Dear 389-ds community,

I have a question about Windows sync agreements. Here’s the scenario:

Two Windows DCs and two 389-ds servers, as below.

Question 1: Can I set up a one-way winsync, i.e. from Windows to LDAP? I have tried it and it was hit or miss. I did this by not giving the “write” permissions to AD for “CN=Sync Manager”. Is this a valid way of syncing one way? I have error messages “Replica has no update vector. It has never been initialized”. I did a full resynchronization and it went well without errors. But I am not seeing any entry updates.

Question 2: If I have Windows sync on both 389-ds servers, each syncing to a different DC, does it cause any loops or issues? The problem I am facing is that I have different OUs in AD like ou=Marketing, ou=Finance, ou=Customers and only one “ou=People” in 389-ds.

I want only one-way sync: AD --> 389-ds

This is the topology I am trying to make work. Please share your comments.

|-------|                      |-------|
| DC-1  | <---replication----> | DC-2  |
|-------|                      |-------|
    |                              |
 winsync                        Winsync
    |                              |
|-------|                      |-------|
| 389-1 | <---replication----> | 389-2 |
|-------|                      |-------|

Thanks,
Prashanth