Dealing with limited member range (the 1500 user limit)
Active Directory will deliver the groups and users of a configured OU as a tree. Users are placed there directly, while group members are listed within the group. However, both types need to be synchronized with DigaSystem.
AD has a limited member range of 1500 users when it comes to group members; Microsoft strongly recommends NOT changing this limit.
Beyond that limit, ADSync has to use Active Directory's range retrieval method to get the additional users, which means retrieving the information block by block.
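The block-by-block retrieval described above, as an added example that is not ADSync code: Active Directory names each returned block like `member;range=0-1499` and marks the final block with `*`. The `read_attrs` callback, the fake directory and the sample DNs are constructed stand-ins for a base-scope LDAP search against a domain controller.

```python
import re

# Attribute name a domain controller returns for a ranged value block,
# e.g. "member;range=0-1499" or, for the final block, "member;range=3000-*".
RANGE_ATTR = re.compile(r"^member;range=(\d+)-(\d+|\*)$", re.IGNORECASE)

def fetch_all_members(read_attrs, group_dn):
    """Return every member DN of group_dn, following range blocks to the end.

    read_attrs(dn, attr) is a hypothetical callback standing in for a
    base-scope LDAP search; it returns {returned_attr_name: [values]}.
    """
    members, start = [], 0
    while True:
        result = read_attrs(group_dn, f"member;range={start}-*")
        block = next(((RANGE_ATTR.match(k), v) for k, v in result.items()
                      if RANGE_ATTR.match(k)), None)
        if block is None:
            # No ranged attribute came back (for example an empty group).
            return members + list(result.get("member", []))
        match, values = block
        if int(match.group(1)) != start:
            # The list changed under us; the caller should retry the read.
            raise RuntimeError(f"asked for offset {start}, got {match.group(0)}")
        members.extend(values)
        if match.group(2) == "*":  # "*" marks the final block
            return members
        start = int(match.group(2)) + 1

def make_fake_directory(all_members, limit=1500):
    """Constructed stand-in for a domain controller with a 1500-value limit."""
    def read_attrs(dn, attr):
        start = int(RANGE_ATTR.match(attr).group(1))
        chunk = all_members[start:start + limit]
        if not chunk:
            return {}
        last = start + len(chunk) - 1
        end = "*" if last == len(all_members) - 1 else str(last)
        return {f"member;range={start}-{end}": chunk}
    return read_attrs

if __name__ == "__main__":
    dns = [f"CN=user{i:04d},OU=Staff,DC=example,DC=test" for i in range(3200)]
    read = make_fake_directory(dns)
    first_block = next(iter(read("CN=Editors", "member;range=0-*").values()))
    print(len(first_block), "members seen without range retrieval")
    print(len(fetch_all_members(read, "CN=Editors")), "members with it")
```

A reader that stops after the first block sees only 1500 of the 3200 constructed members, which is the situation in which a synchronization would treat the remaining users as not existing.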
Dealing with group-members outside the considered Organizational Unit
As described before, the LDAP path in the ADSync configuration represents the synchronization root. A group may have users from outside the root as members; they are nevertheless considered real group members. Therefore, they will be recognized as users synchronized with DigaSystem, although the AD users are not directly located in the root path. Consider carefully how to deal with group members outside your installation environment. To avoid problems, read the following notes:
- Deleting the membership means deleting the user in DigaSystem
When users are inside the scope of ADSync (inside the synchronization root), they are members of a group, hence taken into account by ADSync.
When the membership of these users in the group is deleted, ADSync will no longer recognize these users. They are treated as deleted and will get the status "deleted" in DigaSystem.
Adding the membership again will bring them back into the scope of ADSync and will re-add the users to DigaSystem. This will create parallel users with changed names if the users have not been deleted in DigaSystem before.
- Dealing with limited member range is not supported for users outside the synchronization root
When users are outside the scope of ADSync (outside the synchronization root), they are not members of a group, hence not taken into account by ADSync.
Because of the limited member range, the group will not show all of its members when the number of members exceeds the limit (normally 1500). In this case, actively taking into account more than the limit is not supported in the current version of ADSync. This means that, in this case, the users above the limit will not be considered as existing by ADSync.
It might also happen that users who have already been taken into account are deleted, because other added users change which specific users Active Directory shows inside the limit.
Dealing with heavy load in Active Directory
If users or groups are changed or deleted while ADSync is reading the Active Directory, ADSync might get inconsistent lists from Active Directory. This can occur, e.g., when a user is deleted who was reported as a member of a valid group, so that an error is thrown when this user's detailed properties are checked. In this case, ADSync retries several times to get the information from AD. If this does not succeed, ADSync skips the sync loops without doing anything on the DigaSystem side. ADSync will repeat this procedure on every sync cycle until the problem has been resolved on the AD side. You will find corresponding warnings in the DPE log.