By default, all registered domains are automatically synchronized with Active Directory every 3 hours. You can also synchronize on demand.

Through the vSphere Web Client UI, you can perform a force sync for Active Directory domains. A periodic sync is automatically performed once a week, and a delta sync every 3 hours. It is not possible to selectively sync sub-trees through the UI.

With NSX 6.4 and later it is possible to selectively sync active directory sub trees using API calls. The root domain cannot have any parent-child relationships and must have a valid directory distinguished name.
  • /api/1.0/directory/updateDomain has an options to specify the folder under root domain. And there is an option to perform a force update private boolean forceUpdate .
  • /api/directory/verifyRootDN. Verify that the list of rootDN doesn't have any parent-child relationships. Verify each rootDN is a valid active directory distinguished name.

Procedure

  1. In the vSphere Web Client, navigate to Networking & Security > System > Users and Domains.
  2. Click the Domains tab, and then select the domain to be synchronized.
    Important: Any changes made in Active Directory will NOT be seen on NSX Manager until a delta or full sync has been performed.
  3. Select one of the following:
    Click To
    delta Perform a delta synchronization, where local AD objects that changed since the last synchronization event are updated
    full Perform a full synchronization, where the local state of all AD objects is updated