지금 지원 담당자와 채팅
지원 담당자와 채팅

Active Roles 8.0.1 LTS - Synchronization Service Administration Guide

Synchronization Service Overview Deploying Synchronization Service Getting started Connections to external data systems
External data systems supported with built-in connectors
Working with Active Directory Working with an AD LDS (ADAM) instance Working with Skype for Business Server Working with Oracle Working with Exchange Server Working with Active Roles Working with One Identity Manager Working with a delimited text file Working with Microsoft SQL Server Working with Micro Focus NetIQ Directory Working with Salesforce Working with ServiceNow Working with Oracle Unified Directory Working with an LDAP directory service Working with IBM DB2 Working with IBM AS/400 Working with an OpenLDAP directory service Working with IBM RACF connector Working with MySQL database Working with an OLE DB-compliant relational database Working with SharePoint Working with Microsoft 365
Creating a Microsoft 365 connection Modifying a Microsoft 365 connection Microsoft 365 data supported for data synchronization
ClientPolicy object attributes supported for Microsoft 365 data synchronization ConferencingPolicy object attributes supported for Microsoft 365 data synchronization Contact object attributes supported for Microsoft 365 data synchronization DistributionGroup object attributes supported for Microsoft 365 data synchronization Domain object attributes supported for Microsoft 365 data synchronization DynamicDistributionGroup object attributes supported for Microsoft 365 data synchronization ExternalAccessPolicy object attributes supported for Microsoft 365 data synchronization HostedVoicemailPolicy object attributes supported for Microsoft 365 data synchronization LicensePlanService object attributes supported for Microsoft 365 data synchronization Mailbox object attributes supported for Microsoft 365 data synchronization MailUser object attributes supported for Microsoft 365 data synchronization PresencePolicy object attributes supported for Microsoft 365 data synchronization SecurityGroup object attributes supported for Microsoft 365 data synchronization SPOSite object attributes supported for Microsoft 365 data synchronization SPOSiteGroup object attributes supported for Microsoft 365 data synchronization SPOWebTemplate object attributes supported for Microsoft 365 data synchronization SPOTenant object attributes supported for Microsoft 365 data synchronization User object attributes supported for Microsoft 365 data synchronization VoicePolicy object attributes supported for Microsoft 365 data synchronization Microsoft 365 Group attributes supported for Microsoft 365 data synchronization Changing the display names of synchronized Microsoft 365 licenses and services
Objects and attributes specific to Microsoft 365 services How the Microsoft 365 Connector works with data
Working with Microsoft Azure Active Directory Configuring data synchronization with the SCIM Connector Configuring data synchronization with the Generic SCIM Connector
Using connectors installed remotely Creating a connection Renaming a connection Deleting a connection Modifying synchronization scope for a connection Using connection handlers Specifying password synchronization settings for a connection
Synchronizing identity data Mapping objects Automated password synchronization Synchronization history Scenarios of use
About scenarios Scenario 1: Create users from a .csv file to an Active Directory domain Scenario 2: Use a .csv file to update user accounts in an Active Directory domain Scenario 3: Synchronizing data between One Identity Manager Custom Target Systems and an Active Directory domain Scenario 4: Deprovisioning between One Identity Manager Custom Target Systems and an Active Directory domain Scenario 5: Provisioning of Groups between One Identity Manager Custom Target Systems and an Active Directory domain Scenario 6: Enabling Delta Sync mode between One Identity Manager Custom Target Systems and an Active Directory domain Example of using the Generic SCIM Connector for data synchronization
Appendix A: Developing PowerShell scripts for attribute synchronization rules Appendix B: Using a PowerShell script to transform passwords

Use Group Policy object to modify Capture Agent settings

  1. Under Computer Configuration\Policies\Administrative Templates\Classic Administrative Templates (ADM)\Active Roles, select Sync Service Capture Agent Settings.

  2. In the details pane, configure the appropriate Group Policy settings.

    The names of Group Policy settings correspond to the names of the Capture Agent parameters provided in the table in Configuring Capture Agent.

  3. Run the following command at a command prompt for the changes to take effect:

    gpupdate /force

Configuring Active Roles Synchronization Service

Configuring Synchronization Service

You can modify the default values of the Synchronization Service parameters related to password synchronization. These parameters and their default values are described in the next table.

 

Table 125: Synchronization Service parameters

Parameter

Description

Default Value

Interval between attempts to reset password

The Capture Agent sends information on changes made to Active Directory user passwords to Synchronization Service. After receiving this information, Synchronization Service tries to reset passwords in the target connected systems you specified.

This parameter determines the time interval (in minutes) between attempts to reset passwords in the target connected systems.

10 minutes

Synchronization Service connection point update period

Synchronization Service publishes its connection point in Active Directory.

This parameter determines the frequency of updates (in minutes) of the Synchronization Service connection point.

60 minutes

Certificate to encrypt Capture Agent traffic

This parameter specifies the thumbprint of the certificate used to encrypt the password sync traffic between Capture Agent and Synchronization Service. The same certificate must be used for the Capture Agent and the Synchronization Service.

By default, a built-in certificate is used.

You can modify the Synchronization Service parameters using Group Policy and the Administrative Template supplied with Synchronization Service.

To modify Synchronization Service parameters using Group Policy

  1. On the computer running the Synchronization Service, start Group Policy Object Editor, and then connect to the Local Computer Policy Group Policy object.
  2. In the Group Policy Object Editor console, expand the Local Computer Policy node, expand the Computer Configuration node, and select Administrative Templates.
  3. On the Action menu, point to All Tasks, and click Add/Remove Templates.
  4. In the Add/Remove Templates dialog box, click Add, and then use the Policy Templates dialog box to open the SyncService.adm file that holds the Administrative Template.

    By default, the SyncService.adm file is stored in <Active Roles installation folder>\SyncService\Administrative Templates

  1. Under Computer Configuration\Administrative Templates\Active Roles, select Sync Service Settings, and then in the details pane, configure the appropriate group policy settings.

    The names of group policy settings correspond to the names of the Synchronization Service parameters provided in the table in Configuring Capture Agent.

  1. For the changes to take effect, refresh the Group Policy settings by running the following command at a command prompt: gpupdate /force

Specifying a custom certificate for encrypting password sync traffic

By default, Synchronization Service uses a built-in certificate to encrypt password sync traffic between the Capture Agent and the Synchronization Service. If necessary, you can use a custom certificate for this purpose.

NOTE:

  • SSL certificates signed with MD5 algorithm are not supported.
  • Backward compatibility for Quick Connect v5.5 with Active Roles Synchronization Service Capture Agent v8.0.1 can be achieved through custom certificate signed with SHA algorithm.

This section illustrates how to use a custom certificate for encrypting the password synchronization traffic in Windows Server (2016 or later).

Complete the following steps:

Step 1: Obtain and install a certificate

To obtain and install a certificate, you have to make a certificate request. There are two methods to request a certificate in Windows Server (2016 or later):

  • Request certificates using the Certificate Request Wizard. To request certificates from a Windows Server enterprise certification authority, you can use the Certificate Request Wizard.
  • Request certificates using the Windows Server Certificate Services Web interface. Each certification authority that is installed on a computer running Windows Server has a Web interface that allows the users to submit certificate requests. By default, the Web interface is accessible at http://servername/certsrv, where servername refers to the name of the computer running Windows Server.

This section provides steps to request certificates using the Windows Server Certificate Services Web interface. For detailed information about the Certificate Request Wizard, refer to the documentation on Certification Authority.

To request a certificate using the Windows Server Certificate Services Web interface

  1. Use a Web browser to open to http://servername/certsrv, where servername refers to the name of the Web server running Windows Server where the certification authority that you want to access is located.
  2. On the Welcome Web page, click Request a certificate.
  3. On the Request a Certificate Web page, click advanced certificate request.
  4. On the Advanced Certificate Request Web page, click Create and submit a certificate request to this CA.
  5. On the Web page that opens, do the following:
    • Select the Store certificate in the local computer certificate store check box.
    • Under Additional Options, select the PKCS10 option, and in the Friendly Name text box, specify a name for your certificate (such as My QC Certificate).

    Keep default values for all other options.

  1. Click Submit.
  2. On the Certificate Issued Web page, click Install this certificate.

After you install the certificate, it becomes available in the Certificates snap-in, in the Personal/Certificates store.

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택