This article provides information for domain administrators working with PracticalHost Directory Sync. It includes information on how Directory Sync works with Active Directory and local domains to sync to PracticalHost Hosted Email.
The benefits of using Directory Sync for your organization include:
- Same sign-on: Users have to remember only one password for their local network access and their email accounts for a same sign-on experience.
- Ease of management: Administrators benefit by adding and managing mail-enabled objects directly in Active Directory from a familiar Microsoft Active Directory interface. You choose which user objects to synchronize. You can synchronize as few as one user in your Active Directory, or synchronize all of them at the same time.
- Save time: For many larger organizations, the Directory Sync service can save considerable effort and time when onboarding new employees and managing password policies.
- Business automation: Directory Sync is built on the PracticalHost Email cloud's public REST APIs, which simplifies automating and preserving existing business processes.
- Secure: All data exchanged is encrypted in transit (HTTPS/TLS), and synchronization is one-way only, from your Active Directory to the hosted service.
- Cost effective: Directory Sync is available at no additional cost.
Supported objects and platforms
PracticalHost Directory Sync supports the synchronization of the following Active Directory objects:
- Active Directory user mailboxes
- Active Directory user passwords for same sign-on
- Active Directory contacts (for Hosted Exchange)
- Distribution groups (for Hosted Exchange)
Directory Sync supports the following Email platforms:
- Hosted Exchange 2010
- Hosted Exchange 2013
- Hosted Exchange 2016
- Hosted Exchange Hybrid
Directory Sync supports the following Active Directory platforms:
- Windows Server 2008 and 2008 R2
- Windows 2012 and 2012 R2
Directory Sync limitations
- Existing mail data does not migrate with Directory Sync to our hosted environment.
- Synchronizes a user password only at the moment it is changed. Existing passwords cannot be synchronized retroactively because they cannot be read from Active Directory; only a change in progress is visible to the password hook. Users must change their passwords for Directory Sync to synchronize the change with their mailbox.
- Not LDAP compatible.
- Windows Server 2003 and the Active Directory functional level of 2003 are not supported.
Installation and configuration
See PracticalHost Directory Sync: Install and configure to get started.
Note: You must restart the domain controller during installation in order for the password synchronization to work.
How Directory Sync works
Directory Sync runs automatically. It synchronizes changes from your local directory to your email accounts every five minutes. You can also click Sync Now to synchronize immediately.
Directory Sync is one-way only. It does not synchronize information from Hosted Exchange or EnsureMail back to your Active Directory. If you change any information, such as passwords, using Outlook Web App or Control Panel, your mailboxes will not be synchronized with Active Directory.
Directory Sync synchronizes one local Active Directory domain with multiple email domains.
The domain names can be the same or different. You specify the local Active Directory domain at setup.
Directory Sync uses Active Directory security groups to manage which objects are synchronized with your email service. If you use Hosted Exchange, create a new security group for the users that will be synchronized with Exchange mailboxes. If you use EnsureMail Email, create a new security group for the users that will be synchronized with EnsureMail Email mailboxes. If you use both Hosted Exchange and EnsureMail Email, you will have two security groups. Directory Sync creates and manages mailboxes for all user objects that you add to the security groups.
Directory Sync associates Active Directory user objects with email accounts by their mail attribute. The mail attribute is the email address property associated with the user.
Password synchronization occurs after the user object has synchronized to the mailbox. Password changes occur on their own synchronization interval and with a higher priority than other synchronization sessions.
When you install Directory Sync, it cannot automatically synchronize existing passwords because they are unreadable from Active Directory. Users continue to use their old email passwords. When users manually change their password, Directory Sync synchronizes it with their mailbox. Be sure to assign user objects to email security groups before you change passwords. Otherwise, Directory Sync will not set the new passwords.
When you create new mailboxes, those users must change passwords before they can access their email.
If your domain has more than one domain controller, the Directory Sync Password Handler must be installed on every domain controller other than the one running Directory Sync, because a password change is processed by whichever writable domain controller the client contacts. The handler forwards the change to the Directory Sync server, which then synchronizes it to EnsureMail Hosted Mail.
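The group-based selection and the mail-attribute join described above, as an added example that is not PracticalHost's own code. It assumes the ActiveDirectory PowerShell module on the Directory Sync server; the group name, OU path and user names are placeholders.

```powershell
# Added example, not part of Directory Sync. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$GroupName = 'DirSync-Exchange'               # assumed name; Directory Sync only needs a security group
$GroupPath = 'OU=Groups,DC=corp,DC=example'   # assumed OU

# 1. Create the sync security group once (idempotent).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupPath `
        -Description 'Members are synchronized to Hosted Exchange by Directory Sync'
}

# 2. Add the users to synchronize: one user or many, as the article says.
$UsersToSync = @('jdoe', 'asmith')            # assumed sAMAccountNames
Add-ADGroupMember -Identity $GroupName -Members $UsersToSync

# 3. Check members before the next five-minute sync pass.
#    - mail must be set: it is the attribute Directory Sync uses to associate the
#      user object with the mailbox, so an empty mail attribute cannot be matched
#    - pwdLastSet = 0 means "must change password at next logon", which is exactly
#      the event Directory Sync needs, since only a fresh change is ever pushed
function Test-DirSyncMember {
    param([Parameter(Mandatory)][string]$Group)
    Get-ADGroupMember -Identity $Group |
        Where-Object objectClass -eq 'user' |        # contacts/groups are synced differently
        Get-ADUser -Properties mail, userAccountControl, pwdLastSet |
        ForEach-Object {
            [pscustomobject]@{
                User               = $_.SamAccountName
                Mail               = $_.mail
                MailOk             = -not [string]::IsNullOrWhiteSpace($_.mail)
                Enabled            = $_.Enabled
                MustChangePassword = ($_.pwdLastSet -eq 0)
            }
        }
}

Test-DirSyncMember -Group $GroupName | Format-Table -AutoSize
```

Add users to the group before asking them to change passwords; a change made by a user who is not yet a member is not picked up, as the section above notes.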
Distribution list membership synchronization
Synchronize users within distribution lists or security groups from Active Directory to distribution list membership within the Email Control Panel. Directory Sync uses the group’s email address property to synchronize with the Hosted Exchange distribution list.
Contact synchronization
Synchronize contact objects within Active Directory to your Exchange contacts within the Hosted Exchange environment. Within Active Directory, you can set up the external email address to which the contact will forward. Directory Sync uses the contact object's mail attribute to set this.
Alternate email addresses (Optional Synchronization)
The proxyAddresses attribute is used to create alternate email addresses (aliases) in the Hosted Exchange environment. If a user's proxyAddresses attribute includes SMTP:userA@example.net, Directory Sync adds userA@example.net to the environment as an alias of that user's mailbox.
- Any entry that begins with SMTP: in the proxyAddresses attribute creates an alternate email address associated with the user's mailbox.
- These addresses cannot use a domain alias, but they can use either the primary domain or an accepted domain.
- Alternate email addresses associated with domain aliases are created by using the primary domain. For example, SMTP:userB@example.com creates the corresponding alternate address.
- Accepted domains are created with the full email address (including the domain). For example, SMTP:userA@example.org creates the corresponding alternate address.
How to Enable:
- The setting is in the appSettings.config file in the \Directory Sync Service\web directory. Go to the config value:
<add key="SyncProxyAddresses" value="False" />
- The setting is False by default for new installs and upgrades and must be changed to True to enable syncing of proxy addresses. The setting persists, so future upgrade installs will not revert it.
- The proxyAddresses attribute is edited on the Attribute Editor tab, which is visible in the Active Directory Users and Computers (ADUC) console when Advanced Features is enabled in the View menu.
- Domain aliases and accepted domains must be configured with the help of Cloud Office Support before you configure alternate addresses; otherwise they will not sync correctly.
- During initial setup, make sure the proxyAddresses attribute does not contain any domain aliases; otherwise setup will produce errors.
- Alternate addresses work for Exchange mailboxes only. They do not work for distribution lists or contacts; those must be added manually in the Cloud Office Control Panel.
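An audit of proxyAddresses against the rules above, followed by the config change, as an added example that is not PracticalHost's own code. It assumes the ActiveDirectory module; the group name, the primary, accepted and alias domains, and the install path root are placeholders (the article only gives the \Directory Sync Service\web suffix).

```powershell
# Added example, not part of Directory Sync.
Import-Module ActiveDirectory

$GroupName       = 'DirSync-Exchange'                  # assumed sync security group
$AcceptedDomains = @('example.com', 'example.org')     # assumed; get the real list from Cloud Office Support
$DomainAliases   = @('example.net')                    # assumed; these must NOT appear in proxyAddresses

# One row per SMTP: entry with the verdict the rules above imply.
function Get-DirSyncProxyAudit {
    param([string]$Group, [string[]]$Accepted, [string[]]$Aliases)
    Get-ADGroupMember -Identity $Group |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties mail, proxyAddresses |
        ForEach-Object {
            $user = $_
            foreach ($entry in @($user.proxyAddresses)) {
                # The article keys on the SMTP: prefix; -cmatch keeps the comparison case-sensitive
                if (-not ($entry -cmatch '^SMTP:(.+)$')) { continue }
                $address = $Matches[1].Trim()
                $domain  = ($address -split '@')[-1].ToLowerInvariant()
                $verdict = if ($Aliases -contains $domain)      { 'ERROR: domain alias in proxyAddresses' }
                           elseif ($Accepted -contains $domain) { 'ok' }
                           else                                 { 'WARN: domain not accepted; will not sync' }
                [pscustomobject]@{
                    User    = $user.SamAccountName
                    Primary = $user.mail
                    Alias   = $address
                    Verdict = $verdict
                }
            }
        }
}

# Flip SyncProxyAddresses to True in appSettings.config (path root is an assumption).
function Enable-DirSyncProxyAddresses {
    param([Parameter(Mandatory)][string]$ConfigPath)
    $full = (Resolve-Path -LiteralPath $ConfigPath).ProviderPath
    [xml]$cfg = Get-Content -LiteralPath $full -Raw
    $node = $cfg.SelectSingleNode("//add[@key='SyncProxyAddresses']")
    if (-not $node) { throw "SyncProxyAddresses key not found in $full" }
    $node.SetAttribute('value', 'True')
    $cfg.Save($full)
}

Get-DirSyncProxyAudit -Group $GroupName -Accepted $AcceptedDomains -Aliases $DomainAliases |
    Format-Table -AutoSize

# Only after the audit shows no ERROR rows:
# Enable-DirSyncProxyAddresses -ConfigPath 'C:\Program Files\Directory Sync Service\web\appSettings.config'
```

Run the audit first and fix any ERROR rows, since the section above says domain aliases in proxyAddresses cause errors during setup.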
User password requirements
Directory Sync will not set an email password that does not meet the minimum password requirements below. We recommend changing your domain password policy to meet or exceed these requirements, so that a password accepted by Active Directory is never rejected for the mailbox, which would leave the user's old email password in place.
PracticalHost Email and Hosted Exchange password requirements
- At least eight characters long.
- At least three of the following four:
  - At least one lowercase character
  - At least one uppercase character
  - At least one number
  - At least one non-alphanumeric character (!, $, #, %, space, etc.)
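The requirement above, as a check you can run against candidate passwords and against the domain's own policy; this is an added example, not PracticalHost's code. The sample passwords are constructed, and the policy comparison assumes the ActiveDirectory module.

```powershell
# Added example, not part of Directory Sync.
Import-Module ActiveDirectory

function Test-HostedMailboxPassword {
    param([Parameter(Mandatory)][string]$Password)
    # -cmatch is case-sensitive; plain -match would let [a-z] match uppercase letters too.
    $classes = @(
        $Password -cmatch '[a-z]'          # lowercase
        $Password -cmatch '[A-Z]'          # uppercase
        $Password -cmatch '[0-9]'          # number
        $Password -cmatch '[^A-Za-z0-9]'   # non-alphanumeric, space included
    )
    $hit = @($classes | Where-Object { $_ }).Count
    [pscustomobject]@{
        LengthOk   = $Password.Length -ge 8
        ClassesHit = $hit
        Passes     = ($Password.Length -ge 8) -and ($hit -ge 3)
    }
}

# Compare the default domain policy with the hosted rule. AD's built-in complexity
# rule requires 3 of 5 character categories and the default minimum length is 7,
# so minimum length is the usual gap against the 8-character requirement.
function Test-DomainPolicyAgainstHosted {
    $policy = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        MinPasswordLength  = $policy.MinPasswordLength
        ComplexityEnabled  = $policy.ComplexityEnabled
        MeetsHostedMinimum = ($policy.MinPasswordLength -ge 8) -and $policy.ComplexityEnabled
    }
}

# Constructed samples showing the boundary cases (not real credentials).
foreach ($pw in 'Winter2024', 'winter24', 'Correct Horse', 'Ab1!') {
    $r = Test-HostedMailboxPassword -Password $pw
    '{0,-15} length={1,2} classes={2} passes={3}' -f $pw, $pw.Length, $r.ClassesHit, $r.Passes
}

Test-DomainPolicyAgainstHosted
# To close the gap (domain name is a placeholder):
# Set-ADDefaultDomainPasswordPolicy -Identity corp.example -MinPasswordLength 8 -ComplexityEnabled $true
```

If fine-grained password policies are in use, check those too (Get-ADFineGrainedPasswordPolicy -Filter *), because a PSO applied to the synced users overrides the default domain policy.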
You do not have to open any inbound ports from the internet to your domain controllers.
Enable the following ports on the Directory Sync server:
- 443 - Outbound HTTPS connections from Directory Sync service to PracticalHost API
- 8732 - Open for connections from other domain controllers to the Directory Sync server. Not used for any connections outside your network. This port is used by domain controller password hooks.
- 8080 - Only used locally on Directory Sync service machine for web browser. You may block this port for any external connections.
Communications between Directory Sync and PracticalHost are secured with HTTPS. Communications between the Active Directory password hook and Directory Sync are secured with Microsoft WCF transport security, which uses Windows authentication and encryption.
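The port rules above expressed as Windows Firewall rules on the Directory Sync server, as an added example that is not PracticalHost's code. It assumes the NetSecurity module (Windows Server 2012 and later), that the password-hook traffic on 8732 is TCP, and that the domain controller addresses are placeholders.

```powershell
# Added example, not part of Directory Sync. Run on the Directory Sync server.
$DomainControllers = @('10.0.0.11', '10.0.0.12')   # assumed addresses of the other DCs running the Password Handler

# 8732: accept only from the other domain controllers; the article says it is never used from outside the network.
New-NetFirewallRule -DisplayName 'DirSync Password Handler (8732 from DCs)' `
    -Direction Inbound -Protocol TCP -LocalPort 8732 `
    -RemoteAddress $DomainControllers -Action Allow -Profile Domain

# 8080: local browser only. Windows Firewall does not filter loopback traffic,
# so this block leaves the local web UI working and drops remote connections.
New-NetFirewallRule -DisplayName 'DirSync web UI (8080 block remote)' `
    -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Block

# 443 outbound to the PracticalHost API is usually allowed by the default outbound policy;
# an explicit rule documents the dependency.
New-NetFirewallRule -DisplayName 'DirSync API (443 outbound)' `
    -Direction Outbound -Protocol TCP -RemotePort 443 -Action Allow

# Review what was created.
Get-NetFirewallRule -DisplayName 'DirSync*' |
    Select-Object DisplayName, Direction, Action, Enabled | Format-Table -AutoSize

# From one of the other domain controllers, confirm the hook can reach the server
# (hostname is a placeholder):  Test-NetConnection -ComputerName dirsync01 -Port 8732
```

No inbound rule is needed on the domain controllers themselves for the internet side, matching the statement above that no inbound ports from the internet are required.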
Synchronized user attributes
Directory Sync will synchronize the following user attributes with Exchange and EnsureMail mailboxes. Some attributes differ between EnsureMail and Exchange mailboxes.
List Format: Email Attribute: ADSI property (limitations)
- Email Address: mail
- Password: password
- Display Name: displayName
- Last Name: sn
- First Name: givenName
- Generation Qualifier: generationQualifier (EnsureMail Email only)
- Initials: initials (EnsureMail Email only)
- Organization Unit: o (EnsureMail Email only)
- Business Number: telephoneNumber
- Pager Number: pager
- Home Number: homePhone
- Mobile Number: mobile
- FAX Number: facsimileTelephoneNumber
- Home FAX Number: otherFacsimileTelephoneNumber (EnsureMail Email only)
- Street: streetAddress
- City: l
- State: st
- Postal Code: postalCode
- Country: co
- Title: title
- User ID: employeeID (EnsureMail Email only)
- Employee Type: employeeType (EnsureMail Email only)
- User Account Control: userAccountControl
- Company: company (Exchange only)
- Department: department (Exchange only)
- Proxy Addresses: proxyAddresses (Exchange only)
- Office: physicalDeliveryOfficeName (Exchange only)