AD Synchronization

Introduction
AD Synchronization links your Intranet Connections site to your Active Directory. It significantly reduces the administration of logins and employee profiles and lets users sign in to the site seamlessly with their domain credentials. Once configured, the sync automatically creates users in the site as they are added to your domain, modifies them as they are edited, and removes them from the intranet as they leave the organization. Optionally it can also import group memberships, AD manager/supervisor relationships, contact information from AD into Employee profiles, and the photo thumbnails stored in AD for the site directory. This overview explains the sync setup and discusses the considerations and reference material for setting up your sync.


Before you begin
There are several elements that should be considered prior to enabling AD Sync:
  1. Familiarize yourself with Intranet Connections' treatment of login and employee records.
  2. Determine your desired Authentication Mode (AD Auth or Mixed Mode).
  3. For Windows Authentication, add your web server to your domain.
  4. Modify your website directory security as required for either AD Auth or Mixed Mode.
  5. Configure the browser settings needed for pass-through authentication through Group Policy, or give your users documentation on changing them.
  6. Create a service account to perform the synchronization. The sync only reads from Active Directory, so a dedicated account with ordinary domain-user read access is sufficient; it does not need domain admin rights.

Considerations
  • Create an 'Intranet Users' Universal Security Group in your Active Directory and sync only that group with the intranet, so that who appears on the site is an explicit membership decision rather than everything in the domain. A separate KB article explains how to build the sync filter for this group.
  • Will you be syncing with multiple domains? If so, the Start setting under Advanced Options in the connection settings is where multi-domain targeting is configured.
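The one-time Active Directory preparation described above (the scoping group, the service account and the initial membership), as an added example that is not part of the original article or of the Intranet Connections product. It uses the RSAT ActiveDirectory module; the OU paths, the group name 'Intranet Users', the account name svc-intranet-sync and the staff OU filter are assumptions to adapt to your own domain layout.

```powershell
# Added example (not from the Intranet Connections article): one-time setup of the
# 'Intranet Users' group and a least-privilege sync account with the RSAT
# ActiveDirectory module. OU paths, names and filters are assumptions.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName                 # e.g. DC=corp,DC=example
$groupOu  = "OU=Groups,$domainDn"                      # assumed OU for the group
$svcOu    = "OU=Service Accounts,$domainDn"            # assumed OU for the account
$staffOu  = "OU=Staff,$domainDn"                       # assumed OU holding intranet users

# 1. Universal security group that defines exactly who is synced into the intranet.
#    Universal scope so membership resolves correctly in a multi-domain forest.
if (-not (Get-ADGroup -Filter "Name -eq 'Intranet Users'")) {
    New-ADGroup -Name 'Intranet Users' -SamAccountName 'IntranetUsers' `
        -GroupScope Universal -GroupCategory Security -Path $groupOu `
        -Description 'Accounts synchronised into the intranet'
}

# 2. Dedicated sync account. The sync only reads from AD (user attributes, group
#    membership, thumbnailPhoto), which any authenticated domain account can do
#    under default AD permissions, so the account belongs to no privileged group.
#    Do not use a Domain Admin here: the credentials are stored in the intranet's
#    connection settings and replayed by the scheduled task every few minutes.
#    PasswordNeverExpires keeps the sync from silently breaking; rotate the
#    password on your own schedule and update the connection settings.
if (-not (Get-ADUser -Filter "SamAccountName -eq 'svc-intranet-sync'")) {
    $password = Read-Host -Prompt 'Password for svc-intranet-sync' -AsSecureString
    New-ADUser -Name 'svc-intranet-sync' -SamAccountName 'svc-intranet-sync' `
        -UserPrincipalName "svc-intranet-sync@$($domain.DNSRoot)" `
        -Path $svcOu -AccountPassword $password -Enabled $true `
        -PasswordNeverExpires $true -AccountNotDelegated $true `
        -Description 'Intranet Connections AD sync (read-only LDAP access)'
}

# 3. Populate the group with the accounts that should exist on the intranet:
#    enabled accounts under the staff OU. Adjust the filter/OU to your own layout.
$members = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $staffOu
Add-ADGroupMember -Identity 'Intranet Users' -Members $members

# What the sync will see: the group's direct member attribute
"Direct members of Intranet Users: {0}" -f @((Get-ADGroup 'Intranet Users' -Properties member).member).Count
```

The account created in step 2 is what goes into the Admin Username/Password fields of the connection settings (as domain\svc-intranet-sync); step 3 is the membership decision that the sync filter will later enforce.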



AD Connection Settings
The AD Synchronization form can be accessed either by Admin > Security > AD Login Synchronization or by Admin > Directory > AD employee synchronization with either method taking you to the same form. The interface has several different sections which we will discuss sequentially to explain their purpose. The first of these is the Connection Settings box. Here you provide the details on how your intranet site will communicate with your Active Directory.
syncconnection.png
  • Full Domain Name: the fully qualified domain name (FQDN). This is generally of the form companyname.com or companyname.local; confirm it with your network team.
  • Domain Controller: the server name of a domain controller (see Understanding Windows Authentication and Failover).
  • Admin Username/Password: credentials, in domain\username form, of a domain admin or a properly created service account. The sync only reads from Active Directory, and these credentials are stored by the site and replayed by the scheduled task, so use a dedicated account with no privileges beyond ordinary domain-user read access rather than a domain admin.
  • Sync Interval: how often the sync runs, in minutes. Leave it blank and the sync runs every time the scheduled task fires (every 5 minutes).
  • Advanced Options - Start: the starting point of the directory search; used for OU targeting or multi-domain sync.
  • Advanced Options - Filter: an LDAP filter that restricts which records the domain returns.
The Test Connection button confirms the domain details and credentials you have provided. Use it after saving your connection settings but before enabling the sync. Test Connection does not import any users or modify logins or employees in any way.
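A filter for the Advanced Options - Filter field, previewed from PowerShell before it is pasted into the form, as an added example that is not part of the original article or of the Intranet Connections product. The group name 'Intranet Users' and the helper function ConvertTo-LdapFilterValue are assumptions of this example; the filter syntax itself (objectCategory, memberOf and the bitwise matching rule on userAccountControl) is standard Active Directory LDAP.

```powershell
# Added example (not from the Intranet Connections article): build the LDAP filter that
# restricts the sync to direct, non-disabled members of 'Intranet Users' and preview
# what it returns before pasting it into Advanced Options - Filter.
Import-Module ActiveDirectory

# RFC 4515: a DN embedded in a filter must have \ ( ) * escaped (backslash first).
# Helper name is this example's own.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

$groupDn = ConvertTo-LdapFilterValue (Get-ADGroup 'Intranet Users').DistinguishedName

# objectCategory=person + objectClass=user -> user accounts, not computers or contacts
# memberOf=<DN>                            -> direct membership only, like the sync itself
# userAccountControl bitwise AND (1.2.840.113556.1.4.803) with 2 -> ACCOUNTDISABLE bit,
# negated so disabled accounts drop out before they ever reach the intranet
$filter = "(&(objectCategory=person)(objectClass=user)(memberOf=$groupDn)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
"Filter: $filter"

# Run it the way the sync will: an LDAP search from the domain root (or your Start OU)
$hits = @(Get-ADObject -LDAPFilter $filter -SearchBase (Get-ADDomain).DistinguishedName `
              -Properties sAMAccountName, givenName, sn, displayName, mail)

"{0} account(s) match" -f $hits.Count
$hits | Select-Object sAMAccountName, givenName, sn, displayName, mail | Format-Table -AutoSize
```

If you want users who reach the group only through nested groups to be in scope, `(memberOf:1.2.840.113556.1.4.1941:=<DN>)` matches transitively; that changes which users are returned, not how the group sync itself records memberships. Note also that the filter above returns user objects only, and the article states that the filter restricts the groups returned as well, so re-check the AD Sync groups list after enabling group sync.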

The Force Re-sync button is only available while the sync is enabled and is used for troubleshooting failed syncs. It forces a complete resynchronization with your domain.


Enable the Sync
Once you have successfully configured and tested your connection settings you are ready to enable the sync: check the Enable Sync option and press Save. A synced login appears as a user card with a red flag in the logins list (Admin > Security > Find Logins), and its login details show Windows Authentication with a username and domain name. Users with Windows Authentication do not have a password stored or managed by the intranet site; the domain authenticates them.
ADSync4.png
There are additional sync features which you should also consider.
  • Sync Managers/Supervisors: when checked, the sync reads each user's manager attribute in Active Directory and assigns that manager's employee record as the supervisor of the user's login.
  • Remove Disabled Users: normally the only event that causes the sync to remove an employee from your site is deletion of the account from Active Directory. Enable this option to have the sync also disable the user's intranet login when the AD account is disabled (but not deleted). It also ensures that accounts which are already disabled are never imported and synced into the site. With the option off, a disabled account keeps its intranet login and directory profile until the AD account is deleted.
Please note that to be synced, an AD account must have the First Name (givenName), Last Name (sn) and Display Name (displayName) fields populated; accounts missing any of these are not imported.
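A pre-flight audit of the accounts in scope, as an added example that is not part of the original article or of the Intranet Connections product. It reports the three conditions just described: accounts missing a required name field (which the sync will not import), disabled accounts (excluded or disabled when Remove Disabled Users is on), and managers who are outside the scope (relevant when Sync Managers/Supervisors is on, since the supervisor link needs the manager's employee record to exist on the site). The group name and the function name Test-IntranetSyncScope are assumptions of this example.

```powershell
# Added example (not from the Intranet Connections article): audit the accounts in
# scope before enabling the sync. Group name and function name are assumptions.
Import-Module ActiveDirectory

function Test-IntranetSyncScope {
    param([string]$GroupName = 'Intranet Users')

    $groupDn = (Get-ADGroup $GroupName).DistinguishedName
    $inScope = @(Get-ADUser -LDAPFilter "(memberOf=$groupDn)" `
                    -Properties givenName, sn, displayName, mail, manager)

    # Not imported by the sync: one or more of the three required name fields empty
    $missingNames = @($inScope | Where-Object {
        [string]::IsNullOrWhiteSpace($_.givenName) -or
        [string]::IsNullOrWhiteSpace($_.sn) -or
        [string]::IsNullOrWhiteSpace($_.displayName)
    })

    # Disabled accounts still in the group (Get-ADUser returns Enabled by default)
    $disabled = @($inScope | Where-Object { -not $_.Enabled })

    # Managers outside the scope: with Sync Managers/Supervisors on, the supervisor
    # link would point at an employee record the sync never creates
    $scopeDns = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]@($inScope | ForEach-Object { $_.DistinguishedName }))
    $orphanManagers = @($inScope | Where-Object {
        $_.manager -and -not $scopeDns.Contains($_.manager)
    })

    [pscustomobject]@{
        InScope           = $inScope.Count
        MissingNameField  = $missingNames.sAMAccountName
        Disabled          = $disabled.sAMAccountName
        ManagerNotInScope = @($orphanManagers | ForEach-Object {
                                "{0} -> {1}" -f $_.sAMAccountName, $_.manager })
    }
}

Test-IntranetSyncScope | Format-List
```

Fix the name fields and disable/remove stale accounts in AD before the first sync, so the first run does not silently skip people or create profiles for accounts that should never have reached the site.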


Group Synchronization
An additional option available on the sync is the ability to synchronize a user's group memberships from Active Directory. If you enable this option the sync reads in all groups that are returned by the sync. Within the intranet group management interface (Admin > Security > Find Groups) you will then see AD Sync groups. These groups have the same name and membership as their AD counterparts, with the following restrictions:
  • The group sync is non-recursive. Only the direct membership of the group itself is returned. For example, if group B is a member of group A, the users in group B are not added to the synced copy of group A.
  • A user's primary group is not synced. For this reason we do not recommend using the Domain Users group for any security purposes on the site, as it is the most common group assigned as a user's primary group.
It is important to note that group sync creates a group in the intranet site for every group returned by the sync. If you target your entire domain this can result in a large number of unwanted groups (ex: Domain Admins, DHCP Administrators, SQL admin groups, etc.) being imported into the site. We therefore strongly recommend a sync filter that restricts the returned users and groups.
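The two restrictions above matter most when an AD group is used to grant site permissions: users who are in the group only through nesting, or only as their primary group, will be absent from the synced copy. The following added example (not part of the original article or of the Intranet Connections product) reports exactly those users for a given group. It assumes the sync reads the group's member attribute, which is what "direct membership" means in LDAP terms; the group names at the bottom and the function name Get-UnsyncedGroupMembers are placeholders.

```powershell
# Added example (not from the Intranet Connections article): for a given AD group,
# list the users a synced intranet group will NOT contain, because the sync records
# direct membership only and never primary-group membership. Assumes the sync reads
# the group's 'member' attribute; group names are placeholders.
Import-Module ActiveDirectory

function Get-UnsyncedGroupMembers {
    param([Parameter(Mandatory)][string]$GroupName)

    # primaryGroupToken is the group's RID, the value users carry in primaryGroupID
    $group = Get-ADGroup -Identity $GroupName -Properties member, primaryGroupToken

    # What the sync sees: the literal member attribute (user DNs and nested group DNs)
    $direct = @($group.member | Where-Object { $_ })

    # Nested groups among the direct members
    $nestedGroups = @(Get-ADGroupMember -Identity $group | Where-Object objectClass -eq 'group')

    # Users whose primary group is this group are not listed in 'member' at all
    # (513 is the RID of Domain Users, the usual primary group)
    $viaPrimary = @(Get-ADUser -Filter "primaryGroupID -eq $($group.primaryGroupToken)")

    # Every user reachable through nesting. ADWS caps Get-ADGroupMember at
    # MaxGroupOrMemberEntries (5000 by default), so very large groups need paging.
    $flattened = @(Get-ADGroupMember -Identity $group -Recursive | Where-Object objectClass -eq 'user')

    # Users an admin expects but the sync will not add: reachable only via a nested group
    $primaryDns = @($viaPrimary | ForEach-Object { $_.DistinguishedName })
    $viaNesting = @($flattened | Where-Object {
        $direct -notcontains $_.DistinguishedName -and $primaryDns -notcontains $_.DistinguishedName
    })

    [pscustomobject]@{
        Group           = $group.Name
        DirectEntries   = $direct.Count
        NestedGroups    = $nestedGroups.Name
        UsersViaNesting = $viaNesting.sAMAccountName   # missing from the synced group
        UsersViaPrimary = $viaPrimary.sAMAccountName   # missing from the synced group
    }
}

# A group you intend to use for intranet permissions, and Domain Users as the
# cautionary case from the article (its direct member list is normally empty)
Get-UnsyncedGroupMembers -GroupName 'Intranet Editors' | Format-List
Get-UnsyncedGroupMembers -GroupName 'Domain Users'     | Format-List
```

Where UsersViaNesting is non-empty, either add those users to the group directly or flatten the nesting in AD before relying on the synced group for site permissions.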


Employee Synchronization
Up until this point all the aspects of sync we have discussed have been related to logins. The last section relates to the optional import of contact information from AD to create an employee profile in the directory associated with the employee's login. The entire Employee sync can be disabled if you would prefer to manage the directory via CSV import or by manual updates. Also, since many Active Directory implementations do not contain complete or current contact information, the interface lets you select only those fields you can guarantee are being maintained.

To sync fields in your directory with AD, enable this section; a form then drops down. On the left are the fields in the intranet's directory that are available to sync. On the right is a drop-down for each of these fields in which you select the AD attribute to associate with it. Select only those you want to sync. Any directory field that you want to keep editable through the intranet should be left blank (leave the drop-down at 'Select One').
ADSync3.png
The only required field for the employee sync is the Department field, because the sync uses it to organize employees in your directory, as follows:
  • The textual value of the synced attribute for each AD account is read in.
  • The employee record is then created in the directory department of the same name. (ex: if an AD account has the value 'Systems Dept' in its Office field and you associate Office with the directory's Department field in the sync, the employee record is added to a directory department called 'Systems Dept'.)
  • If no directory department exists for that value, a new directory department of that name is created. Note that AD records with different spellings of the same department (ex: 'System Dept' vs 'Systems Dept') result in two directory departments being created.
  • If an AD account's value for the synced attribute changes at any time, the employee record is moved from its existing department to the matching department, which is created if it does not yet exist.
All other synced fields are added and updated to match their AD counterparts. Note that any directory field synced with AD becomes unavailable for editing by users or admins, through either inline editing or the admin site. The value imported from Active Directory is considered the master record and cannot be changed on the site; bad data must be corrected in AD and flows through on the next sync.
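Because every distinct string becomes its own directory department, the attribute you map to Department is worth inspecting before the first sync. The following added example (not part of the original article or of the Intranet Connections product) groups the in-scope accounts by the exact value of that attribute and buckets spellings that differ only in case, whitespace, punctuation or a trailing 's', so that near-duplicates such as 'System Dept' and 'Systems Dept' show up side by side. The attribute name, the group name and the function name Get-DepartmentVariants are assumptions; the normalisation is a heuristic of this example.

```powershell
# Added example (not from the Intranet Connections article): find values of the
# attribute mapped to Department that would split one team across several directory
# departments. Attribute, group and function names are assumptions.
Import-Module ActiveDirectory

function Get-DepartmentVariants {
    param(
        [string]$Attribute = 'department',        # or 'physicalDeliveryOfficeName' for Office
        [string]$GroupName = 'Intranet Users'
    )
    $groupDn = (Get-ADGroup $GroupName).DistinguishedName
    $users   = @(Get-ADUser -LDAPFilter "(memberOf=$groupDn)" -Properties $Attribute)

    # Count each exact string; an empty value means the account has nothing to map
    $exact = @{}
    foreach ($u in $users) {
        $v = [string]$u.$Attribute
        if ($exact.ContainsKey($v)) { $exact[$v]++ } else { $exact[$v] = 1 }
    }

    # Bucket exact strings by a normalised form (lower case, collapsed whitespace,
    # punctuation removed, trailing 's' dropped) so likely misspellings land together.
    # This is a heuristic: review the buckets, do not act on them blindly.
    $buckets = @{}
    foreach ($v in $exact.Keys) {
        $key = (($v.ToLowerInvariant() -replace '[^a-z0-9 ]', '') -replace '\s+', ' ').Trim() -replace 's\b', ''
        if (-not $buckets.ContainsKey($key)) { $buckets[$key] = @() }
        $buckets[$key] += $v
    }

    foreach ($key in ($buckets.Keys | Sort-Object)) {
        $label = if ($key) { $key } else { '(empty)' }
        [pscustomobject]@{
            Normalised = $label
            Spellings  = ($buckets[$key] | ForEach-Object { "'{0}' x{1}" -f $_, $exact[$_] }) -join ', '
            Conflict   = $buckets[$key].Count -gt 1   # would create more than one directory department
        }
    }
}

Get-DepartmentVariants | Sort-Object Conflict -Descending | Format-Table -AutoSize
```

Rows with Conflict set to True are the ones to clean up in AD before enabling the employee sync; once the sync is on, the directory departments follow whatever AD says and cannot be merged from the site.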


Corresponding Active Directory LDAP Names
The table below provides a list of the Drop Down options and their corresponding LDAP names.
Dropdown Label                  LDAP Name                    Notes
City                            l
Company                         company
Department                      department
Description                     description
Fax                             facsimileTelephoneNumber
Home Phone                      homePhone
IP Phone                        ipPhone
Cell Phone                      mobile
Office                          physicalDeliveryOfficeName
Pager                           pager
ZIP/Postal Code                 postalCode
P.O. Box                        postOfficeBox
State/Province                  st
Street                          streetAddress
Phone Number                    telephoneNumber
Title                           title
EmployeeNumber                  employeeNumber
Employee ID                     employeeID
Notes                           info
Exchange Extension Attribute 1  extensionAttribute1          only if the setting is enabled (ADField3 = 1 in AppSetting)
n/a                             givenName                    always mapped to Person.FirstName
n/a                             sn                           always mapped to Person.LastName
n/a                             manager                      used to set the Supervisor relationship
n/a                             sAMAccountName               mapped to the user account name
n/a                             mail                         always mapped to Person.Email
LDAP attribute names are case-insensitive; the casing above follows the Active Directory schema.
During synchronization, the sync first attempts to match each employee record to its AD record via the ADSID recorded previously. If there is no ADSID match (as on the first sync), it attempts to match on the intranet user name (login name) being equal to the AD account's sAMAccountName. Before the first sync, review any existing intranet logins whose user name equals a sAMAccountName in the sync scope, since the name match will bind them to that AD account.
