Knowledge Partner
282 views

AD shim parameter "Enable DirSync Incremental Values": why is it disabled and hidden by default?

So this is something I was always asking myself: why is the AD shim AD
parameter "Enable DirSync Incremental Values" disabled and hidden by default?
Documentation has:

"Enable DirSync Incremental Values: The Publisher channel usually receives all
the values of a multi-valued attribute. Enabling this option reports only the
added or deleted values during the poll interval. This requires 2003 Forest
functional mode or above. This option is hidden by default. It can be modified
by selecting the Edit XML option in the Driver configuration tab."

But why? Is it dangerous (other than that it does not work in pre-2003 forests)?
Does it refuse to play nicely with the default packages? Anyone who knows about
nasty bugs or other caveats to avoid enabling it?


--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
0 Likes
11 Replies
Knowledge Partner

Re: AD shim parameter "Enable DirSync Incremental Values": why is it disabled and hidden by default?

Lothar Haeger <lothar.haeger@is4it.de> wrote:
>
> "Enable DirSync Incremental Values: The Publisher channel usually receives all
> the values of a multi-valued attribute. Enabling this option reports only the
> added or deleted values during the poll interval. This requires 2003 Forest
> functional mode or above. This option is hidden by default. It can be modified
> by selecting the Edit XML option in the Driver configuration tab."
>
> But why? Ist is dangerous (other than it does not work in pre-2003 forests)?
> Does it refuse to play nicely with the default packages? Anyone who knows about
> nasty bugs or other caveats to avoid enabling it?
>
>


The other pre-2003 tweaks have been mostly removed from recent package
versions.

I use the incremental values all the time, it works just fine for moderate
sized deployments. (Don't know about big/huge deployments.)

If I recall correctly, the base requirement for incremental values wasn't
just win2003 but that the specific groups that used this feature must have
been created/populated on a 2003 or higher DC.

--
If you find this post helpful and are logged into the web interface, show
your appreciation and click on the star below...
Alex McHugh - Knowledge Partner - Stavanger, Norway
Who are the Knowledge Partners
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.
0 Likes
Knowledge Partner

Re: AD shim parameter "Enable DirSync Incremental Values": why is it disabled and hidden by default?

Alex Mchugh wrote:

> The other pre 2003 tweaks have been mostly removed from recent package
> versions.


Which were those? (Sorry, not an AD guy and not a default package guy either...)

> I use the incremental values all the time, it works just fine for moderate
> sized deployments. (Don't know about big/huge deployments.)


That is reassuring, thanks!

> If I recall correctly, the base requirement for incremental values wasn't
> just win2003 but that the specific groups that used this feature must have
> been created/populated on a 2003 or higher DC.


Begs the question: is the shim smart enough to handle that case by itself? Or
will that result in messed up groups?

Environment here has ~100000 users and some groups with 10000+ members.
Domain/forest is 2003 level but I do not know the creation times/server
versions of all existing groups.

--
http://www.is4it.de/en/solution/identity-access-management/
0 Likes
Knowledge Partner

Re: AD shim parameter "Enable DirSync Incremental Values": why is it disabled and hidden by default?

Lothar Haeger <lothar.haeger@is4it.de> wrote:
> Alex Mchugh wrote:
>
>> The other pre 2003 tweaks have been mostly removed from recent package
>> versions.

>
> Which were those? (sorry not an AD guys and not a default package guy either...)
>


One that comes to mind is the truncation of group names to 20 characters to
satisfy some ancient Windows NT hangovers. This was removed from packages at
some point.

(You can still encounter this issue if you manipulate groups using the
built-in net group command line, so it still is vaguely relevant.)

>
>> If I recall correctly, the base requirement for incremental values wasn't
>> just win2003 but that the specific groups that used this feature must have
>> been created/populated on a 2003 or higher DC.

>


https://msdn.microsoft.com/en-us/library/cc772726(v=ws.10).aspx

> Begs the question: is the shim smart enough to handle that case by itself? Or
> will that result in messed up groups?
>


This is pure AD functionality from what I recall. The shim just takes what
it gets from AD.

> Environment here has ~100000 users and some groups with 10000+ members.
> Domain/forest is 2003 level but I do not know the creation times/server
> versions of all existing groups.
>


If I interpret the link above, old groups don't get auto converted to the
incremental model until they go over 5k members.

--
Alex McHugh - Knowledge Partner - Stavanger, Norway
0 Likes
cpedersen Outstanding Contributor.

Re: AD shim parameter "Enable DirSync Incremental Values": why is it disabled and hidden by default?

On 10/11/2016 19:48, Lothar Haeger wrote:
> So this is something I was always asking myself: why is the AD shim AD
> parameter "Enable DirSync Incremental Values" disabled and hidden by default?
> Documentation has:
>
> "Enable DirSync Incremental Values: The Publisher channel usually receives all
> the values of a multi-valued attribute. Enabling this option reports only the
> added or deleted values during the poll interval. This requires 2003 Forest
> functional mode or above. This option is hidden by default. It can be modified
> by selecting the Edit XML option in the Driver configuration tab."
>
> But why? Ist is dangerous (other than it does not work in pre-2003 forests)?
> Does it refuse to play nicely with the default packages? Anyone who knows about
> nasty bugs or other caveats to avoid enabling it?
>


Actually it should be enabled all the time, I don't understand why it's
not enabled in the package... oh well.

DirSync is, as the readme states, a nifty little thing; prior to DirSync
we had some interesting problems synchronizing large groups. On a
modification you would get the whole group, meaning an XDS with +30.000
entries, and then the engine had to calculate the difference (the same
still happens on an add, but there is no calculation involved) ... now
with DirSync you'll get only the added or removed members, which makes
the XDS tiny, and it's a lot faster.

If you do not have any Windows servers in your setup prior to 2003 then
by all means enable it.

Casper
0 Likes
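The two poll shapes Casper contrasts above (a full member list that the engine has to diff, versus only the added and removed members), together with the caveat Alex raised earlier that groups never converted to the incremental replication model still come back as full lists, in an added Python example that is not part of this thread and not code from the NetIQ AD driver. It assumes the `member;range=1-1` (added) and `member;range=0-0` (removed) attribute naming that Microsoft documents for the DirSync control's incremental-values flag; the group entries and the mirrored membership are constructed, not captured from a domain.

```python
"""Applying AD DirSync results to a mirrored group membership (constructed
example, not code from the IDM AD driver).

It models the two shapes a DirSync poll can return for a group's 'member'
attribute:

  * legacy/full:  the complete 'member' value list (the pre-DirSync behaviour
                  described in the thread, and what a group that was never
                  converted to linked-value replication still returns);
  * incremental:  only the delta, which AD reports as 'member;range=1-1'
                  (added values) and 'member;range=0-0' (removed values) when
                  incremental values are requested.

Assumption: the 'range=1-1' / 'range=0-0' naming follows Microsoft's
documentation of the DirSync control. All entries below are hand-built.
"""
from dataclasses import dataclass, field

ADDED_SUFFIX = ";range=1-1"    # values added since the last cookie
REMOVED_SUFFIX = ";range=0-0"  # values removed since the last cookie


@dataclass
class Delta:
    """The membership change derived from one poll result."""
    added: set = field(default_factory=set)
    removed: set = field(default_factory=set)
    full_snapshot: bool = False  # True when a complete list had to be diffed


def delta_from_dirsync(entry, current, attr="member"):
    """Turn one DirSync search entry into add/remove operations.

    `entry` maps attribute names to value lists as an LDAP client returns
    them; `current` is the membership already mirrored (what IDM holds in
    eDirectory in the thread's scenario).
    """
    added_key = attr + ADDED_SUFFIX
    removed_key = attr + REMOVED_SUFFIX
    if added_key in entry or removed_key in entry:
        # Incremental shape: AD already computed the difference.
        return Delta(added=set(entry.get(added_key, [])),
                     removed=set(entry.get(removed_key, [])))
    if attr in entry:
        # Legacy shape: the whole value list came back, so the consumer
        # must compute the difference itself (the expensive path).
        new = set(entry[attr])
        return Delta(added=new - current, removed=current - new,
                     full_snapshot=True)
    return Delta()  # no membership change carried in this entry


def apply_delta(current, delta):
    """Return the mirrored membership after applying the delta."""
    return (current - delta.removed) | delta.added


def values_transferred(entry, attr="member"):
    """Count the DN values a poll result carried for `attr` in any shape."""
    return sum(len(v) for k, v in entry.items()
               if k == attr or k.startswith(attr + ";range="))


# --- constructed sample data --------------------------------------------
MIRROR = {f"CN=user{i},OU=People,DC=example,DC=test" for i in range(1000)}
JOINER = "CN=user1000,OU=People,DC=example,DC=test"
LEAVER = "CN=user7,OU=People,DC=example,DC=test"

# Group on the incremental model, polled with incremental values:
# one join and one leave are reported as two values in total.
INCREMENTAL_ENTRY = {
    "dn": ["CN=BigGroup,OU=Groups,DC=example,DC=test"],
    "member;range=1-1": [JOINER],
    "member;range=0-0": [LEAVER],
}

# The same change on a group that still replicates the legacy way:
# the poll returns all 1000 current members again.
LEGACY_ENTRY = {
    "dn": ["CN=BigGroup,OU=Groups,DC=example,DC=test"],
    "member": sorted((MIRROR - {LEAVER}) | {JOINER}),
}


def demo():
    """Both shapes must converge on the same mirrored membership."""
    inc = delta_from_dirsync(INCREMENTAL_ENTRY, MIRROR)
    leg = delta_from_dirsync(LEGACY_ENTRY, MIRROR)
    assert apply_delta(MIRROR, inc) == apply_delta(MIRROR, leg)
    return {
        "incremental_values": values_transferred(INCREMENTAL_ENTRY),
        "legacy_values": values_transferred(LEGACY_ENTRY),
        "incremental_snapshot": inc.full_snapshot,
        "legacy_snapshot": leg.full_snapshot,
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the point of the thread in numbers: the incremental entry carries two values for the same change that costs a thousand values (and a set difference on the consumer side) in the legacy shape, and a consumer that handles both shapes stays correct for groups that were never converted.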
bpenris1 Absent Member.

Re: AD shim parameter "Enable DirSync Incremental Values": w

Is this on the Ideas Portal? Because I think I created a request for it.
0 Likes
Knowledge Partner

Re: AD shim parameter "Enable DirSync Incremental Values": why is it disabled and hidden by default?


bpenris;272406 Wrote:
> Is this on the Ideas Portal? Because I think I created a request for
> it.
>


Hi bpenris,
I believe that this option has been available for at least 10 years (maybe
more).
"Enable DirSync Incremental Values" was available in the AD driver included
in the IDM 3.5 distribution.


--
If you find this post helpful, please show your appreciation by clicking
on the star below :cool:
------------------------------------------------------------------------
al_b's Profile: https://forums.netiq.com/member.php?userid=209
View this thread: https://forums.netiq.com/showthread.php?t=56836

0 Likes
cpedersen Outstanding Contributor.

Re: AD shim parameter "Enable DirSync Incremental Values": why is it disabled and hidden by default?

On 14/11/2016 20:46, bpenris wrote:
>
> Is this on the Ideas Portal? Because I think I created a request for it.
>


It should be part of the driver configuration as of 3.6.x, that at least
was when I remember seeing it explained in the readme the first time.

Casper

0 Likes
Knowledge Partner

Re: AD shim parameter "Enable DirSync Incremental Values": why is it disabled and hidden by default?

Casper Pedersen <cpedersen@no-mx.forums.microfocus.com> wrote:
> On 14/11/2016 20:46, bpenris wrote:
>>
>> Is this on the Ideas Portal? Because I think I created a request for it.
>>

>
> It should be part of the driver configuration as of 3.6.x, that at least
> was when I remember seeing it explained in the readme the first time.
>

It was available in a post 3.5.1 AD patch IIRC.
You had to add the XML elements manually to the driver parameters to enable
this.

Then it shipped by default in the driver preconfig around the 3.6.x era, but
quite invisibly: due to some screwup, it was marked as a group
subordinate that was always hidden, so you still had to edit the XML manually to
make it visible and turn it on.

That didn't get fixed until the early AD package days if my memory serves
me.

Which explains why this feature has historically been so easy to overlook.

--
Alex McHugh - Knowledge Partner - Stavanger, Norway
0 Likes
Knowledge Partner

Re: AD shim parameter "Enable DirSync Incremental Values": why is it disabled and hidden by default?


> So this is something I was always asking myself: why is the AD shim AD
> parameter "Enable DirSync Incremental Values" disabled and hidden by
> default?
> Documentation has:
>
> "Enable DirSync Incremental Values: The Publisher channel usually
> receives all
> the values of a multi-valued attribute. Enabling this option reports
> only the
> added or deleted values during the poll interval.* This requires 2003
> Forest
> functional mode or above*. This option is hidden by default. It can be
> modified
> by selecting the Edit XML option in the Driver configuration tab."


Many organizations upgrade domain controllers, but they are afraid to change
(increase) the domain/forest level.
For me this option works better (especially for big environments):
instead of receiving a huge *full* list of users with every add/remove-one-user
transaction, we get only the update doc.
This is exactly what we need to handle the change.
I use it in all my implementations (when the domain level allows it 🙂 )


--
al_b's Profile: https://forums.netiq.com/member.php?userid=209

0 Likes
Knowledge Partner

Re: AD shim parameter "Enable DirSync Incremental Values": why is it disabled and hidden by default?

al b <al_b@no-mx.forums.microfocus.com> wrote:
>
> Many organizations upgrade domain controllers, but they are afraid to change
> (increase) the domain/forest level.

It used to be an option you couldn't reverse (without doing a time
consuming restore from backup). They fixed that in I think 2012 where you
could rollback in a limited fashion.

Microsoft has also pushed a lot of things in recent times that require at
least a 2008R2 domain level. Exchange has been a big driver here.

The stragglers with outdated functional levels will have to catch up soon
enough.

--
Alex McHugh - Knowledge Partner - Stavanger, Norway
0 Likes
Knowledge Partner

Re: AD shim parameter "Enable DirSync Incremental Values": why is it disabled and hidden by default?


alexmchugh;272410 Wrote:
> al b <al_b@no-mx.forums.microfocus.com> wrote:
> >
> > Many organizations upgrade domain controllers, but they are afraid to
> > change (increase) the domain/forest level.
>
> It used to be an option you couldn't reverse (without doing a time
> consuming restore from backup). They fixed that in I think 2012 where
> you could rollback in a limited fashion.
>
> Microsoft has also pushed a lot of things in recent times that require
> at least a 2008R2 domain level. Exchange has been a big driver here.
>
> The stragglers with outdated functional levels will have to catch up
> soon enough.


Alex, you are completely right, but people are afraid to make non-reversible
changes in AD (especially when they are not really confident and afraid to
take responsibility).
They have many excuses, such as an "outdated" business-critical app that
could stop working. (Definitely nobody can explain what exactly could fail and
why.)
In our organization the domain/forest level was raised to 2003 in 2012, and the
domain/forest level to 2008 only in January 2016.


--
al_b's Profile: https://forums.netiq.com/member.php?userid=209

0 Likes