Comments on: Synchronization of Windows Server 2008 Active Directory Users from a Sql Server table http://itknowledgeexchange.techtarget.com/itanswers/synchronization-of-windows-server-2008-active-directory-users-from-a-sql-server-table/ Sun, 19 May 2013 03:14:28 +0000 hourly 1 By: chippy088 http://itknowledgeexchange.techtarget.com/itanswers/synchronization-of-windows-server-2008-active-directory-users-from-a-sql-server-table/#comment-74420 chippy088 Tue, 02 Mar 2010 08:13:41 +0000 #comment-74420 Could you not just update the sql db from AD daily, or when necessary. Seems like a lot of effort to keep a copy of the user list up-to-date.

]]> By: juano http://itknowledgeexchange.techtarget.com/itanswers/synchronization-of-windows-server-2008-active-directory-users-from-a-sql-server-table/#comment-74349 juano Sat, 27 Feb 2010 06:41:33 +0000 #comment-74349 Well, there is more than one way of skinning this cat. The potential approach will be based on your budget, your environment. Let me elaborate. If you have a large environment 30-40,000+ users, you will better server with a synchronization tool like ILM/FIM (newer name for MIIS) for your solution. These solutions are very powerful, can be complex and are relatively expensive. These tools engage with the Active Directory DirSync Control (API that allow the agent to communicate with a domain controller like if it is another domain controller) facilitating synchronization of attribute level changes as they occurs the environment.

Another way is using LDIF to update active directory, however since your application is not interfacing with DirSync Control, your process would have to consume the complete object coming from AD. You could develop a process that call LDIFDE and extract all users and object including the subset of attributes you need to synchronize and import them to SQL. Then when changes in SQL are needed to be sent to AD you could develop a procedure to export your changes in an LDIF format ready for consumption by AD. Then call LDIFDE.exe to import the new objects, delete or process changes to AD. You will be able to generate deltas from SQL to AD, but would have to consume a full export from AD to be imported to SQL.
As an experienced ILM consultant, I like to point out that although the process is crude, it works, is easily supportable and I have done it before. Although I was not provisioning objects to AD the process is the same. I was updating once a day all the user personal information that was being updated from a web application into an SQL DB. I was running a process updating 80,000 users daily and it took about 2.5 hours to complete.

I hope this helps.

]]>