Introduction
This document describes the timeframes for Active Directory changes to sync to the cloud, update via the API, and appear in the Umbrella dashboard.
Sync Types and Timing
Active Directory (AD) changes sync to the cloud in two main types:
- Full sync: The connector performs a complete synchronization of the AD environment. This process takes a few minutes.
- Delta sync: The connector synchronizes only the changes made since the last sync. This process also takes a few minutes.
Forcing a Sync
- To trigger a delta sync, restart the connector service.
- To trigger a full sync, remove the LDIF folder and then restart the connector service.
- If multiple connectors exist in the environment, restart all connector services.
Previous Connector Sync Behavior
Previously, connector synchronization followed this sequence:
- The local AD environment replicates changes, the Connector collects those changes, and then sends them to the cloud. This step typically takes 5 to 15 minutes. In environments with only one Active Directory server (domain controller), a change usually takes up to 5 minutes to process and send to the cloud, depending on network latency, processing, and organization size.
- The cloud processes and imports the AD tree into the Dashboard and policies. For small AD trees, this takes less than 10 minutes. For large AD trees, this process takes 2 or more hours. For very large trees with tens of thousands of users, results begin appearing after around two hours, with gradual display of changes as processing continues over several hours.
If multiple AD servers exist, synchronization time can increase. AD servers must replicate changes between each other, and this typically occurs every 15 minutes by default. Plan for this additional time on top of the values listed above.
Additional Resources
For more information about Active Directory replication, refer to the document How Active Directory Replication Topology Works.