Question

I'm writing an application to manage AD permissions groups. However, some fields which are needed like "Primary Owner", "Secondary Owner", "Date Reviewed" and historical logs are not in AD. I'm planning on having a separate SQL Server database to hold this data and using the Group's System ID to join the data.

My question is: Can I have the SQL Server database be synchronized with what is in AD upon changes in AD? Perhaps some listening tool exists? Can LDAP be used to solve this?

A problem which can arise if the database is updated nightly is if a new group is created in AD, primary and secondary owners need to be assigned to it, but the SID of the new group will not be immediately in the SQL Server Database.


Solution

I'm not familiar with SQL Server, so I cannot tell whether it has some special capability to synchronize with AD.

What I know is that there are a few different solutions if you want to track changes in AD using LDAP. You can find an overview of the available techniques in this MSDN article.

I've recently open-sourced ADSync4J, a small Java library that can help you implement the third technique mentioned in that article (Polling for Changes Using USNChanged). However, it won't be of much help if your target platform is not the JVM.
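A minimal sketch of that USNChanged polling loop, added here as an example (it is not ADSync4J or any code from the answer): the LDAP search is replaced by a constructed poll result and sqlite3 stands in for SQL Server. It leaves the owner and review columns that exist only in the database untouched, treats a changed invocationId as a sign that the stored USN high-water mark belongs to a different DC, and lists the newly created groups that still need owners.

```python
import sqlite3

# Constructed stand-in for one poll against a single DC. A real poll reads
# highestCommittedUSN and invocationId from RootDSE first, then searches
# (&(objectClass=group)(uSNChanged>=<last_usn+1>)) with the deleted-objects
# control so tombstones (isDeleted=TRUE) come back as well. Values are made up.
SAMPLE_POLL = {
    "invocationId": "00000000-0000-0000-0000-00000000dc01",
    "highestCommittedUSN": 10550,
    "entries": [
        {"objectSid": "S-1-5-21-1-2-3-1105", "name": "FS-Share-RW", "uSNChanged": 10520, "isDeleted": False},
        {"objectSid": "S-1-5-21-1-2-3-1106", "name": "FS-Share-RO", "uSNChanged": 10548, "isDeleted": False},
        {"objectSid": "S-1-5-21-1-2-3-1001", "name": "OldGroup", "uSNChanged": 10549, "isDeleted": True},
    ],
}

SCHEMA = """
CREATE TABLE groups (sid TEXT PRIMARY KEY, name TEXT NOT NULL, active INTEGER NOT NULL,
                     primary_owner TEXT, secondary_owner TEXT, date_reviewed TEXT);
CREATE TABLE sync_state (invocation_id TEXT PRIMARY KEY, last_usn INTEGER NOT NULL);
"""

def open_db():
    conn = sqlite3.connect(":memory:")  # sqlite3 stands in for SQL Server
    conn.executescript(SCHEMA)
    return conn

def apply_poll(conn, poll):
    """Upsert every group the poll returned and advance the USN high-water mark."""
    row = conn.execute("SELECT invocation_id, last_usn FROM sync_state").fetchone()
    if row and row[0] != poll["invocationId"]:
        # USNs are per-DC: a different (or restored) DC invalidates the stored mark
        raise RuntimeError("DC invocationId changed; full resync required")
    last_usn = row[1] if row else 0
    for e in poll["entries"]:
        if e["uSNChanged"] <= last_usn:
            continue  # already applied; the search filter normally excludes these
        active = 0 if e["isDeleted"] else 1
        # Owner/review columns are never written here, so data held only in SQL survives
        conn.execute("INSERT OR IGNORE INTO groups (sid, name, active) VALUES (?, ?, ?)",
                     (e["objectSid"], e["name"], active))
        conn.execute("UPDATE groups SET name=?, active=? WHERE sid=?",
                     (e["name"], active, e["objectSid"]))
    # Store the highestCommittedUSN read before the search, not the largest uSNChanged
    # seen, so objects committed while the search ran are picked up next time.
    conn.execute("INSERT OR REPLACE INTO sync_state VALUES (?, ?)",
                 (poll["invocationId"], poll["highestCommittedUSN"]))
    conn.commit()
    return poll["highestCommittedUSN"]

def groups_without_owner(conn):
    """The gap from the question: groups present in AD that have no owner assigned yet."""
    return [r[0] for r in conn.execute(
        "SELECT sid FROM groups WHERE active=1 AND primary_owner IS NULL ORDER BY sid")]
```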

OTHER TIPS

We use a console application written in C# which is run as a batch to read the AD information and insert it into a SQL table. This could be done in almost any language with LDAP bindings, but depending on the size of your AD catalog it could be performance prohibitive.

There does seem to be a way to query directly with SQL (although with some caveats, namely maximum result set size and no support for multi-value parameters). Many articles exist on this from a quick Google search, such as: https://www.mssqltips.com/sqlservertip/2580/querying-active-directory-data-from-sql-server/

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow