Deploying Synchronization Service
This section describes how to:
-
Install and configure Active Roles .
-
Configure Azure BackSync.
-
Upgrade from supported versions of One Identity Quick Connect.
It also lists the communication ports used by .
To install all features and components of Active Roles , use the installation media downloaded from the One Identity Support Portal. Alternatively, you can also install the Management Shell only.
To install and all its components
-
Make sure the system on which you want to install meets the system requirements described in the Active Roles Release Notes.
-
From the Active Roles installation package, run the Active Roles setup.
-
On the Component Selection page, select and click Next.
-
On the Ready to Install page, click Install. The wizard will then install the following components:
-
: The graphical user interface of Active Roles .
-
Management Shell: A command-line interface to synchronize data between external data systems with Active Roles . For more information, see Synchronization Service Management Shell.
-
All built-in connectors to connect to external data systems.
-
To exit the wizard, click Finish.
To install Management Shell only
-
In Windows Explorer, navigate to the following folder of the installation media:
\Components\ActiveRoles Synchronization Service
-
To open the Windows command prompt, click the navigation bar of Windows Explorer, enter cmd, then press Enter.
-
To install Management Shell only, enter the following command, then press Enter:
SyncService.msi INSTALLSYNCSHELL=1
The installer then silently installs Management Shell.
-
To check if Management Shell has finished installation, search the application either in the Windows Start Menu, or in the Apps & Features list of the operating system. After the setup finished the installation, Management Shell will appear in these lists.
To uninstall, navigate to Add or remove programs, click Active Roles Management Shell, then click Uninstall.
NOTE: Running the Active Roles installation wizard with the .exe file of the installation media always installs both the and the Management Shell.
One Identity recommends using the installation wizard to install both the and the Management Shell for most use cases.
To configure , you can use one of the following methods:
-
Specify new SQL Server or Azure SQL Server databases for storing the data.
With this method, you can store the configuration settings and synchronization data either in a single new SQL Server database or in two separate databases.
-
Share existing configuration settings between two or more instances of .
Prerequisites
-
If you are using an Azure SQL Server, set the db_owner database role to the user of the Azure SQL Server.
-
If you are using an SQL Server, set the dbcreator server role to the user of the SQL Server.
dbcreator is the minimum role that the user of the SQL Server or Azure SQL Server requires for the initial configuration of .
After creating the new database, you can revoke the dbcreator role because the db_owner role that is automatically assigned to the same user of the SQL Server is sufficient for the database connection.
To configure using a new database
-
Start the .
-
Follow the steps in the wizard that starts automatically to configure .
-
On the Service Account and Mode page, specify the following and click Next:
-
The account under which you want to run.
-
The mode (local or remote) in which you want to use . Use the remote mode to work with connectors installed remotely. For more information, see Using connectors installed remotely. If you select the remote mode, click Finish to close the wizard.
-
Select Create a new configuration and click Next.
-
On the Database Connection page, specify an SQL Server database.
-
(Optional) Select Store sync data in a separate database.
-
If you want to store the configuration settings and synchronization data in a single SQL Server database, clear the check box.
-
If you want to store the configuration settings and synchronization data in two separate databases, select the check box, then specify the database in which you want to store the synchronization data.
-
On the Database Connection page, select an SQL Server authentication method, and click Next.
NOTE: For all Azure SQL Server variants, select Use SQL Server authentication because Windows authentication is not supported.
-
Use Windows authentication: Allows you to access the SQL Server in the security context of the account under which the is running.
-
Use SQL Server authentication: Allows you to access the SQL Server in the security context of the SQL Server user account whose user name and password you specify.
-
On the Configuration File page, select the file for storing the created configuration profile, protect the file with a password, and click Finish.
To configure using an existing database
-
Start the .
-
Follow the steps in the wizard that starts automatically to configure .
-
On the Service Account and Mode page, specify the following and click Next:
-
The account under which you want to run.
-
The mode (local or remote) in which you want to use . Use the remote mode to work with connectors installed remotely. For more information, see Using connectors installed remotely. If you select the remote mode, click Finish to close the wizard.
-
Select Use an existing configuration and click Next.
NOTE: If the is already configured, using an existing configuration file does not override the existing SQL Server or Azure SQL Server database settings. To change the settings of the database, you must reconfigure it or reinstall the with the new configuration.
-
On the Configuration File page, select I have the configuration file to provide the configuration file you exported from an existing instance, enter the password if necessary, and click Next. If you do not have the configuration file, after clicking Next you will need to enter the required settings.
-
If you provided the configuration file, specify the authentication method for accessing the database. Otherwise, enter the required database name and select the authentication method. Click Finish.
After you configure , you can change its settings at any time using the Configuration Wizard. To start the wizard, start the and click the gear icon in the upper right corner of the .
In hybrid environments, on-premises Active Directory (AD) objects are synchronized to Azure AD, for example via Azure AD Connect. When you deploy Active Roles in such a hybrid environment, this synchronization works only if existing user and group information (such as the Id) are also synchronized back from Azure AD to the on-premises AD. Active Roles uses Azure back-synchronization (also known as Azure BackSync) for this purpose.
Prerequisites
The hybrid environment must meet the following requirements to configure Azure BackSync:
-
Azure Active Directory (Azure AD) module version 2.0.0.131 or later must be installed and configured.
-
The Directory Writers role must be enabled in Azure AD. To enable the role, use the following script:
$psCred=Get-Credential
Connect-AzureAD -Credential $psCred
$roleTemplate = Get-AzureADDirectoryRoleTemplate | ? { $_.DisplayName -eq "Directory Writers" }
# Enable an instance of the DirectoryRole template
Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId
In addition, the user account you use to configure Azure BackSync must have the following roles:
Automatic and Manual Azure BackSync
You can perform Azure back-synchronization with Active Roles , either automatically or manually:
- You can configure automatic Azure back-synchronization via the (Settings) > Configure Azure BackSync option of Active Roles . For more information, see Configuring automatic Azure BackSync.
- You can also configure manual Azure back synchronization, using existing Active Roles feature components. For more information, see Configuring manual Azure BackSync.