Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Active Roles Sync Service 8.2 - Administration Guide

Synchronization Service overview Deploying Synchronization Service Deploying Synchronization Service for use with AWS Managed Microsoft AD Getting started Connections to external data systems
External data systems supported with built-in connectors
Working with Active Directory Working with an AD LDS (ADAM) instance Working with Skype for Business Server Working with Oracle Database Working with Oracle Database user accounts Working with Exchange Server Working with Active Roles Working with One Identity Manager Working with a delimited text file Working with Microsoft SQL Server Working with Micro Focus NetIQ Directory Working with Salesforce Working with ServiceNow Working with Oracle Unified Directory Working with an LDAP directory service Working with an OpenLDAP directory service Working with IBM DB2 Working with IBM AS/400 Working with IBM RACF Working with MySQL database Working with an OLE DB-compliant relational database Working with SharePoint Working with Microsoft 365 Working with Microsoft Azure Active Directory Configuring data synchronization with the SCIM Connector Configuring data synchronization with the Generic SCIM Connector
Using connectors installed remotely Creating a connection Renaming a connection Deleting a connection Modifying synchronization scope for a connection Using connection handlers Specifying password synchronization settings for a connection
Synchronizing identity data Mapping objects Automated password synchronization Synchronization history Scenarios of use Developing PowerShell scripts for attribute synchronization rules Using PowerShell script to transform passwords

Communication ports required to synchronize data between two Active Directory domains

When synchronizing data between two Active Directory domains, Synchronization Service uses the following ports to access domain controllers in the domains:

Table 3: Required communication ports

Port

Protocol

Type of traffic

Direction of traffic

53

TCP/UDP

DNS

Inbound

88

TCP/UDP

Kerberos

Outbound

389

TCP/UDP

LDAP

Outbound

636

TCP

LDAP over SSL (LDAPS)

Outbound

Synchronizing user passwords between two Active Directory domains

You can automatically synchronize user passwords from one Active Directory domain to the other by using Synchronization Service. The next procedure assumes that Synchronization Service is already connected to the source and target domains. For more information, see Creating an Active Directory connection.

To synchronize user passwords between two Active Directory domains

  1. Install Capture Agent on all domain controllers in the source and target Active Directory domains.

  2. Use the pwdHash attribute to perform an initial synchronization of user passwords between the source and target domains:

    1. Create a new or choose an existing creating or updating synchronization step for the source and target domains.

      If you use an updating synchronization step, ensure that user objects in the source domain are properly mapped to their counterparts in the target domain. For more information on mapping objects, see Mapping objects.

      In the creating or updating synchronization step, configure a rule to synchronize the pwdHash attribute value from the user objects in the source domain to their counterparts in the target domain.

    2. Run the creating or updating synchronization step to perform an initial synchronization of user passwords from the source to the target domain.

    The step to perform an initial synchronization allows you to synchronize user passwords only once. If you want to synchronize all subsequent password changes on a permanent basis, complete the step to create a recurring run schedule.

  3. Create a recurring run schedule for the synchronization step you configured previously. For instructions, see Running a sync workflow on a recurring schedule.

    • To synchronize all subsequent password changes from the source to the target domain, do one of the following:

      • Configure a password sync rule to automate the password synchronization between the two Active Directory domains. For more information, see Automated password synchronization.

Synchronizing SID history of users or groups

You can use Synchronization Service to synchronize SID history between user or group objects in two Active Directory domains. For example, you can synchronize SID history when migrating users from one Active Directory domain to the other.

NOTE: Consider the following when synchronizing SID history:

  • To read SID data in the source Active Directory domain, you can use the sIDHistory or objectSid attribute.

  • To write SID data to the target Active Directory domain, always use the sIDHistory attribute.

To synchronize SID history of users or groups

  1. Install Capture Agent on all domain controllers in the source and target Active Directory domains you want to participate in the SID history synchronization.

    For more information on how to install Capture Agent, see Managing Capture Agent.

  2. Use the Specified domain controller option to connect Synchronization Service to the source and target domains.

    For more information on how to connect Synchronization Service to an Active Directory domain, see Creating an Active Directory connection.

  3. Create a new or choose an existing creating or updating synchronization step for the source and target domains.

    If you use an updating synchronization step, ensure that user objects in the source domain are properly mapped to their counterparts in the target domain. For more information on mapping objects, see Mapping objects.

  4. Configure the synchronization step to do the following:

    • Read SID data in the source Active Directory domain. For this purpose, you can use the sIDHistory attribute or the objectSid attribute, or both.

    • Write SID data to the target Active Directory domain by using the sIDHistory attribute.

    To read attribute values in the source domain and write them to the target domain, you can configure attribute modification rules in your sync workflow step. For more information, see Modifying attribute values by using rules.

  5. Run the created step to synchronize SID history.

Working with an AD LDS (ADAM) instance

This section explains how to create or modify a connection to an AD LDS (ADAM) instance so that Synchronization Service could work with data in that data system.

To create a connection to an AD LDS (ADAM) instance, you need to use Synchronization Service in conjunction with a special connector called AD LDS (ADAM) Connector. This connector is included in the Synchronization Service package.

The AD LDS (ADAM) Connector supports the following features:

Table 4: AD LDS (ADAM) Connector – Supported features

Feature

Supported

Bidirectional synchronization

Specifies whether you can both read and write data in the connected data system.

Yes

Delta processing mode

Specifies whether the connection can process only the data that has changed in the connected data system since the last synchronization operation. This reduces the overall synchronization duration.

Yes

Password synchronization

Specifies whether you can synchronize user passwords from an Active Directory (AD) domain to the connected data system.

Yes

Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation