PracticalHost Directory Sync allows PracticalHost Hosted Email customers to synchronize their local Active Directory objects and user passwords with PracticalHost Hosted Email in real time. This article describes how to install and configure Directory Sync.
Functional Level of Domain Controller and Active Directory
- Windows 2008 Server
- Windows 2008 Server R2
- Windows 2012
- Directory Sync Service must be installed directly on your domain controller.
- After installation, Directory Sync cannot automatically sync existing passwords because they are unreadable from Active Directory. Passwords must be reset after installation to ensure password sync.
- Directory Sync is compatible with Hosted Exchange 2010, Hosted Exchange 2013, Hosted Exchange 2016, and EnsureMail.
.NET Framework version 4.0 must be installed on the target domain controller and on any other domain controllers in the forest. You can download the appropriate .NET Framework from the Microsoft Download Center.
You do not have to open any inbound ports from the internet to your domain controllers.
Enable the following ports on the Directory Sync server:
- 443 – Outbound HTTPS connections from the Directory Sync service to the PracticalHost API.
- 8732 – Open for connections from other domain controllers to the Directory Sync server. Not used for any connections outside your network. This port is used by the domain controller password hooks.
- 8080 – Used only locally on the Directory Sync service machine for the web browser user interface. You may block this port for any external connections.
Communications between Directory Sync and PracticalHost are secured through HTTPS.
Communications between the Active Directory password hook and Directory Sync are secured with Microsoft WCF Transport Security, which uses Windows Authentication and encryption.
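The following PowerShell is an added example, not a PracticalHost script, that applies the port rules above on the primary domain controller with Windows Firewall and checks the outbound path to the API. The secondary DC addresses and the API host name are placeholders you must replace.

```powershell
# Added example (not PracticalHost's own script): scope the Directory Sync ports on the
# primary DC and verify the one Internet-facing requirement (outbound 443).
# Placeholders to replace: the secondary DC addresses and the PracticalHost API host name.
$SecondaryDCs = @('10.0.0.11', '10.0.0.12')              # placeholder: your other domain controllers
$ApiHost      = 'REPLACE-WITH-PRACTICALHOST-API-HOST'   # placeholder: API host name from PracticalHost

# Windows Firewall evaluates Block rules before Allow rules, so the safe pattern is
# "default inbound = Block" plus narrowly scoped Allow rules, not per-port Block rules.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 8732: only the other DCs' password hooks may reach the Directory Sync listener.
New-NetFirewallRule -DisplayName 'Directory Sync - password hooks from DCs (8732)' `
    -Direction Inbound -Protocol TCP -LocalPort 8732 `
    -RemoteAddress $SecondaryDCs -Action Allow -Profile Domain

# 8080 (local web UI) gets no Allow rule at all: the default Block keeps remote callers
# out, while http://localhost:8080 on the DC itself still works because Windows Firewall
# does not filter loopback traffic.

# Audit: list any enabled inbound rule that opens 8732 or 8080 to every remote address.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
        ($ports -contains '8732' -or $ports -contains '8080') -and
        (($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any')
    } |
    Select-Object DisplayName, Profile

# Outbound HTTPS to the PracticalHost API must succeed; nothing inbound from the Internet is needed.
Test-NetConnection -ComputerName $ApiHost -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Any rule the audit lists should be narrowed to the DC addresses (8732) or removed (8080) before the service goes into production.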
The installation files can be downloaded from this KB article using the links below.
Choose the appropriate installer, based on either 32 or 64 bit platforms.
- Directory Sync Service x64.msi or Directory Sync Service x86.msi.
- The download links are at the end of this KB article.
See the Directory Sync Administrator's Guide to learn more about the features and how to use it after installation.
Directory Sync Service Installation
Two services are installed with the Directory Sync system, the Directory Sync service and the Password Handler service. The Directory Sync service is a Windows service that automatically synchronizes user information and requires a local service account under which to run. The Password Handler service automatically synchronizes user password changes.
NOTE: The Directory Sync Service will run as the “Local System account” on the domain controller.
Copy the appropriate platform-specific Directory Sync service .msi file to the domain controller. Then, open the file and follow the prompts for installing the Directory Sync service.
- On the Welcome page of the Directory Sync Service Setup Wizard, click Next.
- On the Ready to install Directory Sync Service page, click Install.
- When prompted, click Yes to restart your system now, or click No to manually restart it later. You must restart for the changes to take effect. After you restart, the installation wizard continues.
- On the Resuming the Directory Sync Service Setup Wizard page, click Install.
- To complete the install process, click Finish.
- When installation is complete, the web user interface (UI) for validation and synchronization automatically opens. A shortcut to the web UI is created on both the Start menu and on the desktop.
Configure the Directory Sync service and synchronize
The Windows Services management console contains a new service called Directory Sync. The installation automatically starts the service. If any errors occur when the service starts, view the event log for more information about the error.
Note: We recommend creating new security groups in Active Directory that will manage the list of synchronized users for each hosted service. For example, if you are synchronizing Exchange users, create a new security group in Active Directory named PracticalHost Exchange.
To start synchronizing Active Directory changes with PracticalHost, the Directory Sync service must be configured. Perform the following steps:
1. Open the Directory Sync service administrative web application, if it is not already open.
2. On the Sync Registration Page, enter the admin ID and password associated with your EnsureMail https://ensure.practicalhost.com account, and then click Register.
It is advisable to create a new admin ID for the sync service.
3. On the Settings tab, provide the following information:
- Local AD Domain: Verify that the appropriate local Active Directory domain is selected.
- Hosted Exchange: Select the appropriate security group to be synchronized with Microsoft Exchange mailboxes.
- Hosted Email: Select the appropriate security group to be synchronized with EnsureMail Email mailboxes.
- Administrator email: Enter an email address. All alerts will be sent to this email address.
- Time to Send Summary Email: Set the time when a summary report of changes synchronized with your Active Directory will be sent to the Administrator email address. By default, this value is set to 08:00.
4. Click Save & Start Sync to begin a full synchronization.
There are two types of synchronization:
- Full synchronization finds all items available for synchronization in the entire directory. This synchronization type initiates only on the first synchronization process.
- Delta synchronization finds changes available for synchronization in Active Directory that occurred since the last synchronization. This synchronization type runs automatically every 5 minutes by default but can also be performed manually. To manually run a delta synchronization, click on the Sync History tab and then click the Sync Now button.
Note: The Directory Sync service never makes changes to the directory. All access is read-only.
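Because Directory Sync cannot read passwords that were set before it was installed, every member of the synchronized security group must change their password once before password sync covers them. The PowerShell below is an added example, not a PracticalHost script, that flags those users to change their password at next logon and then reports who still has not done so; it assumes the group name from the note above and a placeholder install date.

```powershell
# Added example (not PracticalHost's own script): force a one-time password change for
# every synchronized user, then report who still predates the install.
# Placeholders: $SyncGroup is the group selected on the Settings tab (this article's
# example name is used); $InstalledOn is the date Directory Sync was installed.
Import-Module ActiveDirectory
$SyncGroup   = 'PracticalHost Exchange'
$InstalledOn = Get-Date '2024-01-15'

# Resolve nested membership down to user objects (nested groups and computers are skipped).
$users = Get-ADGroupMember -Identity $SyncGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires

$report = foreach ($u in $users) {
    if ($u.PasswordNeverExpires) {
        # "Password never expires" suppresses the change-at-logon prompt, so the flag
        # would be silently ineffective; report these accounts for manual handling.
        [pscustomobject]@{ User = $u.SamAccountName; Action = 'skipped: PasswordNeverExpires set' }
        continue
    }
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true
    [pscustomobject]@{ User = $u.SamAccountName; Action = 'must change password at next logon' }
}
$report | Format-Table -AutoSize

# Later: anyone whose PasswordLastSet still predates the install (or is empty because the
# change-at-logon flag is pending) has not reset yet and so is not password-synchronized.
Get-ADGroupMember -Identity $SyncGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties PasswordLastSet |
    Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $InstalledOn } |
    Select-Object SamAccountName, PasswordLastSet
```

Run the second query after the Password Handler is installed on every DC, since a change made on a DC without the handler is not seen by Directory Sync.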
Synchronize users and groups
For information about how to start synchronizing your Active Directory objects to your mailboxes and distribution lists, see the Directory Sync Operations Guide.
Install password synchronization for multiple domain controllers (optional)
The main installer for Directory Sync is installed on one domain controller (DC) that will communicate directly to PracticalHost. The DC communicates through the PracticalHost API to the EnsureMail Control Panel over an HTTPS connection on port 443. This DC, or primary DC, includes the Directory Sync UI and is where Directory Sync is configured.
If you have multiple DCs to manage the Active Directory, you must install the Password Handler on all DCs except the primary DC (the Password Handler is installed during initial setup). Normally, password changes in a network occur locally and then are replicated to the other DCs. Directory Sync is unable to see those password changes after replication because of encryption. To ensure that password changes are synchronized, each DC requires the Password Handler to be installed directly. This installation requires each DC to restart.
Password changes made in the other DCs are delivered to the primary DC over port 8732. Multiple DCs communicate internally with the primary DC and do not send any password changes outside of the network. All password synchronizations are funneled through the primary DC and then synchronized to PracticalHost.
The following figure illustrates this communication process.
Install the Password Handler service on secondary domain controllers
During the installation of the Directory Sync service on the primary domain controller, the Directory Sync Password Handler Install folder was created on the desktop. Use the installer in this folder to synchronize your users’ passwords across multiple domain controllers.
Note: The .msi file within the folder should be installed on the secondary domain controllers only.
This process applies to multiple domain controllers (two or more). Repeat the following steps for each additional domain controller in the Active Directory forest.
- Copy the .msi file to the secondary domain controller.
- Double-click the installation file and click Next on the welcome page of the wizard.
- On the next page, click Install.
- After the restart, the installer starts again to finish the installation.
- Click Finish.
Note: This application runs in the background. You do not have to configure any settings. Settings are taken from the primary DC.
Now that the installation is complete, see the Directory Sync Administrator’s Guide and the Sync Operations Guide to learn how to use Directory Sync and its features.