit AD Sync Changes" operation to the end of the operation list where you use the "AD Sync Changes" check operation, otherwise the operation list will run every time.

4/ If you migrate a UNIFYNow config from a lower environment then it is necessary to re-edit the AD Sync Check operation so the UI has a chance to reset the cookie/token on the operation list.

Only "Replicating Directory Changes" permission should be granted and NOT "Replicating Directory Changes All".  The latter should only be assigned to domain controllers, domain/enterprise admins and system/password sync service accounts since it permits access to security credentials and other secret domain data!

And in case you're wondering Replicating Directory Changes All is not even required if MIM is being used for password sync, since PCNS is used instead.

Update from Bob: in the past RDC All was required for the FIM/MIM AD MA.  It's not clear if this is still the case or whether RDC-only is now sufficient (as suggested some MSFT engineers online).