Search

MachPanel Knowledgebase


HOW TO: ADSync – Configuration Guide

Friday, December 1, 2023
Mudesira Munir
MachPanel

MachPanel ADSync

MachPanel ADSync module is the directory synchronization tool that consolidates one Active Directory with another. It performs one-way synchronization and keeps your cloud user accounts updated.

Summary

This article provides you information regarding the configuration of ADSync.

Applies To
  1. Applies to ADSync v4.2 - v6.
  2. ADSync latest version is 6.0.
  3. Latest MachPanel Build v7.2.35 supports latest ADSync v6
Pre-Requisite

You need following information:

  • You have to Enable ADSync from MachPanel before configuring your ADSync at the local Active Directory.
  1. Navigate to the following path: Home » Service Director » Active Directory » Active Directory Organizations
  2. Click on Enable ADsync link as shown in the snapshot below:

  • Service Username and Service Password i.e. Login Name and Password to Access the Control Panel customer account who is owner of Hosted Organization which needs to be synced with Client-AD. This can either be a Customer Account or a Contact of Customer in control panel.
  • MachPanel Service URL should be accessible from Client-AD.
Reboot Required
Yes, it is required to Reboot ALL Client Domain Controllers (Primary and Additional) at least once where ADSync tool is installed.
Description
ADSync is a utility consisting of multiple components used to synchronize local active directory objects with Hosted/Cloud Active Directory objects. ADSync utility v6.0 will sync Multiple OU's in a client/local AD with Hosted OU.

Types of object(s) which are currently synchronized.
  • User Accounts
  • Groups

The data fields which are being synchronized through this utility for User Accounts are:

  1. Address
  2. BusinessPhone
  3. City
  4. Company
  5. Country
  6. Department
  7. Description
  8. DirectManager
  9. DisplayName
  10. Fax
  11. Email
  12. FirstName
  13. HomePhone
  14. Initials
  15. JobTitle
  16. LastName
  17. MobilePhone
  18. Notes
  19. OfficeLocation
  20. Pager
  21. proxyAddresses ‘[EUM addresses Only]’
  22. State
  23. UserPrincipalName
  24. wWWHomePage
  25. ZipCode

The data fields which are being synchronized through this utility for Groups are:

  1. Name
  2. Display Name
  3. Type
  4. Members

MachSol ADSync utility is a one way synchronization tool, that enables the synchronization of AD users from local/on-premises to the hosted/cloud AD and vice versa is not currently possible. Editing through MachPanel is disabled for a mailbox enabled for ADSync.

The reason to disable the AD user editing in MachPanel for those organizations which are selected to be synchronized with on-premises ADs is that the information updated on MachPanel shall not be available on client’s on-premises AD. And also as ADSyncSvc periodically updates data from local to hosted AD, the changes done through MachPanel will be voided with the synchronization process.

Configuring AD Sync
  • When installation finishes on Primary Domain Controller, ADSync Configuration Studio appears, fill form according to instructions below and save settings.
  • From the Home page you can click settings

Terminology used:
Terms used to reference ADs are as under:  Please note the difference between Two AD’s:

  • Local-AD / Client-AD / On-Premises:  This is the AD where you have installed MachPanel ADSync Utility. Once ADSync is enabled you can access this local AD and modify user properties on this AD. These changes will automatically replicate/sync with the Provider’s AD (hosted AD).
  • Provider AD / Hosted AD / Cloud AD:  This is the AD that is managed directly by MachPanel Control Server via MachPanel Remote Servers.

Settings:

Settings will show General & Advanced Setting of ADSync:

General Settings:

Fields of the above screen are described below:

  1. Control Panel Url:  This is the URL to Control Panel Web Service (provided by host). This can be a Web or IP based address. Check "Tooltip" next to input field for example.
  2. Domain NetBios name: Local-AD domain NetBios name input field.
  3. Service Account:  Local-AD administrator account with permissions to perform local operations.
  4. Password: Password for local-ad admin user provided in above field.

Advanced Settings:

  1. Sync Data Attribute: Sync Data Attribute’ is used to capture the updating password info and store its hash in this attribute. Previously this was fixed to ‘division’ attribute of Active Directory User, but now can be customized to any valid writable Active Directory User attribute. Note that this attribute is used to temporarily store (encrypted hash) password before syncing it to hosted user and as soon as user password/info is synced in next sync cycle it is cleared from the active directory attribute.
  2. Sync Data every: You can specify Sync interval or use Sync Now option.
  3. Logging Enabled: Enable/Disable logging. Simple check/uncheck input to whether to enable logging or not.
  4. Logs Folder: This is Log Path. Select log folder to create log files in there if logging is required. The log folder path of ADSync logs should not be of PDC desktop, and the provided log path should also be present on all ADC.
  5. Purge Logs after: Select number of days after which logs are cleared from the ADSync folder.

Then under Profiles you can click 'Add Profile' to add a new profile.

Profiles:

Add Profile will display following fields:

Local Organization

  • Organization: Input field to set Local-AD/On-Premises organization LDAP, or use Icon on the right to list all local organizations and select one of the organizations. This field is editable so you can even specify the ROOT so that ALL USERS under this AD get listed all at once. You can specify the ROOT if users are under different OUs and you want to list all of them in a single go. In case of large ADs it is recommended to use specific OUs only to keep this quick as it will take long time to load all users in case of large ADs.
  • User custom filter: Define a filter for Users.
  • Sync Security Groups: In order to Sync security Groups from MachPanel for ADSync Enabled organization check option Sync Security Groups.
  • Group custom filter: Define a custom filter for security groups.
  • Auto Create New User: Allows you to enable / disable auto creation of Local-AD user on the Hosted AD.  This option enables the customer that any new user created in local OU for this profile will be automatically created on hosted.
  • Enable Auto Mapping: Enable/Disable Auto Mapping of all Existing users.  This option enables the customer that all the existing users will be auto mapped to selected hosted organization on the basis of UPN and DisplayName respectively.

Hosted Organization

  • User Name: Login Name to access the customer account in MachPanel in format: user@domain.com.  This is owner of Hosted Organization which needs to be synced with Client-AD. This can either be a Customer Account or a Contact of Customer. (In ADSync we need Customer credentials not Reseller/Provider credentials to fetch list of OU’s. List of all OU’s related to Customer are fetched.)
  • Password: Password for user login provided in service user name.
  • Target OU: Once above service credentials are provided then hosted organizations enabled for ADSync are listed in the selection input box, select one of the organizations to synchronize its contents.  Only the organization(s) owned by single customer (whose credentials are provided) are shown.

Add: Adds a profile to the below profiles listing and is saved in configuration file on pressing the Save button on the configuration screen.


Click Save to save all settings.

Add Custom Filters

In "Custom Filter" for user and groups we need to specify sync group and sync user in the group and users description (Any attribute can be used). Below are examples to use Custom Filter for Users and Group which uses "sync user" and "sync group" description. In below snapshot UserA, UserB, UserC, GroupA and GroupB, GroupC are created in Active Directory.

Example 1:
In this example we have specified "sync user" and "sync group" description in custom filter and as a result UserA, UserB and GroupA and GroupB (which have description set accordingly) will get synced. See below snapshots:

Filter settings
Users custom filter: (description=sync user)
Groups custom filter: (description=sync group)

 

Example 2:
When we specify below custom filter settings in sync group and sync user description that we need not to sync (any number of attributes can be used) for e.g.

  1. Specify something in company for users that I don’t want to sync
  2. Specify something in display name for groups that I don’t want to sync

only UserA and GroupA will get synced as shown below:

Filter settings
Users custom filter: (&(description=sync user)(!(company=*)))
Groups custom filter: (&(description=sync group)(!(displayName=*)))