Active Roles 7.3.3 - Synchronization Service Administration Guide


Step 2: Configure Synchronization Service

To configure the Synchronization Service instance you installed in Step 1: Install Synchronization Service, use one of the following methods:

  • Specify new SQL Server databases for storing the Synchronization Service data.
    With this method, you can select to store the configuration settings and synchronization data either in a single new SQL Server database or in two separate databases.
  • Share existing configuration settings between two or more instances of Synchronization Service.

To configure Synchronization Service from scratch using a new database

  1. Start the Synchronization Service Administration Console.
  2. Follow the steps in the wizard that starts automatically to configure Synchronization Service.
  3. On the Service Account and Mode page, specify the following and click Next:
    • The account under which you want Synchronization Service to run.
    • The mode (local or remote) in which you want to use Synchronization Service. Use the remote mode to work with connectors installed remotely. For more information, see Using connectors installed remotely. If you select the remote mode, click Finish to close the wizard.
  4. Select Create a new configuration and click Next.
  5. On the Database Connection page, specify an SQL Server database and authentication method, and click Next.

    If you want to store the configuration settings and synchronization data in a single SQL Server database, clear the Store sync data in a separate database check box, and then specify the database name.

    If you want to store the configuration settings and synchronization data in two separate databases, select that check box, and then specify the database in which you want to store the synchronization data.

  6. On the Configuration File page, select the file for storing the created configuration profile, protect the file with a password, and click Finish.

To configure Synchronization Service using an existing database

  1. Start the Synchronization Service Administration Console.
  2. Follow the steps in the wizard that starts automatically to configure Synchronization Service.
  3. On the Service Account and Mode page, specify the following and click Next:
    • The account under which you want Synchronization Service to run.
    • The mode (local or remote) in which you want to use Synchronization Service. Use the remote mode to work with connectors installed remotely. For more information, see Using connectors installed remotely. If you select the remote mode, click Finish to close the wizard.
  4. Select Use an existing configuration and click Next.
  5. On the Configuration File page, select the I have the configuration file check box to provide the configuration file you exported from an existing Synchronization Service instance, enter the password if necessary, and click Next. If you do not have the configuration file, after clicking Next you will need to enter the required settings.
  6. If you provided the configuration file, specify the authentication method for accessing the database. Otherwise, enter the required database name and select the authentication method. Click Finish.

After you configure Synchronization Service, you can change its settings at any time using this Configuration wizard. To start the wizard, start the Administration console and click the gear icon in the upper right corner of the console.

Step 3: Configure Sync Workflow to back-synchronize Azure AD Objects to Active Roles

Prerequisites for configuring back-synchronization:

  • The hybrid environment must have Azure AD Connect installed and configured.
  • The user account used to perform the backsync configuration must hold the following roles:

    • User Administrator
    • Privileged Role Administrator
    • Exchange Administrator
    • Application Administrator
  • The Windows Azure Active Directory (Azure AD) module version 2.0.0.131 or later must be installed for the backsync feature to work successfully.
  • The Directory Writers role must be enabled in Azure Active Directory. To enable the role, use the following script:

    # Sign in to Azure AD with an account that is allowed to activate directory roles
    $psCred = Get-Credential
    Connect-AzureAD -Credential $psCred

    # Look up the "Directory Writers" role template
    $roleTemplate = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq "Directory Writers" }

    # Enable an instance of the DirectoryRole template, unless it is already active
    # (Enable-AzureADDirectoryRole returns an error for a role that is already enabled)
    if (-not (Get-AzureADDirectoryRole | Where-Object { $_.RoleTemplateId -eq $roleTemplate.ObjectId })) {
        Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId
    }
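A pre-flight check for the prerequisites listed above, added here as an example (it is not part of the guide or of the product): it verifies the AzureAD module version, that the Directory Writers role is enabled, and that the signed-in account holds the four required roles. It assumes the AzureAD module is installed; accepting the legacy display names User Account Administrator and Exchange Service Administrator is an assumption about what older module versions return.

```powershell
# Added pre-flight check (not from the One Identity guide) for the backsync prerequisites.
# Assumes the AzureAD module is installed and the account can sign in interactively.
$MinModuleVersion = [version]'2.0.0.131'
# Required roles; legacy Azure AD Graph display names are accepted too (assumption for older module output).
$RequiredRoles = @{
    'User Administrator'            = @('User Administrator', 'User Account Administrator')
    'Privileged Role Administrator' = @('Privileged Role Administrator')
    'Exchange Administrator'        = @('Exchange Administrator', 'Exchange Service Administrator')
    'Application Administrator'     = @('Application Administrator')
}
$problems = @()

# 1. Module version must be 2.0.0.131 or later.
$module = Get-Module -ListAvailable -Name AzureAD | Sort-Object Version -Descending | Select-Object -First 1
if (-not $module) {
    $problems += 'AzureAD module is not installed.'
} elseif ($module.Version -lt $MinModuleVersion) {
    $problems += "AzureAD module $($module.Version) is older than $MinModuleVersion."
}

# 2. Sign in as the account that will run the backsync configuration.
Connect-AzureAD -Credential (Get-Credential) | Out-Null
$me = (Get-AzureADCurrentSessionInfo).Account.Id

# 3. Only activated roles are returned here; a template that was never enabled is absent.
$activeRoles = Get-AzureADDirectoryRole

# 4. Directory Writers must be enabled.
if (-not ($activeRoles | Where-Object { $_.DisplayName -eq 'Directory Writers' })) {
    $problems += 'Directory Writers role is not enabled; run the enable script above.'
}

# 5. The signed-in account must be a member of each required role.
foreach ($roleName in $RequiredRoles.Keys) {
    $role = $activeRoles | Where-Object { $_.DisplayName -in $RequiredRoles[$roleName] } | Select-Object -First 1
    $held = $false
    if ($role) {
        $held = [bool](Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
                       Where-Object { $_.UserPrincipalName -eq $me })
    }
    if (-not $held) { $problems += "$me does not hold the '$roleName' role." }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'All backsync prerequisites are met.'
}
```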

To configure Azure backsync in Active Roles Synchronization Service

  1. In the upper right corner of the Synchronization Service Administration Console, select Settings | Configure Azure BackSync.

    The Configure BackSync operation in Azure with on-prem Active Directory objects dialog box is displayed.

  2. In the dialog box that opens:

    1. Enter valid Account ID credentials for the Azure domain, and click Test Office 365 Connection.

    2. Specify whether you want to use a proxy server for the connection. You can select one of the following options:
    • Use Internet Explorer settings: Causes the connector to automatically detect and use the proxy server settings specified in Microsoft Internet Explorer installed on the Synchronization Service computer.

    • Use WinHTTP settings: Causes the connector to use the proxy server settings configured for Windows HTTP Services (WinHTTP).

    • Automatically detect: Automatically detects and uses proxy server settings.

    • Do not use proxy settings: Specifies to not use proxy server for the connection.

    On successful validation, the success message that the Office 365 Connection settings are valid is displayed.

    3. Enter valid Active Roles account details and click Test Active Roles Connection.

      On successful validation, a success message stating that the Active Roles connection settings are valid is displayed.

  3. Click Configure BackSync.

    The Azure App registration is done automatically. The required connections, mappings, and workflow steps are created automatically. For more information on the automatically created backsync settings, see Settings updated after Azure backsync configuration operation.

    On successful configuration, a success message is displayed.

    If the Azure BackSync settings are already configured in the system, a warning message asks you to confirm whether you want to override the existing backsync settings with the new settings. To do so, click Override BackSync Settings. Otherwise, click Cancel to retain the existing settings.


Settings updated after Azure backsync configuration operation

This section describes the Azure App registration, connections, mappings, and workflow steps that are created automatically as a result of the Azure backsync configuration operation.

App registration

The Azure App is created automatically with the default name as ActiveRoles_AutocreatedAzureBackSyncApp_V2.

NOTE: After the Azure App is registered in Azure, you must not delete or modify the application. The backsync operation will not work as expected if you modify or delete the registered Azure App.

Sync Workflows

On the Synchronization Service Administration Console, click Sync Workflows to view the sync workflow named AutoCreated_AzureADBackSyncWorkflow that is created as a result of the Azure BackSync configuration. The workflow displays the following synchronization update steps from Azure AD to Active Roles for users, groups, and contacts.

  • Step 1: AutoCreated_UpdateFromAzureToARSForBackSyncWorkFlow for users.
  • Step 2: AutoCreated_UpdateFromAzureToARSForBackSyncWorkFlow for groups.
  • Step 3: AutoCreated_UpdateFromO365ToARSForBackSyncWorkFlow for contacts.

NOTE:
  • The following Forward Sync Rules are configured automatically and displayed in the synchronization update steps for users and groups:
    • The Azure ObjectID property of a user or group is mapped to the Active Roles user or group edsvaAzureObjectID property.
    • The edsvaAzureOffice365Enabled attribute of the Active Roles user or group is set to True.
  • The following Forward Sync Rules are configured automatically and displayed in the synchronization update step for contacts:
    • The Azure ExternalDirectoryObjectID property of a contact is mapped to the Active Roles contact edsaAzureContactObjectId property.
    • The edsvaAzureOffice365Enabled attribute of the Active Roles user or group is set to True.

Connections

On the Synchronization Service Administration Console, click Connections to view the connections from Active Roles, Azure AD, and Office 365 to external data systems. The following connections are configured and displayed by default:

  • AutoCreated_ARSConnectorForBackSyncWorkFlow
  • AutoCreated_AzureADConnectorForBackSyncWorkFlow
  • AutoCreated_O365ConnectorForBackSyncWorkFlow

Mapping

On the Synchronization Service Administration Console, click Mapping to view the Mapping rules which identify the users, groups, or contacts in Azure AD and on-premises AD uniquely and map the specified properties from Azure AD to Active Roles appropriately.

On the Mapping tab, click a connection name to view or modify the mapping settings for the corresponding connection. The user, group, and contact mapping pair information is displayed by default as a result of the Azure BackSync configuration. For example, the property userprincipalname can be used to map users between on-premises AD and Azure AD in a federated environment.

NOTE:

  • For more information on managing mapping pairs for the connections, see the Mapping Tab section.

  • The mapping rules are created by default. Depending on your environment, make sure that the default mapping rules identify each user or group uniquely; if they do not, correct the mapping rule as required. Incorrect mapping rules may create duplicate objects, and the back-sync operation may not work as expected.

  • The initial configuration and execution of the back-sync operation for Azure AD user IDs and group IDs is a one-time activity. If required, you can re-configure the Azure backsync settings, which overrides the previously configured backsync settings.
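A post-configuration check, added here as an example and not taken from the guide or the product: after the first backsync run it verifies that the auto-created app registration still exists and that a constructed sample of users maps to exactly one Active Roles object carrying the Azure ObjectID and the edsvaAzureOffice365Enabled flag, which is how a mapping rule that does not identify users uniquely would show up. It assumes an open AzureAD session and the Active Roles Management Shell (Get-QADUser with -Proxy for virtual attributes); the sample UPNs and the example.com domain are constructed.

```powershell
# Added verification script (not from the One Identity guide). Assumes Connect-AzureAD has
# already been run and the Active Roles Management Shell is loaded (Get-QADUser available).
$AppName    = 'ActiveRoles_AutocreatedAzureBackSyncApp_V2'
$SampleUpns = @('alice@example.com', 'bob@example.com')   # constructed sample UPNs

# 1. The registered app must not have been deleted (the guide says never modify or delete it).
$app = Get-AzureADApplication -Filter "displayName eq '$AppName'"
if (-not $app) {
    Write-Warning "App registration '$AppName' is missing; backsync will not work."
}

# 2. Each Azure AD user must map to exactly one Active Roles user that carries the same
#    ObjectID in edsvaAzureObjectID and has edsvaAzureOffice365Enabled set to True.
foreach ($upn in $SampleUpns) {
    $azUser = Get-AzureADUser -Filter "userPrincipalName eq '$upn'"
    if (-not $azUser) { Write-Warning "$upn : not found in Azure AD"; continue }

    # -Proxy sends the query through Active Roles so the virtual attributes are returned.
    $arUsers = @(Get-QADUser -Proxy -UserPrincipalName $upn `
                   -IncludedProperties edsvaAzureObjectID, edsvaAzureOffice365Enabled)

    if ($arUsers.Count -ne 1) {
        # Zero or several hits: the mapping rule does not identify this user uniquely.
        Write-Warning "$upn : $($arUsers.Count) matching Active Roles users (expected 1)"
        continue
    }
    $ar = $arUsers[0]
    if ($ar.edsvaAzureObjectID -ne $azUser.ObjectId) {
        Write-Warning "$upn : edsvaAzureObjectID '$($ar.edsvaAzureObjectID)' differs from Azure ObjectId '$($azUser.ObjectId)'"
    } elseif (-not [bool]$ar.edsvaAzureOffice365Enabled) {
        Write-Warning "$upn : edsvaAzureOffice365Enabled is not True"
    } else {
        Write-Host "$upn : backsync OK"
    }
}
```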

Upgrade from Quick Connect and Synchronization Service

If you have synchronization workflows configured and run by Quick Connect (the predecessor of Synchronization Service) or by an earlier version of Synchronization Service, you can transfer those synchronization workflows to Active Roles and have them run by Synchronization Service.

You can transfer synchronization workflows from the following Quick Connect or Synchronization Service versions:

  • Quick Connect Sync Engine 5.2.0, 5.3.0, 5.4.0, 5.4.1, or 5.5.0
  • Quick Connect Express for Active Directory 5.3.0, 5.4.0, 5.4.1, 5.5.0, or 5.6.0
  • Quick Connect for Cloud Services 3.3.0, 3.4.0, 3.5.0, 3.6.0, 3.6.1, 3.6.2, or 3.7.0
  • Quick Connect for Base Systems 2.2.0, 2.3.0, or 2.4.0
  • Synchronization Service 7.0, 7.1, 7.2, or 7.3