Setting up 389 Directory Server for Active Directory Sync

The official installation method is to add the EPEL repository.

Then you can yum install 389-ds and start the dirsrv and dirsrv-admin services.

Follow this link and you will be able to finish it. Reading the official manual takes too much time.

Some notes here:
1) If you only sync from AD (Active Directory) to DS (Directory Server), the sync account in AD does not need to be in the Admin group. It can be an ordinary user with the “replicate directory changes” permission. This permission can be granted with “Delegate Control” in “Active Directory Users and Computers”.

2) If you need to further sync from DS to another DS, you need to choose “Single Master” in the sync agreement. Otherwise, you can only initialize the second DS, and no further replication will occur; the status will say “No replication since the server started”.

3) Pay attention to the user names. In DS, use uid=xxx,dc=domain,dc=local, but in AD they use cn=xxx,dc=domain,dc=local.

4) If you use your own CA, then you need to import your CA cert into 4 places:
4a) The truststore of DS.
4b) The truststore of DS-admin.
4c) The trusted root certificate store of the local computer on the Domain Controllers.
4d) The trust store in the PassSync program folder on the Domain Controller.

5) On Windows Server 2008 R2, you need to open an administrator command prompt to run the PassSync setup program.

6) To configure one-way sync, you need to add an attribute to the sync agreement. You can do it by browsing the DS directory under the config subtree, where you will find the sync agreement you created.

7) To troubleshoot, there is a very good tool called ldp.exe, released by Microsoft in its Windows Server 2003 Support Tools. Yes, 2003… but it runs on Windows Server 2008 R2. Just download the whole package from the link below and extract only ldp.exe to your server. Life will suddenly become easier.
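For note 6, here is an added example (not from the original post) of setting that attribute from the command line instead of browsing the config subtree. The attribute 389-ds uses is oneWaySync with the value fromWindows or toWindows; the host, bind DN and agreement DN in the block are placeholders, and the real agreement DN is taken from the ldapsearch in the block.

```shell
#!/bin/sh
# Added example, not part of the original post or of 389-ds itself.
# Sets one-way sync on an existing Windows sync agreement via ldapmodify.
# Placeholders: DS_HOST, DS_BINDDN and the agreement DN in the usage line.

DS_HOST="${DS_HOST:-ldap://ds.example.local:389}"
DS_BINDDN="${DS_BINDDN:-cn=Directory Manager}"

# Print the LDIF that sets oneWaySync on the agreement entry.
# Returns 1 and prints nothing if the direction is not one of the two values
# the server accepts, so a typo never reaches cn=config.
oneway_sync_ldif() {
    dn="$1"
    direction="$2"
    case "$direction" in
        fromWindows|toWindows) ;;
        *) echo "direction must be fromWindows or toWindows" >&2; return 1 ;;
    esac
    # "replace" works whether or not the attribute is already present.
    printf 'dn: %s\nchangetype: modify\nreplace: oneWaySync\noneWaySync: %s\n' \
        "$dn" "$direction"
}

# List every Windows sync agreement under cn=config (with its current
# oneWaySync value, if any) so the DN can be copied rather than retyped.
list_sync_agreements() {
    ldapsearch -H "$DS_HOST" -D "$DS_BINDDN" -W -b cn=config \
        '(objectclass=nsDSWindowsReplicationAgreement)' dn oneWaySync
}

# Apply the change; ldapmodify prompts for the bind password.
set_oneway_sync() {
    oneway_sync_ldif "$1" "$2" | ldapmodify -H "$DS_HOST" -D "$DS_BINDDN" -W
}

# Usage (placeholder DN; run list_sync_agreements to get the real one):
# set_oneway_sync 'cn=ad-sync,cn=replica,cn="dc=domain,dc=local",cn=mapping tree,cn=config' fromWindows
```

Rerun list_sync_agreements afterwards to confirm the oneWaySync value is now shown on the agreement.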
