Synchronization Service Overview
About Synchronization Service
Features and benefits
Deploying Synchronization Service
Getting started
Bidirectional synchronization
Delta processing mode
Synchronization of group membership
Windows PowerShell scripting
Attribute synchronization rules
Rule-based generation of distinguished names
Scheduling capabilities
Extensibility
Technical overview
Synhronization Service Administration Console
Connections to external data systems
Sync Workflows tab
Sync History tab
Connections tab
Mapping tab
Password Sync tab
Configuring diagnostic logging
Steps to synchronize identity data
Management Shell
External data systems supported out of the box
Synchronizing identity data
Working with Active Directory
Using connectors installed remotely
Creating an Active Directory connection
Modifying an existing Active Directory connection
Communication ports required to synchronize data between two AD domains
Synchronizing user passwords between two AD domains
Synchronizing SID history of users or groups
Working with an AD LDS (ADAM) instance
Creating an AD LDS (ADAM) instance connection
Modifying an existing AD LDS (ADAM) instance connection
Working with Skype for Business Server
Creating a new Skype for Business Server connection
Modifying an existing Skype for Business Server connection
Skype for Business Server data supported out of the box
Working with Exchange Server
User object attributes
ArchivingPolicy object attributes
ClientPolicy object attributes
ClientVersionPolicy object attributes
ConferencingPolicy object attributes
DialPlanPolicy object attributes
ExternalAccessPolicy object attributes
LocationPolicy object attributes
MobilityPolicy object attributes
PersistentChatPolicy object attributes
PinPolicy object attributes
VoicePolicy object attributes
LyncSettings object attributes
Attributes required to create a Skype for Business Server user
Getting or setting the Telephony option value in Skype for Business Server
Creating a new connection to Exchange Server
Modifying an existing connection to Exchange Server
Exchange Server data supported out of the box
Working with Active Roles
Working with Quest One Identity Manager
ActiveSyncMailboxPolicy object attributes
AddressBookPolicy object attributes
AddressList object attributes
DistributionGroup object attributes
DynamicDistributionGroup object attributes
ExchangeServer object attributes
GlobalAddressList object attributes
Mailbox object attributes
MailContact object attributes
MailboxDatabase object attributes
MailUser object attributes
OfflineAddressBook object attributes
OrganizationConfig object attributes
OwaMailboxPolicy object attributes
PublicFolder object attributes
PublicFolderDatabase object attributes
RoleAssignmentPolicy object attributes
StorageGroup object attributes
UmDialPlan object attributes
UmMailboxPolicy object attributes
Scenario: Migrate mailboxes from one Exchange Server to another
Creating a Quest One Identity Manager connection
Working with One Identity Manager
Step 1: Provide access to Quest One Identity Manager DLLs
Step 2: Configure a connection to Quest One Identity Manager
Modifying a Quest One Identity Manager connection
Quest One Identity Manager Connector configuration file
Creating a One Identity Manager connection
Modifying a One Identity Manager connection
One Identity Manager Connector configuration file
Working with a delimited text file
Working with Microsoft SQL Server
Sample queries to modify SQL Server data
Working with an OLE DB-compliant relational database
Creating an OLE DB-compliant relational database connection
Modifying an existing OLE DB-compliant data source connection
Working with SharePoint
Creating a SharePoint connection
SharePoint data supported out of the box
Working with Microsoft Office 365
AlternateURL object attributes
ClaimProvider object attributes
Farm object attributes
Group object attributes
Language object attributes
Policy object attributes
PolicyRole object attributes
Prefix object attributes
RoleAssignment object attributes
RoleDefinition object attributes
Site object attributes
User object attributes
Web object attributes
WebApplication object attributes
WebTemplate object attributes
Considerations for creating objects in SharePoint
Creating a Microsoft Office 365 connection
Modifying a Microsoft Office 365 connection
Microsoft Office 365 data supported out of the box
Working with Microsoft Azure Active Directory
ClientPolicy object attributes
ConferencingPolicy object attributes
Contact object attributes
DistributionGroup object attributes
Domain object attributes
DynamicDistributionGroup object attributes
ExternalAccessPolicy object attributes
HostedVoicemailPolicy object attributes
LicensePlanService object attributes
Mailbox object attributes
MailUser object attributes
PresencePolicy object attributes
SecurityGroup object attributes
SPOSite object attributes
SPOSiteGroup object attributes
SPOWebTemplate object attributes
SPOTenant object attributes
User object attributes
Attributes Related to License Plans and Services
Other attributes
VoicePolicy object attributes
Objects and attributes specific to Microsoft Office 365 services
How Microsoft Office 365 Connector works with data
Creating a Microsoft Azure Active Directory connection
Step 1: Configure an application in Microsoft Azure Active Directory
Step 2: Create a connection to Microsoft Azure Active Directory
Modifying a Microsoft Azure Active Directory connection
Microsoft Azure Active Directory data supported out of the box
Steps to install Synchronization Service and built-in connectors remotely
Creating a connection using a remotely installed connector
Creating a connection
Renaming a connection
Deleting a connection
Modifying synchronization scope for a connection
Using connection handlers
Specifying password synchronization settings for a connection
Getting started with identity data synchronization
Managing sync workflows
Mapping objects
Creating a sync workflow
Running a sync workflow
Managing sync workflow steps
Running a sync workflow manually
Running a sync workflow on a recurring schedule
Disabling a sync workflow run schedule
Renaming a sync workflow
Deleting a sync workflow
Adding a creating step
Creating an updating step
Creating a deprovisioning step
Modifying a step
General Options tab
Source tab
Target tab
Creation Rules tab
Deprovisioning Rules tab
Updating Rules Tab
Step Handlers tab
Deleting a step
Changing the order of steps in a sync workflow
Generating object names by using rules
Modifying attribute values by using rules
Using value generation rules
Using sync workflow step handlers
Example: Synchronizing group memberships
Example: Synchronizing multivalued attributes
Using sync workflow alerts
About mapping objects
Steps to map objects
Automated password synchronization
Step 1: Create mapping pairs
Step 2: Create mapping rules
Step 3 (optional): Change scope for mapping rules
Step 4: Run map operation
Steps to unmap objects
About automated password synchronization
Steps to automate password synchronization
Managing Capture Agent
Synchronization history
Installing Capture Agent manually
Using Group Policy to install Capture Agent
Uninstalling Capture Agent
Managing password sync rules
Creating a password sync rule
Deleting a password sync rule
Modifying settings of a password sync rule
Fine-tuning automated password synchronization
Configuring Capture Agent
Step 1: Create and link a Group Policy object
Step 2: Add administrative template to Group Policy object
Step 3: Use Group Policy object to modify Capture Agent settings
Configuring Active Roles Synchronization Service
Specifying a custom certificate for encrypting password sync traffic
Step 1: Obtain and install a certificate
Step 2: Export custom certificate to a file
Step 3: Import certificate into certificates store
Step 4: Copy certificate’s thumbprint
Step 5: Provide certificate’s thumbprint to Capture Agent
Step 6: Provide certificate’s thumbprint to Synchronization Service
Using PowerShell scripts with password synchronization
About synchronization history
Viewing sync workflow history
Viewing mapping history
Searching synchronization history
Cleaning up synchronization history
Scenarios of use
About scenarios
Scenario 1: Create users from a .csv file to an Active Directory domain
Appendix A: Developing PowerShell scripts for attribute synchronization rules
Appendix B: Using a PowerShell script to transform passwords
Step 1: Create a sync workflow
Step 2: Add a creating step
Step 3: Run the configured creating step
Step 4: Commit changes to Active Directory
Scenario 2: Use a .csv file to update user accounts in an Active Directory domain
Step 1: Create an updating step
Step 2: Run the created updating step
Step 3: Commit changes to Active Directory
Scenario 3: Synchronizing data between One Identity Manager Custom Target Systems and an Active Directory domain
Step 1: Create connection to One Identity Manager
Step 2: Configure One Identity Manager modules, Custom Target System and Container Information
Step 3: Create Workflow for Provisioning
Step 4: Create Provisioning
Step 5: Specify the synchronization rules
Step 6: Execute Workflow
Step 7: Commit changes to One Identity Manager
Step 8: Verify on One Identity Manager
Scenario 4: Deprovisioning between One Identity Manager Custom Target Systems and an Active Directory domain
Scenario 5: Provisioning of Groups between One Identity Manager Custom Target Systems and an Active Directory domain
Scenario 6: Enabling Delta Sync mode between One Identity Manager Custom Target Systems and an Active Directory domain
Working with One Identity Manager
Connections to external data systems > External data systems supported out of the box > Working with One Identity Manager
To create a connection to One Identity Manager, you need to use Synchronization Service in conjunction with a special connector called One Identity Manager Connector. This connector is included in the Synchronization Service package.
The One Identity Manager Connector supports the following Synchronization Service features:
|
Feature |
|
|
Bidirectional synchronization Allows you to read and write data in the connected data system. |
Yes |
|
Delta processing mode Allows you to process only the data that has changed in the connected data system since the last synchronization operation, thereby reducing the overall synchronization operation time. |
Yes |
|
Password synchronization Allows you to synchronize user passwords from One Identity Manager domain to the connected data system. |
No |
In this section:
- Creating a One Identity Manager connection
- Modifying a One Identity Manager connection
- One Identity Manager Connector configuration file
See also:
- Renaming a connection
- Deleting a connection
- Modifying synchronization scope for a connection
- Specifying password synchronization settings for a connection
Creating a One Identity Manager connection
Connections to external data systems > External data systems supported out of the box > Working with One Identity Manager > Creating a One Identity Manager connection
Synchronization Service supports One Identity Manager out of the box, so you can create a connection to Identity Manager just after you install Synchronization Service.
To create a new connection
- In the Synchronization Service Administration Console, open the Connections tab.
- Click Add connection, and then use the following options:
- Connection name. Type a descriptive name for the connection.
- Use the specified connector. Select One Identity Manager Connector.
- Click Next.
- On the Specify connection settings page, use the following options:
- Application Server URL. Specify the address of the One Identity Manager application server to which you want to connect.
- Authentication module. Identifies the One Identity Manager authentication module that is to be used to verify the connection’s user ID and password.
- User name. Specify the user ID for this connection.
- Password. Specify the password of the user ID for this connection.
- Test Connection. Click to verify the specified connection settings.
- Click Next.
The One Identity Manager modules, target systems, and containers are displayed.
- Select the required One Identity Manager modules.
NOTE: The One Identity Manager target systems and One Identity Manager containers are applicable only for the Target System Base module (UNS..B tables).
- Click Finish to create a connection to One Identity Manager.
Modifying a One Identity Manager connection
Connections to external data systems > External data systems supported out of the box > Working with One Identity Manager > Modifying a One Identity Manager connection
To modify connection settings
- In the Synchronization Service Administration Console, open the Connections tab.
- Click Connection settings below the existing One Identity Manager connection you want to modify.
- Expand Specify connection settings and use the following options to modify the settings as necessary:
- Application Server URL. View or change the address of the One Identity Manager application server for this connection.
- Authentication module. Identifies the One Identity Manager authentication module that is used to verify the connection’s user ID and password.
- User name. View or change the user ID for this connection.
- Password. Specify the password of the user ID for this connection.
- Test Connection. Click to verify the specified connection settings.
- Click Next.
The One Identity Manager modules, target systems, and containers are displayed.
- Select the required One Identity Manager modules.
NOTE: The One Identity Manager target systems and One Identity Manager containers are applicable only for the Target System Base module (UNS..B tables).
- Click Finish to create a connection to One Identity Manager.
One Identity Manager Connector configuration file
Connections to external data systems > External data systems supported out of the box > Working with One Identity Manager > One Identity Manager Connector configuration file
One Identity Manager connector saves its configuration settings in the file OneIdentityManagerConnectorConfiguration.xml located in the folder <Active Roles installation folder>\One Identity ManagerConnector. You can edit the XML elements in the file to configure the various parameters of the One Identity Manager Connector. The table below describes the XML elements you can edit.
|
XML element |
Description |
|
<ExcludeDeletedObjects> |
Specifies how Active Roles will treat objects marked as deleted in Identity Manager. This element can take one of the following values:
Example: <ExcludeDeletedObjects> |
|
<PasswordAttributes> |
Specifies the default Identity Manager attribute to be used for storing passwords for objects of a particular type. Specifying an attribute for storing passwords in the Active Roles GUI overrides the value set in this XML element. Example: <PasswordAttributes> |
|
<ReadFullSync> |
Specifies a value of the FullSync variable for Read operations performed in Identity Manager. |
|
<CreateFullSync> |
Specifies a value of the FullSync variable for Create operations performed in Identity Manager. |
|
<ModifyFullSync> |
Specifies a value of the FullSync variable for Modify operations performed in Identity Manager. |
|
<DeleteFullSync> |
Specifies a value of the FullSync variable for Delete operations performed in Identity Manager. |
|
<ObjRefFullSync> |
Specifies a value of the FullSync variable for Modify Object Reference operations performed in Identity Manager. |
|
<SyncStatusFullSync> |
Specifies a value of the FullSync variable for Sync Status operations performed in Identity Manager. |
For more information about the FullSync variable and the values it can take, see the One Identity Manager documentation.