One Identity Manager supports synchronization with Active Directory, shipped with Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022.
The One Identity Manager Service is responsible for synchronizing data between the One Identity Manager database and the Active Directory directory.
This sections explains how to:
-
Set up synchronization to import initial data from Active Directory domains to the One Identity Manager database.
-
Adjust a synchronization configuration, for example, to synchronize different Active Directory domains with the same synchronization project.
-
Start and deactivate the synchronization.
-
Evaluate the synchronization results.
TIP: Before you set up synchronization with an Active Directory domain, familiarize yourself with the Synchronization Editor. For more information about this tool, see the One Identity Manager Target System Synchronization Reference Guide.
Detailed information about this topic
The Synchronization Editor provides a project template that can be used to set up the synchronization of user accounts and permissions for the Active Directory environment. You use these project templates to create synchronization projects with which you import the data from an Active Directory domain into your One Identity Manager database. In addition, the required processes are created that are used for the provisioning of changes to target system objects from the One Identity Manager database into the target system.
To load Active Directory objects into the One Identity Manager database for the first time
-
Prepare a user account with sufficient permissions for synchronizing in Active Directory.
-
One Identity Manager components for managing Active Directory environments are available if the TargetSystem | ADS configuration parameter is enabled.
-
In the Designer, check if the configuration parameter is set. Otherwise, set the configuration parameter and compile the database.
NOTE: If you disable the configuration parameter at a later date, model components and scripts that are not longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
-
Other configuration parameters are installed when the module is installed. Check the configuration parameters and modify them as necessary to suit your requirements.
- Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
- Create a synchronization project with the Synchronization Editor.
Detailed information about this topic
The following users are involved in synchronizing One Identity Manager with Active Directory.
Table 2: Users for synchronization
|
User for accessing Active Directory |
You must provide a user account with the following permissions for full synchronization of Active Directory objects with the supplied One Identity Manager default configuration.
NOTE: In a hierarchical domain structure, the One Identity Manager Service's user account of a child domain is member of the Enterprise Admins group.
There is no recommended practical minimum configuration whose permissions in terms of user administration effectiveness, differ from a member of the Domain admins group. |
|
One Identity Manager Service user account |
The user account for the One Identity Manager Service requires user permissions to carry out operations at file level (adding and editing directories and files).
The user account must belong to the Domain users group.
The user account must have the Login as a service extended user permissions.
The user account requires permissions for the internal web service.
NOTE: If the One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can grant permissions for the internal web service with the following command line call:
netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"
The user account needs full access to the One Identity Manager Service installation directory in order to automatically update One Identity Manager.
In the default installation, One Identity Manager is installed under:
Setting Remote Access Service (RAS) properties requires Remote Procedure Calls (RPC) which are run in the context of the One Identity Manager Service user account. To read or write these properties, the One Identity Manager Service user account must have the necessary permissions. |
|
User for accessing the One Identity Manager database |
The Synchronization default system user is provided to run synchronization using an application server. |
Necessary access permissions explained
The synchronization base object in Active Directory requires the following access permissions:
If the base object is the domain object, these permissions are needed to allow reading and setting domain properties such as password policies.
The following permissions are required for working unrestricted below the base object:
-
Create All Child Objects
-
Delete All Child Objects
To be able editing of specific properties in a user object that result in a change to the permission list of an Active Directory object (for example, the Password cannot be changed property), the following permissions are required:
-
Read Permissions
-
Modify Permissions
Prerequisite for further privileges:
Normally only group administrators have this privilege. If the One Identity Manager Service user account is not a member of this group or any equivalent group, it must put in a position to cope with accounts without any permissions.
The following permissions are required because all an object's values can, in principle, be modified through One Identity Manager:
-
Read All Properties
-
Write All Properties
-
All Extended Rights
-
DeleteSubTree
Essential user account functionality is partially stored as an entry in the permissions list of an Active Directory object. The One Identity Manager Service user account must be able to modify this permissions list. Example of properties maintained over the permissions list are UserCanNotChangePassword for the user account, or AllowWriteMembers for the group.
Modifying a permissions list assumes a wide range of permissions. If a user account that does not have the Full Control permissions for the corresponding Active Directory object is used for changing a permissions list, the change is only accepted under the following conditions.
Otherwise the modifications are rejected.
If the Take Ownership permission is assigned to the user account, it is possible to initiate a change of owner and to change the permissions list accordingly. However, this falsifies the permissions state of the Active Directory object and is not recommended.
Furthermore, you require domain administrator permissions to use the delete and restore functions of the Active Directory recycling bin and for dealing with specially protected user account and groups.
NOTE: In theory, the part of the synchronization with the Active Directory that imports the Active Directory objects into the One Identity Manager database also functions if only Read permissions and not Write permissions are assigned to the structure.
The following problems may occur:
-
To include a user account for which only Read permissions exist in a group that is not the primary group of the user account, the One Identity Manager Service must have at least Write permissions for the group object.
-
Error states between the One Identity Manager database and Active Directory data occur, if One Identity Manager administration tools or database imports result in the creation of, or changes to objects in the Active Directory for which only Read permissions exist. These cases can be excluded with the suitable menu navigation in the administration tools, One Identity Manager object permissions, and by taking appropriate precautions when importing.
NOTE: For the One Identity Manager Active Directory edition, full read permissions are required, as well as permissions for creating, changing, and deleting groups.
One Identity Manager is made up of several components that can run in different network segments. In addition, One Identity Manager requires access to various network services, which can also be installed in different network segments. You must open various ports depending on which components and services you want to install behind the firewall.
The following ports are required:
Table 3: Communications port
|
1433 |
|
|
1880 |
Port for the HTTP protocol of One Identity Manager Service. |
|
2880 |
Port for access tests with the Synchronization Editor, such as in the target system browser or for simulating synchronization.
Default port for the RemoteConnectPlugin. |
|
80 |
Port for accessing web applications. |
|
88 |
Kerberos authentication system (if Kerberos authentication is implemented). Required for authentication against Active Directory. |
|
135 |
Microsoft End Point Mapper (EPMAP) (also, DCE/RPC Locator Service). |
|
137 |
NetBIOS Name Service. |
|
139 |
NetBIOS Session Service. |
|
389 |
Lightweight Directory Access Protocol (LDAP Standard). Target system server communications port. |
|
445 |
Microsoft-DS Active Directory, Windows shares. Required for synchronization (TCP/UDP) |
|
53 |
Domain Name System (DNS), mainly through UDP. Required for access to the Active Directory total structure. |
|
636 |
Lightweight Directory Access Protocol using TLS/SSL (LDAP S). Required for access to the Active Directory total structure. |
|
3268 |
Global catalog. Required for searching in the global catalog. Either port 3268 or 3269 should be open depending on the connection settings. |
|
3269 |
Global catalog over SSL. Required for searching in the global catalog. Either port 3268 or 3269 should be open depending on the connection settings. |
