What is MACHPANEL ADSync (Active Directory Synchronization) utility?
MACHPANEL ADSync is a tool used to synchronize Users/Groups from a customer's local AD with Provider's Cloud/Hosted AD. It consolidates the selected attributes of one Active Directory with another. MachPanel ADSync performs one-way synchronization and keeps your cloud user accounts updated. MachPanel ADSync makes its extremely easy for you to synchronize your AD users between multiple platforms and leverage Single-Sign-On benefits. You have option to choose your desired OU and Users as well as auto create users on hosted AD that get created in local AD.
What Type of objects are Synchronized between Client and Hosted AD?
"User Accounts" and "Groups" are synchronized between client and hosted AD.
Is it possible to choose the type of attributes that get synchronized between client and hosted AD?
Yes, it is possible to choose which attributes you want to sync between
client AD and Hosted AD. This is done via ADSync Templates available in
the control panel which you can pick per Organization. Either have one
template for all organizations or create and pick a template per
organization.
MachPanel ADSync synchronization process is one-way or two-way?
MACHPANEL ADSync is a one-way
synchronization tool. It automates the synchronization of local Active
Directory users and groups to provider's hosted Active Directory. Two
way synchronization is not possible.
Which protocol is used by MACHPANEL ADSync utility?
LDAP protocol is used by MACHPANEL ADSync tool to manage and access the
directory information service, and communicate with the host/cloud AD.
Which network ports are used by MACHPANEL ADSync tool?
HTTP OR HTTPS: 80 OR 443
On which server is the MACHPANEL ADSync utility installed?
MACHPANEL ADSync utility has to be installed on the client's local
Active Directory Servers / Domain Controllers (Primary and Additional).
On the hosted side, the control panel takes care of communication sent
by ADSync Utility.
I have primary and additional DCs. Where should I deploy ADSync utility?
MACHPANEL ADSync utility comes with two installation modes, i.e. primary
and secondary. If there are multiple DCs available then ADSync's
primary installation is required on the primary DC, while all the
additional DCs will have the secondary installation of ADSync tool.
Does it synchronize user passwords in Real-Time?
Any Password or information update is captured by ADSync Tool Instantly
and passed on to the MachPanel Control Server in interval specified by
the client. It is up to the customer to define how short or how long the
information sync duration has to be. So, the information capture is
real time, where as the sync to hosted side depends on the interval
selected.
Will the existing passwords for all local AD users be synced over to hosted side?
For any user in the Local AD (new or old) its password will not sync to
the cloud/hosted ad until it is mapped to a hosted user and then
password is updated. Once mapping is done, the ADSync utility starts to
take into account the changes made on the mapped user and then
synchronizes that information during sync cycle. So, a one-time password
change is mandatory after configuring mapping for user (s) so that the
utility may capture the change and sync the updated password over to
hosted AD.
Why would all the information sync, except for the user password?
Check out the details on our self-care kb portal on this Important Note 4 Link.
How secure is ADSync? Does MACHPANEL AD Sync utility work using secure channel?
ADSync utility is extremely secure as
there is no direct interaction between the client AD and Hosted AD.
There is no need of any trust relationship between client and Hosted AD
either. All activity happens between the MachPanel ADSync Utility
deployed on the client AD and the MachPanel Control Panel (via MachPanel
ADSync service API specific to ADSync). If the MachPanel Control Panel
portal is SSL Protected, the MachPanel ADSync Service API will
automatically be SSL Protected as well and hence all communication
between ADSync Utility and MachPanel ADSync Service API is also totally
SSL Protected and secure.
The ADSync utility is not syncing user attributes?
Check out the details on our self-care kb portal on this Important Note 3 Link.
Is there option to Auto Map New Users created on Local AD?
Yes, there is a simple checkbox to enable option when adding your ADSync
Profile to enable Auto Mapping for the users that get created under
specified OU and this will auto Map the Users that exist on Hosted side
with the newly created user on local AD. Auto Mapping is done based on
user key characteristics such as UPN and Name etc.
Is there option to Auto Create Users on Hosted AD (users that are created in Local AD but do not already exist on Hosted AD)?
Yes, there is a simple checkbox to enable option when adding your ADSync
Profile to enable Automatic Creation of users that get created under
specified OU. This will automatically create the same user on hosted
side on the configured customer organization.
Is it possible to pick and choose only few users from a specific Organization to be synced?
Yes, MACHPANEL ADSync gives the option
to select required users, groups and contacts under the required OUs for
sync purpose. You get to see list of local users, and their matching
hosted users, it is up to you to map users and enable sync for your
desired users. You have to uncheck the option (Auto Mapping Enabled) in
this case.
Can I select different Organization unit in the AD Sync utility?
Yes you can add multiple Organization units in the utility to synchronize their objects with the Hosted AD.
Is it possible to restrict ADSync operations for specific organization in case they fail to pay the service charges?
It is easily possible to enable/disable ADSync feature from control
panel and the Synchronization operation will stop working. Once the
matter is sorted, you just have to enable their sync again to bring
everything back to working state.
How does a user link with an existing cloud user?
A user links with an existing cloud user making use of the userPrincipalName attribute.
How does a group link with an existing cloud group?
There is no mapping, by default all groups are synced (some can be
excluded using filter expression). Groups are matched on hosted/target
machine by 'name', 'samAccountName' and then by 'displayName'.
Which AD objects count towards the license limit?
The license limit applies on the sum of synchronized Users and Groups.
Are changes to a user in a local AD, synchronized across all hosted Domain Controllers?
Yes, the information is received by MachPanel control panel and then
applied to the hosted AD. It does not matter if it’s a single domain
controller or multiple domain controllers.
What is the service account used by MachPanel for ADSync? Is it only used for this specific purpose with the minimum privileges granted to the account only on the target customer OUs (Least-Privilege)?
The service account in ADSync (“Admin Login” / “Admin Password”) is used to read the values of attributes that need to be synced from local AD. The service account writes to the attribute you specify in ‘Sync Data Attribute’ field of Synced User/Group for tracking purpose on local AD. However to read the AD attributes, the service account needs to be made member of Domain Admins group in the Local AD.