Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Active Roles Sync Service 8.2 - Administration Guide

Synchronization Service overview Deploying Synchronization Service Deploying Synchronization Service for use with AWS Managed Microsoft AD Getting started Connections to external data systems
External data systems supported with built-in connectors
Working with Active Directory Working with an AD LDS (ADAM) instance Working with Skype for Business Server Working with Oracle Database Working with Oracle Database user accounts Working with Exchange Server Working with Active Roles Working with One Identity Manager Working with a delimited text file Working with Microsoft SQL Server Working with Micro Focus NetIQ Directory Working with Salesforce Working with ServiceNow Working with Oracle Unified Directory Working with an LDAP directory service Working with an OpenLDAP directory service Working with IBM DB2 Working with IBM AS/400 Working with IBM RACF Working with MySQL database Working with an OLE DB-compliant relational database Working with SharePoint Working with Microsoft 365 Working with Microsoft Azure Active Directory Configuring data synchronization with the SCIM Connector Configuring data synchronization with the Generic SCIM Connector
Using connectors installed remotely Creating a connection Renaming a connection Deleting a connection Modifying synchronization scope for a connection Using connection handlers Specifying password synchronization settings for a connection
Synchronizing identity data Mapping objects Automated password synchronization Synchronization history Scenarios of use Developing PowerShell scripts for attribute synchronization rules Using PowerShell script to transform passwords

How to automate password synchronization

To automatically synchronize passwords from an Active Directory domain to another data system, complete these steps:

  1. Install Capture Agent on each domain controller in the Active Directory domain you want to be the source for password synchronization operations.

    Capture Agent tracks changes to the user passwords in the source Active Directory domain and provides this information to Synchronization Service, which in turn synchronizes passwords in the target connected systems you specify.

    For more information on how to install Capture Agent, see Managing Capture Agent.

  2. Connect the Synchronization Service to the Active Directory domain where you installed Capture Agent.

    Alternatively, you can configure a connection to Active Roles Synchronization Service that manages the source Active Directory domain.

  3. Connect the Synchronization Service to the data system where you want to synchronize user object passwords with those in the source Active Directory domain.

    • For some target data systems (such as SQL Server) you must specify the data you want to participate in the password synchronization by configuring an SQL query.

    • If the target data system is an LDAP directory service accessed via the generic LDAP connector, you must specify the target object type for which you want to synchronize passwords and the attribute where you want to store object passwords.

  4. Ensure that user objects in the source Active Directory domain are properly mapped to their counterparts in the target connected system.

    For more information about mapping objects, see Mapping objects.

    Synchronization Service automatically maps objects between the source Active Directory domain and the target connected system if you configure sync workflows to manage the creation and deprovision operations between the source Active Directory domain (or Active Roles Synchronization Service that manages that domain) and the target connected system.

    For more information on sync workflows, see Synchronizing identity data.

  5. Create a password synchronization rule for the target connected system.

    For more information, see Creating a password sync rule.

After you complete the above steps, the Synchronization Service starts to automatically track user password changes in the source Active Directory domain and synchronize passwords in the target connected system.

If necessary, you can fine-tune the password synchronization settings by completing these optional tasks:

Managing Capture Agent

Capture Agent is required to track changes to the user passwords in the Active Directory domain you want to be the authoritative source for password synchronization operations. To synchronize passwords, you must install Capture Agent on each domain controller in the source Active Directory domain.

Whenever a password changes in the source Active Directory domain, the agent captures that change and provides the changed password to the Synchronization Service. In turn, the Synchronization Service uses the provided information to synchronize passwords in the target connected systems according to your settings.

Installing Capture Agent manually

You can manually deploy Synchronization Service Capture Agent on each domain controller in the source Active Directory domain. Alternatively, you can also perform an unattended installation for the Capture Agent component.

To manually install Capture Agent

  1. On the domain controller, open the Active Roles Synchronization Service installation media.

  2. In the installation media, navigate to the following directory: \Tools\Sync Service Capture Agent

  3. Run SyncServiceCaptureAgent_8.2.0_x64.msi.

  4. Follow the instructions of the setup wizard.

  5. After installing Capture Agent, restart the domain controller.

To perform an unattended installation

  1. On the domain controller, open the Windows Command Prompt.

  2. Run the following command:

    msiexec /i "<path-to-SyncServiceCaptureAgent_8.2.0_x64.msi>" /qb INSTALLDIR="<path-to-installation-folder>" REBOOT="<reboot-value>"

These commands use the following arguments:

  • (Optional) INSTALLDIR: Specifies the Capture Agent installation folder. If this argument is not used, the Capture Agent component is installed to the following default folder:

    %ProgramFiles%\One Identity\Active Roles\8.2\SyncServiceCaptureAgent

  • REBOOT: Specifies whether to force or suppress restart after installation with the following available values:

    • Force: Prompts to restart the system after installation.

    • Suppress: Suppresses restart prompts after installation.

    • ReallySuppress: Suppresses all restart prompts and restart attempts during installation.

    NOTE: After installing Capture Agent, restart the domain controller.

    For more information on these values, see REBOOT property in the Microsoft Windows Installer documentation.

Using Group Policy to install Capture Agent

You can use this method to automatically deploy Capture Agent on each domain controller in the source Active Directory domain. This method is applicable in the following scenarios only:

Table 106: Prerequisites by scenario

Supported scenario

Prerequisites

Scenario 1: AD domain includes either 32- or 64-bit domain controllers

  • All the domain controllers must be held in a single organizational unit (for example, the built-in Domain Controllers OU).

  • At least one group policy object must be linked to the OU holding the domain controllers (for example, the built-in Default Domain Controllers Policy Group Policy object).

Scenario 2: AD domain includes both 32-bit and 64-bit domain controllers

  • The domain controllers must be held in two separate organizational units, each containing domain controllers of the same bitness.

  • At least one group policy object must be linked to each of the two Organizational Units.

To install Capture Agent by using Group Policy

  1. Save the SyncServiceCaptureAgent_8.2.0_x86.msi and SyncServiceCaptureAgent_8.2.0_x64.msi files to a network share accessible from each domain controller in the source Active Directory domain.

  2. Depending on your scenario, complete the steps in the table:

    Table 107: Steps by scenario

    Scenario 1: AD domain includes either 32-bit or 64-bit domain controllers

    Scenario 2: AD domain includes both 32-bit and 64-bit domain controllers

    1. Use Group Policy Editor to open the group policy object linked to the OU holding the domain controllers on which you want to install Capture Agent.

    2. In the Group Policy Object Editor console tree, do one of the following:

      • In Windows Server 2016 or later, expand the Computer Configuration node, then expand Policies, and select Software Settings.

    3. In the details pane, click Software Installation, on the Action menu point to New, and then click Package.

    4. Use the dialog to open one of the following files:

      • SyncServiceCaptureAgent_8.2.0_x86.msi if all your domain controllers are 32-bit.

      • SyncServiceCaptureAgent_8.2.0_x64.msi if all your domain controllers are 64-bit.

    5. In the Deploy Software dialog, select Assigned, and then click OK.

    1. Use Group Policy Object Editor to open the group policy object linked to the OU holding the 32-bit domain controllers.

    2. Do one of the following in the Group Policy Object Editor console tree:

      • In Windows Server 2016 or later, expand the Computer Configuration node, then expand Policies, and select Software Settings.

    3. In the details pane, click Software Installation, on the Action menu point to New, and then click Package.

    4. Use the dialog to open the SyncServiceCaptureAgent_8.2.0_x86.msi file.

    5. In the Deploy Software dialog, select Assigned, and then click OK.

    6. Repeat every step for the group policy object linked to the OU holding the 64-bit domain controllers. Use the SyncServiceCaptureAgent_8.2.0_x64.msi file to install Capture Agent on these domain controllers.

  3. Run the following command at a command prompt to refresh the Group Policy settings:

    gpupdate /force

Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation