The following is a list of supported and unsupported environments. If implementing directory synchronization between two Active Directory environments, you will need a Quest Windows Server and an SQL Server database server.
|
Supported |
Not Supported |
Binary Tree Windows Server |
Windows Server 2016, Windows Server 2019, or Windows Server 2022; US English Operating System |
All other versions of Windows Server |
SQL Server Database |
SQL Server can be a new or existing database server in the customer’s environment. The following SQL Server versions (English versions) are supported:
|
SQL Server 2008 R2 or previous
Reporting using SQL Server Reporting Services 2016 or SQL Server Express Reporting Services 2016 |
Domain |
The following Windows Server versions are supported:
|
|
NTLM Authentication is required for the product to function. NTLM Authentication options are typically controlled via Group Policy. These three settings should be verified:
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Microsoft Outlines this setting here: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers
The registry key for this setting is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
The RestrictSendingNTLMTraffic key, with DWORD value will be present. If the key is missing, then this setting is not being leveraged. If the key is set to 2, the “deny all” option has been set to restrict all out going NTLM Traffic. If the key is set to 1, the “audit all” option has been set, which will only log when outgoing NTLM traffic is detected. If the key is set to 0, then “allow all” is configured and there are not restrictions on sending NTLM traffic in place.
Network security: Restrict NTLM: Incoming NTLM traffic
Microsoft Outlines this setting here: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic
The registry key for this setting is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
The RestrictReceivingNTLMTraffic key, with a DWORD value will be present. If the key is missing, then this setting is not being leveraged. If the key is set to 2, the “deny all” option has been set to restrict all incoming NTLM Traffic. If the key is set to 1, the “audit all” option has been set, which will only log when Incoming NTLM traffic is detected. If the key is set to 0, then “allow all” is configured and there are not restrictions on receiving NTLM traffic in place.
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
This allows for exclusions from the two policies below for a computer
Microsoft Outlines this setting here: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication
The registry key for this setting is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
The ClientAllowedNTLMServers key, with REG_MULTI_SZ values will be present. If the key present, but is empty, there are no allowed exceptions. If they key is present, and lists servers, these are the servers that allow NTLM communication to. If the key is missing, then this setting is not being leveraged.
The following is a list of supported and unsupported environments. If implementing directory synchronization between two Active Directory environments, you will need a Quest Windows Server and an SQL Server database server.
|
Supported |
Not Supported |
Binary Tree Windows Server |
Windows Server 2016, Windows Server 2019, or Windows Server 2022; US English Operating System |
All other versions of Windows Server |
SQL Server Database |
SQL Server can be a new or existing database server in the customer’s environment. The following SQL Server versions (English versions) are supported:
|
SQL Server 2008 R2 or previous
Reporting using SQL Server Reporting Services 2016 or SQL Server Express Reporting Services 2016 |
Domain |
The following Windows Server versions are supported:
|
|
NTLM Authentication is required for the product to function. NTLM Authentication options are typically controlled via Group Policy. These three settings should be verified:
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Microsoft Outlines this setting here: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers
The registry key for this setting is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
The RestrictSendingNTLMTraffic key, with DWORD value will be present. If the key is missing, then this setting is not being leveraged. If the key is set to 2, the “deny all” option has been set to restrict all out going NTLM Traffic. If the key is set to 1, the “audit all” option has been set, which will only log when outgoing NTLM traffic is detected. If the key is set to 0, then “allow all” is configured and there are not restrictions on sending NTLM traffic in place.
Network security: Restrict NTLM: Incoming NTLM traffic
Microsoft Outlines this setting here: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic
The registry key for this setting is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
The RestrictReceivingNTLMTraffic key, with a DWORD value will be present. If the key is missing, then this setting is not being leveraged. If the key is set to 2, the “deny all” option has been set to restrict all incoming NTLM Traffic. If the key is set to 1, the “audit all” option has been set, which will only log when Incoming NTLM traffic is detected. If the key is set to 0, then “allow all” is configured and there are not restrictions on receiving NTLM traffic in place.
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
This allows for exclusions from the two policies below for a computer
Microsoft Outlines this setting here: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication
The registry key for this setting is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
The ClientAllowedNTLMServers key, with REG_MULTI_SZ values will be present. If the key present, but is empty, there are no allowed exceptions. If they key is present, and lists servers, these are the servers that allow NTLM communication to. If the key is missing, then this setting is not being leveraged.
The following is a list of supported and unsupported environments. If implementing directory synchronization between two Active Directory environments, you will need a Quest Windows Server and an SQL Server database server.
|
Supported |
Not Supported |
Binary Tree Windows Server |
Windows Server 2016, Windows Server 2019, or Windows Server 2022; US English Operating System |
All other versions of Windows Server |
SQL Server Database |
SQL Server can be a new or existing database server in the customer’s environment. The following SQL Server versions (English versions) are supported:
|
SQL Server 2008 R2 or previous
Reporting using SQL Server Reporting Services 2016 or SQL Server Express Reporting Services 2016 |
Domain |
The following Windows Server versions are supported:
|
|
NTLM Authentication is required for the product to function. NTLM Authentication options are typically controlled via Group Policy. These three settings should be verified:
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Microsoft Outlines this setting here: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers
The registry key for this setting is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
The RestrictSendingNTLMTraffic key, with DWORD value will be present. If the key is missing, then this setting is not being leveraged. If the key is set to 2, the “deny all” option has been set to restrict all out going NTLM Traffic. If the key is set to 1, the “audit all” option has been set, which will only log when outgoing NTLM traffic is detected. If the key is set to 0, then “allow all” is configured and there are not restrictions on sending NTLM traffic in place.
Network security: Restrict NTLM: Incoming NTLM traffic
Microsoft Outlines this setting here: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic
The registry key for this setting is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
The RestrictReceivingNTLMTraffic key, with a DWORD value will be present. If the key is missing, then this setting is not being leveraged. If the key is set to 2, the “deny all” option has been set to restrict all incoming NTLM Traffic. If the key is set to 1, the “audit all” option has been set, which will only log when Incoming NTLM traffic is detected. If the key is set to 0, then “allow all” is configured and there are not restrictions on receiving NTLM traffic in place.
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
This allows for exclusions from the two policies below for a computer
Microsoft Outlines this setting here: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication
The registry key for this setting is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
The ClientAllowedNTLMServers key, with REG_MULTI_SZ values will be present. If the key present, but is empty, there are no allowed exceptions. If they key is present, and lists servers, these are the servers that allow NTLM communication to. If the key is missing, then this setting is not being leveraged.
The IP address and either the default SQL port (1433) or an alternate port must be open to all Quest servers.
The ability to create and modify tables in the Dirsync database on the SQL Server database server.
It is strongly recommended that the SQL Server database server is dedicated to SQL Server. This server can host other SQL databases, but should serve no other purpose than being a SQL Server database server.
SQL Server must be configured using Mixed Mode authentication.
Using the default system administrator SQL Server login account is not recommended. A Directory Sync SQL Server login account should be created. This account must have sysadmin and database owner rights to create the Dirsync database. The sysadmin right can be removed from this account once the install is complete.
If using a Remote Named Instance of SQL Server:
The incoming firewall rules on the machine that hosts the SQL Server instance must be modified.
Using the SQL default of dynamic ports for named instances:
Create an inbound firewall “Program” rule whose program path is the named SQL database engine (ex: %ProgramFiles%\Microsoft SQL Server\MSSQL14.<INSTANCE-NAME>\MSSQL\Binn\sqlservr.exe)
Create an inbound firewall “Port” rule for UDP port 1434.
The “SQL Server Browser” must be running.
Alternatively, you can setup a fixed port for the SQL instance following these instructions.
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center