Domain Priority (Handling Duplicate Users)

This article highlights a specific, rare case that Eko AD Sync can handle. Handling this case requires dedicated configuration, so if you foresee this situation, please get in touch with the Eko team to ensure that we set a proper configuration.

Domain Priority is a crucial feature within Eko AD Sync designed to manage and resolve conflicts that arise when a single user identity is sourced from multiple Active Directory (AD) domains or user databases within an organization.

1. The Duplication Problem Scenario

Organizations may utilize multiple internal directory systems or AD forests/domains to categorize employees. This creates a scenario where a duplicated user might exist across different sources.

For instance, based on feedback from some customers, they utilized two different databases:

  • "contacts" for non-management positions.

  • "users" for management positions.

If a non-management employee is promoted, they might not be deleted from the "contacts" source. Consequently, the same user exists in both databases, identifiable by the same username but possessing a different ad_domain and network_uid. This duplication issue requires a formal mechanism to decide which set of user data (which domain) is authoritative when synchronizing with the Eko Database (DB).

2. The Domain Priority Solution

Eko AD Sync uses domain priorities to merge duplicate users from different AD databases.

Domains are assigned numerical priority values, such as priority 1 (e.g., for "contact") or priority 0 (e.g., for "users").

3. Resolution Logic During Synchronization

When EkoADC sends user data (the payload) to Eko for an update, the system follows a defined logic to handle potential conflicts:

  1. Find Existing User: The system first attempts to find if the user exists in the Eko DB by matching the username.

  2. Compare Priorities: If the user exists, the process compares the domain priority of the incoming user data (the "temp user") against the priority of the user data already recorded in the Eko DB.

  3. Override/Update: If the domain priority of the temporary user is greater than or equal to (>=) the domain priority of the user currently in the DB, the system overrides the user in the DB with the data from the incoming payload. This is considered a successful update.

  4. Reject/Ignore Update: If the domain priority of the temporary user is less than (<) the domain priority of the user already in the DB, the system ignores the update. This mechanism protects higher-priority data from being overwritten by lower-priority sources.
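The four steps above, written out as an added Python example (not Eko's own code) so the effect of payload order and of equal priorities can be checked. The record class, function names and sample UIDs are hypothetical; creating a user that is not yet in the DB and rejecting a domain with no configured priority are assumptions, since the article does not describe either case.

```python
from dataclasses import dataclass

# Example priorities taken from the article's sample values; a higher number wins.
DOMAIN_PRIORITY = {"contact": 1, "users": 0}

@dataclass(frozen=True)
class UserRecord:
    username: str
    ad_domain: str
    network_uid: str

def apply_payload(db, temp_user, priorities=DOMAIN_PRIORITY):
    """Apply one incoming record to db (a dict keyed by username)."""
    # Assumption: a domain with no configured priority is an error, not a default.
    if temp_user.ad_domain not in priorities:
        raise ValueError(f"no priority configured for domain {temp_user.ad_domain!r}")
    existing = db.get(temp_user.username)        # step 1: match on username
    if existing is None:                         # assumption: unknown user is created
        db[temp_user.username] = temp_user
        return "created"
    incoming = priorities[temp_user.ad_domain]   # step 2: compare priorities
    current = priorities[existing.ad_domain]
    if incoming >= current:                      # step 3: override
        db[temp_user.username] = temp_user
        return "updated"
    return "ignored"                             # step 4: keep the DB record

def sync(payloads, priorities=DOMAIN_PRIORITY):
    """Run a batch through apply_payload and return (db, outcomes)."""
    db, outcomes = {}, []
    for user in payloads:
        outcomes.append(apply_payload(db, user, priorities))
    return db, outcomes

# Constructed sample data: one person present in both sources.
AS_CONTACT = UserRecord("jdoe", "contact", "uid-contact-001")
AS_USER = UserRecord("jdoe", "users", "uid-users-001")

if __name__ == "__main__":
    for order in ([AS_USER, AS_CONTACT], [AS_CONTACT, AS_USER]):
        db, outcomes = sync(order)
        print(outcomes, "->", db["jdoe"].ad_domain)
    # With equal priorities the >= rule makes the last payload win.
    db, _ = sync([AS_CONTACT, AS_USER], {"contact": 0, "users": 0})
    print("tie ->", db["jdoe"].ad_domain)
```

With distinct priorities the stored record is the same whichever source is processed first; when two domains share a priority, the result depends on processing order, so domains that can hold the same username should be given different values.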
