Technical Overview. Active Directory Synchronization



Similar documents
GALSYNC V4.3. Manual NETSEC. 18. March NETsec GmbH & Co.KG Schillingsstrasse 117 DE Düren

Active Directory Synchronization Tool Architecture and Design

AD SYNCHRONIZATION GUIDE

LDAP Directory Integration with Cisco Unity Connection

USER GUIDE. Lightweight Directory Access Protocol (LDAP) Schoolwires Centricity

IPedge Feature Desc. 5/25/12

Avaya Aura System Manager 6.2 LDAP Directory Synchronization Whitepaper

Active Directory Sync (AD) How to Setup

KACE Appliance LDAP Reference Guide V1.4

4.0. Attribute Mapping Rules

Avaya Aura System Manager 6.2 Feature Pack 3 LDAP Directory Synchronization Whitepaper

Configure Directory Integration

Océ LDAP Adapter User Guide

Content Filtering Client Policy & Reporting Administrator s Guide

Active Directory Sync (AD) How it Works in WhosOnLocation

Driver for Active Directory Implementation Guide. Identity Manager 4.0.2

Novell Identity Manager

ShoreTel Active Directory Import Application

VMware Identity Manager Administration

Integrate with Directory Sources

WHITE PAPER BT Sync, the alternative for DirSync during Migrations

Configuration Guide BES12. Version 12.3

ShoreTel Active Directory Import Application

Migrating application users and passwords with Password Manager

Configuration Guide BES12. Version 12.1

Configuration Guide BES12. Version 12.2

Field Description Example. IP address of your DNS server. It is used to resolve fully qualified domain names

GALSYNC V7.0. Manual. NETsec. NETsec GmbH & Co.KG Schillingsstrasse 117 DE Düren. 01. June 2016

Scan Features Minimum Requirements Guide WorkCentre M123/M128 WorkCentre Pro 123/ P42081

Active Directory LDAP Quota and Admin account authentication and management

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

SCOPTEL WITH ACTIVE DIRECTORY USER DOCUMENTATION

Symprex Out-of-Office Manager

Configuration Guide. BES12 Cloud

Avaya Aura System Manager (Avaya Aura 6.2 Feature Pack 4) LDAP Directory Synchronization Whitepaper

Barracuda IM Firewall Administrator s Guide

Using LDAP Authentication in a PowerCenter Domain

Quick Introduction System Requirements Main features Getting Started Connecting to Active Directory... 4

How To Authenticate On An Xtma On A Pc Or Mac Or Ipad (For A Mac) On A Network With A Password Protected (For An Ipad) On An Ipa Or Ipa (For Mac) With A Log

Active Directory Integration twitter.com/onelogin ONELOGIN WHITEPAPER

VMware Identity Manager Administration

Cloudwork Dashboard User Manual

Security Provider Integration LDAP Server

SharePoint AD Information Sync Installation Instruction

Introduction Installing and Configuring the LDAP Server Configuring Yealink IP Phones Using LDAP Phonebook...

Configuring Sponsor Authentication

CA Performance Center

White Paper: Cisco Unity Data and the Directory

Getting Started with Clearlogin A Guide for Administrators V1.01

Deploying ModusGate with Exchange Server. (Version 4.0+)

Identity Management in Quercus. CampusIT_QUERCUS

Steps for Basic Configuration

Active Directory Account Provisioning (ADAP)

Step-by-Step Guide to Active Directory Bulk Import and Export

The following gives an overview of LDAP from a user's perspective.

Copyright 2016 Lexmark. All rights reserved. Lexmark is a trademark of Lexmark International, Inc., registered in the U.S. and/or other countries.

HELP DOCUMENTATION UMRA REFERENCE GUIDE

Active Directory at the University of Michgan. The Michigan Way Since 2000

Introducing MachPanel v.5

Automatic Deployment and Authentication Guide

User Management Resource Administrator. Managing LDAP directory services with UMRA

Mod 3: Office 365 DirSync, Single Sign-On & ADFS

[MS-FSADSA]: Active Directory Search Authorization Protocol Specification

SonicOS Enhanced 3.2 LDAP Integration with Microsoft Active Directory and Novell edirectory Support

AADSync Installation Guide

INUVIKA OVD VIRTUAL DESKTOP ENTERPRISE

Integrating Webalo with LDAP or Active Directory

User-ID Best Practices

Collax Mail Server. Howto. This howto describes the setup of a Collax server as mail server.

SSL VPN Portal Options

Technology Primer. OPS Manager, Release 7.4. Integrating Your Directory Server with our Directory Service Solution

GoToMeeting, GoToWebinar & GoToTraining. Active Directory Connector Administration Guide Hollister Avenue Goleta CA 93117

Customer admin guide. UC Management Centre

Open LDAP Tutorial. Sendio Security Platform Appliance. March 08 Services Update

Adeptia Suite LDAP Integration Guide

An identity management solution. TELUS AD Sync

Configuring and Using the TMM with LDAP / Active Directory

LDAP and Active Directory Guide

Integrating PISTON OPENSTACK 3.0 with Microsoft Active Directory

EVERYTHING LDAP. Gabriella Davis

User identity, Account Provisioning, Directory Synchronization, Federation

Configuring Spectralink IP-DECT Server 400/6500 and DECT Server 2500/8000 for Cisco Unified Call Manager

WINDOWS 2000 Training Division, NIC

NETASQ ACTIVE DIRECTORY INTEGRATION

Using the vcenter Orchestrator Plug-In for Microsoft Active Directory

SKV PROPOSAL TO CLT FOR ACTIVE DIRECTORY AND DNS IMPLEMENTATION

Smart Card Authentication. Administrator's Guide

TIBCO Spotfire Platform IT Brief

AD Information Sync 3.0 User Guide

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide

FirstClass Directory Services 10 (Build 11)

BlackBerry Enterprise Service 10. Version: Configuration Guide

Windows Firewall Configuration with Group Policy for SyAM System Client Installation

Active Directory Adapter with 64-bit Support User Guide

Smart Card Authentication Client. Administrator's Guide

Attention: This is an old version of the GALsync manual, which was published for GALsync 5.1.

Version 0.1 June Xerox WorkCentre 7120 Fax over Internet Protocol (FoIP)

Network and IT Guidance for the BAS Professional Technical Bulletin

Setting up LDAP settings for LiveCycle Workflow Business Activity Monitor

Configuring User Identification via Active Directory

Transcription:

Technical Overview Document Revision: March 15, 2010

AD Sync Technical Overview Page 2 of 7 Description of (AD Sync) is a utility that performs a one way synchronization from a customer s Active Directory (AD) database to the Apptix OnDemand (AOD) hosted AD database. This utility provides customers a single point to create, modify or delete Exchange, SharePoint and Office Communicator accounts. AD Sync will make the end user experience even better with password synchronization which synchronizes their local domain password with the AOD domain, providing end users with one password. New customers migrating to Apptix will benefit greatly by being able to easily duplicate their Active Directory structure with Apptix using the AD Sync utility. The unobtrusive Sync Agent is installed on a server in the customer s network, and securely transmits all of the AD changes over a secure Internet connection. All synchronization is one-way from the customer s AD to Apptix s platform, which reduces the permissions needed by Apptix at the customer AD, and prevents Apptix from writing any data to the customer AD. Configurable Instant Services Provisioning allows unattended provisioning of the Exchange mailboxes, SharePoint site access rights, and OCS user accounts to the newly registered AD users. Features and Benefits of AD Sync The following features are available in the AD Sync utility. 1. User Accounts Synchronization - AD Sync allows for the customer administrators to manage a local copy of the corporate AD and synchronize the following AD events to the hosted AD version on AOD: New Users, Contacts Deleted Users, Contacts Change to Distribution Lists Password changes Updated attributes such as mailing address, phone number, etc. 2. Synchronizing user password changes - The Password Filter and Password Change Listener securely deliver the password change requests to AOD to ensure the unified sign-in experience. During the initial synchronization the passwords for the new users are auto-generated. After that, when a user changes password in external AD, it is passed to AOD by AD Password Change Filter component. If the customer opts to not synchronize passwords, the Password Filter and Password Change Listener are do not need to be installed. 3. Partial Domain synchronization - customers can choose a set of Active Directory Organization Units to be synchronized to AOD and apply additional filter conditions for the user accounts / contacts. 4. Selective Attribute synchronization - customers can limit the set of attributes to be synchronized. See the section below that outlines these attributes. 5. Address Book Synchronization - Changes to contacts in local Exchange Address Book would be automatically propagated to the hosted Exchange Address Book 6. Configurable Synchronization - All data synchronization can be configured by the administrator from Apptix s Control Panel. The administrator has the ability to configure what data is synchronized, and when the data is synchronized. The following list outlines some of the configurations that can be made to the data synchronization Configurable delays between synchronization times/delays (3 hours by default) Configurable new user creation options (to create Exchange mailbox, SharePoint accounts, OCS) Configurable behavior on user deletion (e.g. to delete associated Exchange mailbox or just disable) Password synchronization can be enabled or disabled Synchronization of Contacts can be enabled or disabled Synchronization of Distribution list changes can be enabled or disabled One or more customer Organization Units (OUs) within customer AD can be selected for synchronization Filters on users, contact, distribution lists or any attributes can be configured to ignore during synchronization 7. Instant User Provisioning - Newly created AD users can be instantly provisioned in AOD without manual intervention by the local administrator

AD Sync Technical Overview Page 3 of 7 8. Instant Services Provisioning Services can be enabled automatically and seamlessly for users that are added to AOD. The services that can be provisioned in AOD include: a. Exchange Mailbox b. SharePoint Site Access Rights c. OCS User Account 9. Security - All synchronization is a secure, one-way synch from the customer s network into the AOD platform. Apptix will never write data from the hosted AD to the customer s AD. This reduces the permissions and service accounts Apptix needs at the local AD level. a. SSL encryption over public networks b. Encryption for passwords within local network Synchronization of user data can be established prior to, or after, the user s mailbox is created and in use in AOD. Likewise, the synchronization can be disabled at any time, and re-established with no affect on the accounts and services of the end user. NOTE: AD Sync is not a single sign-on tool. The utility allows for passwords to be synchronized from the customer s local AD to the Apptix AOD AD. The end users will still need to login to the hosted services (Exchange, SharePoint, OCS, etc), only now, their password will be the same as their local domain password. Selective Attribute Synchronization Customers can restrict the set of attributes that are synchronized to the online services. The following table provides the complete list of the attributes supported for User and Contact objects: Synchronizable attributes. - mandatory, - optional, - - not applicable. POA AD Attribute(s) Involved User Contact Comments Attribute Display name displayname mailnickname The 1 st non empty combination of AD properties is used givenname + sn External DN distinguishedname - usnchanged Attribute is used internally for an entity changing detection. Login userprincipalname mailnickname SAMAccountName - The first non empty AD property is used Enabled useraccountcontrol - External targetaddress - email Alias mailnickname AD property is available in case when Exchange is installed in a customer s AD. First Name givenname Last Name sn Description description Office physicaldeliveryofficename Telephone telephonenumber Web Page wwwhomepage Primary Email mail -

AD Sync Technical Overview Page 4 of 7 POA AD Attribute(s) Involved User Contact Comments Attribute Password objectsid - The objectsid property is mandatory if password synchronization is enabled. Passwords changes are traced with special password filter installed on each Domain Controller. Street streetaddress City l State / st Province Zip / Postal postalcode code Country c Country co Home homephone Phone Pager pager Mobile mobile Phone Fax facsimiletelephonenumber IP Phone ipphone Title title Department department Company Company - Initials - postofficebox - info Email proxyaddresses addresses / SIP addresses Group membership memberof There will be implemented a complex logic for membership Show in Address Book relations importing msexchhidefromaddresslists - The show_in_address_book is equal to (NOT msexchhidefromaddresslists). Technical Description of AD Sync Upon the completion of the customer qualifications section of this document, Apptix s Implementation Team will review the document, and contact the customer directly to discuss and schedule a time and date to install the AD Sync utility. This utility is not a self-provisioning utility. Apptix s Implementation Team will work with the customer to ensure that the utility is properly activated within AOD, and the agents are correctly installed in the customer s network. NOTE: Once AD Sync is activated and configured all modifications to the hosted AOD AD, must be made at the local AD level. The ability to modify the hosted AD will no longer be available to the customer administrators. The AD Sync Utility is made up of the following two (2) agents to be installed in the customer s AD: 1. Password Filter installed on domain controllers 2. Synchronization Agent Node installed on a member server, or virtual machine, within the local domain

AD Sync Technical Overview Page 5 of 7 How AD Sync Works Customer Premise Apptix Datacenter 1. The Password Filter runs on every Domain Controller in the customer s domain. It intercepts all the password changes and sends the new password data to the Password Change Listener. 2. The Password Change Listener runs on an Agent Node server, in the customer s domain. It encrypts the new passwords and writes them into the Password Synchronization Queue. The new password is delivered by the Synchronization Agent, which runs on the same Agent Node server. 3. The Synchronization Agent scans the customer s Active Directory for changes, and communicates the changes via a secure web connection, to the Web Service Node within AOD. 4. The Web Service Node is in Apptix Datacenter. This node updates the hosted AOD Active Directory with the changes received from the Agent Node, and provisions the new services within the platform. Hardware Requirements The following hardware is required to run the Password Filter Agent: 1. Runs on every domain controller in customer s domain 2. Windows 2003 Server, or better, running as a Domain Controller 3. Optional, depending on if the customer chooses to synchronize passwords 4. A reboot of the domain controller is necessary after installation The following hardware is required to run the Synchronization Agent Node: 1. A standalone server or virtual machine 2. Windows 2003 Server Release 2 or higher 3. A member of the customer s local domain 4. Not a Domain Controller 5. Trusted SSL certificate at the machine level

AD Sync Technical Overview Page 6 of 7 Firewall Rules To ensure proper communication between the servers on the customer s premises, the following rules should be enabled: Intra Communications From To Protocol Port Synchronization Agent Node Customer AD Domain Controller TCP 389 (LDAP), 3268 (Global Catalog) TCP, UDP 88 (Kerberos) Customer AD Domain Controller Synchronization Agent Node TCP, UDP 135 (DCOM Outgoing Connections From To Protocol Port Synchronization Agent Node AOD Web Service Node TCP 443 (HTTPS)

AD Sync Technical Overview Page 7 of 7 Customer Qualifications Checklist Below are questions that should be answered prior to Apptix s Implementation Team engaging with the customer. 1. Are you a new or existing Apptix customer? o New Apptix customer o Existing Apptix Customer AOD Account Number: Customer Name: 2. What version of Windows is your organization running? o Windows 2003 o Windows 2008 3. How many domains do you have, and what are their names? Number of domains: Name of domains: 4. How many domain controllers do you have? 5. How many Organizational Units (OU) do you have? 6. Will all of the OUs be synchronized with the AD Sync Utility? 7. How many users exist in your local AD? 8. How many users exist in your AOD account? (new customers only) 9. Do you have an available member server or virtual machine to run the Synchronization Agent Node? 10. What services are you looking to auto-provision (check all that apply)? o Exchange o SharePoint o Office Communication Services 2007 11. Are you going to auto provision new users from your local AD to AOD? 12. Are you going to synchronize contacts and distribution lists? Approximately how many? 13. Are you going to synchronize passwords? 14. Please provide a diagram of your existing AD structure. 15. Please provide an LDIF (LDAP (Lightweight Directory Access Protocol) Data Interchange Format) dump from your existing AD.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information