Active Directory objects can be used to create security groups based on user identity, and identity-based firewall rules.
You can register an entire AD (Active Directory) domain to be used by IDFW (Identity Firewall), or you can synchronize a subset of a large domain. Once a domain is registered, NSX synchronizes all AD data required by IDFW. Selective sync is used for large active directory domains.
Selective sync allows you to selectively choose organizational units so that you do not have to sync the entire domain. Only the selected organization units which are created and changed since the last delta sync will be updated during a selective sync. Groups that are moved out of the selected organization units are not updated during a selective sync. Configuration maximums still apply selective sync. Deleted groups are removed in a full sync, when all groups are updated. To specify organization units for synchronization, see Configuring Active Directory and Event Log Scraping.
If you use the API to manually end a full sync after it is has begun, the sync stats will not be updated correctly.
Scale limits for Active Directory and IDFW can be found on the VMware Configuration Maximums page.
Procedure
- With admin privileges, log in to NSX Manager.
- Navigate to .
- Click the three button menu () next to the Active Directory that you want to synchronize, and select one of the following:
Option Description Sync All Full sync of all data is performed from the Active Directory, regardless of the state of sync on NSX. Sync Delta Perform a delta synchronization, where local AD objects that have changed since the last synchronization are updated. A full sync of all data is not performed. Deleted groups are removed during Sync All, when all groups are updated.
- Click Save.
- Click View Sync Status to see the current state of the Active Directory, the previous synchronization state, the synchronization status, and the last synchronization time.