Best Practice
ForgeRock Identity Platform
Does not apply to Identity Cloud

Best practice for LiveSync in IDM (All versions) with Active Directory

Last updated Apr 8, 2021

The purpose of this article is to provide best practice advice on using LiveSync in IDM with Active Directory® when you are using the LDAP connector; this information does not apply to Azure® Active Directory. This article also discusses high availability in this scenario.

2 readers recommend this article

LiveSync with Active Directory

LiveSync captures the changes that occur in Active Directory and pushes them to IDM.

The LiveSync mechanism for Active Directory is based on the uSNChanged and highestCommittedUSN attributes. The LiveSync synchronization token is set to the uSNCHanged (USN) number for the last update that was processed and subsequent LiveSync attempts query the Active Directory instance for changes since then.


The USN numbers are unique per Domain Controller (DC) and therefore the LDAP connector must point to a single DC (no load balancer in between). Failover to an alternate DC may cause LiveSync to break as the USN numbers are not replicated across DCs, meaning the USN numbers will be inconsistent.

You do not need to make any changes to the provisioner configuration file (for example, provisioner.openicf-ldap.json) to specify the attributes used by LiveSync if you are using Active Directory.


You should consider configuring the LiveSync retry policy to determine how many times a failed modification should be reattempted and what should happen in the event that the modification is unsuccessful after the specified number of attempts. This is discussed in: Synchronization Guide › Configure the LiveSync Retry Policy. If no retry policy is configured, IDM reattempts the change an infinite number of times, until the change is successful.

High availability

Since you can only point to one DC, using LiveSync is not an option if you require high availability. As an alternative, you can use the timestamp mechanism instead for synchronizing changes and point to a Global Catalog (GC). Timestamps are maintained per entry for create and modify operations; however, delete operations cannot be detected via timestamps. If delete synchronization is a high priority, you should continue to use LiveSync.

There are two constraints you should be aware of if you use a GC:

  • GC only contains a partial attribute set. This means not all attributes are replicated from the DC to GC, although this is configurable.
  • Groups and their members are only properly handled if the groups are universal.

To use the timestamp mechanism, you should add the following property to your provisioner configuration file (for example, provisioner.openicf-ldap.json, located in the /path/to/idm/conf directory):

"useTimestampsForSync" : "true",

See Also

Best practice for liveSync in IDM (All versions) with multiple DS instances

Synchronization Guide › Types of Synchronization

Connectors Guide › Using the Generic LDAP Connector With Active Directory

Connectors Guide › The ForgeRock Identity Connector Framework (ICF)

Samples Guide › Connect to a MySQL Database With ScriptedSQL

Related Training


Related Issue Tracker IDs


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.