Install the AD Sync client on every domain controller in the external domain. For more information on preparing these domain controllers for AD Sync, see Plan to deploy the AD Sync service.
Important: Because of Active Directory's password encryption, the AD Sync client cannot decrypt users' existing passwords when it is installed. After the client is installed, users must change their passwords so that the client can synchronize them with Services Manager.
1. Log on to an external domain controller, and then log on to the Services Manager control panel using the administrator credentials of the customer you just provisioned.
2. Download the AD Sync client installer:
   a. From the Services Manager menu bar, select Services > AD Sync > AD Sync Download, and then click Download.
   b. Click Save to save the AD Sync client installer to a drive location from which you can copy it to the other external domain controllers.
3. Install the client:
   a. Run the AD Sync Setup installer, enter the requested password, and then click Next.
   b. Specify the User watch frequency, select the following settings, and then click Next:
      - Watch for changes to contacts
      - Watch for changes to groups
      - Watch for changes to users
      Important: Perform this step for only one AD Sync client, so that duplicate requests are not sent to the Services Manager API. The domain controller configured to watch for changes synchronizes user and password changes; the other domain controllers synchronize only password changes.
   c. Select the Active Directory user groups to include in AD Sync operations, and then click Next twice. When the AD Sync service detects a USN change, it performs the synchronization only if the changed user is a member of an included group. The last processed USN value is stored in [INSTALLDIR]\Queue\SyncActiveDirectory.config.
   d. If a proxy server is used in the external domain, enter its details. Using a proxy server ensures that the domain controllers are not exposed directly to the internet.
   e. Click Next, choose a location in which to install the AD Sync client, click Next, and then click Install.
   f. Restart the domain controller. The AD Sync service starts.
   g. Copy the AD Sync client installer to every other external domain controller, and then repeat Steps 3a - 3g on each of them.
4. Test the AD Sync client:
   a. After a domain controller restarts, log on to Services Manager and click Users to view the user list. Synchronized users have a small green arrow next to the user icon.
   b. To confirm that synchronization works for new accounts, create a new user account in the external domain, add it to a user group that is included in AD Sync operations, change an attribute on the account, and then verify that the account appears on the Users screen.
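The following PowerShell is an added illustration of the USN-based change detection described in Step 3c and of the check in Step 4; it is not part of the Services Manager documentation or of the AD Sync client itself. It assumes the ActiveDirectory module (RSAT) is available on the domain controller, and that the operator reads the last processed USN out of [INSTALLDIR]\Queue\SyncActiveDirectory.config by hand, because that file's layout is not documented here. The group name and USN value in the example call are placeholders.

```powershell
# Added example (not Services Manager or AD Sync code).
# Lists the user objects changed since the last USN that AD Sync processed, and flags
# which of them are members of a group included in AD Sync operations, i.e. which
# changes the watching AD Sync client would actually synchronize.
Import-Module ActiveDirectory

function Get-PendingAdSyncUsers {
    param(
        # Value copied from [INSTALLDIR]\Queue\SyncActiveDirectory.config (assumed manual input).
        [Parameter(Mandatory)] [long] $LastUsn,
        # sAMAccountNames of the groups selected in the installer (Step 3c).
        [Parameter(Mandatory)] [string[]] $IncludedGroups
    )

    # memberOf holds distinguished names, so resolve the included groups to DNs once.
    $includedDns = foreach ($g in $IncludedGroups) {
        (Get-ADGroup -Identity $g).DistinguishedName
    }

    # highestCommittedUSN is this DC's current high-water mark. uSNChanged is NOT replicated
    # between domain controllers, so this must be run on the DC that hosts the watching client.
    $current = [long](Get-ADRootDSE).highestCommittedUSN
    Write-Verbose "Last synced USN: $LastUsn; current highestCommittedUSN on this DC: $current"

    # LDAP supports >= but not >, so ask for LastUsn + 1.
    $ldapFilter = "(uSNChanged>=$($LastUsn + 1))"

    Get-ADUser -LDAPFilter $ldapFilter -Properties uSNChanged, memberOf |
        ForEach-Object {
            # Direct membership only; nested group membership is not expanded here.
            $inScope = @($_.memberOf | Where-Object { $includedDns -contains $_ }).Count -gt 0
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                USNChanged      = $_.uSNChanged
                InIncludedGroup = $inScope
            }
        }
}

# Example call with placeholder values: replace the USN with the one from the config file
# and the group name with a group that was included in Step 3c.
Get-PendingAdSyncUsers -LastUsn 123456 -IncludedGroups 'CSM-Synced-Users' -Verbose |
    Sort-Object USNChanged |
    Format-Table -AutoSize
```

Run this on the domain controller that was configured to watch for changes (the one Important in Step 3b singles out); on any other DC the uSNChanged values are local to that server and say nothing about what the watcher has seen. A user listed with InIncludedGroup = False is a change the AD Sync service will ignore by design, which is the usual reason a new test account from Step 4b does not show up on the Users screen. The membership check looks at direct memberOf entries only; whether AD Sync itself resolves nested groups is not stated on this page, so treat nested membership as unverified.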
To synchronize additional Active Directory attributes
To change the Active Directory attributes included in API requests, edit the request format in [INSTALLDIR]\Requests.