title: Delta & Incremental Sync category: Synchronization tags: sync, delta, incremental, change-detection, performance priority: Normal

Delta & Incremental Sync

IdentityCenter supports both full synchronization and delta (incremental) synchronization. Understanding the difference and when to use each mode is critical for maintaining up-to-date identity data without overloading your domain controllers or database.

Full Sync vs. Delta Sync

How Full Sync Works

A full synchronization run follows these steps, orchestrated by the SyncProjectOrchestrator:

1. Query Step -- The DirectoryQueryService executes the LDAP filter against the configured scope, using paged search with retry logic to retrieve all matching objects
2. Transform Step -- Attribute mappings are applied to convert raw LDAP data into IdentityCenter's format
3. Lookup Step -- The ProcessLookupStepAsync method resolves DN references (such as manager) to IdentityCenter Object GUIDs
4. Upsert Step -- The FastBulkUpsertObjectsAsync method uses a HashSet for deduplication and SQL MERGE for high-performance bulk inserts/updates
5. Membership Step -- Group membership relationships are processed and stored
6. Cleanup Step -- Objects that exist in the database but were not returned by the query are evaluated for deletion or deactivation

Performance: FastBulkUpsertObjectsAsync

The bulk upsert method is optimized for full sync scenarios:

• Uses a HashSet to detect and skip duplicate objects within the same batch
• Builds SQL MERGE statements that insert new objects or update existing ones in a single database round-trip
• Skips objects whose attribute values have not changed (hash comparison), even during a full sync
• Processes objects in configurable batch sizes to balance memory usage and throughput

How Delta Sync Works

Delta synchronization only processes objects that have been modified since the last successful sync run. This dramatically reduces the amount of work at every layer.

Change Detection Methods

IdentityCenter uses these mechanisms to identify changed objects:

whenChanged Approach

The sync engine records the timestamp of the last successful sync run. On the next delta sync, it adds a filter condition to only return objects where whenChanged is greater than the last sync time:

(&(objectClass=user)(objectCategory=person)(whenChanged>=20260220120000.0Z))

This approach is simple and effective, but has a caveat: whenChanged reflects the last modification on the DC that was queried. If changes were made on a different DC and have not yet replicated, they may be missed until the next sync.

USN Tracking Approach

Each domain controller maintains a local Update Sequence Number (USN) that increments with every write operation. IdentityCenter can track the highestCommittedUSN from each sync run and query for objects with a uSNChanged value greater than the stored USN.

This is more precise than whenChanged because it is scoped to the specific DC being queried and does not depend on replication timing.

Delta Sync Steps

A delta sync follows the same step pipeline as a full sync, but with a narrower input set:

1. Query Step -- Only changed objects are returned (filtered by timestamp or USN)
2. Transform Step -- Same as full sync, but fewer objects to process
3. Lookup Step -- Only resolves references for changed objects
4. Upsert Step -- Only inserts/updates the changed rows
5. Membership Step -- Only processes membership changes for affected groups
6. Cleanup Step -- Typically skipped during delta sync (no deletions detected without a full scan)

Important: Delta sync does not detect deleted objects. If an object is deleted from Active Directory, it will not appear in the delta query results. Use periodic full syncs for reconciliation and cleanup.

When to Use Each Mode

Use Full Sync For

• Initial synchronization -- The first time you sync a connection
• After schema changes -- When you add or modify attribute mappings
• Periodic reconciliation -- Weekly or monthly to catch any drift or missed changes
• After restoring from backup -- To ensure the database matches the current directory state
• Troubleshooting -- When you suspect objects are out of sync

Use Delta Sync For

• Routine scheduled syncs -- Daily or more frequent syncs to keep data current
• Large environments -- Where a full sync would take too long to run frequently
• Low-impact monitoring -- Keeping data fresh without heavy DC or database load

Recommended Sync Schedule

The ideal schedule depends on your environment size and how quickly changes need to be reflected:

Tip: Schedule full syncs during off-hours (e.g., weekends or overnight) to minimize impact on domain controllers and the database server.

Configuring Sync Mode

To configure the sync mode for a project:

1. Navigate to Synchronization > Sync Projects
2. Open the sync project
3. In the project settings, select the Sync Mode:
   • Full -- Always runs a full sync
   • Delta -- Runs delta sync using change detection
   • Auto -- Runs delta by default, with periodic full sync at a configured interval
4. Configure the Last Sync Marker behavior (timestamp or USN)
5. Save the project

Auto Mode

Auto mode is the recommended setting for most environments. It runs delta syncs on the regular schedule and automatically triggers a full sync at a configured interval (e.g., every 7 days). This gives you the performance benefit of delta sync with the reliability of periodic reconciliation.

Performance Benchmarks

These benchmarks are representative of typical environments running on recommended hardware:

Actual performance depends on network latency, DC responsiveness, SQL Server performance, and the number of mapped attributes.

The Sync Pipeline

The SyncProjectOrchestrator routes each step by its StepType. Understanding the pipeline helps when troubleshooting or optimizing:

  ┌──────────┐   ┌───────────┐   ┌──────────┐   ┌──────────┐
  │  Query   │──►│ Transform │──►│  Lookup  │──►│  Upsert  │
  │ (LDAP)   │   │ (Mappings)│   │(Managers)│   │ (MERGE)  │
  └──────────┘   └───────────┘   └──────────┘   └──────────┘
                                                       │
                                                       ▼
                                              ┌────────────────┐
                                              │  Membership    │
                                              │(Groups/Members)│
                                              └────────┬───────┘
                                                       │
                                                       ▼
                                              ┌────────────────┐
                                              │    Cleanup     │
                                              │(Detect Removed)│
                                              └────────────────┘

Each step type can be individually enabled, disabled, or configured per sync project.

Monitoring Sync Performance

Track sync performance over time to detect degradation:

1. Sync Run History -- Review duration trends for each project
2. Items Processed / Succeeded / Failed -- Check the JobExecutionHistory for each run
3. Processing Center -- Monitor active and queued sync jobs
4. Database Growth -- Monitor the IdentityCenter database size and index fragmentation

If delta sync durations are increasing over time, it may indicate growing change volume or database performance issues (index fragmentation, statistics out of date).

Next Steps

• Creating a Sync Project -- Set up your first sync project
• Custom Attribute Mapping -- Control which attributes are synced
• Scheduling Sync -- Configure automated sync schedules
• Sync Troubleshooting -- Diagnose and fix sync issues
• Manager Resolution -- How the Lookup step resolves manager references