Chatee ahora con Soporte
Chat con el soporte

Active Roles 8.1.1 - Synchronization Service Administration Guide

Synchronization Service overview Deploying Synchronization Service Getting started Connections to external data systems
External data systems supported with built-in connectors
Working with Active Directory Working with an AD LDS (ADAM) instance Working with Skype for Business Server Working with Oracle Database Working with Oracle Database user accounts Working with Exchange Server Working with Active Roles Working with One Identity Manager Working with a delimited text file Working with Microsoft SQL Server Working with Micro Focus NetIQ Directory Working with Salesforce Working with ServiceNow Working with Oracle Unified Directory Working with an LDAP directory service Working with an OpenLDAP directory service Working with IBM DB2 Working with IBM AS/400 Working with IBM RACF Working with MySQL database Working with an OLE DB-compliant relational database Working with SharePoint Working with Microsoft 365 Working with Microsoft Azure Active Directory Configuring data synchronization with the SCIM Connector Configuring data synchronization with the Generic SCIM Connector Objects and operations supported by the SCIM Connector Example of using the Generic SCIM Connector for data synchronization
Using connectors installed remotely Creating a connection Renaming a connection Deleting a connection Modifying synchronization scope for a connection Using connection handlers Specifying password synchronization settings for a connection
Synchronizing identity data Mapping objects Automated password synchronization Synchronization history Scenarios of use Developing PowerShell scripts for attribute synchronization rules Using PowerShell script to transform passwords

Deploying Synchronization Service

This section elaborates on the following topics:

  • Installing Synchronization Service

  • Configuring Synchronization Service

  • Configuring Azure BackSync

  • Upgrade from Quick Connect

  • Communication ports

Installing Synchronization Service

To install Synchronization Service

  1. Make sure the system on which you wish to install Synchronization Service meets the system requirements provided in the Active Roles Release Notes.

  2. From the Active Roles installation package, run the Setup.exe file to launch the Active Roles setup.

  3. Follow the instructions in the setup wizard.

  4. On the Component Selection page, select Synchronization Service and click Next. This installs the Synchronization Service, the Synchronization Service Console, the built-in connectors, and the Management Shell.

    The Synchronization Service Console is a graphical user interface providing access to the Synchronization Service functionality. Synchronization Service manages data flows between connected data systems.

    Connectors enable Synchronization Service to access specific data systems to read and synchronize identity data.

    Management Shell is an automation and scripting shell that provides a command-line management interface for synchronizing data between external data systems via Synchronization Service. For more information, see Management Shell.

  5. On the Ready to Install page, click Install.

  6. Click Finish to exit the wizard.

To install Synchronization Service Management Shell

  1. Open the Windows Command Prompt with Administrator privileges.

  2. In the command prompt, navigate to <Installer Location> > Components > ActiveRoles Synchronization Service folder.

  3. In the command prompt, to install the Synchronization Service Management Shell, enter the following command:

    SyncService.msi INSTALLSYNCSHELL=1

    To uninstall, navigate to Add or remove programs, click Active Roles Synchronization Service Management Shell, then click Uninstall.

    NOTE: Consider the following when installing Synchronization Service Management Shell:

    • Running the SyncService.msi component with INSTALLSYNCSHELL=0 or double-clicking the SyncService.msi file directly installs both the Synchronization Service and the Synchronization Service Management Shell components.

    • When both the service and shell components for Synchronization Service are required, One Identity recommends to use the standard method of installing Synchronization Service.

    • To install only the Synchronization Service Management Shell component, use the command prompt.

Configuring Synchronization Service

To configure Synchronization Service, you can use one of the following methods:

  • Specify new SQL Server or Azure SQL Server databases for storing the Synchronization Service data.

    With this method, you can store the configuration settings and synchronization data either in a single new SQL Server database or in two separate databases.

  • Share existing configuration settings between two or more instances of Synchronization Service.

Prerequisites
  • If you are using an Azure SQL Server, set the db_owner database role to the user of the Azure SQL Server.

  • If you are using an SQL Server, set the dbcreator server role to the user of the SQL Server.

    dbcreator is the minimum role that the user of the SQL Server or Azure SQL Server requires for the initial configuration of Synchronization Service.

    After creating the new database, you can revoke the dbcreator role because the db_owner role that is automatically assigned to the same user of the SQL Server is sufficient for the Synchronization Service database connection.

To configure Synchronization Service using a new database

  1. Start the Synchronization Service Console.
  2. Follow the steps in the wizard that starts automatically to configure Synchronization Service.
  3. On the Service Account and Mode page, specify the following and click Next:

    • The account under which you want Synchronization Service to run.

    • The mode (local or remote) in which you want to use Synchronization Service. Use the remote mode to work with connectors installed remotely. For more information, see Using connectors installed remotely. If you select the remote mode, click Finish to close the wizard.

  4. Select Create a new configuration and click Next.

  5. On the Database Connection page, specify an SQL Server database.

    • SQL Server: Enter the name of the SQL Server computer that hosts the database you want to participate in data synchronization operations.

    • Database: Enter a name for the new SQL Server database.

  6. (Optional) Select Store sync data in a separate database.

    • If you want to store the configuration settings and synchronization data in a single SQL Server database, clear the check box.

    • If you want to store the configuration settings and synchronization data in two separate databases, select the check box, then specify the database in which you want to store the synchronization data.

  7. On the Database Connection page, select an SQL Server authentication method, and click Next.

    NOTE: For all Azure SQL Server variants, select Use SQL Server authentication because Windows authentication is not supported.

    • Use Windows authentication: Allows you to access the SQL Server in the security context of the account under which the Synchronization Service is running.

    • Use SQL Server authentication: Allows you to access the SQL Server in the security context of the SQL Server user account whose user name and password you specify.

  8. On the Configuration File page, select the file for storing the created configuration profile, protect the file with a password, and click Finish.

To configure Synchronization Service using an existing database

  1. Start the Synchronization Service Console.
  2. Follow the steps in the wizard that starts automatically to configure Synchronization Service.
  3. On the Service Account and Mode page, specify the following and click Next:

    • The account under which you want Synchronization Service to run.

    • The mode (local or remote) in which you want to use Synchronization Service. Use the remote mode to work with connectors installed remotely. For more information, see Using connectors installed remotely. If you select the remote mode, click Finish to close the wizard.

  4. Select Use an existing configuration and click Next.

  5. On the Configuration File page, select I have the configuration file to provide the configuration file you exported from an existing Synchronization Service instance, enter the password if necessary, and click Next. If you do not have the configuration file, after clicking Next you will need to enter the required settings.

  6. If you provided the configuration file, specify the authentication method for accessing the database. Otherwise, enter the required database name and select the authentication method. Click Finish.

After you configure Synchronization Service, you can change its settings at any time using the Configuration Wizard. To start the wizard, start the Synchronization Service Console and click the gear icon in the upper right corner of the Synchronization Service Console.

Configuring Azure BackSync

In hybrid environments, on-premises Active Directory (AD) objects are synchronized to Azure AD, for example via Azure AD Connect. When you deploy Active Roles in such a hybrid environment, this synchronization works only if existing user and group information (such as the Azure objectID) are also synchronized back from Azure AD to the on-premises AD. Active Roles uses Azure back-synchronization (also known as Azure BackSync) for this purpose.

Prerequisites

The hybrid environment must meet the following requirements to configure Azure BackSync:

  • Azure AD Connect must be installed and configured.

  • Azure Active Directory (Azure AD) module version 2.0.0.131 or later must be installed and configured.

  • The Directory Writers role must be enabled in Azure AD. To enable the role, use the following script:

    $psCred=Get-Credential
    Connect-AzureAD -Credential $psCred
    $roleTemplate = Get-AzureADDirectoryRoleTemplate | ? { $_.DisplayName -eq "Directory Writers" }
    
    # Enable an instance of the DirectoryRole template
    
    Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId
    

In addition, the user account you use to configure Azure BackSync must have the following roles:

  • User Administrator

  • Exchange Administrator

  • Application Administrator

Automatic and Manual Azure BackSync

You can perform Azure back-synchronization with Active Roles Synchronization Service, either automatically or manually:

  • You can configure automatic Azure back-synchronization via the (Settings) > Configure Azure BackSync option of Active Roles Synchronization Service. For more information, see Configuring automatic Azure BackSync.
  • You can also configure manual Azure back synchronization, using existing Active Roles Synchronization Service feature components. For more information, see Configuring manual Azure BackSync.
Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación