By default, all registered domains are automatically synchronized with Active Directory every 3 hours. You can also synchronize on demand.

About this task

Through the vSphere Web Client UI, you can perform a force sync for Active Directory domains. A periodic sync is automatically performed once a week, and a delta sync every 3 hours. It is not possible to selectively sync sub-trees through the UI.

With NSX 6.4 and later, it is possible to selectively sync Active Directory sub-trees using API calls. The root domain cannot have any parent-child relationships and must have a valid directory distinguished name.

  • /api/1.0/directory/updateDomain has an option to specify the folder under the root domain, and an option to perform a force update (private boolean forceUpdate).

  • /api/directory/verifyRootDN. Verify that the list of rootDN doesn't have any parent-child relationships. Verify that each rootDN is a valid Active Directory distinguished name.
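
A local pre-check for the two conditions listed for verifyRootDN, written as an added example (it is not NSX code and not the API's implementation). It assumes root DNs are built only from CN, OU and DC components and end in a DC component; `split_dn`, `check_root_dns` and the sample DNs are constructed for illustration.

```python
import re

# Assumption of this sketch: sub-tree roots use CN/OU/DC components only.
_RDN = re.compile(r"^(CN|OU|DC)=(.+)$", re.IGNORECASE)

def split_dn(dn):
    """Split a DN into normalized (type, value) RDNs, honouring escaped commas."""
    parts = re.findall(r"(?:\\.|[^,\\])+", dn)   # "\," stays inside its value
    if not parts or ",".join(parts) != dn:       # empty component or stray "\"
        raise ValueError(f"malformed DN {dn!r}")
    rdns = []
    for part in parts:
        m = _RDN.match(part.strip())
        if not m:
            raise ValueError(f"bad component {part!r} in {dn!r}")
        # Compare case-insensitively: type upper-cased, value lower-cased.
        rdns.append((m.group(1).upper(), m.group(2).strip().lower()))
    if rdns[-1][0] != "DC":  # assumption: an AD DN ends in domain components
        raise ValueError(f"{dn!r} does not end in a DC component")
    return rdns

def check_root_dns(root_dns):
    """Return (kind, dn, other) problems; an empty list means the set passes."""
    problems, parsed = [], []
    for dn in root_dns:
        try:
            parsed.append((dn, split_dn(dn)))
        except ValueError:
            problems.append(("invalid", dn, None))
    for parent_dn, parent in parsed:
        for child_dn, child in parsed:
            # A child DN is the parent's RDN list with extra RDNs in front.
            if len(parent) < len(child) and child[-len(parent):] == parent:
                problems.append(("parent-child", parent_dn, child_dn))
    return problems

# Constructed sample input, not taken from any real directory.
SAMPLE = [
    "OU=Sales,DC=corp,DC=example,DC=com",
    "OU=EMEA,OU=Sales,DC=corp,DC=example,DC=com",   # child of the first entry
    "ou=Engineering,dc=corp,dc=example,dc=com",
    "OU=Sales\\, East,DC=corp,DC=example,DC=com",   # escaped comma, not a child
    "Sales,DC=corp",                                # first component has no type
]

if __name__ == "__main__":
    for problem in check_root_dns(SAMPLE):
        print(problem)
```

Splitting on every comma would misread the escaped-comma entry as two components; the suffix comparison on parsed RDNs also avoids false matches between names that merely share a string prefix.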


  1. In the vSphere Web Client, navigate to Networking & Security > System > Users and Domains.
  2. Click the Domains tab, and then select the domain to be synchronized.

    Any changes made in Active Directory will NOT be seen on NSX Manager until a delta or full sync has been performed.

  3. Select one of the following:

     • Perform a delta synchronization, where local AD objects that changed since the last synchronization event are updated.

     • Perform a full synchronization, where the local state of all AD objects is updated.