AD Sync
The AD Sync service for Services Manager synchronizes customer OUs in the hosted domain controller with user changes in the external domain controllers. The service enables users to connect to hosted services with the same credentials they use for their local domain. Additionally, Services Manager includes a server monitor that reports the connectivity status of domain controllers on which the AD Sync client is installed.
The AD Sync service requires no installation on the hosted environment and uses the CloudPortal Services Manager API to perform the synchronization. An AD Sync client installed on each external domain controller communicates with the API. This interface is a one-way connection that can be customized to synchronize specific Active Directory information.
API requests are encrypted using a combination of a public/private key and a symmetric key (RSA and AES) to securely transfer data and credentials. The data in the request is also hashed (SHA1) to prevent unauthorized changes.
The following diagram shows a typical installation scenario.
The AD Sync service is a customer-only service; by default, the service is unavailable for provisioning to users. Once provisioned to a customer, the customer's administrator has access to download and configure the AD Sync tool to their existing domain controller. To download the tool, the customer must be configured with the Allow passwords to Never Expire option set to Yes. If this option is set to No, errors are recorded in the customer's event log and no users appear in the control panel.
AD Sync server monitor
The AD Sync service monitors the connectivity status of external domain controllers on which the AD Sync client is installed and displays a list of all monitored servers on the AD Sync Server Monitor page in the control panel.
The AD Sync client sends requests to the Services Manager API at specified intervals that are recorded in a monitoring table. This table includes the server name, time of the last request made, and expected time interval between requests. When the difference between the current time and the time of the last request exceeds the expected interval, the Server Monitor page displays a red dot next to the affected server, indicating connectivity has been disrupted. When a request is received within the expected time interval, the Server Monitor page displays a green dot next to the server, indicating connectivity is uninterrupted.
Prerequisites for deployment
- If SSL is enabled for Services Manager, edit the CortexDotnetweb.config file to set the UserSyncAPISSL value to True.
- Ensure the password complexity of the external domain controllers matches or exceeds the password complexity of the domain controllers in the Services Manager deployment.
- Disable User Account Control (UAC) on each external domain controller that will run the AD Sync client.
- Obtain a list of the user groups to include in AD Sync operations.
- If applicable, obtain proxy server information.
- Open HTTP and HTTPS ports (80 and 443) bi-directionally between the server hosting the Services Manager API and each domain controller in the external domain.
- Open HTTP and HTTPS ports (80 and 443) bi-directionally between the server hosting the Services Manager API and the proxy server used in the external domain.
Service deployment overview
- Configure the AD Sync service using the control panel.
- If required, customize the AD Sync client installer, such as default settings and logo images, for your Services Manager deployment.
- Install and test the AD Sync client on external domain controllers. If necessary, add or modify the Active Directory attributes included in API requests by editing the request file on the external domain controller.
- Provision the service to customers so they can download the AD Sync client software.
For deployment instructions, see Deploy the AD Sync service.