---
title: Synchronize with Active Directory and other directory servers
description: PingDataSync supports full synchronization for newly created or modified accounts with native password changes between directory server, relational databases, and Microsoft Active Directory (AD) systems.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdatasync_server_administration_guide:pd_sync_ad_systems
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdatasync_server_administration_guide/pd_sync_ad_systems.html
section_ids:
  considerations: Considerations
  known-limitations-and-workarounds: Known limitations and workarounds
  configuration-information: Configuration information
  from-pingdirectory-to-ad: From PingDirectory to AD
  from-ad-to-pingdirectory: From AD to PingDirectory
---

# Synchronize with Active Directory and other directory servers

PingDataSync supports full synchronization for newly created or modified accounts with native password changes between directory servers, relational databases, and Microsoft Active Directory (AD) systems. AD is a directory service for Windows domain networks, included in most Windows Server operating systems.

## Considerations

There are three key considerations when synchronizing between AD and PingDirectory:

* The `realtime-sync` tool

  The `realtime-sync` tool uses the AD DirSync control to detect changes to entries. AD only accepts a DirSync search whose base is the root of a naming context (the top of the directory information tree (DIT)), so you must point your AD Sync Source at the top of the AD tree for `realtime-sync` to work. The account the Sync Source binds as also needs the Replicating Directory Changes permission on that naming context, which the DirSync control requires; refer to [Active Directory sync user account](pd_sync_active_dir_sync_user_acct.html).

* Distinguished name (DN) mapping

  The AD Sync Source must be pointed at the top of the DIT, but not every branch under the top of the tree can be synchronized cleanly.

  For example, `cn=Users` is a container object (objectClass `container`) rather than an organizational unit (OU), so it doesn't map cleanly onto a standard OU in PingDirectory. Likewise, `cn=Builtin` is a top-level container that holds AD's built-in groups, which have no purpose in PingDirectory and don't need to be synchronized.

  To avoid synchronizing entries that are native to AD and apply only there, point your Sync Classes at specific OUs, such as an OU that holds only the user accounts you manage, rather than at the whole tree.

* Schema and attribute mapping

  The schema between AD and PingDirectory is not a 1:1 relationship, which means that not all attributes can be directly synchronized.

  The following attributes are among those that can be directly synchronized:

  * `cn`

  * `sn`

  * `mail`

  Other attributes, such as the AD attribute `sAMAccountName`, aren't defined in the PingDirectory schema by default. If you don't add schema for such an attribute, map it to a similar existing PingDirectory attribute, such as `uid`. Create an attribute mapping for each attribute that you want to synchronize between AD and PingDirectory; attributes without a mapping or matching schema are not synchronized.

## Known limitations and workarounds

* Tracking group membership changes in AD

  In AD, a user entry's `memberOf` attribute is a back-link that AD computes from the `member` attribute of the group entries; it is not written on the user entry itself. When group membership changes, AD records the change only on the group entry's `member` attribute. Therefore, if PingDataSync monitors only `memberOf` on user entries for group membership changes in AD, it won't detect them.

  You can try the following workarounds:

  * Run the [`resync` command](pd_sync_resync_tool.html) periodically against the group entries, so that each group's `member` attribute is read directly from AD instead of waiting for a change on the user entry.

  * Manually sync the groups between AD and PingDirectory.

    Note: This requires the ability to map DNs between AD and PingDirectory based on the available information, which is often limited. An AD user DN is built from `cn`, whereas a PingDirectory user DN is typically built from `uid`, so the member DN alone is usually not enough to locate the target entry without first looking up the AD user.

* Syncing passwords from LDAP servers to AD

  You can sync passwords from PingDirectory to AD, but syncing passwords directly from other Lightweight Directory Access Protocol (LDAP) servers to AD isn't supported. Sync those passwords to PingDirectory first, and then sync them from PingDirectory to AD.
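The following added example, which is not part of this page or of PingDataSync, shows the two pieces the considerations above leave to you: a direct attribute map that sends `sAMAccountName` to `uid`, and the group-side membership workaround that reads each AD group's `member` attribute (never the user's `memberOf`), maps member DNs into PingDirectory DNs, skips `cn=Builtin` and `cn=Users`, and emits an LDIF modify record you could apply manually. All entries, the branch list, the DN patterns, and the helper names are constructed assumptions for illustration only.

```python
"""Added example: group-side membership sync from AD to PingDirectory.

All entries are constructed sample data standing in for LDAP search results;
helper names, DN patterns and the branch list are illustrative assumptions,
not PingDataSync's own API or configuration.
"""

PD_SUFFIX = "dc=example,dc=com"

# Only these AD branches are synchronized (assumed). cn=Users and cn=Builtin
# are deliberately absent, so AD-native entries under them are never mapped.
SYNCED_AD_BRANCHES = ("ou=staff,dc=example,dc=com", "ou=groups,dc=example,dc=com")

# Direct attribute mappings. sAMAccountName has no PingDirectory schema by
# default, so it is mapped onto the existing uid attribute.
ATTRIBUTE_MAP = {"sAMAccountName": "uid", "cn": "cn", "sn": "sn", "mail": "mail"}

# Constructed AD user entries keyed by DN.
AD_USERS = {
    "CN=Jane Doe,OU=Staff,DC=example,DC=com": {"sAMAccountName": "jdoe", "cn": "Jane Doe", "sn": "Doe", "mail": "jdoe@example.com"},
    "CN=Sam Roe,OU=Staff,DC=example,DC=com": {"sAMAccountName": "sroe", "cn": "Sam Roe", "sn": "Roe", "mail": "sroe@example.com"},
    "CN=krbtgt,CN=Users,DC=example,DC=com": {"sAMAccountName": "krbtgt", "cn": "krbtgt"},
}

# Constructed AD group entries. A membership change in AD touches only the
# group's member attribute, so this is the side to read, not users' memberOf.
AD_GROUPS = {
    "CN=Engineering,OU=Groups,DC=example,DC=com": {"member": [
        "CN=Jane Doe,OU=Staff,DC=example,DC=com",
        "CN=Sam Roe,OU=Staff,DC=example,DC=com",
        "CN=krbtgt,CN=Users,DC=example,DC=com",
    ]},
    "CN=Administrators,CN=Builtin,DC=example,DC=com": {"member": [
        "CN=Jane Doe,OU=Staff,DC=example,DC=com",
    ]},
}

# Constructed current state of the corresponding PingDirectory group.
PD_GROUPS = {
    "cn=Engineering,ou=Groups,dc=example,dc=com": {"member": [
        "uid=jdoe,ou=People,dc=example,dc=com",
        "uid=olduser,ou=People,dc=example,dc=com",
    ]},
}


def in_synced_branch(dn):
    """Case-insensitive suffix match on the string DN. Real DNs with escaped
    commas or stray whitespace should be normalized with an LDAP library."""
    lowered = dn.lower()
    return any(lowered.endswith("," + branch) for branch in SYNCED_AD_BRANCHES)


def map_attributes(ad_entry):
    """Apply the direct attribute mappings; unmapped AD attributes are dropped."""
    return {ATTRIBUTE_MAP[a]: v for a, v in ad_entry.items() if a in ATTRIBUTE_MAP}


def map_user_dn(ad_dn):
    """AD user DN -> PingDirectory user DN, or None outside the synced branches.
    The AD RDN is cn but the target RDN is uid, so the AD entry must be looked up."""
    entry = AD_USERS.get(ad_dn)
    if entry is None or not in_synced_branch(ad_dn):
        return None
    return f"uid={map_attributes(entry)['uid']},ou=People,{PD_SUFFIX}"


def map_group_dn(ad_dn):
    """AD group DN -> PingDirectory group DN, or None for unsynced branches."""
    if not in_synced_branch(ad_dn):
        return None
    name = ad_dn.split(",", 1)[0].split("=", 1)[1]  # naive first-RDN value
    return f"cn={name},ou=Groups,{PD_SUFFIX}"


def membership_delta(ad_groups, pd_groups):
    """Per PingDirectory group: members to add, to remove, and AD members
    that could not be mapped and need manual review."""
    delta = {}
    for ad_dn, ad_group in ad_groups.items():
        pd_dn = map_group_dn(ad_dn)
        if pd_dn is None:
            continue  # cn=Builtin groups and the like are skipped
        wanted, unmapped = set(), []
        for member in ad_group.get("member", []):
            mapped = map_user_dn(member)
            if mapped is None:
                unmapped.append(member)
            else:
                wanted.add(mapped)
        current = set(pd_groups.get(pd_dn, {}).get("member", []))
        delta[pd_dn] = {"add": sorted(wanted - current),
                        "remove": sorted(current - wanted),
                        "unmapped": unmapped}
    return delta


def to_ldif(pd_dn, change):
    """Render one group's delta as an LDIF modify record for ldapmodify."""
    lines = [f"dn: {pd_dn}", "changetype: modify"]
    if change["add"]:
        lines += ["add: member"] + [f"member: {m}" for m in change["add"]] + ["-"]
    if change["remove"]:
        lines += ["delete: member"] + [f"member: {m}" for m in change["remove"]] + ["-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for group_dn, change in membership_delta(AD_GROUPS, PD_GROUPS).items():
        print(to_ldif(group_dn, change))
        for dn in change["unmapped"]:
            print(f"# could not map {dn}; review manually")
```

Running the script prints one LDIF record that adds `uid=sroe` and removes `uid=olduser` from the PingDirectory `cn=Engineering` group, reports the `cn=Users` member it could not map, and silently ignores the `cn=Builtin` group. The unmapped list is the practical face of the limitation the note above describes: whenever the member DN cannot be resolved to an AD entry inside a synchronized branch, there is no information to build the PingDirectory DN from, and the membership has to be handled by hand.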

## Configuration information

For configuration information and procedures for synchronizing PingDirectory or other LDAP servers, as sources or targets, with Microsoft AD systems, refer to the following:

* [Overview of configuration tasks](pd_sync_overview_config_tasks.html)

### From PingDirectory to AD

* [Active Directory sync user account](pd_sync_active_dir_sync_user_acct.html)

* [Preparing external servers](pd_sync_prepare_external_servers.html)

* [Configuring password encryption](pd_sync_config_password_encryption.html)

* [Password Sync Agent](pd_sync_password_sync_agent.html)

### From AD to PingDirectory

* [Configuring one way synchronization from Active Directory to PingDirectory](pd_sync_configure_sync_pipe_ad.html)

* [Mapping AD password policy state attributes to PingDirectory using `dsconfig`](pd_sync_mapping_ad_pwd_policy_dsconfig.html)

* [Configuring sync pipes and sync classes](pd_sync_config_sync_pipes_classes.html)
