
AD Sync

Jun 05, 2015
Updated: 2014-11-19
Deploying the AD Sync service involves the following tasks:

If, after deployment, a customer performs changes that affect the AD Sync service, refer to Re-configure AD Sync for Customer Changes to perform the required reconfiguration.

For more information about requirements for deploying the AD Sync service, refer to Plan to deploy the AD Sync service.

To configure the AD Sync service

  1. Enable the service (top level):
    1. From the Services Manager menu bar, select Configuration > System Manager > Service Deployment.
    2. Expand AD Sync and then click Save.
  2. Enable the service (location level):
    1. Under Service Filter, select Active Directory Location Services and select a Location Filter, if applicable.
    2. Expand AD Sync and then click Save.
  3. Enable the service (top reseller level):
    1. From the Services Manager menu bar, select Customers > Customer Hierarchy.
    2. Under the top reseller node, expand Services and then expand Reseller. The Customer Services page appears.
    3. In the service list, select the AD Sync check box and then click Provision.
  4. Configure and provision the service to the customer:
    1. From the Services Manager menu bar, click Customers.
    2. Expand the selected customer and click Services.
    3. Expand AD Sync and then click Provision.

To customize the AD Sync client installer

You can customize the following characteristics of the AD Sync client installer for a Services Manager site:

  • Product settings shown in the Windows Add or Remove Programs or Programs and Features panel. Settings include name, manufacturer, and links to help and support.
  • Product name used as the default installation folder, service name, and source name of errors in the Event Log.
  • Banner and dialog images (.bmp or .jpg) used in the installer. The default sizes of those images are:
    • Banner (493 x 58 pixels)
    • Dialog (493 x 312 pixels)
  1. Log on to the Services Manager web server and navigate to the [INSTALLDIR]CortexDotNetServicesSync directory.
  2. Open sync.config in a text editor and customize the settings as needed. If you change a commented item, remove the comment markup.
  3. After completing the changes, direct your customers to download the AD Sync installer from the Services Manager web site.

To install the AD Sync client on external domain controllers

Install the AD Sync client on every domain controller in the external domain. For more information on preparing these domain controllers for AD Sync, see Plan to deploy the AD Sync service.
Important: Because of Active Directory encryption, the AD Sync client cannot decrypt users' existing passwords when it is installed. After the client is installed, users must change their passwords so the client can synchronize them with Services Manager.
  1. Log on to an external domain controller and then log on to the Services Manager control panel using the administrator credentials of the customer just provisioned.
  2. Download the AD Sync client installer:
    1. From the Services Manager menu bar, select Services > AD Sync > AD Sync Download and then click Download.
    2. Click Save to save the AD Sync client installer to a drive location so you can copy it to the other external domain controllers.
  3. Install the client:
    1. Run the AD Sync Setup installer, enter the requested password, and then click Next.
    2. Specify the User watch frequency, select the following settings, and then click Next:
      • Watch for changes to contacts
      • Watch for changes to groups
      • Watch for changes to users
      Important: Perform this step for only one AD Sync client to ensure that duplicate requests are not sent to the Services Manager API. The domain controller configured to watch for changes synchronizes user and password changes. The other domain controllers synchronize only password changes.
    3. Select the Active Directory user groups to include in AD Sync operations and then click Next twice. When the AD Sync service detects a USN change, it performs the synchronization only if the user is in an included group. The last USN value is stored in [INSTALLDIR]QueueSyncActiveDirectory.config.
    4. If a proxy server is used in the external domain, enter the information for it. Using a proxy server ensures that domain controllers are not exposed to the internet.
    5. Click Next, choose a location to install the AD Sync client, click Next, and then click Install.
    6. Restart the domain controller. The AD Sync service starts.
    7. Copy the AD Sync client installer to all other external domain controllers and then repeat Steps 3a - 3g for each domain controller.
  4. Test the AD Sync client:
    1. After a domain controller restarts, log on to Services Manager and then click Users to view the user list. The synchronized users have a small green arrow next to the user icon.
    2. To test that the synchronization works for new accounts, create a new user account in the external domain, add it to a user group that is included in AD Sync operations, change an attribute on the account, and then verify that the account appears on the Users screen.
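
The USN-based change detection with included groups, and the reason only one client is set to watch for user changes, shown as an added example (not AD Sync code and not part of the original documentation). The Python model below uses constructed users, group names, and USN values, and assumes the stored USN advances even when a changed user is outside the included groups.

```python
# Added illustration: a model of the behaviour described above, not AD Sync code.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Change:
    usn: int            # uSNChanged assigned by the local domain controller
    user: str
    groups: frozenset   # user's group membership when the change was made

@dataclass
class Watcher:
    included_groups: frozenset
    last_usn: int = 0                         # persisted high-water mark
    sent: list = field(default_factory=list)  # requests issued to the API

    def poll(self, changes):
        """Handle changes above the stored USN; return requests sent now."""
        batch = []
        for c in sorted(changes, key=lambda c: c.usn):
            if c.usn <= self.last_usn:
                continue                      # seen on an earlier poll
            if c.groups & self.included_groups:
                batch.append((c.user, c.usn))
            # Assumption: the mark advances even when the user is filtered out.
            self.last_usn = c.usn
        self.sent.extend(batch)
        return batch

INCLUDED = frozenset({"Hosted Users"})        # constructed group name
SAMPLE = [                                    # constructed sample changes
    Change(101, "alice", frozenset({"Hosted Users"})),
    Change(102, "bob", frozenset({"Local Only"})),
    Change(103, "carol", frozenset({"Hosted Users", "Finance"})),
]

def run_single_watcher():
    w = Watcher(INCLUDED)
    first = w.poll(SAMPLE)
    second = w.poll(SAMPLE)                   # nothing above the stored USN
    # bob joins an included group, then an attribute change bumps his USN
    bob = Change(104, "bob", frozenset({"Local Only", "Hosted Users"}))
    later = w.poll(SAMPLE + [bob])
    return first, second, later, w.last_usn

def duplicate_requests(num_watchers):
    """Extra requests for the same users when several DCs watch for changes."""
    watchers = [Watcher(INCLUDED) for _ in range(num_watchers)]
    users = [u for w in watchers for u, _ in w.poll(SAMPLE)]
    return len(users) - len(set(users))

if __name__ == "__main__":
    print(run_single_watcher())
    print(duplicate_requests(1), duplicate_requests(3))
```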

To synchronize additional Active Directory attributes

To change the Active Directory attributes included in API requests, edit the request format in [INSTALLDIR]Requests.