지금 지원 담당자와 채팅
지원 담당자와 채팅

Active Roles 7.5.3 - Synchronization Service Administration Guide

Synchronization Service Overview Deploying Synchronization Service Getting started Connections to external data systems
External data systems supported out of the box
Working with Active Directory Working with an AD LDS (ADAM) instance Working with Skype for Business Server Working with Oracle Working with Exchange Server Working with Active Roles Working with One Identity Manager Working with a delimited text file Working with Microsoft SQL Server Working with Micro Focus NetIQ Directory Working with Salesforce Working with ServiceNow Working with Oracle Unified Directory Working with an LDAP directory service Working with IBM DB2 Working with IBM AS/400 Working with an OpenLDAP directory service Working with IBM RACF connector Working with MySQL database Working with an OLE DB-compliant relational database Working with SharePoint Working with Microsoft Office 365 Working with Microsoft Azure Active Directory Working with SCIM
Using connectors installed remotely Creating a connection Renaming a connection Deleting a connection Modifying synchronization scope for a connection Using connection handlers Specifying password synchronization settings for a connection
Synchronizing identity data Mapping objects Automated password synchronization Synchronization history Scenarios of use Appendix A: Developing PowerShell scripts for attribute synchronization rules Appendix B: Using a PowerShell script to transform passwords

Step 2: Configure Synchronization Service

Step 2: Configure Synchronization Service

To configure Synchronization Service you installed in Step 1: Install Synchronization Service, you can use one of the following methods:

  • Specify new SQL Server or Azure SQL Server databases for storing the Synchronization Service data.
    With this method, you can select to store the configuration settings and synchronization data either in a single new SQL Server database or in two separate databases.
  • Share existing configuration settings between two or more instances of Synchronization Service.
Prerequisite:
  • If you are using an Azure SQL Server, set the db_owner database role to the user of the Azure SQL Server.

  • If you are using an SQL Server, set the dbcreator server role to the user of the SQL Server.

    dbcreator is the minimum role that the user of the SQL Server or Azure SQL Server requires for the initial configuration of Synchronization Service.

    After creating the new database, you can revoke the dbcreator role because the db_owner role automatically assigned to the same user of the SQL Server is sufficient for Synchronization Service database connection.

To configure Synchronization Service using a new database

  1. Start the Synchronization Service Administration Console.
  2. Follow the steps in the wizard that starts automatically to configure Synchronization Service.
  3. On the Service Account and Mode page, specify the following and click Next:
    • The account under which you want Synchronization Service to run.
    • The mode (local or remote) in which you want to use Synchronization Service. Use the remote mode to work with connectors installed remotely. For more information, see Using connectors installed remotely. If you select the remote mode, click Finish to close the wizard.
  4. Select Create a new configuration and click Next.
  5. On the Database Connection page, specify an SQL Server database.

    • SQL Server: Enter the name of the SQL Server computer that hosts the database you want to participate in data synchronization operations.

    • Database: Enter a name for the new SQL Server database.

  6. (Optional)Select the Store sync data in a separate database check box.

    • If you want to store the configuration settings and synchronization data in a single SQL Server database, clear the checkbox.

    • If you want to store the configuration settings and synchronization data in two separate databases, select the check box, and then specify the database in which you want to store the synchronization data.

  7. On the Database Connection page, select an SQL Server authentication method, and click Next.

    NOTE: For all Azure SQL Server variants, select Use SQL Server authentication because Windows authentication is not supported.

    • Use Windows authentication: Allows you to access the SQL Server in the security context of the account under which the Synchronization Service is running.

    • Use SQL Server authentication: Allows you to access the SQL Server in the security context of the SQL Server user account whose user name and password you specify.

  8. On the Configuration File page, select the file for storing the created configuration profile, protect the file with a password, and click Finish.

To configure Synchronization Service using an existing database

  1. Start the Synchronization Service Administration Console.
  2. Follow the steps in the wizard that starts automatically to configure Synchronization Service.
  3. On the Service Account and Mode page, specify the following and click Next:
    • The account under which you want Synchronization Service to run.
    • The mode (local or remote) in which you want to use Synchronization Service. Use the remote mode to work with connectors installed remotely. For more information, see Using connectors installed remotely. If you select the remote mode, click Finish to close the wizard.
  4. Select Use an existing configuration and click Next.
  5. On the Configuration File page, select the I have the configuration file check box to provide the configuration file you exported from an existing Synchronization Service instance, enter the password if necessary, and click Next. If you do not have the configuration file, after clicking Next you will need to enter the required settings.
  6. If you provided the configuration file, specify the authentication method for accessing the database. Otherwise, enter the required database name and select the authentication method. Click Finish.

After you configure Synchronization Service, you can change its settings at any time using this Configuration wizard. To start the wizard, start the Administration console and click the gear icon in the upper right corner of the console.

Step 3: Configure Azure Backsync

In hybrid environments, on-premises Active Directory objects are synchronized to Azure AD, for example via Azure AD Connect. When you deploy Active Roles in such a hybrid environment, this synchronization works only if existing user and group information (such as the Azure objectID) are also synchronized back from Azure AD to the on-premises AD. Active Roles uses Azure back-synchronization (also known as Azure BackSync) for this purpose.

Prerequisites

The hybrid environment must meet the following requirements to configure Azure BackSync:

  • Azure AD Connect must be installed and configured.

  • Azure Active Directory (Azure AD) module version 2.0.0.131 or later must be installed and configured.

  • The Directory Writers role must be enabled in Azure Active Directory. To enable the role, use the following script:

    $psCred=Get-Credential
    Connect-AzureAD -Credential $psCred
    $roleTemplate = Get-AzureADDirectoryRoleTemplate | ? { $_.DisplayName -eq "Directory Writers" }
    
    # Enable an instance of the DirectoryRole template
    
    Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId
    

In addition, the user account you use to configure Azure BackSync must have the following roles:

  • User Administrator

  • Privileged Role Administrator

  • Exchange Administrator

  • Application Administrator

Automatic and Manual Azure BackSync

You can perform Azure back-synchronization via the Active Roles Synchronization Service Console, either automatically or manually:

  • You can configure automatic Azure back-synchronization via the (Settings) > Configure Azure BackSync option of the Active Roles Synchronization Service Console. For more information, see Configuring automatic Azure BackSync.
  • You can also configure manual Azure back synchronization, using existing Active Roles Synchronization Service feature components. For more information, see Configuring manual Azure BackSync.

Configuring automatic Azure BackSync

You can configure automatic Azure back-synchronization (Azure BackSync) via the (Settings) > Configure Azure BackSync option of the Active Roles Synchronization Service Console. After you finish configuration, the Azure BackSync registration, its required connections, mappings and workflows will be created automatically by the Active Roles Synchronization Service.

For more information on setting up manual Azure back-synchronization, see Configuring automatic Azure BackSync.

To configure an automatic Azure BackSync workflow in Active Roles Synchronization Service

  1. Open the Configure BackSync operation in Azure with on-prem Active Directory objects window of the Active Roles Synchronization Service Console. To do so, click (Settings) > Configure Azure BackSync.

  2. Select the number of Azure AD services in your Azure tenant:

    • If you have a single Azure AD in your Azure tenant, select I have one Azure AD in my Azure tenant.

    • If you have multiple Azure AD services in your Azure tenant, select I have more than one Azure AD in my Azure tenant.

  3. Authenticate your access to Azure AD:

    1. If you have selected I have one Azure AD in my Azure tenant, authenticate your access to Azure AD by clicking Log in to Azure.

    2. If you have selected I have more than one Azure AD in my Azure tenant, then in the Tenant ID text box, specify the GUID of the Azure AD for which you want to set up synchronization.

      TIP: For more information on how to find the GUID of an Azure AD service, see Finding the GUID (Tenant ID) of an Azure AD for Azure BackSync.

      After specifying the tenant ID, click Log in to Azure to authenticate your access to Azure AD.

      NOTE: If I have more than one Azure AD in my Azure tenant is selected, the Log in to Azure button will be enabled only if you specify a well-formed Azure AD GUID in the Tenant ID text box.

  4. Specify whether you want to use a proxy server for the connection:
    • Use WinHTTP settings: Configures the connector to use the proxy server settings configured for Windows HTTP Services (WinHTTP).

    • Automatically detect: Automatically detects and uses proxy server settings.

    • Do not use proxy settings: Specifies to not use proxy server for the connection.

  5. Under Connect to, specify the domain name of the computer where the Active Roles Synchronization Service Console is running.

  6. Select the validation method used to access the Active Roles Administration Service. Depending on how Active Roles has been deployed in your organization, you can either use Synchronization Service account or Windows account-based validation. If you have selected Windows account authentication, enter your Windows user name and password.

  7. To test the configured Active Roles connection, click Test Active Roles Connection. Successful validation will be indicated by a success message.

  8. To apply your changes, click Configure BackSync.

    NOTE: If the Azure BackSync settings have already been configured previously, Active Roles Synchronization Service will display a warning message to confirm if you want to override the existing Azure BackSync settings with the new settings.

    • To override the existing settings, click Override BackSync Settings.

    • To keep the existing settings, click Cancel.

  9. An Application Consent dialog will appear, prompting you for authentication. To consent Active Roles, click OK.

    Active Roles Synchronization Service will then automatically perform Azure application registration, and will create the required connections, mappings, and workflow steps for back-synchronization. For more information on the automatically created Azure BackSync settings, see Settings updated after Azure backsync configuration operation.

  10. To make the new Azure BackSync workflow appear under Sync Workflows, close and reopen the Active Roles Synchronization Service Console. The new Azure BackSync workflow will appear with the following default name: AutoCreated_AzureADBackSyncWorkFlow_<tenant-name>.

Configuring manual Azure BackSync

You can configure manual Azure back-synchronization (Azure BackSync) by using the existing features of Active Roles Synchronization Service components. When setting up manual Azure BackSync, you must configure synchronization workflows to identify Azure AD-specific users or groups, and to map them to the corresponding on-premises AD users or groups. After a manual Azure BackSync operation is completed, Active Roles will display the configured Azure attributes for the synchronized objects.

For more information on setting up automatic Azure back-synchronization, see Configuring automatic Azure BackSync.

Prerequisites

The hybrid environment must meet the following requirements to configure Azure BackSync manually:

  • Azure AD Connect must be installed and configured.

  • Azure Active Directory (Azure AD) module version 2.0.0.131 or later must be installed and configured.

  • You must authenticate the Azure tenant of the Azure AD for which you configure back-synchronization. Also, you must consent Active Roles as an Azure application.

    For more information, see Configuring Active Roles to manage Azure AD using the GUI in the Active Roles Administration Guide.

  • For the container where Active Roles performs back-synchronization, you must enforce the built-in Azure AD policy that automatically sets the attribute edsvaazureOffice365enabled to true.

  • Your Active Roles user must have write permissions for the following attributes:
    • edsvaAzureOffice365Enabled

    • edsaAzureContactObjectId

    • edsvaAzureObjectID

    • edsvaAzureAssociatedTenantId

  • Your Active Roles user must also have local administrator privileges on the machine where Active Roles Synchronization Service is running.

To configure a manual Azure BackSync workflow

  1. Create a connection to Azure AD using the Azure AD Connector. The configuration requires the following data:

    • The Azure domain name.

    • The Client ID in Azure AD.

    • The Client Key to establish the connection to Azure AD.

  2. Create an Azure Web Application (or use any relevant existing Azure Web Application) under the Azure tenant of your Azure AD. The application must have Application Permissions to read and write directory data in Azure AD.

    TIP: You can assign the required permissions to the application by running a Windows PowerShell script. For more information, see Creating a Microsoft Azure Active Directory connection

  3. Open the application properties and copy the following:
    • Client ID

    • The valid Client Key of the application.

  4. Use the Client ID and Client Key when creating a new Azure AD connection or modifying an existing one. For more information, see Creating a Microsoft Azure Active Directory connection

    NOTE: Two applications are required for Azure BackSync operations:

    • The Web Application that you created in this step, or is already available for the Synchronization Service Azure AD Connector.

    • An Azure application that you created while configuring Azure AD in the Active Roles Administration Service.

      For details, see Configuring Active Roles to manage Azure AD using the GUI in the Active Roles Administration Guide).

    Both applications are required for Azure BackSync operations.

  5. Create a connection to Active Roles using the Active Roles Connector. The configuration requires the local domain details and the version of Active Roles you use. Define the scope to select the container from which Active Roles will select the objects for synchronization.

  6. In the Active Roles Synchronization Service Console, create a new sync workflow with Sync Workflows > Add sync workflow. Use the Azure AD and Active Roles connections configured previously, and add a synchronization step to synchronize the Azure AD users or groups with the on-premises users or groups in Active Roles.

  7. In the on-premises Active Roles users or groups, set the edsvaAzureAssociatedTenantIdattribute attribute to the value of the Azure tenant ID.

    NOTE: If you did not configure edsvaAzureAssociatedTenantIdattribute, an error will be logged for each object in the Event Viewer.

  8. Configure the Forward Sync Rule to synchronize the following:

    • The Azure Object ID property of the Azure AD user or group to the edsvaAzureObjectID property of the corresponding on-premises Active Roles user or group.

    • Set the edsvaAzureOffice365Enabled attribute in the on-premises Active Roles user or group to true.

    • Set the edsvaAzureAssociatedTenantId attribute to the value of the Azure tenant ID.

  9. Create a Mapping Rule. A mapping rule has two functions:

    • It uniquely identifies the synchronized users or groups both in Azure AD in the on-premises AD.

    • It maps the specified properties from Azure AD to Active Roles appropriately.

    For example, the property userprincipalname can be used to map users between the on-premises AD and Azure AD in a federated environment.

    CAUTION: Based on the environment, make sure to create the correct mapping rule to identify the user or group uniquely. Incorrect mapping rules may create duplicate objects, resulting in Azure BackSync not working as expected.

    NOTE: Consider the following when configuring manual Azure back-synchronization:

    • You must perform the initial configuration and back-synchronization of Azure AD user IDs only once.

    • Azure AD groups cannot be created in Federated or Synchronized environments. Instead, Azure AD groups are created in Active Roles and are synchronized to Azure AD using native Microsoft tools, such as AAD Connect. To manage the Azure AD group through Active Roles, you must perform periodic back-synchronization to the on-premises AD.

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택