MachPanel ADSync

MachPanel ADSync module is the directory synchronization tool that consolidates one Active Directory with another. It performs one-way synchronization and keeps your cloud user accounts updated.

Summary

This article provides you information regarding the configuration of ADSync.

Applies To

1. Applies to ADSync v4.2 - v6.
2. ADSync latest version is 6.0.
3. Latest MachPanel Build v7.2.35 supports latest ADSync v6

Pre-Requisite

You need following information:

• You have to Enable ADSync from MachPanel before configuring your ADSync at the local Active Directory.

1. Navigate to the following path: Home » Service Director » Active Directory » Active Directory Organizations
2. Click on Enable ADsync link as shown in the snapshot below:

• Service Username and Service Password i.e. Login Name and Password to Access the Control Panel customer account who is owner of Hosted Organization which needs to be synced with Client-AD. This can either be a Customer Account or a Contact of Customer in control panel.

• MachPanel Service URL should be accessible from Client-AD.

Reboot Required

Description

• User Accounts
• Groups

The data fields which are being synchronized through this utility for User Accounts are:

1. Description
   
2. Display Name
   
3. First Name
   
4. Last Name
   
5. Email
   
6. Initials
   
7. Middle Name
   
8. UserPrincipalName(UPN)
   
9. Direct Manager
   
10. Home Phone
    
11. Mobile Phone
    
12. Business Phone
    
13.  Pager
    
14. Home Page
    
15. Fax
    
16. Address
    
17. City
    
18. Country
    
19. State
    
20. Zip Code
    
21. Company
    
22. Job Title
    
23. Department
    
24. Office Location
    
25. Password
    
26. Notes
    
27. Proxy Addresses [
    
    • SIP Address
      
    • EUM Address
      
    • SMTP Address ]
      
28. AD User Enabled
    
29. Thumbnail Image
    
30. Logon Hours
31. Use email to generate UPN  {'Use Email to Generate UPN' is not attribute rather a configuration setting to to set user's UPN on hosted side using 'Email' attribute at the time of creation.} 

The data fields which are being synchronized through this utility for Groups are:

1. Name
2. Display Name
3. Type
4. Members

MachSol ADSync utility is a one way synchronization tool, that enables the synchronization of AD users from local/on-premises to the hosted/cloud AD and vice versa is not currently possible. Editing through MachPanel is disabled for a mailbox enabled for ADSync.

The reason to disable the AD user editing in MachPanel for those organizations which are selected to be synchronized with on-premises ADs is that the information updated on MachPanel shall not be available on client’s on-premises AD. And also as ADSyncSvc periodically updates data from local to hosted AD, the changes done through MachPanel will be voided with the synchronization process.

Configuring AD Sync

• When installation finishes on Primary Domain Controller, ADSync Configuration Studio appears, fill form according to instructions below and save settings.
• From the Home page you can click settings

Terminology used:
Terms used to reference ADs are as under:  Please note the difference between Two AD’s:

• Local-AD / Client-AD / On-Premises:  This is the AD where you have installed MachPanel ADSync Utility. Once ADSync is enabled you can access this local AD and modify user properties on this AD. These changes will automatically replicate/sync with the Provider’s AD (hosted AD).
• Provider AD / Hosted AD / Cloud AD:  This is the AD that is managed directly by MachPanel Control Server via MachPanel Remote Servers.

Settings:

Settings will show General & Advanced Setting of ADSync:

General Settings:

Fields of the above screen are described below:

1. Control Panel Url:  This is the URL to Control Panel Web Service (provided by host). This can be a Web or IP based address. Check "Tooltip" next to input field for example.
2. Domain NetBios name: Local-AD domain NetBios name input field.
3. Service Account:  Local-AD administrator account with permissions to perform local operations.
4. Password: Password for local-ad admin user provided in above field.

Advanced Settings:

1. Sync Data Attribute: Sync Data Attribute’ is used to capture the updating password info and store its hash in this attribute. Previously this was fixed to ‘division’ attribute of Active Directory User, but now can be customized to any valid writable Active Directory User attribute. Note that this attribute is used to temporarily store (encrypted hash) password before syncing it to hosted user and as soon as user password/info is synced in next sync cycle it is cleared from the active directory attribute.
   
2. Sync Data every: You can specify Sync interval or use Sync Now option.
3. Logging Enabled: Enable/Disable logging. Simple check/uncheck input to whether to enable logging or not.
4. Logs Folder: This is Log Path. Select log folder to create log files in there if logging is required. The log folder path of ADSync logs should not be of PDC desktop, and the provided log path should also be present on all ADC.
5. Purge Logs after: Select number of days after which logs are cleared from the ADSync folder.
   

Then under Profiles you can click 'Add Profile' to add a new profile.

Profiles:

Add Profile will display following fields:

Local Organization

• Organization: Input field to set Local-AD/On-Premises organization LDAP, or use Icon on the right to list all local organizations and select one of the organizations. This field is editable so you can even specify the ROOT so that ALL USERS under this AD get listed all at once. You can specify the ROOT if users are under different OUs and you want to list all of them in a single go. In case of large ADs it is recommended to use specific OUs only to keep this quick as it will take long time to load all users in case of large ADs.
  
• User custom filter: Define a filter for Users.
• Sync Security Groups: In order to Sync security Groups from MachPanel for ADSync Enabled organization check option Sync Security Groups.
• Group custom filter: Define a custom filter for security groups.
• Auto Create New User: Allows you to enable / disable auto creation of Local-AD user on the Hosted AD.  This option enables the customer that any new user created in local OU for this profile will be automatically created on hosted.
• Enable Auto Mapping: Enable/Disable Auto Mapping of all Existing users.  This option enables the customer that all the existing users will be auto mapped to selected hosted organization on the basis of UPN and DisplayName respectively.

Hosted Organization

• User Name: Login Name to access the customer account in MachPanel in format: user@domain.com.  This is owner of Hosted Organization which needs to be synced with Client-AD. This can either be a Customer Account or a Contact of Customer. (In ADSync we need Customer credentials not Reseller/Provider credentials to fetch list of OU’s. List of all OU’s related to Customer are fetched.)
• Password: Password for user login provided in service user name.
• Target OU: Once above service credentials are provided then hosted organizations enabled for ADSync are listed in the selection input box, select one of the organizations to synchronize its contents.  Only the organization(s) owned by single customer (whose credentials are provided) are shown.

Add: Adds a profile to the below profiles listing and is saved in configuration file on pressing the Save button on the configuration screen.

​

​

Click Save to save all settings.

Add Custom Filters

In "Custom Filter" for user and groups we need to specify sync group and sync user in the group and users description (Any attribute can be used). Below are examples to use Custom Filter for Users and Group which uses "sync user" and "sync group" description. In below snapshot UserA, UserB, UserC, GroupA and GroupB, GroupC are created in Active Directory.

Example 1:
In this example we have specified "sync user" and "sync group" description in custom filter and as a result UserA, UserB and GroupA and GroupB (which have description set accordingly) will get synced. See below snapshots:

Filter settings
Users custom filter: (description=sync user)
Groups custom filter: (description=sync group)

Example 2:
When we specify below custom filter settings in sync group and sync user description that we need not to sync (any number of attributes can be used) for e.g.

1. Specify something in company for users that I don’t want to sync
2. Specify something in display name for groups that I don’t want to sync

only UserA and GroupA will get synced as shown below:

Filter settings
Users custom filter: (&(description=sync user)(!(company=*)))
Groups custom filter: (&(description=sync group)(!(displayName=*)))

 Example 3:

To Show and Sync Active Users only, the Attribute that will be used is userAccountControl. This attribute has following properties.

• 512 -> Enabled
• 514 -> Disabled
• 66048 -> Enabled, password never expires
• 66050 -> Disabled, password never expires​

 You can use this attibute in a way if you want to extract only active users, example given below will extract only active users.

Filter settings

User custom filter: (|(userAccountControl=512)(userAccountControl=66048))

Filter expressions guides:

https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax

​

Configure Mappings

• Under the Profiles click Mapping
  

Select Users to Sync
Enable ADSync for the Hosted Organization in MachPanel. Choose Users from interface below to enable ADSync for users in the parent container i.e: OU selected in profile.

1. Click Mapping to choose mapping between Hosted and Local User, click check-box to enable sync for selected users.
2. For users which exist in Local domain but have no counterparts on the hosted AD, you can "Enable Sync" and then auto create them in Hosted platform by choosing "--Create New--".

Important Note:

1. ADSync needs to be installed on Primary and all Additional Domain Controllers.
2. After installation on all Additional Domain Controllers, configure basic information in ADSync Tool on Primary ADSync Server, then copy SyncConfigurations.xml from installation folder on Primary Domain Controller to each Additional Domain Controller. Registry on both types of servers will tell you correct location for configuration file. For old clients the path will be C:\Windows\System32 folder, and for new clients the path to place this file will be C:\Program Files\ADSync. You can confirm/fix the Registry for correct location of SyncConfigurations.xml.
3. Make sure “Password must meet Complexity Requirements” is Enabled in Local domain policy. Describe any symptoms for a particular problem.
4. To start ADSync to function you need to force all users to change password on On-Premises (Local/Client) AD, please do expire all user passwords and restart all domain controllers.

Summary On: How does the utility update the information & how it should be operated?

Below is a step by step process how shall this utility be operated.

1. Save Basic configurations in utility on Primary DC.
2. Copy SyncConfigurations.xml file from PDC installation folder to all ADC(s) to appropriate folder. Registry on both types of servers will tell you correct location for configuration file. For old clients the path will be C:\Windows\System32 folder, and for new clients the path to place this file will be C:\Program Files\ADSync. You can confirm/fix the Registry for correct location of SyncConfigurations.xml.
3. Provide On-Premises to Hosted user mapping using the ADSync config studio.
4. After providing the mapping, modify the On-Premises Active Directory user account information (Including password). ADSIEdit is not supported, other than that, all other mechanisms (OWA, or Exchange, Locked screen of desktop etc.) are supported. Change in password via any medium (except ADSIEdit.msc) is captured. Only thing to note is that all the Domain Controllers should have the ADSync module installed on them (one primary and others as secondary) so that the password change actioned by any of the domain controllers gets captured.
5. To force the sync process to start immediately, Press Click to Sync Now from ADSync Configuration tool, or simply restart the ADSyncSvc using Services.MSC (Windows Services Manager) on PDC.
6. This shall update the information to the control server.
7. From there, control server uses its Provisioning Service to update the data on associated backend Hosted active directory server. You can also force the control server to process records instantly by restarting provisioning service on control panel server.
8. You can set Time in "Sync Interval" to start sync or Click to Sync now to force an immediate sync.

This should update the On-Premises active directory user information to the Hosted active directory user.

In case of any issues, you should Enable Logging from configuration studio of ADSync Tool and review that for any problems. Similar logs need to be review on MachPanel Control Server to see if there is any issue in processing of ADSync related data. You can also send the log files generated from inside the selected folder to us for review.

User Mappings Example

Let’s assume Hosted AD having the following user.

1. User.one@livead.com
2. User.two@livead.com
3. User.xzy@livead.com Display Name:Gorge John

And local AD having the following Users.

1. User.abc@localad.com Display Name: Gorge  John
2. User.One@localad.com
3. User.new@Localad.com 
4. User.lmn@Localad.com

Recommended Scenario:

• ADSync – Installation Guide:  http://kb.machsol.com/Knowledgebase/Article/50350

Troubleshooting Notes:

Detailed troubleshooting notes are available here:
http://kb.machsol.com/Knowledgebase/Article/53477

1. Ensure logging is enabled in ADSync Client Configuration Screen. In case of any issues, you should Enable Logging from configuration studio of ADSync Tool and review that for any problems. Similar logs need to be review on MachPanel Control Server to see if there is any issue in processing of ADSync related data. You can also send the log files generated from inside the selected folder to us for review.
   
2. Check to confirm if “ADSyncPolicy, ADSync.ClientHelper, ADSync.PolicyLogger” dll files exist in “$windir\System32” folder.
   
3. Ensure the client enabled “Password Must meet complexity requirements”  in user account policy after completing configuration of ADSync and restarted and ADs.
   
4. Ensure that there exist an entry for “ADSyncPolicy” in [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages]
   
5. Ensure that ADSync utility is installed on Primary Domain Controller and all Additional Domain Controllers.
   
6. See if "Password Intercept Log" is being generated/updated for each password update on C:\ drive on any/all of the ADs if client is using “ADSiEdit.msc” to change the password.
   
7. See if "Password Intercept Log" is being generated/updated for each password update on C:\ drive on any/all of the ADs if client using “DSA.msc” to change the password.
   
8. See if ADSync is working fine for all the attributes other than password.
   
9. Ensure that user provided in ADSync Config Studio for “Local Admin” field has sufficient permissions in local AD (Should be Member of: Administrators, Domain Admins, Domain Users, Enterprise Admins, Organization Management. Check reference below).
   
10. Ensure the Operating user of ADSync Utility (User logged in with while configuring ADSync) has read/write permissions on installation directory and the directory specified for logging.
    
11. Ensure LDAP URL is correct.
    
12. The service account in ADSync (“Admin Login” / “Admin Password”) is used to read the values of attributes that need to be synced from local AD. The service account only writes to Sync Data attribute ( any other Attribute you specify) of Synced User/Group for tracking purpose on local AD. However, to read the AD attributes, the service account needs to be made member of Domain Admins group in the Local AD.

The "Admin User" specified in ADsync should be member of following. See snapshot below (Schema Admin is optional):



Security and Password Policy:

Please note that password policy shall remain consistent between source (client) AD and Hosted (Cloud) AD, meaning that both ADs should have similar password policies. Best to have Complex Password Policy. Also there is no need to select the ‘reversible password’ option in source (client) AD for syncing password.

Password for a user account is secured by modern encryption schemes and is stored in a secured place.

To make communication even more secure, one must apply/enable SSL certificate for MachPanel Control Panel website and use the ADSync Web Service address as https:// (like https://cp.providerdomain.com/webservices/Adsyncsvc.asmx)

1. Open ADSync Configuration Studio and provide mapping for this newly created user (you can use ‘Create New’ option) or if you have enabled ‘Auto Create New user’ option for the selected Sync Profile then leave this step.
2. Restart ADSync-Svc on local/client/On-Premises AD machine
3. Now get to hosted MachPanel Control server
4. Open the database and check ‘Hb_tblTempData’ table, whether it has a pending entry in it or not ?
5. If there are pending records in ‘Hb_TblTempData’ then restart Provisioning-Svc on Control server
6. Check in MachPanel whether the user is created on hosted or not. You can use following navigation path. Home > Service Director > Active Directory > Users
7. Also you can check the Audit logs in the MachPanel interface for sync process. (for filtering select ‘ADSync’ in event groups and press search button)