MachPanel ADSync

MachPanel ADSync module is the directory synchronization tool that consolidates one Active Directory with another. It performs one-way synchronization and keeps your cloud user accounts updated.

Summary

This article provides you information regarding the configuration of ADSync.

Applies To

1. Applies to ADSync 4.2 and 4.3.
2. ADSync latest version is 4.3.
3. Latest MachPanel Build v6.3.12 supports latest ADSync v4.3.

Pre-Requisite

You need following information:

• You have to Enable ADSync from MachPanel before configuring your ADSync at the local Active Directory.

1. Navigate to the following path: Home » Service Director » Active Directory » Active Directory Organizations
2. Click on Enable ADsync link as shown in the snapshot below:

• Service Username and Service Password i.e. Login Name and Password to Access the Control Panel customer account who is owner of Hosted Organization which needs to be synced with Client-AD. This can either be a Customer Account or a Contact of Customer in control panel.

• MachPanel Service URL should be accessible from Client-AD.

Reboot Required

Yes, it is required to Reboot ALL Client Domain Controllers (Primary and Additional) at least once where ADSync tool is installed.

Description

ADSync is a utility consisting of multiple components used to synchronize local active directory objects with Hosted/Cloud Active Directory objects. ADSync utility v4.2 will sync Multiple OU's in a client\local AD with Hosted OU.

Types of object(s) which are currently synchronized.

• User Accounts
• Groups

The data fields which are being synchronized through this utility for User Accounts are:

1. Address
2. BusinessPhone
3. City
4. Company
5. Country
6. Department
7. Description
8. DirectManager
9. DisplayName
10. Fax
11. Email
12. FirstName
13. HomePhone
14. Initials
15. JobTitle
16. LastName
17. MobilePhone
18. Notes
19. OfficeLocation
20. Pager
21. proxyAddresses ‘[EUM addresses Only]’
22. sAMAccountName
23. State
24. UserPrincipalName
25. wWWHomePage
26. ZipCode

The data fields which are being synchronized through this utility for Groups are:

1. Name
2. Display Name
3. Type
4. Members

MachSol ADSync utility is a one way synchronization tool, that enables the synchronization of AD users from local/on-premises to the hosted/cloud AD and vice versa is not currently possible. Editing through MachPanel is disabled for a mailbox enabled for ADSync.

The reason to disable the AD user editing in MachPanel for those organizations which are selected to be synchronized with on-premises ADs is that the information updated on MachPanel shall not be available on client’s on-premises AD. And also as ADSyncSvc periodically updates data from local to hosted AD, the changes done through MachPanel will be voided with the synchronization process.

Configuring AD Sync

• When installation finishes on Primary Domain Controller, ADSync Configuration Studio appears, fill form according to instructions below and save settings.

Terminology used:
Terms used to reference ADs are as under:  Please note the difference between Two AD’s:

• Local-AD / Client-AD / On-Premises:  This is the AD where you have installed MachPanel ADSync Utility. Once ADSync is enabled you can access this local AD and modify user properties on this AD. These changes will automatically replicate/sync with the Provider’s AD (hosted AD).
• Provider AD / Hosted AD / Cloud AD:  This is the AD that is managed directly by MachPanel Control Server via MachPanel Remote Servers.

Fields of the above screen are described below:

1. Web Service Url:  This is the URL to Control Panel Web Service (provided by host). This can be a Web or IP based address. Check "Tooltip" next to input field for example.
2. Admin Login:  Local-AD administrator account with permissions to perform local operations.
3. Admin Password: Password for local-ad admin user provided in above field.
4. Domain NetBios name: Local-AD domain NetBios name input field.
5. Sync Interval: You can specify Sync interval or use Sync Now option.
6. Enable Logging: Enable/Disable logging. Simple check/uncheck input to whether to enable logging or not.
7. Log Folder:  This is Log Path. Select log folder to create log files in there if logging is required. The log folder path of ADSync logs should not be of PDC desktop, and the provided log path should also be present on all ADC.
8. Service User Name: Login Name to access the customer account in MachPanel in format: user@domain.com.  This is owner of Hosted Organization which needs to be synced with Client-AD. This can either be a Customer Account or a Contact of Customer. (In ADSync we need Customer credentials not Reseller/Provider credentials to fetch list of OU’s. List of all OU’s related to Customer are fetched.)
9. Service Password:  Password for user login provided in service user name.
10. Hosted Organization: Once above service credentials are provided then hosted organizations enabled for ADSync are listed in the selection input box, select one of the organizations to synchronize its contents.  Only the organization(s) owned by single customer (whose credentials are provided) are shown.
11. Local OU LDAP: Input field to set Local-AD/On-Premises organization LDAP, or use “select local organization” option to list all local organizations and select one of the organizations. This field is editable so you can even specify the ROOT so that ALL USERS under this AD get listed all at once. You can specify the ROOT if users are under different OUs and you want to list all of them in a single go. In case of large ADs it is recommended to use specific OUs only to keep this quick as it will take long time to load all users in case of large ADs.
12. Sync Security Groups: In order to Sync security Groups from MachPanel for ADSync Enabled organization check option Sync Security Groups.
    
13. Enable Auto Mapping: Enable/Disable Auto Mapping of all Existing users.  This option enables the customer that all the existing users will be auto mapped to selected hosted organization on the basis of UPN and DisplayName respectively.
14. Auto Create New User: Allows you to enable / disable auto creation of Local-AD user on the Hosted AD.  This option enables the customer that any new user created in local OU for this profile will be automatically created on hosted.
15. Add Profile: Adds a profile to the below profiles listing and is saved in configuration file on pressing the Save button on the configuration screen.
16. User custom filter: Define a filter for Users.
17. Group custom filter: Define a custom filter for security groups.

Click Save to save all settings.

Add Custom Filters

In "Custom Filter" for user and groups we need to specify sync group and sync user in the group and users description (Any attribute can be used). Below are examples to use Custom Filter for Users and Group which uses "sync user" and "sync group" description. In below snapshot UserA, UserB, UserC, GroupA and GroupB, GroupC are created in Active Directory.

Example 1:
In this example we have specified "sync user" and "sync group" description in custom filter and as a result UserA, UserB and GroupA and GroupB (which have description set accordingly) will get synced. See below snapshots:

Filter settings
Users custom filter: (description=sync user)
Groups custom filter: (description=sync group)

 

Example 2:
When we specify below custom filter settings in sync group and sync user description that we need not to sync (any number of attributes can be used) for e.g.

1. Specify something in company for users that I don’t want to sync
2. Specify something in display name for groups that I don’t want to sync

only UserA and GroupA will get synced as shown below:

Filter settings
Users custom filter: (&(description=sync user)(!(company=*)))
Groups custom filter: (&(description=sync group)(!(displayName=*)))

Configure Mappings

Right click on the selected user and select Configure Mapping to map the users. See the snapshot below:

Select Users to Sync
Enable ADSync for the Hosted Organization in MachPanel. Choose Users from interface below to enable ADSync for users in the parent container i.e: OU selected in profile.

1. Click Options > User Mappings to choose mapping between Hosted and Local User, click check-box to enable sync for selected users.
2. For users which exist in Local domain but have no counterparts on the hosted AD, you can "Enable Sync" and then auto create them in Hosted platform by choosing "--Create New--".

Important Note:

1. ADSync needs to be installed on Primary and all Additional Domain Controllers.
2. After installation on all Additional Domain Controllers, configure basic information in ADSync Tool on Primary ADSync Server, then copy SyncConfigurations.xml from installation folder on Primary Domain Controller to each Additional Domain Controller. Registry on both types of servers will tell you correct location for configuration file. For old clients the path will be C:\Windows\System32 folder, and for new clients the path to place this file will be C:\Program Files\ADSync. You can confirm/fix the Registry for correct location of SyncConfigurations.xml.
3. Make sure “Password must meet Complexity Requirements” is Enabled in Local domain policy. Describe any symptoms for a particular problem.
4. To start ADSync to function you need to force all users to change password on On-Premises (Local/Client) AD, please do expire all user passwords and restart all domain controllers.

Summary On: How does the utility update the information & how it should be operated?

Below is a step by step process how shall this utility be operated.

1. Save Basic configurations in utility on Primary DC.
2. Copy SyncConfigurations.xml file from PDC installation folder to all ADC(s) to appropriate folder. Registry on both types of servers will tell you correct location for configuration file. For old clients the path will be C:\Windows\System32 folder, and for new clients the path to place this file will be C:\Program Files\ADSync. You can confirm/fix the Registry for correct location of SyncConfigurations.xml.
3. Provide On-Premises to Hosted user mapping using the ADSync config studio.
4. After providing the mapping, modify the On-Premises Active Directory user account information (Including password). ADSIEdit is not supported, other than that, all other mechanisms (OWA, or Exchange, Locked screen of desktop etc.) are supported. Change in password via any medium (except ADSIEdit.msc) is captured. Only thing to note is that all the Domain Controllers should have the ADSync module installed on them (one primary and others as secondary) so that the password change actioned by any of the domain controllers gets captured.
5. To force the sync process to start immediately, Press Click to Sync Now from ADSync Configuration tool, or simply restart the ADSyncSvc using Services.MSC (Windows Services Manager) on PDC.
6. This shall update the information to the control server.
7. From there, control server uses its Provisioning Service to update the data on associated backend Hosted active directory server. You can also force the control server to process records instantly by restarting provisioning service on control panel server.
8. You can set Time in "Sync Interval" to start sync or Click to Sync now to force an immediate sync.

This should update the On-Premises active directory user information to the Hosted active directory user.

In case of any issues, you should Enable Logging from configuration studio of ADSync Tool and review that for any problems. Similar logs need to be review on MachPanel Control Server to see if there is any issue in processing of ADSync related data. You can also send the log files generated from inside the selected folder to us for review.

User Mappings Example

Let’s assume Hosted AD having the following user.

1. User.one@livead.com
2. User.two@livead.com
3. User.xzy@livead.com Display Name:Gorge John

And local AD having the following Users.

1. User.abc@localad.com Display Name: Gorge  John
2. User.One@localad.com
3. User.new@Localad.com 
4. User.lmn@Localad.com

#3 from LiveAD will be matched with #1 on LocalAD based on Display Name.
#1 from Live AD will be matched with #2 of LocalAD based on UPN.

Recommended Scenario:

It is recommended that for SSO (Same Sign On) the UPN should be fully matched in both LocalAD and LiveAD.

References

• ADSync – Installation Guide:  http://kb.machsol.com/Knowledgebase/Article/50350

Download
ADSync is a separate module and costs may apply. Kindly contact sales for further information.

Troubleshooting Notes:

Detailed troubleshooting notes are available here:
http://kb.machsol.com/Knowledgebase/Article/53477

1.    Ensure logging is enabled in ADSync Client Configuration Screen. In case of any issues, you should Enable Logging from configuration studio of ADSync Tool and review that for any problems. Similar logs need to be review on MachPanel Control Server to see if there is any issue in processing of ADSync related data. You can also send the log files generated from inside the selected folder to us for review.
2.    Check to confirm if “ADSyncPolicy, ADSync.ClientHelper, ADSync.PolicyLogger” dll files exist in “$windir\System32” folder.
3.    Ensure the client enabled “Password Must meet complexity requirements”  in user account policy after completing configuration of ADSync and restarted and ADs.
4.    Ensure that there exist an entry for “ADSyncPolicy” in [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages]
5.    Ensure that ADSync utility is installed on Primary Domain Controller and all Additional Domain Controllers.
6.    See if "Password Intercept Log" is being generated/updated for each password update on C:\ drive on any/all of the ADs if client is using “ADSiEdit.msc” to change the password.
7.    See if "Password Intercept Log" is being generated/updated for each password update on C:\ drive on any/all of the ADs if client using “DSA.msc” to change the password.
8.    See if ADSync is working fine for all the attributes other than password.
9.    Ensure that user provided in ADSync Config Studio for “Local Admin” field has sufficient permissions in local AD (Should be Member of: Administrators, Domain Admins, Domain Users, Enterprise Admins, Organization Management. Check reference below).
10.   Ensure the Operating user of ADSync Utility (User logged in with while configuring ADSync) has read/write permissions on installation directory and the directory specified for logging.
11.   Ensure LDAP URL is correct.
12.   The "Admin User" specified in ADsync should be member of following. See snapshot below (Schema Admin is optional):



Security and Password Policy:

Please note that password policy shall remain consistent between source (client) AD and Hosted (Cloud) AD, meaning that both ADs should have similar password policies. Best to have Complex Password Policy. Also there is no need to select the ‘reversible password’ option in source (client) AD for syncing password.

Password for a user account is secured by modern encryption schemes and is stored in a secured place.

To make communication even more secure, one must apply/enable SSL certificate for MachPanel Control Panel website and use the ADSync Web Service address as https:// (like https://cp.providerdomain.com/webservices/Adsyncsvc.asmx)

Running a test case:

Create an AD user in local/client/On-Premises AD under one of the configured Sync Profile.

1. Open ADSync Configuration Studio and provide mapping for this newly created user (you can use ‘Create New’ option) or if you have enabled ‘Auto Create New user’ option for the selected Sync Profile then leave this step.
2. Restart ADSync-Svc on local/client/On-Premises AD machine
3. Now get to hosted MachPanel Control server
4. Open the database and check ‘Hb_tblTempData’ table, whether it has a pending entry in it or not ?
5. If there are pending records in ‘Hb_TblTempData’ then restart Provisioning-Svc on Control server
6. Check in MachPanel whether the user is created on hosted or not. You can use following navigation path. Home > Service Director > Active Directory > Users
7. Also you can check the Audit logs in the MachPanel interface for sync process. (for filtering select ‘ADSync’ in event groups and press search button)