This section elaborates on the following topics:
-
Installing Synchronization Service
-
Configuring Synchronization Service
-
Configuring Azure BackSync
-
Upgrade from Quick Connect
-
Communication ports
Synchronization Service overview
Synchronization Service features and benefits
Deploying Synchronization Service
Bidirectional synchronization
Delta processing mode
Synchronization of group membership
Windows PowerShell scripting
Attribute synchronization rules
Rule-based generation of distinguished names
Scheduling capabilities
Extensibility
Azure BackSync configuration
Technical overview
Installing Synchronization Service
Configuring Synchronization Service
Configuring Azure BackSync
Getting started
Configuring manual Azure BackSync
Configuring automatic Azure BackSync
Settings updated after Azure BackSync configuration operation
Finding the GUID (Tenant ID) of an Azure AD for Azure BackSync
Upgrade from Quick Connect and Synchronization Service
Communication ports
Synchronization Service Console
Connections to external data systems
Gear icon
Sync Workflows tab
Sync History tab
Connections tab
Mapping tab
Password Sync tab
Configuring diagnostic logging
How to synchronize identity data
Management Shell
External data systems supported with built-in connectors
Synchronizing identity data
Working with Active Directory
Using connectors installed remotely
Creating an Active Directory connection
Modifying an Active Directory connection
Communication ports required to synchronize data between two Active Directory domains
Synchronizing user passwords between two Active Directory domains
Synchronizing SID history of users or groups
Working with an AD LDS (ADAM) instance
Creating an AD LDS (ADAM) instance connection
Modifying an existing AD LDS (ADAM) instance connection
Working with Skype for Business Server
Creating a new Skype for Business Server connection
Modifying an existing Skype for Business Server connection
Supported Skype for Business Server data
Attributes required to create a Skype for Business Server user
Getting or setting the Telephony option value in Skype for Business Server
Working with Oracle Database
Creating an Oracle Database connection
Modifying an existing Oracle Database connection
Working with Oracle Database user accounts
Specifying connection settings for Oracle Database
Configuring advanced settings for an Oracle Database or Oracle Database user account connection
Specifying attributes to identify objects for Oracle Database
Sample SQL queries for working with an Oracle Database
Creating an Oracle Database user accounts connection
Modifying an existing Oracle Database user account connection
Working with Exchange Server
Specifying connection settings for an Oracle Database user account connection
Configuring advanced settings for an Oracle Database or Oracle Database user account connection
Sample SQL queries for working with Oracle Database user accounts
Creating a new connection to Exchange Server
Modifying an existing connection to Exchange Server
Exchange Server data supported out of the box
Working with Active Roles
Working with One Identity Manager
ActiveSyncMailboxPolicy object attributes
AddressBookPolicy object attributes
AddressList object attributes
DistributionGroup object attributes
DynamicDistributionGroup object attributes
ExchangeServer object attributes
GlobalAddressList object attributes
Mailbox object attributes
MailContact object attributes
MailboxDatabase object attributes
MailUser object attributes
OfflineAddressBook object attributes
OrganizationConfig object attributes
OwaMailboxPolicy object attributes
PublicFolder object attributes
PublicFolderDatabase object attributes
RoleAssignmentPolicy object attributes
StorageGroup object attributes
UmDialPlan object attributes
UmMailboxPolicy object attributes
Scenario: Migrate mailboxes from one Exchange Server to another
Creating a One Identity Manager connection
Modifying a One Identity Manager connection
One Identity Manager Connector configuration file
Working with a delimited text file
Working with Microsoft SQL Server
Creating a Microsoft SQL Server connection
Modifying an existing Microsoft SQL Server connection
Working with Micro Focus NetIQ Directory
Specifying connection settings for a Microsoft SQL Server connection
Specifying how to select and modify data for a Microsoft SQL Server connection
Advanced
Specifying attributes to identify objects for a Microsoft SQL Server connection
Sample queries to modify SQL Server data
Creating a Micro Focus NetIQ Directory connection
Modifying an existing Micro Focus NetIQ Directory connection
Working with Salesforce
Creating a Salesforce connection
Modifying an existing Salesforce connection
Salesforce data supported for synchronization
Working with ServiceNow
Additional user object attributes for a Salesforce connection
Additional group object attributes for a Salesforce connection
Scenario: Provisioning users from an Active Directory domain to Salesforce
Creating a ServiceNow connection
Modifying an existing ServiceNow connection
ServiceNow data supported for synchronization
Working with Oracle Unified Directory
Creating an Oracle Unified Directory connection
Modifying an existing Oracle Unified Directory Server connection
Working with an LDAP directory service
Creating an LDAP directory service connection
Modifying an existing Generic LDAP directory service connection
Working with an OpenLDAP directory service
Specify connection settings for a Generic LDAP directory service connection
Specify directory partitions for a Generic LDAP directory service connection
Specify naming attributes for a Generic LDAP directory service connection
Specify attributes to identify objects for a Generic LDAP directory service connection
Specify password sync parameters for LDAP directory service
Creating an OpenLDAP directory service connection
Modifying an existing OpenLDAP directory service connection
Working with IBM DB2
Working with IBM AS/400
Creating an IBM AS/400 connection
Modifying an existing IBM AS/400 connection
Additional considerations for an IBM AS/400 connection
Working with IBM RACF
Creating an IBM RACF connection
Modifying an IBM RACF connection
Example of mapping for dataset information
Creating SQL database and table
Povisioning datasets
Updating datasets
Deprovisioning datasets
Working with TSO command
Working with MySQL database
Working with an OLE DB-compliant relational database
Creating an OLE DB-compliant relational database connection
Modifying an existing OLE DB-compliant data source connection
Working with SharePoint
Creating a SharePoint connection
SharePoint data supported for data synchronization
Working with Microsoft 365
AlternateURL object attributes
ClaimProvider object attributes
Farm object attributes
Group object attributes
Language object attributes
Policy object attributes
PolicyRole object attributes
Prefix object attributes
RoleAssignment object attributes
RoleDefinition object attributes
Site object attributes
User object attributes
Web object attributes
WebApplication object attributes
WebTemplate object attributes
Considerations for creating objects in SharePoint
Creating a Microsoft Office 365 connection
Modifying a Microsoft Office 365 connection
Microsoft 365 data supported out of the box
Working with Microsoft Azure Active Directory
ClientPolicy object attributes
ConferencingPolicy object attributes
Contact object attributes
DistributionGroup object attributes
Domain object attributes
DynamicDistributionGroup object attributes
ExternalAccessPolicy object attributes
HostedVoicemailPolicy object attributes
LicensePlanService object attributes
Mailbox object attributes
MailUser object attributes
PresencePolicy object attributes
SecurityGroup objects attributes
SPOSite object attributes
SPOSiteGroup object attributes
SPOWebTemplate object attributes
SPOTenant object attributes
User object attributes
VoicePolicy object attributes
Microsoft 365 group attributes
Objects and attributes specific to Microsoft 365 services
How Microsoft Office 365 Connector works with data
Modern Authentication
Creating a Microsoft Azure Active Directory connection
Modifying a Microsoft Azure Active Directory connection
Microsoft Azure Active Directory data supported for synchronization
Configuring data synchronization with the SCIM Connector
Supported SCIM Connector objects and operations
Creating a SCIM connection with the SCIM Connector
Viewing or modifying the settings of a SCIM Connector
Configuring data synchronization with the Generic SCIM Connector
Configuring the Generic SCIM Connector for Starling Connect connections
Viewing or modifying the settings of a Generic SCIM Connector connection
Objects and operations supported by the SCIM Connector
Example of using the Generic SCIM Connector for data synchronization
Installing Synchronization Service and built-in connectors remotely
Creating a connection using a remotely installed connector
Creating a connection
Renaming a connection
Deleting a connection
Modifying synchronization scope for a connection
Using connection handlers
Specifying password synchronization settings for a connection
Creating a sync workflow
Running a sync workflow
Mapping objects
Automated password synchronization
Running a sync workflow manually
Running a sync workflow on a recurring schedule
Disabling a sync workflow run schedule
Renaming a sync workflow
Deleting a sync workflow
Adding a creating step
Creating an update step
Creating a deprovisioning step
Modifying an existing sync workflow step
Deleting a sync workflow step
Changing the order of steps in a sync workflow
Generating object names by using rules
Modifying attribute values by using rules
Using value generation rules
Using sync workflow step handlers
Example: Synchronizing group memberships
Example: Synchronizing multivalued attributes
Using sync workflow alerts
How to automate password synchronization
Managing Capture Agent
Synchronization history
Installing Capture Agent manually
Using Group Policy to install Capture Agent
Uninstalling Capture Agent
Managing password sync rules
Creating a password sync rule
Deleting a password sync rule
Modifying settings for a password sync rule
Fine-tuning automated password synchronization
Configuring Capture Agent
Creating and linking a Group Policy object
Adding an administrative template to Group Policy object
Using Group Policy object to modify Capture Agent settings
Modifying Synchronization Service parameters
Specifying a custom certificate for encrypting password sync traffic
Obtaining and installing a certificate
Exporting the custom certificate to a file
Importing certificate into certificates store
Copying the certificate's thumbprint
Providing the certificate’s thumbprint to Capture Agent
Providing the certificate’s thumbprint to Synchronization Service
Using PowerShell scripts with password synchronization
Viewing sync workflow history
View mapping history
Searching synchronization history
Cleaning up synchronization history
Scenarios of use
Scenario: Create users from a .csv file to an Active Directory domain
Developing PowerShell scripts for attribute synchronization rules
Using PowerShell script to transform passwords
Creating a sync workflow
Adding a creating step
Running the configured creating step
Committing changes to Active Directory
Scenario: Using a .csv file to update user accounts in an Active Directory domain
Creating an updating step
Running the configured updating step
Committing changes to Active Directory
Scenario: Synchronizing data between One Identity Manager Custom Target Systems and an Active Directory domain
Creating a connection to One Identity Manager
Configuring One Identity Manager modules, Custom Target System and Container Information
Creating a workflow for provisioning
Creating a provisioning step
Specifying synchronization rules
Running the workflow
Committing changes to One Identity Manager
Verify on One Identity Manager
Scenario: Deprovisioning between One Identity Manager Custom Target Systems and an Active Directory domain
Scenario: Provisioning of groups between One Identity Manager Custom Target Systems and an Active Directory domain
Scenario: Enabling Delta Sync mode between One Identity Manager Custom Target Systems and an Active Directory domain
Deploying Synchronization Service
Deploying Synchronization Service
Installing Synchronization Service
To install Synchronization Service
-
Make sure the system on which you wish to install Synchronization Service meets the system requirements provided in the Active Roles Release Notes.
-
From the Active Roles installation package, run the Setup.exe file to launch the Active Roles setup.
-
Follow the instructions in the setup wizard.
-
On the Component Selection page, select Synchronization Service and click Next. This installs the Synchronization Service, the Synchronization Service Console, the built-in connectors, and the Management Shell.
The Synchronization Service Console is a graphical user interface providing access to the Synchronization Service functionality. Synchronization Service manages data flows between connected data systems.
Connectors enable Synchronization Service to access specific data systems to read and synchronize identity data.
Management Shell is an automation and scripting shell that provides a command-line management interface for synchronizing data between external data systems via Synchronization Service. For more information, see Management Shell.
-
On the Ready to Install page, click Install.
-
Click Finish to exit the wizard.
To install Synchronization Service Management Shell
-
Open the Windows Command Prompt with Administrator privileges.
-
In the command prompt, navigate to <Installer Location> > Components > ActiveRoles Synchronization Service folder.
-
In the command prompt, to install the Synchronization Service Management Shell, enter the following command:
SyncService.msi INSTALLSYNCSHELL=1
To uninstall, navigate to Add or remove programs, click Active Roles Synchronization Service Management Shell, then click Uninstall.
NOTE: Consider the following when installing Synchronization Service Management Shell:
-
Running the SyncService.msi component with INSTALLSYNCSHELL=0 or double-clicking the SyncService.msi file directly installs both the Synchronization Service and the Synchronization Service Management Shell components.
-
When both the service and shell components for Synchronization Service are required, One Identity recommends to use the standard method of installing Synchronization Service.
-
To install only the Synchronization Service Management Shell component, use the command prompt.
-
Configuring Synchronization Service
To configure Synchronization Service, you can use one of the following methods:
-
Specify new SQL Server or Azure SQL Server databases for storing the Synchronization Service data.
With this method, you can store the configuration settings and synchronization data either in a single new SQL Server database or in two separate databases.
-
Share existing configuration settings between two or more instances of Synchronization Service.
Prerequisites
-
If you are using an Azure SQL Server, set the db_owner database role to the user of the Azure SQL Server.
-
If you are using an SQL Server, set the dbcreator server role to the user of the SQL Server.
dbcreator is the minimum role that the user of the SQL Server or Azure SQL Server requires for the initial configuration of Synchronization Service.
After creating the new database, you can revoke the dbcreator role because the db_owner role that is automatically assigned to the same user of the SQL Server is sufficient for the Synchronization Service database connection.
To configure Synchronization Service using a new database
- Start the Synchronization Service Console.
- Follow the steps in the wizard that starts automatically to configure Synchronization Service.
-
On the Service Account and Mode page, specify the following and click Next:
-
The account under which you want Synchronization Service to run.
-
The mode (local or remote) in which you want to use Synchronization Service. Use the remote mode to work with connectors installed remotely. For more information, see Using connectors installed remotely. If you select the remote mode, click Finish to close the wizard.
-
-
Select Create a new configuration and click Next.
-
On the Database Connection page, specify an SQL Server database.
-
SQL Server: Enter the name of the SQL Server computer that hosts the database you want to participate in data synchronization operations.
-
Database: Enter a name for the new SQL Server database.
-
-
(Optional) Select Store sync data in a separate database.
-
If you want to store the configuration settings and synchronization data in a single SQL Server database, clear the check box.
-
If you want to store the configuration settings and synchronization data in two separate databases, select the check box, then specify the database in which you want to store the synchronization data.
-
-
On the Database Connection page, select an SQL Server authentication method, and click Next.
NOTE: For all Azure SQL Server variants, select Use SQL Server authentication because Windows authentication is not supported.
-
Use Windows authentication: Allows you to access the SQL Server in the security context of the account under which the Synchronization Service is running.
-
Use SQL Server authentication: Allows you to access the SQL Server in the security context of the SQL Server user account whose user name and password you specify.
-
-
On the Configuration File page, select the file for storing the created configuration profile, protect the file with a password, and click Finish.
To configure Synchronization Service using an existing database
- Start the Synchronization Service Console.
- Follow the steps in the wizard that starts automatically to configure Synchronization Service.
-
On the Service Account and Mode page, specify the following and click Next:
-
The account under which you want Synchronization Service to run.
-
The mode (local or remote) in which you want to use Synchronization Service. Use the remote mode to work with connectors installed remotely. For more information, see Using connectors installed remotely. If you select the remote mode, click Finish to close the wizard.
-
-
Select Use an existing configuration and click Next.
-
On the Configuration File page, select I have the configuration file to provide the configuration file you exported from an existing Synchronization Service instance, enter the password if necessary, and click Next. If you do not have the configuration file, after clicking Next you will need to enter the required settings.
-
If you provided the configuration file, specify the authentication method for accessing the database. Otherwise, enter the required database name and select the authentication method. Click Finish.
After you configure Synchronization Service, you can change its settings at any time using the Configuration Wizard. To start the wizard, start the Synchronization Service Console and click the gear icon in the upper right corner of the Synchronization Service Console.
Configuring Azure BackSync
In hybrid environments, on-premises Active Directory (AD) objects are synchronized to Azure AD, for example via Azure AD Connect. When you deploy Active Roles in such a hybrid environment, this synchronization works only if existing user and group information (such as the Azure objectID) are also synchronized back from Azure AD to the on-premises AD. Active Roles uses Azure back-synchronization (also known as Azure BackSync) for this purpose.
Prerequisites
The hybrid environment must meet the following requirements to configure Azure BackSync:
-
Azure AD Connect must be installed and configured.
-
Azure Active Directory (Azure AD) module version 2.0.0.131 or later must be installed and configured.
-
The Directory Writers role must be enabled in Azure AD. To enable the role, use the following script:
$psCred=Get-Credential Connect-AzureAD -Credential $psCred $roleTemplate = Get-AzureADDirectoryRoleTemplate | ? { $_.DisplayName -eq "Directory Writers" } # Enable an instance of the DirectoryRole template Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId
In addition, the user account you use to configure Azure BackSync must have the following roles:
-
User Administrator
-
Exchange Administrator
-
Application Administrator
Automatic and Manual Azure BackSync
You can perform Azure back-synchronization with Active Roles Synchronization Service, either automatically or manually:
- You can configure automatic Azure back-synchronization via the
(Settings) > Configure Azure BackSync option of Active Roles Synchronization Service. For more information, see Configuring automatic Azure BackSync.
- You can also configure manual Azure back synchronization, using existing Active Roles Synchronization Service feature components. For more information, see Configuring manual Azure BackSync.