Product Documentation

AD Sync Services

Jun 05, 2015
CloudPortal Services Manager AD Sync Services synchronize customer OUs in the hosted domain controller with user changes in the external domain controllers. The service enables users to connect to hosted services with the same credentials they use for their local domain.

The AD Sync service requires no installation on the hosted environment and uses the CloudPortal Services Manager API to perform the synchronization. An AD Sync client installed on each external domain controller communicates with the API. This interface is a one-way connection that can be customized to synchronize specific Active Directory information.

API requests are encrypted using a combination of a public/private key and a symmetric key (RSA and AES) to securely transfer data and credentials. The data in the request is also hashed (SHA1) to prevent unauthorized changes.
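As an added illustration of the envelope pattern the paragraph describes (RSA wrapping a per-request AES key, AES encrypting the body, a hash over the payload that the receiver recomputes), the following PowerShell is example code written for this page; it is not the CloudPortal Services Manager API client and makes no claim about that product's wire format or field names. It assumes the client holds the API server's RSA public key (a freshly generated key pair stands in for it), uses SHA-256 where the page mentions SHA1, and uses the Windows CNG RSA provider so that OAEP with SHA-256 is available on both Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Example hybrid RSA + AES envelope with a payload hash (illustration for this page,
# not the product's code). Field names (WrappedKey, IV, Body) are this example's own.

function New-SyncEnvelope {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.RSA]$RecipientPublicKey,
        [Parameter(Mandatory)][string]$PayloadJson
    )
    $plain = [Text.Encoding]::UTF8.GetBytes($PayloadJson)

    # Hash of the plaintext travels inside the encrypted body. The page mentions SHA1;
    # this example uses SHA-256, the current recommendation for new designs.
    $digest = [System.Security.Cryptography.SHA256]::Create().ComputeHash($plain)

    # Fresh symmetric key and IV for every request.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()

    # Body = digest || plaintext, encrypted with AES-CBC/PKCS7 (the .NET defaults).
    $body = New-Object byte[] ($digest.Length + $plain.Length)
    [Array]::Copy($digest, 0, $body, 0, $digest.Length)
    [Array]::Copy($plain, 0, $body, $digest.Length, $plain.Length)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($body, 0, $body.Length)

    # The AES key is wrapped with the recipient's RSA public key (OAEP, SHA-256).
    $wrappedKey = $RecipientPublicKey.Encrypt($aes.Key,
        [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)

    [pscustomobject]@{
        WrappedKey = [Convert]::ToBase64String($wrappedKey)
        IV         = [Convert]::ToBase64String($aes.IV)
        Body       = [Convert]::ToBase64String($cipher)
    }
}

function Open-SyncEnvelope {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.RSA]$RecipientPrivateKey,
        [Parameter(Mandatory)]$Envelope
    )
    # Unwrap the AES key with the private key, then decrypt the body.
    $key = $RecipientPrivateKey.Decrypt([Convert]::FromBase64String($Envelope.WrappedKey),
        [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $key
    $aes.IV  = [Convert]::FromBase64String($Envelope.IV)
    $cipherBytes = [Convert]::FromBase64String($Envelope.Body)
    $body = $aes.CreateDecryptor().TransformFinalBlock($cipherBytes, 0, $cipherBytes.Length)

    # Split off the 32-byte digest, recompute it over the payload and compare.
    $digest = [byte[]]$body[0..31]
    $plain  = [byte[]]$body[32..($body.Length - 1)]
    $check  = [System.Security.Cryptography.SHA256]::Create().ComputeHash($plain)
    if ([Convert]::ToBase64String($digest) -ne [Convert]::ToBase64String($check)) {
        throw 'Payload hash mismatch: request rejected.'
    }
    [Text.Encoding]::UTF8.GetString($plain)
}

# Demo. The key pair stands in for the API server's key and the request is a
# constructed sample; both exist only for this example.
$serverRsa = New-Object System.Security.Cryptography.RSACng 2048
$request   = '{"action":"UpdateUser","sAMAccountName":"jdoe","attribute":"mail","value":"jdoe@example.com"}'
$envelope  = New-SyncEnvelope -RecipientPublicKey $serverRsa -PayloadJson $request
$envelope | Format-List
Open-SyncEnvelope -RecipientPrivateKey $serverRsa -Envelope $envelope   # prints the JSON back
```

Because the hash is computed before encryption and carried inside the AES-encrypted body, the receiver can only verify it after a successful unwrap and decrypt; a mismatch at that point means the body did not survive transit intact and the request should be discarded rather than applied.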

The following diagram shows a typical installation scenario.

[Figure: Installation scenario for AD Sync service]

Prerequisites

  • For each domain controller in the external domain:
    • If SSL is enabled for Services Manager, edit the CortexDotnetweb.config file to set the UserSyncAPISSL value to True.
    • Disable User Account Control (UAC) on each external domain controller that will run the AD Sync client.
    • Obtain a list of the user groups to include in AD Sync operations.
    • If applicable, obtain proxy server information.
  • Firewalls: Open HTTP and HTTPS ports (80 and 443) bi-directionally between the server where the Services Manager API is installed and each domain controller in the external domain.

    Alternative: Open HTTP and HTTPS ports (80 and 443) bi-directionally between the server where the Services Manager API is installed and the proxy server used in the external domain.
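The prerequisites above can be verified before the client is installed. The following read-only check is example code added for this page, not a CloudPortal Services Manager tool. It assumes `$ApiHost` is the server where the Services Manager API is installed and that `-WebConfigPath` points at the web.config named above (the path is a placeholder; the check only looks for the `UserSyncAPISSL` setting by name, since the file's exact layout is not given on this page). It tests the outbound half of the firewall rule from the domain controller; the return direction is confirmed from the API server in the same way.

```powershell
# Example prerequisite check for an external domain controller (added for this page;
# not the product's own tooling). Requires Test-NetConnection (Windows 8.1 / Server
# 2012 R2 or later).
function Test-AdSyncPrerequisites {
    param(
        [Parameter(Mandatory)][string]$ApiHost,
        [string]$WebConfigPath,        # optional; only checked where the file exists
        [switch]$SslEnabled            # set when SSL is enabled for Services Manager
    )
    $results = @()

    # 1. UAC must be disabled on a DC that will run the AD Sync client (EnableLUA = 0).
    $uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                            -Name EnableLUA -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = 'UAC disabled (EnableLUA = 0)'
        Passed = [bool]($uac -and $uac.EnableLUA -eq 0)
        Detail = "EnableLUA = $($uac.EnableLUA)"
    }

    # 2. HTTP and HTTPS reachability from this DC to the API server (outbound direction).
    foreach ($port in 80, 443) {
        $ok = Test-NetConnection -ComputerName $ApiHost -Port $port `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        $results += [pscustomobject]@{
            Check  = "TCP $port to $ApiHost"
            Passed = [bool]$ok
            Detail = ''
        }
    }

    # 3. With SSL enabled, UserSyncAPISSL must be True. The setting is located by name
    #    only (assumption: the value appears on the same line as the key).
    if ($SslEnabled -and $WebConfigPath -and (Test-Path $WebConfigPath)) {
        $line = Select-String -Path $WebConfigPath -Pattern 'UserSyncAPISSL' | Select-Object -First 1
        $results += [pscustomobject]@{
            Check  = 'UserSyncAPISSL = True in web.config'
            Passed = [bool]($line -and $line.Line -match 'True')
            Detail = if ($line) { $line.Line.Trim() } else { 'setting not found' }
        }
    }

    # 4. Record the WinHTTP proxy so the installer's proxy step can be filled in.
    $proxy = (netsh winhttp show proxy) -join ' '
    $results += [pscustomobject]@{
        Check  = 'WinHTTP proxy configuration (informational)'
        Passed = $true
        Detail = $proxy.Trim()
    }

    $results
}

# Usage (host name and path are placeholders constructed for this example):
Test-AdSyncPrerequisites -ApiHost 'csm-api.example.com' `
                         -WebConfigPath 'C:\Placeholder\Cortex\web.config' -SslEnabled |
    Format-Table -AutoSize
```

Run it in an elevated session on each domain controller that will host the client; a `False` in the `Passed` column identifies which prerequisite still needs attention before the installer is started.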

To configure AD Sync Services

  1. Enable the service (top level): From the main menu, choose Configuration > System Manager > Service Deployment, expand AD Sync, and click Save.
  2. Enable the service (location level): Under Service Filter, select Active Directory Location Services, choose a Location Filter if applicable, expand AD Sync, and click Save.
  3. Enable the service (top reseller level): From the main menu, choose Customers > Customer Hierarchy, expand Services, expand the Reseller, select the AD Sync check box, and then click Provision.
  4. Configure and provision the service to the customer: From the main menu, choose Customers > Customers, expand the customer, click Services, expand AD Sync, and click Provision.

To customize the AD Sync client installer

You can customize the following characteristics of the AD Sync client installer for a CloudPortal Services Manager site:

  • Product settings shown in the Windows Add or Remove Programs or Programs and Features panel. Settings include name, manufacturer, and links to help and support.
  • Product name used as the default installation folder, service name, and source name of errors in the Event Log.
  • Banner and dialog images (.bmp or .jpg) used in the installer. The default sizes of those images are:
    • Banner (493 x 58 pixels)
    • Dialog (493 x 312 pixels)

  1. Log on to the CloudPortal Web Server and navigate to the [INSTALLDIR]CortexDotNetServicesSync directory.
  2. Open sync.config in a text editor and customize the settings as needed. If you change a commented item, remove the comment markup.
  3. After completing the changes, direct your customers to download the AD Sync installer from the CloudPortal Services Manager web site.

To install the AD Sync client on external domain controllers

Install the AD Sync client on every domain controller in the external domain.

  1. Log on to an external domain controller and then log on to the Services Manager web console using the administrator credentials of the customer just provisioned.
  2. Download the AD Sync client installer:
    a. From the main menu, choose Services > AD Sync Download and then click Download.
    b. Click Save to save the AD Sync client installer to a drive location so you can copy it to the other external domain controllers.
  3. Install the client:
    a. Run the AD Sync Setup installer, enter the password, and then click Next.
    b. Select the Watch for changes to users check box, specify the User watch frequency, and then click Next.
       Important: Perform this step for only one AD Sync client to ensure that duplicate requests are not sent to the Services Manager API. The domain controller configured to “Watch for user changes” synchronizes user and password changes. The other domain controllers synchronize only password changes.
    c. Choose the Active Directory user groups to include in AD Sync operations and then click Next twice. When the AD Sync service detects a USN change, it performs the synchronization only if the user is in an included group. The last USN value is stored in [INSTALLDIR]QueueSyncActiveDirectory.config.
    d. If a proxy server is used in the external domain, enter the information for it. Using a proxy server ensures that domain controllers are not exposed to the internet.
    e. Click Next, choose a location to install the AD Sync client, click Next, and then click Install.
    f. Restart the domain controller. The AD Sync service starts.
    g. Copy the AD Sync client installer to all other external domain controllers and then repeat Steps 3a to 3g for each domain controller.
  4. Test the AD Sync client:
    a. After a domain controller restarts, log on to Services Manager and then click Users to view the user list. The synchronized users have a small green arrow next to the user icon.
    b. To test that the synchronization works for new accounts, create a new user account in the external domain, add it to a user group that is included in AD Sync operations, change an attribute on the account, and then verify that the account appears on the Users screen.
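The change-detection behaviour described in the installation steps (a USN high-water mark, synchronization only for members of the included groups, one watching client) can be seen in a small script. The following PowerShell is an added example written for this page, not the AD Sync client's own code. It assumes the ActiveDirectory module (RSAT) is available on the domain controller; the group names, the state-file path and the sample output fields are placeholders chosen for the example.

```powershell
# Example USN-based change detection (added for this page; not the product's code).
Import-Module ActiveDirectory

function Get-ChangedSyncUsers {
    param(
        [Parameter(Mandatory)][string[]]$IncludedGroups,   # sAMAccountNames of the included groups
        [string]$StatePath = "$env:ProgramData\AdSyncExample\lastusn.txt",   # placeholder
        [string]$Server = $env:COMPUTERNAME
    )
    # uSNChanged is maintained per domain controller and is not replicated, so the
    # stored high-water mark is only meaningful against the same server. This is also
    # why only one client should watch for user changes: each DC would otherwise
    # report the same change under its own USN and send a duplicate request.
    $lastUsn = 0L
    if (Test-Path $StatePath) {
        $lastUsn = [long]((Get-Content -Path $StatePath -Raw).Trim())
    }

    # Resolve the included groups to distinguished names once per poll.
    $groupDns = foreach ($g in $IncludedGroups) {
        (Get-ADGroup -Identity $g -Server $Server).DistinguishedName
    }

    # Every user object changed on this DC since the last poll.
    $changed = Get-ADUser -Server $Server -Filter "uSNChanged -gt $lastUsn" `
                          -Properties uSNChanged, memberOf, mail, displayName

    # Keep only users that are direct members of an included group.
    $toSync = foreach ($u in $changed) {
        if ($u.memberOf | Where-Object { $groupDns -contains $_ }) {
            [pscustomobject]@{
                sAMAccountName = $u.SamAccountName
                uSNChanged     = $u.uSNChanged
                DisplayName    = $u.DisplayName
                Mail           = $u.mail
            }
        }
    }

    # Advance the high-water mark to the largest USN seen, including users outside
    # the included groups, so they are not re-examined on every cycle.
    if ($changed) {
        $newUsn = ($changed | Measure-Object -Property uSNChanged -Maximum).Maximum
        New-Item -ItemType Directory -Path (Split-Path $StatePath) -Force | Out-Null
        Set-Content -Path $StatePath -Value $newUsn
    }
    $toSync
}

# Usage (group names are placeholders); run once per "User watch frequency" interval.
Get-ChangedSyncUsers -IncludedGroups 'HostedUsers', 'SyncedStaff' | Format-Table -AutoSize
```

Two points worth noting when reading the output: `memberOf` lists direct membership only, so a user included through a nested group is not returned by this filter, and the first run with no state file reports every member of the included groups, which is the same full pass the test step above relies on when checking for the green synchronization arrow.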

To synchronize additional Active Directory attributes

To change the Active Directory attributes included in API requests, edit the request format in [INSTALLDIR]Requests.