The AD Sync service for Services Manager synchronizes the customer OUs in the hosted domain controller with user changes made in the customer's own external domain controllers. This lets users sign in to hosted services with the same credentials they use for their local domain. Services Manager also includes a server monitor that reports the connectivity status of every domain controller on which the AD Sync client is installed.
The AD Sync service requires no additional installation in the hosted environment; it uses the CloudPortal Services Manager API to perform the synchronization. An AD Sync client installed on each external domain controller communicates with that API. The connection is one-way, from the external domain controller to the API, and can be customized to synchronize only specific Active Directory information.
API requests are protected with a hybrid scheme: a symmetric AES key encrypts the transferred data and credentials, and that key is itself protected with an RSA public/private key pair. The request data is also hashed with SHA-1 so that the receiving side can detect changes. Two caveats for a practitioner: SHA-1 is deprecated for collision resistance, and a plain (unkeyed) hash is not a message authentication code; it catches corruption or blind modification, but not a deliberate change by a party who can also replace the hash, unless the hash itself travels inside the encrypted payload.
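The following is an added example, written for this page and not code from Citrix or the AD Sync client, of the request-protection pattern described above: a fresh AES key per request, wrapped with the API's RSA public key, and a SHA-1 digest of the payload carried inside the encrypted body so the server can check it after decryption. The `Envelope` layout, the use of RSA-OAEP and AES-GCM, and the sample JSON body are assumptions for illustration; the real wire format is not documented on this page. Because GCM is an authenticated mode, its tag already rejects any modified ciphertext, which is what the tampering step at the end shows.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is an assumed wire format for one API request (not the
// Services Manager format): the per-request AES key wrapped with the
// API's RSA public key, the AES-GCM nonce, and the ciphertext. The
// plaintext inside is SHA-1(payload) || payload.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Seal plays the AD Sync client role: generate a fresh AES-256 key for
// this request, wrap it with RSA-OAEP, and encrypt the digest-prefixed
// payload with AES-GCM.
func Seal(apiPub *rsa.PublicKey, payload []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, apiPub, key, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	digest := sha1.Sum(payload)
	plain := append(digest[:], payload...)
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plain, nil),
	}, nil
}

// Open plays the API role: unwrap the AES key, decrypt, then recompute
// the SHA-1 digest and compare it with the one carried in the body.
func Open(apiPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, apiPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("authentication tag mismatch: envelope was modified")
	}
	if len(plain) < sha1.Size {
		return nil, errors.New("plaintext too short to carry a digest")
	}
	want, payload := plain[:sha1.Size], plain[sha1.Size:]
	got := sha1.Sum(payload)
	if !bytes.Equal(want, got[:]) {
		return nil, errors.New("payload digest mismatch")
	}
	return payload, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	apiKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed sample request body; real requests carry AD user data.
	req := []byte(`{"op":"upsert","sAMAccountName":"jdoe","ou":"OU=Contoso"}`)
	env, _ := Seal(&apiKey.PublicKey, req)
	out, err := Open(apiKey, env)
	fmt.Printf("server decrypted: %s (err=%v)\n", out, err)
	env.Ciphertext[len(env.Ciphertext)-1] ^= 0x01 // simulate on-path tampering
	_, err = Open(apiKey, env)
	fmt.Println("after tampering:", err)
}
```

The RSA key pair belongs to the API host and only its public half is distributed to clients, so a compromised domain controller cannot decrypt other customers' requests; the AES key never leaves the envelope in the clear.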
The following diagram shows a typical installation scenario.
The AD Sync service is a customer-only service; by default, it is unavailable for provisioning to users. Once provisioned to a customer, the customer's administrator can download the AD Sync tool and configure it on their existing domain controller. To download the tool, the customer must be configured with the Allow passwords to Never Expire option set to Yes. If this option is set to No, errors are recorded in the customer's event log and no users appear in the control panel.
The AD Sync service monitors the connectivity status of external domain controllers on which the AD Sync client is installed and displays a list of all monitored servers on the AD Sync Server Monitor page in the control panel.
The AD Sync client sends requests to the Services Manager API at specified intervals that are recorded in a monitoring table. This table includes the server name, time of the last request made, and expected time interval between requests. When the difference between the current time and the time of the last request exceeds the expected interval, the Server Monitor page displays a red dot next to the affected server, indicating connectivity has been disrupted. When a request is received within the expected time interval, the Server Monitor page displays a green dot next to the server, indicating connectivity is uninterrupted.
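As an added example (not code from Services Manager), here is the monitoring rule from the paragraph above applied to a constructed dump of the monitoring table: each row holds the server name, the time of its last request, and its expected interval, and a server turns red once the time since its last request exceeds that interval. The whitespace-separated dump format, the server names and the timestamps are all constructed for this example; the real table lives in the Services Manager database.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// MonitorRow is one entry of the monitoring table: which server made the
// last request, when, and how often requests are expected.
type MonitorRow struct {
	Server      string
	LastRequest time.Time
	Interval    time.Duration
}

// SampleTable is a constructed dump of the monitoring table (format
// assumed for this example): server, RFC 3339 last-request time,
// expected interval as a Go duration.
const SampleTable = `# server last_request expected_interval
dc01.contoso.local   2024-01-01T11:50:00Z 15m
dc02.contoso.local   2024-01-01T11:20:00Z 15m
dc03.fabrikam.local  2024-01-01T11:45:00Z 15m
`

// ParseMonitorTable turns the dump into rows, rejecting malformed lines
// and non-positive intervals, which would otherwise mark every server red.
func ParseMonitorTable(dump string) ([]MonitorRow, error) {
	var rows []MonitorRow
	sc := bufio.NewScanner(strings.NewReader(dump))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("bad row: %q", line)
		}
		last, err := time.Parse(time.RFC3339, f[1])
		if err != nil {
			return nil, fmt.Errorf("%s: %w", f[0], err)
		}
		iv, err := time.ParseDuration(f[2])
		if err != nil || iv <= 0 {
			return nil, fmt.Errorf("%s: invalid interval %q", f[0], f[2])
		}
		rows = append(rows, MonitorRow{Server: f[0], LastRequest: last, Interval: iv})
	}
	return rows, sc.Err()
}

// Status applies the page's rule: red when now - last exceeds the expected
// interval, green otherwise. The second value is how far overdue the
// server is (zero when green), useful for alert thresholds.
func Status(row MonitorRow, now time.Time) (string, time.Duration) {
	overdue := now.Sub(row.LastRequest) - row.Interval
	if overdue > 0 {
		return "red", overdue
	}
	return "green", 0
}

// Sweep evaluates every row at the given time and returns server -> status.
func Sweep(rows []MonitorRow, now time.Time) map[string]string {
	out := make(map[string]string, len(rows))
	for _, r := range rows {
		s, _ := Status(r, now)
		out[r.Server] = s
	}
	return out
}

func main() {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	rows, err := ParseMonitorTable(SampleTable)
	if err != nil {
		panic(err)
	}
	for _, r := range rows {
		s, overdue := Status(r, now)
		fmt.Printf("%-22s %-5s overdue=%v\n", r.Server, s, overdue)
	}
}
```

With `now` fixed at 12:00 UTC, dc01 (10 minutes since its last request) and dc03 (exactly 15 minutes, which does not exceed the interval) are green, while dc02 at 40 minutes is red and 25 minutes overdue. One operational caveat the page does not mention: the comparison uses the API host's clock against timestamps it recorded itself, so client clock skew does not affect the result, but a stopped or delayed monitoring write on the host side looks identical to a client outage.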
For deployment instructions, see Deploy the AD Sync service.