You can use the information provided here to work with
the Active Directory Change Detection Connector.
Each entry delivered by the Connector contains the
changeType attribute,
whose value is either "add" (for newly created objects), "modify"
(for modified objects) or "delete" (for deleted Active Directory objects).
Each entry also contains two attributes that represent the objectGUID
value:
- attribute objectGUID – contains a 16-byte byte array that
represents the 128-bit objectGUID of the corresponding Active Directory
object.
- attribute objectGUIDStr – contains the string representation
of the hexadecimal value of the 128-bit objectGUID. It is delivered
in the format {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}, where each x
represents a hexadecimal digit.
If you need to detect and handle moved or deleted objects,
you must use the
objectGUID value as the object identifier instead
of the LDAP distinguished name. The LDAP distinguished name changes
when an object is moved or deleted, while the
objectGUID attribute
always remains unchanged. Store the objects'
objectGUID attribute
in the replicated data source and search by this attribute to locate
objects.
Note: Deleted objects in Active Directory live for a configurable
period of time (60 days by default), after which they are completely
removed. To avoid missing deletions, perform incremental synchronizations
more frequently.
The ADCD Connector can be interrupted at any time during
the synchronization process. It saves the state of the synchronization
process in the User Property Store of IBM Security Directory Integrator (after
each Entry retrieval), and the next time the Active Directory Connector
is started, it resumes the synchronization from the
point at which the Active Directory Connector was interrupted.