Cell Design and Identities in AD Bridge

AD Bridge Cells let you manage overlapping Unix identities within a single Active Directory environment. Supported cell configurations use Directory Integrated mode only; Schemaless mode cells are deprecated and are described below for reference.

Storing Unix Identities

Each cell stores its Unix identity information separately from every other cell. A single user or group can therefore have a different name or a different numerical ID (UID or GID) in different environments, with every variant tied to the same AD identity.

The same separation lets multiple users or groups carry overlapping names or numerical IDs (UID or GID) in separate environments. Each additional cell adds overhead to routine account management and to troubleshooting end-user logon issues, because in both cases you must first determine which cell the operation applies to.

To keep this complexity manageable while retaining the flexibility of cells, we recommend using no more than four cells.

Named Cells

Named Cells store Unix identity information (uid, uidNumber, gidNumber, gecos, unixHomeDirectory, loginShell) in a subcontainer of the organizational unit (OU) that the cell is associated with.

Whether the user exists in the local domain or in a trusted domain, the Unix identity information lives in an object inside the cell. In other words, a Named Cell can reference users or groups from outside the current AD domain.

Default Cells

Default Cell mode refers to how an AD domain is set up. There is exactly one Default Cell, and it is enterprise-wide: every trusted AD domain reachable through the Global Catalog can take part in it. An individual domain only participates, however, once the Default Cell object has been created in the root of that domain.

In Default Cell mode, the Unix identity information is stored in the same OU as the user object it describes. This enforces a single Unix identity for a single AD user across the entire enterprise, so the Default Cell should be treated as the authoritative source of Unix identity information within an enterprise.

Directory Integrated Mode - Default Cell Configurations

In Directory Integrated mode, the Default Cell stores the Unix identity information directly on the user or group object, in the same way as the first name (givenName), address (streetAddress, l, st) and e-mail (mail) attributes.

Because the Directory Integrated Mode - Default Cell writes to the user or group object itself, existing Identity Management (IDM) products do not need to be modified to provision users for the Default Cell in Directory Integrated mode. It also lets non-AD Bridge systems that consume the RFC 2307 attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell, gecos) use the same identity information as AD Bridge.

In Directory Integrated mode, the Default Cell is the preferred configuration for all AD Bridge installations. Wherever the Unix identity information can be made non-overlapping across the enterprise, use the Directory Integrated Mode - Default Cell.

Directory Integrated Mode - Named Cell Configurations

In Directory Integrated mode, Named Cells create objects of class posixAccount and serviceConnectionPoint under the cell's OU, each linked back to the AD user or group object it describes.

Directory Integrated Mode - Named Cells are recommended wherever cells beyond the Default Cell are required.
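The decision between a single Default Cell and additional Named Cells hinges on whether any UID or GID values overlap. The following PowerShell is an added example, not part of the AD Bridge documentation or product: it collects the RFC 2307 attributes that the Default Cell keeps on user and group objects, collects the posixAccount objects that a Named Cell keeps under its OU, and reports numeric IDs that map to more than one object. It requires the RSAT ActiveDirectory module. The domain names and the OU distinguished name are placeholders; AD Bridge's own cell container names and link attributes are deliberately not assumed, only the posixAccount object class named above.

```powershell
# Added example: audit Unix IDs across Default Cell and Named Cell storage.
# Not AD Bridge code. Domain names and OU DNs below are placeholders.
Import-Module ActiveDirectory

# RFC 2307 attributes the Directory Integrated Default Cell stores on the AD object itself.
$Rfc2307 = 'uid', 'uidNumber', 'gidNumber', 'gecos', 'unixHomeDirectory', 'loginShell'

function Get-DefaultCellIdentities {
    # Default Cell, Directory Integrated: query the user and group objects directly, one domain at a time.
    param([Parameter(Mandatory)][string[]]$Domain)
    foreach ($d in $Domain) {
        Get-ADUser -Server $d -LDAPFilter '(uidNumber=*)' -Properties $Rfc2307 | ForEach-Object {
            [pscustomobject]@{ Source = $d; Kind = 'user'; Name = $_.SamAccountName
                               Uid = $_.uidNumber; Gid = $_.gidNumber; DN = $_.DistinguishedName }
        }
        Get-ADGroup -Server $d -LDAPFilter '(gidNumber=*)' -Properties gidNumber | ForEach-Object {
            [pscustomobject]@{ Source = $d; Kind = 'group'; Name = $_.SamAccountName
                               Uid = $null; Gid = $_.gidNumber; DN = $_.DistinguishedName }
        }
    }
}

function Get-NamedCellIdentities {
    # Named Cell, Directory Integrated: the identities are posixAccount objects under the cell's OU.
    # Only the object class is assumed; the container name and back-link attribute are not.
    param([Parameter(Mandatory)][string]$CellOU)
    Get-ADObject -SearchBase $CellOU -SearchScope Subtree -LDAPFilter '(objectClass=posixAccount)' `
        -Properties uid, uidNumber, gidNumber | ForEach-Object {
        [pscustomobject]@{ Source = $CellOU; Kind = 'posixAccount'; Name = ($_.uid -join ',')
                           Uid = $_.uidNumber; Gid = $_.gidNumber; DN = $_.DistinguishedName }
    }
}

function Find-OverlappingIds {
    # Any hit here means one enterprise-wide Default Cell cannot hold these identities
    # without renumbering; the colliding side needs a Named Cell of its own.
    param([Parameter(Mandatory)][object[]]$Identity)
    $Identity | Where-Object { $null -ne $_.Uid } | Group-Object -Property Uid |
        Where-Object { $_.Count -gt 1 } | ForEach-Object {
            [pscustomobject]@{ IdType = 'uidNumber'; Value = $_.Name; Objects = ($_.Group.DN -join '; ') }
        }
    $Identity | Where-Object { $_.Kind -ne 'user' -and $null -ne $_.Gid } | Group-Object -Property Gid |
        Where-Object { $_.Count -gt 1 } | ForEach-Object {
            [pscustomobject]@{ IdType = 'gidNumber'; Value = $_.Name; Objects = ($_.Group.DN -join '; ') }
        }
}

# Usage (placeholder domains and OU): gather both storage locations, then report collisions.
$ids = @(Get-DefaultCellIdentities -Domain 'corp.example.com', 'eng.example.com') +
       @(Get-NamedCellIdentities -CellOU 'OU=Legacy Unix,DC=corp,DC=example,DC=com')
Find-OverlappingIds -Identity $ids | Format-Table -AutoSize
```

Run it once per forest before committing to the Default Cell. An empty report means every UID and GID is unique across the domains and OUs queried and the Default Cell alone will do; a non-empty one tells you which objects force a Named Cell, and the Objects column shows whether the collision is within one domain (renumber it) or between a Default Cell object and a Named Cell object (the Named Cell override is doing its job).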

Schemaless Mode Cells

Schemaless mode is deprecated. The content below is for information only.

AD Bridge clients determine the cell and schema configuration at startup and re-check it periodically. Because of how Schemaless data is stored, migrating from a Schemaless Default Cell to a Directory Integrated Mode - Default Cell takes more work, more steps and more risk than any other cell migration.

For migration and long-term support purposes, Schemaless Mode Cells should only be created as Named Cells.

Directory Integrated mode is preferred for its performance benefits and because the RFC 2307 attributes it relies on have been part of the default Active Directory schema since Windows Server 2003 R2, so no schema extension or side storage is needed.