
Identity Manager 9.1 - Administration Guide for Connecting to Active Directory


Information required to set up a synchronization project

Important: The domain controller and the domain must be resolvable by DNS query for successful authentication. If the names cannot be resolved by DNS, the target system connection is refused.

Have the following information available for setting up a synchronization project.

Table 5: Information required to set up a synchronization project
Data Explanation

Full domain name

Full domain name.

User account and password for domain login

User account and password for domain login. This user account is used to access the domain. Make a user account available with sufficient permissions. For more information, see Users and permissions for synchronizing with Active Directory.

DNS name of the domain controller

Fully qualified DNS name of the domain controller that the synchronization server connects to in order to access Active Directory objects.

Example:

<Name of server>.<Fully qualified domain name>

Communications port on the domain controller

Communications port on the domain controller. The LDAP default communications port is 389; if the connection is made over SSL (LDAPS), the default port is 636. The port must match the Use SSL setting chosen in the project wizard.

Authentication type

You can only connect to a target system if the correct type of authentication is selected. The Secure authentication type is used by default.

For more information about authentication types, see the MSDN Library.

Synchronization server for Active Directory

All One Identity Manager Service actions are run against the target system environment on the synchronization server. Data entries required for synchronization and administration with the One Identity Manager database are processed by the synchronization server.

The One Identity Manager Service must be installed on the synchronization server with the Active Directory connector.

The synchronization server must be declared as a Job server in One Identity Manager. Use the following properties when you set up the Job server.

  • Server function: Active Directory connector

  • Machine role: Server | Job Server | Active Directory

For more information, see System requirements for the Active Directory synchronization server.

One Identity Manager database connection data

  • Database server

  • Database name

  • SQL Server login and password

  • Specifies whether integrated Windows authentication is used

    Use of the integrated Windows authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication.

Remote connection server

To configure synchronization with a target system, One Identity Manager must load the data from the target system. One Identity Manager communicates directly with the target system to do this. Sometimes direct access from the workstation on which the Synchronization Editor is installed is not possible, for example because of the firewall configuration or because the workstation does not meet the necessary hardware and software requirements. If direct access is not possible from the workstation, you can set up a remote connection.

The remote connection server and the workstation must be in the same Active Directory domain.

Remote connection server configuration:

  • One Identity Manager Service is started

  • RemoteConnectPlugin is installed

  • Active Directory connector is installed

  • Target system specific components are installed

The remote connection server must be declared as a Job server in One Identity Manager. The Job server name is required.

TIP: The remote connection server requires the same configuration as the synchronization server (with regard to the installed software and entitlements). You can use the synchronization server as the remote connection server at the same time by simply installing the RemoteConnectPlugin on it as well.

For more detailed information about setting up a remote connection, see the One Identity Manager Target System Synchronization Reference Guide.
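Before starting the project wizard, it is worth verifying the connection data from Table 5 from the host that will actually make the connection (the synchronization server, or the Synchronization Editor workstation if no remote connection server is used). The following script is an added example; it is not part of the One Identity Manager documentation or product. It checks DNS resolution of the domain and the domain controller, reachability of the communications port, an LDAP bind with Windows (Negotiate) authentication, which is what this example assumes the wizard's default Secure authentication type maps to, with or without SSL, and reads the RootDSE to confirm the domain controller serves the intended domain. The domain, domain controller and account values are placeholders. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, the DnsClient and NetTCPIP modules, and the System.DirectoryServices.Protocols assembly.

```powershell
# Added example (not from the One Identity Manager documentation or product):
# pre-flight checks for the connection data in Table 5. Run it on the synchronization
# server or on the Synchronization Editor workstation before the project wizard.
# Domain, domain controller and account are placeholders (assumptions), replace them.
# Port and UseSsl must agree: 389 without SSL, 636 with SSL.
param(
    [string]$Domain           = 'corp.example.com',       # Full domain name (placeholder)
    [string]$DomainController = 'dc01.corp.example.com',  # <Name of server>.<FQDN> (placeholder)
    [int]$Port                = 636,                      # 389 = LDAP, 636 = LDAPS
    [bool]$UseSsl             = $true,                    # mirrors the wizard's "Use SSL" option
    [pscredential]$Credential = $null                     # $null = bind as the current Windows identity
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# 1. DNS: the guide requires that both the domain and the domain controller resolve;
#    otherwise the target system connection is refused.
foreach ($name in @($Domain, $DomainController)) {
    $records = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
               Where-Object { $_.IPAddress }
    if (-not $records) { throw "DNS resolution failed for '$name'." }
    "DNS  : $name -> $(@($records.IPAddress) -join ', ')"
}

# 2. Port reachability: a firewall between the workstation and the DC is one of the
#    reasons the guide gives for falling back to a remote connection server.
$tcp = Test-NetConnection -ComputerName $DomainController -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { throw "TCP port $Port on $DomainController is not reachable." }
"TCP  : ${DomainController}:$Port reachable"

# 3. Bind with Negotiate (Kerberos, falling back to NTLM) on the selected port.
$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, $Port, $true, $false)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate

if ($UseSsl) {
    $conn.SessionOptions.SecureSocketLayer = $true
    # Fail closed on certificate problems instead of silently trusting whatever the DC presents.
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $valid = $chain.Build($cert2)
        if (-not $valid) {
            Write-Warning ("LDAPS certificate for $DomainController failed validation: " +
                (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '))
        }
        $valid
    }
} else {
    # Plain LDAP on 389: request Kerberos/NTLM signing and sealing so the session is
    # integrity-protected and encrypted even without SSL.
    $conn.SessionOptions.Signing = $true
    $conn.SessionOptions.Sealing = $true
}

if ($Credential) { $conn.Credential = $Credential.GetNetworkCredential() }

try {
    $conn.Bind()
    $who = if ($Credential) { $Credential.UserName } else { [System.Security.Principal.WindowsIdentity]::GetCurrent().Name }
    "BIND : OK as $who (SSL=$UseSsl)"

    # 4. RootDSE: confirm the DC actually serves the domain you intend to synchronize.
    $request = New-Object System.DirectoryServices.Protocols.SearchRequest
    $request.DistinguishedName = $null            # empty base DN = RootDSE
    $request.Filter = '(objectClass=*)'
    $request.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Base
    [void]$request.Attributes.AddRange([string[]]@('defaultNamingContext', 'dnsHostName'))
    $root = $conn.SendRequest($request).Entries[0]
    $dcName = $root.Attributes['dnsHostName'].GetValues([string])[0]
    $nc     = $root.Attributes['defaultNamingContext'].GetValues([string])[0]
    "DC   : $dcName"
    "NC   : $nc"
    $expectedNc = 'DC=' + ($Domain.Split('.') -join ',DC=')
    if ($nc -ne $expectedNc) {
        Write-Warning "defaultNamingContext '$nc' does not match domain '$Domain' (expected '$expectedNc')."
    }
}
finally {
    $conn.Dispose()
}
```

Run it without -Credential to test the identity the Synchronization Editor runs under, and with -Credential to test the dedicated account you intend to enter on the Credentials page; both should succeed, because the guide notes that the Synchronization Editor account and the One Identity Manager Service account may differ. A certificate warning on the SSL path means the domain controller's LDAPS certificate is not trusted by this host and should be fixed before relying on Use SSL.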

Creating an initial synchronization project for Active Directory domains

Important: The domain controller and the domain must be resolvable by DNS query for successful authentication. If the names cannot be resolved by DNS, the target system connection is refused.

NOTE: The following sequence describes how to configure a synchronization project if the Synchronization Editor is both:

  • Run in default mode

  • Started from the Launchpad

If you run the project wizard in expert mode or directly from the Synchronization Editor, additional configuration settings can be made. Follow the project wizard instructions through these steps.

NOTE: Just one synchronization project can be created per target system and default project template used.

To set up an initial synchronization project for an Active Directory domain

  1. Start the Launchpad and log in on the One Identity Manager database.

    NOTE: If synchronization is run by an application server, connect the database through the application server.

  2. Select the Target system type Active Directory entry and click Start.

    This starts the Synchronization Editor's project wizard.

  3. On the System access page, specify how One Identity Manager can access the target system.

    • If access is possible from the workstation on which you started the Synchronization Editor, do not change any settings.

    • If access is not possible from the workstation on which you started the Synchronization Editor, you can set up a remote connection.

      Enable the Connect using remote connection server option and select the server to be used for the connection under Job server.

  4. On the Domain selection page, specify the Active Directory domain to synchronize.

    • Select the domain in the Domain list or enter the full domain name.

  5. On the Credentials page, enter the user account for accessing the domain. This user account is used to synchronize Active Directory objects.

    1. To use a specific user account, enter the user account and password for logging in to the target system.

      - OR -

      If you leave this empty, the user account of the currently logged-in user is used. In the case of synchronization, this is the user account that the One Identity Manager Service is running under. The user account requires the permissions described under Users and permissions for synchronizing with Active Directory.

      NOTE: If you do not enter a user account, the current user account is also used in the Synchronization Editor during configuration.

      The user account used with the Synchronization Editor may differ from the One Identity Manager Service's user account. In this case, it is recommended that you use the RemoteConnectPlugin. This ensures that the same user account is used during configuration with the Synchronization Editor as is used in the service context.

    2. Click Test in the Verify credentials pane to test the connection to the domain.

  6. On the Configure connection options page, enter the domain controller for synchronization and set the connection options.

    • In the Binding options view, define the authentication type for logging in to the target system. The Secure authentication type is used by default.

    • In the Enter or select domain controller view, define the domain controller.

      1. In the Domain controller menu, select an existing domain controller or enter the full name of the domain controller directly.

      2. In the Port input field, enter the communications port on the domain controller. The LDAP default communications port is 389; for a connection over SSL (LDAPS) the default port is 636.

      3. With the Use SSL option, define whether a secure (LDAPS) connection should be used. The port entered above must match this setting.

      4. Click Test to test the connection. The system tries to establish a connection to the domain controller.

  7. On the Connector features page, specify additional synchronization settings. Enter the following settings.

    Table 6: Additional settings
    Property Description

    When restoring objects with the same distinguished name or GUID from the recycle bin.

    Specifies whether deleted Active Directory objects are taken into account on insertion. Set this option if, when adding an object, the system should first check whether the object is in the Active Directory Recycle Bin and must be restored.

    Allow read and write access to Remote Access Service (RAS) properties.

    Specifies whether Remote Access Service (RAS) properties are synchronized. If the option is not set, default values are used for synchronization, but no RAS properties are read or written. You can set this option at a later date.

    Allow read and write access to the terminal service properties.

    Specifies whether terminal server properties are synchronized. If the option is not set, default values are used for synchronization, but no terminal server properties are read or written. You can set this option at a later date.

    NOTE: Importing terminal server properties and RAS properties may slow down synchronization.

  8. (Optional) On the Additional Active Directory schema settings page, specify whether to modify the schema used by synchronization. You can add auxiliary classes to structural classes. The extensions apply to the structural class and its derived classes. This configuration is only possible in expert mode.

  9. On the last page of the system connection wizard, you can save the connection data.

    • Set the Save connection data on local computer option to save the connection data. It can be reused when you set up other synchronization projects.

    • Click Finish to end the system connection wizard and return to the project wizard.

  10. On the One Identity Manager Connection tab, test the data for connecting to the One Identity Manager database. The data is loaded from the connected database. Reenter the password.

    NOTE:

    • If you use an unencrypted One Identity Manager database and have not yet saved any synchronization projects to the database, you need to enter all connection data again.

    • This page is not shown if a synchronization project already exists.

  11. The wizard loads the target system schema. This may take a few minutes depending on the type of target system access and the size of the target system.

  12. On the Restrict target system access page, specify how system access should work. You have the following options:

    Table 7: Specify target system access
    Option Meaning

    Read-only access to target system.

    Specifies that a synchronization workflow is only set up for the initial loading of the target system into the One Identity Manager database.

    The synchronization workflow has the following characteristics:

    • Synchronization is in the direction of One Identity Manager.

    • Processing methods in the synchronization steps are only defined for synchronization in the direction of One Identity Manager.

    Read/write access to target system. Provisioning available.

    Specifies that a provisioning workflow is set up in addition to the synchronization workflow for the initial loading of the target system.

    The provisioning workflow has the following characteristics:

    • Synchronization is in the direction of the Target system.

    • Processing methods in the synchronization steps are only defined for synchronization in the direction of the Target system.

    • Synchronization steps are only created for schema classes whose schema types have write access.

  13. On the Synchronization server page, select the synchronization server to run the synchronization.

    If the synchronization server is not yet declared as a Job server in the One Identity Manager database, you can add a new Job server.

    1. Click to add a new Job server.

    2. Enter a name for the Job server and the full server name conforming to DNS syntax.

    3. Click OK.

      The synchronization server is declared as Job server for the target system in the One Identity Manager database.

    NOTE: After you save the synchronization project, ensure that this server is set up as a synchronization server.

  14. To close the project wizard, click Finish.

    This sets up, saves, and immediately activates the synchronization project. A default schedule for regular synchronization is created and assigned to the project; enable the schedule to run synchronization regularly.

    NOTE:

    • If enabled, a consistency check is carried out. If errors occur, a message appears. You can decide whether the synchronization project can remain activated or not.

      Check the errors before you use the synchronization project. To do this, in the General view on the Synchronization Editor's start page, click Verify project.

    • If you do not want the synchronization project to be activated immediately, disable the Activate and save the new synchronization project automatically option. In this case, save the synchronization project manually before closing the Synchronization Editor.

    • The connection data for the target system is saved in a variable set and can be modified in the Synchronization Editor in the Configuration > Variables category.


Configuring the synchronization log

All the information, tips, warnings, and errors that occur during synchronization are recorded in the synchronization log. You can configure the type of information to record separately for each system connection.

To configure the content of the synchronization log

  1. To configure the synchronization log for the target system connection, select the Configuration > Target system category in the Synchronization Editor.

    - OR -

    To configure the synchronization log for the database connection, select the Configuration > One Identity Manager connection category in the Synchronization Editor.

  2. Select the General view and click Configure.

  3. Select the Synchronization log view and set Create synchronization log.

  4. Enable the data to be logged.

    NOTE: Some content generates a particularly large volume of log data. The synchronization log should only contain the data required for error analysis and other analyses.

  5. Click OK.

Synchronization logs are stored for a fixed length of time.

To modify the retention period for synchronization logs

  • In the Designer, enable the DPR | Journal | LifeTime configuration parameter and enter the maximum retention period.


Adjusting the synchronization configuration for Active Directory environments

Having used the Synchronization Editor to set up a synchronization project for initial synchronization of an Active Directory domain, you can use the synchronization project to load Active Directory objects into the One Identity Manager database. If you manage user accounts and their authorizations with One Identity Manager, changes are provisioned in the Active Directory environment.

You must customize the synchronization configuration to be able to regularly compare the database with the Active Directory environment and to synchronize changes.

  • To use One Identity Manager as the primary system during synchronization, create a workflow with synchronization in the direction of the Target system.

  • You can use variables to create generally applicable synchronization configurations that contain the necessary information about the synchronization objects when synchronization starts. Variables can be used in base objects, schema classes, or processing methods, for example.

  • Use variables to set up a synchronization project for synchronizing different domains. Store a connection parameter as a variable for logging in to the domain.

  • To specify which Active Directory objects and database objects are included in synchronization, edit the scope of the target system connection and the One Identity Manager database connection. To prevent data inconsistencies, define the same scope in both systems. If no scope is defined, all objects will be synchronized.

  • Update the schema in the synchronization project if the One Identity Manager schema or target system schema has changed. Then you can add the changes to the mapping.

  • To synchronize additional schema properties, update the schema in the synchronization project. Include the schema extensions in the mapping.

For more information about configuring synchronization, see the One Identity Manager Target System Synchronization Reference Guide.

