
Binary Tree Power365 Current - Help Center


Directory Sync

Requirements

Binary Tree Power365 Directory Sync is built with Microsoft Azure. Our Software-as-a-Service (SaaS) platform is designed to handle a variety of directory synchronization scenarios to meet your coexistence and collaboration needs.

Power365 Directory Sync can manage simple AD to AD, Cloud to Cloud, and more complex scenarios including combinations of local and cloud mixed environments.

 

What is required to get Power365 Directory Sync set up?  

You will need 2 items to get started with setting up Directory Sync.

  1. The authorized account(s) that allow changes to your local and/or cloud directories
  2. At least one (1) local on-premises server to host the local agent (if applicable)

The following information provides details around the specific component requirements.

 

Agents  

Power365 Directory Sync is a 100% SaaS platform but to commit changes to on-premises directories (if applicable) such as Active Directory, a local agent must be installed and configured.

You will need at least one Power365 Directory Sync Agent installed per forest (environment). You may have up to five agents per forest. Adding more agents can offer limited fault-tolerance and can improve synchronization throughput, especially for near real-time password synchronization.

Important Tip: If you are only connecting to Azure AD, local agents are not required.

 

Hardware  

This local agent must meet the following minimum requirements:

  • At least one (1) Windows Server 2012 R2, 2016 or 2019
  • Additional Windows servers may be deployed. Limit to 5.
  • CPU: 4 Cores
  • Memory: 4GB Free
  • Disk: 40GB Free Disk Space excluding Operating System.

Important Tip: Do not install any local agents on AD domain controllers in a production environment.

 

Software  

This local agent must meet the following minimum requirements:

  • Windows Server 2012 R2, 2016 or 2019
  • .NET 4.5.2 (will automatically be installed unless already present)
  • TLS 1.2 or higher

 

Domain and Forest Functional Levels  

  • 2012 R2 or 2016

 

Network  

  • Connecting to the Power365 Directory Sync web interface uses TCP port 443 (HTTPS).
  • Agent connections are initiated by the agent and require port 443 access to Power365 Directory Sync SaaS application.
  • Connecting to DCs uses TCP on ports 139, 389 (UDP), 445, and 3268.
  • Copying SID History uses TCP on ports 135, 137-139, 389 (UDP), 445, 1027, 3268, and 49152-65535.

 

Accounts  

Local Active Directory Account

  • The agent installer will prompt for a domain account with permission to read and write on-premises Active Directory.
  • An agent intended to sync all domains in a forest must have access rights to all domains and objects used in workflows.

Azure AD Application Account

  • When creating a new Cloud Environment, an account with the Global Administrator Role is required to grant permissions and establish a connection.

Azure AD PowerShell Accounts

  • An OAuth token will be used by the application to create two (2) PowerShell accounts which are used to read and update objects in the cloud.
  • The accounts being used do not require any Microsoft 365 licenses.

 

Password Synchronization  

The following conditions must be met for Password Sync:

  • ADMIN$ must be accessible on the domain controller from the Directory Sync agent server.
  • The Password Sync functionality requires that either a domain admin role or built-in admin role be granted to the service account.
  • Any third-party anti-virus program that prevents access to the LSASS process may need to be updated with a whitelist entry for the Password Sync executable.
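The Hardware, Software, Network and Password Synchronization requirements above can be checked before an agent is installed. The PowerShell pre-flight script below is an added example, not Binary Tree's code or part of the Power365 product; the SaaS hostname and domain controller names are placeholders, and it assumes the NetTCPIP and CimCmdlets modules present on Windows Server 2012 R2 and later. It probes TCP only, so the UDP 389 entry is not verified, and it tests the RPC endpoint mapper (135) rather than individual ports in the dynamic range 49152-65535, which are allocated per connection.

```powershell
# Added example, not Binary Tree's code. Run on the prospective Directory Sync
# agent server. Hostnames are placeholders; UDP 389 is not probed (TCP only).

$SaasHost          = 'directorysync.example.invalid'   # placeholder for the Power365 Directory Sync endpoint
$DomainControllers = 'dc01.corp.example.invalid', 'dc02.corp.example.invalid'   # placeholders

$DcTcpPorts         = 139, 389, 445, 3268                        # "Connecting to DCs"
$SidHistoryTcpPorts = 135, 137, 138, 139, 389, 445, 1027, 3268   # "Copying SID History", fixed ports only;
                                                                 # 49152-65535 is handed out per connection
                                                                 # by the endpoint mapper on 135

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port)
    # -InformationLevel Quiet makes Test-NetConnection return a plain [bool]
    return [bool](Test-NetConnection -ComputerName $ComputerName -Port $Port `
        -InformationLevel Quiet -WarningAction SilentlyContinue)
}

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Target, [string]$Check, [bool]$Pass, [string]$Detail = '') {
    $results.Add([pscustomobject]@{ Target = $Target; Check = $Check; Pass = $Pass; Detail = $Detail })
}

# Hardware: 4 cores, 4 GB free memory, 40 GB free on the system drive; never a domain controller
$cs  = Get-CimInstance Win32_ComputerSystem
$os  = Get-CimInstance Win32_OperatingSystem          # FreePhysicalMemory is reported in KB
$sys = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')
Add-Result $env:COMPUTERNAME 'CPU >= 4 cores'          ($cs.NumberOfLogicalProcessors -ge 4) "cores=$($cs.NumberOfLogicalProcessors)"
Add-Result $env:COMPUTERNAME 'Memory >= 4 GB free'     (($os.FreePhysicalMemory / 1MB) -ge 4) ('free={0:N1} GB' -f ($os.FreePhysicalMemory / 1MB))
Add-Result $env:COMPUTERNAME 'Disk >= 40 GB free'      (($sys.Free / 1GB) -ge 40) ('free={0:N1} GB' -f ($sys.Free / 1GB))
Add-Result $env:COMPUTERNAME 'Not a domain controller' ($cs.DomainRole -lt 4) "DomainRole=$($cs.DomainRole)"   # 4 and 5 mean DC

# Software: .NET Framework 4.5.2 or later (NDP v4 Full "Release" value 379893 = 4.5.2)
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -Name Release -ErrorAction SilentlyContinue).Release
Add-Result $env:COMPUTERNAME '.NET >= 4.5.2' ($release -ge 379893) "Release=$release"

# Network: agent-initiated HTTPS to the SaaS platform
Add-Result $SaasHost 'TCP 443 (SaaS)' (Test-TcpPort $SaasHost 443)

foreach ($dc in $DomainControllers) {
    foreach ($p in $DcTcpPorts) {
        Add-Result $dc "TCP $p (DC)" (Test-TcpPort $dc $p)
    }
    foreach ($p in ($SidHistoryTcpPorts | Where-Object { $_ -notin $DcTcpPorts })) {
        Add-Result $dc "TCP $p (SID History)" (Test-TcpPort $dc $p)
    }
    # Password Sync: ADMIN$ on the DC must be reachable from this server
    Add-Result $dc 'ADMIN$ share' (Test-Path ('\\{0}\ADMIN$' -f $dc))
}

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Host "$failed requirement check(s) failed"
```

Run it in an elevated PowerShell session on the server that will host the agent; every row whose Pass column is False corresponds to one of the requirements listed above and should be resolved before installation.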

 

SID History  

  • A trust relationship must exist between the source and target domains. Typically this is done by establishing a forest-level trust, but it can also be done as a domain trust.

  • The target account must have administrator permissions in the source domain. To enable this, the target account of the Power365 Directory Sync agent should be added to the built-in Administrators group on the source PDC.

  • Auditing of the source and target domain must be enabled. This can be enabled as a global policy for all domain controllers or as a local policy on the specific source and target DCs involved. To enable auditing as a local policy, go to gpedit.msc > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy and enable the “Audit account management” and “Audit directory service access” settings.

  • If Advanced Audit Policy is configured in the environments, the ‘Account Management’ and ‘DS Access’ advanced audit policies of the source and target domain should also be configured. These settings can be enabled as a global policy for all domain controllers or as a local policy on the specific source and target DCs involved.

    • To enable the advanced audit policy for Account Management, go to gpedit.msc > Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Management and enable Success and Failure auditing for the following policies:
      • Audit Application Group Management
      • Audit Computer Account Management
      • Audit Distribution Group Management
      • Audit Other Account Management Events
      • Audit Security Group Management
      • Audit User Account Management

    • To enable the advanced audit policy for DS Access, go to gpedit.msc > Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > DS Access and enable Success auditing for the following policies:
      • Audit Directory Service Access
      • Audit Directory Service Changes
      • Audit Directory Service Replication
      • Audit Detailed Directory Service Replication

  • An empty Domain Local security group must be created in each source domain and named {SourceNetBIOSDomain}$$$.

  • The HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\TcpipClientSupport registry key must be set to 1 on the source domain primary domain controller. You must restart the source domain primary domain controller after the registry configuration.

  • The Migrate SID History permission is required on the target domain. This is typically enabled for Domain Admins and Enterprise Admins, but can be enabled for a specific group or user by following the steps below:

    1. Right-click on your target domain in Active Directory Users and Computers.
    2. Select the Security tab, add or update the desired group or user, and enable the “Migrate SID History” permission.

Important Tip: For further guidance from Microsoft, see its documentation on Using DsAddSidHistory.
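The SID History prerequisites listed above (trust, source Administrators membership, the {SourceNetBIOSDomain}$$$ group, the TcpipClientSupport registry value, and the audit subcategories) can be verified from one machine before a workflow that copies SID History is run. The PowerShell script below is an added example, not Binary Tree's code or part of the Power365 product. It assumes the ActiveDirectory RSAT module, PowerShell remoting to both PDC emulators, and an account that can read both domains; the domain names and the agent account name are placeholders. Note that auditpol names subcategories without the leading “Audit ”, and that the Administrators membership check only inspects direct members, so nested group membership is not resolved.

```powershell
# Added example, not Binary Tree's code. Domain and account names are placeholders.
Import-Module ActiveDirectory

$SourceDomain = 'source.example.invalid'   # placeholder
$TargetDomain = 'target.example.invalid'   # placeholder
$AgentAccount = 'svc-p365agent'            # placeholder: sAMAccountName of the agent's target-domain account

$src = Get-ADDomain -Identity $SourceDomain
$tgt = Get-ADDomain -Identity $TargetDomain

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. A trust from the source domain to the target domain must exist (forest or domain trust)
$trust = Get-ADTrust -Filter * -Server $src.PDCEmulator | Where-Object { $_.Target -eq $TargetDomain }
$trustDetail = if ($trust) { "direction=$($trust.Direction), forestTransitive=$($trust.ForestTransitive)" } else { 'none found' }
Add-Finding 'Trust to target domain' ($null -ne $trust) $trustDetail

# 2. An empty Domain Local group named <SourceNetBIOS>$$$ must exist in the source domain
$groupName = '{0}$$$' -f $src.NetBIOSName
$grp = Get-ADGroup -LDAPFilter "(sAMAccountName=$groupName)" -Server $src.PDCEmulator
if ($grp) {
    $members = @(Get-ADGroupMember -Identity $grp -Server $src.PDCEmulator)
    Add-Finding "$groupName is Domain Local and empty" ($grp.GroupScope -eq 'DomainLocal' -and $members.Count -eq 0) `
                "scope=$($grp.GroupScope), members=$($members.Count)"
} else {
    Add-Finding "$groupName exists" $false 'group not found'
}

# 3. TcpipClientSupport must be 1 on the source PDC emulator (a restart is required after setting it)
$tcpip = Invoke-Command -ComputerName $src.PDCEmulator -ScriptBlock {
    (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name TcpipClientSupport -ErrorAction SilentlyContinue).TcpipClientSupport
}
Add-Finding 'TcpipClientSupport=1 on source PDC' ($tcpip -eq 1) "value=$tcpip"

# 4. The agent's target account must be a direct member of the source domain's built-in Administrators (S-1-5-32-544)
try {
    $agentSid = (Get-ADUser -Identity $AgentAccount -Server $tgt.PDCEmulator).SID.Value
    $admins   = @(Get-ADGroupMember -Identity 'S-1-5-32-544' -Server $src.PDCEmulator)
    Add-Finding 'Agent account in source Administrators' ($admins.SID.Value -contains $agentSid) "directMembers=$($admins.Count)"
} catch {
    Add-Finding 'Agent account in source Administrators' $false $_.Exception.Message
}

# 5. Audit subcategories on both PDC emulators: Account Management needs Success and Failure, DS Access needs Success
$accountMgmt = 'Application Group Management', 'Computer Account Management', 'Distribution Group Management',
               'Other Account Management Events', 'Security Group Management', 'User Account Management'
$dsAccess    = 'Directory Service Access', 'Directory Service Changes',
               'Directory Service Replication', 'Detailed Directory Service Replication'
foreach ($dcName in @($src.PDCEmulator, $tgt.PDCEmulator)) {
    # auditpol /r emits CSV with an "Inclusion Setting" column; drop any non-CSV lines before parsing
    $csv = Invoke-Command -ComputerName $dcName -ScriptBlock { auditpol /get /category:* /r } |
           Where-Object { $_ -match ',' } | ConvertFrom-Csv
    foreach ($sub in $accountMgmt) {
        $setting = ($csv | Where-Object { $_.Subcategory -eq $sub }).'Inclusion Setting'
        Add-Finding "$dcName : $sub" ($setting -eq 'Success and Failure') "setting=$setting"
    }
    foreach ($sub in $dsAccess) {
        $setting = ($csv | Where-Object { $_.Subcategory -eq $sub }).'Inclusion Setting'
        Add-Finding "$dcName : $sub" ($setting -match 'Success') "setting=$setting"
    }
}

$findings | Format-Table -AutoSize
```

The audit checks accept a setting of Success and Failure for DS Access as well, since it includes Success; a False in the Pass column points at the specific prerequisite bullet above that still needs attention on that domain controller.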

 

Workflow Alerts  

• To create a workflow alert, simply have a valid SMTP address ready.

Setup

Workflows

What is a Workflow?  

A workflow is a configurable series of steps that provides an easy automation framework for connecting to directories and managing object synchronization: creating, updating and deleting objects, along with property/attribute synchronization and transformation. A workflow may also include a PowerShell script that is executed according to the workflow rules, giving the automation greater flexibility and extensibility.

 

Where do I manage Workflows?  

To manage workflows, simply open the left navigation menu and click Workflows, located under Setup, see figure 1.

Figure 1: Directory Sync Setup and Settings Menu


 

What should be entered as the Workflow Name?  

You can name your workflow anything you'd like but remember that you may be referencing the same environment in multiple workflows. We suggest a name that generally describes the flow of objects. Then use the description field for the distinguishing characteristics. After this step, the wizard will guide you through all the necessary components that will make up your workflow.

 

What should be selected for Workflow Type?  

The workflow type determines the default set of workflow steps the wizard guides you through. No matter what choice you make here, you can always customize your workflow steps at any time, so if you aren't sure, start with a one-way sync. Once you have learned what settings work best for a particular project, you may want to enter those settings in an XML file and import it here so that you can easily recreate the steps for similar workflows. You can download the sample file, customize it to your needs, then import it.

 

What are the steps to create a Workflow?  

When you create a new workflow, the wizard will ask you to choose a type of workflow. It will then prepopulate a workflow for you with the appropriate steps. You can modify this, or, start from scratch. We will start from scratch, to examine the possible steps that you will need for any workflow.

 

  1. First is Read From. Here is where you choose the environments that have the objects you would like to use for matching and mapping, and ultimately for possible migration to a target environment. If you plan a many-to-one migration, you would choose several sources here. You must have at least one environment to read from in any workflow. One Read From step can include several sources, so you don’t need a separate Read From step for each one.
  2. Match Objects is next. Here is where you choose the environments to compare, AND the criteria that Power365 Directory Sync will use to decide if an object in one environment is the same object as found in another environment, which we call a match. If you don’t read from an environment, you can't choose it here.
  3. The Stage Data step is required next. Stage Data is where you customize your workflow action. You will be asked to choose a template. A template contains specific preferences that you can reuse, such as password options and attribute mappings. You will choose your source and target environment pairs here. And again, you will only be able to choose those environments that you have read from. You will be able to choose your source OUs and even set up some OU filters if you want to narrow your scope.
  4. And finally, you need to include at least one Write To environment. After data has been matched, mapped and filtered, what is your target: where do you want to place the new objects, and/or sync objects that were considered a match?

 

How is a Workflow scheduled?  

You can run your workflow manually, at a specific time interval, or at a specific time of day. The minimum time interval is 15 minutes. No matter what you choose as part of the wizard, you can always trigger a manual run of a workflow from the welcome screen. You can access the welcome screen at any time by clicking the Power365 Directory Sync logo at the top left.

The set interval can be changed on the Discover tab of the Local Environment settings.

 

 

Can objects be deleted?  

A Delete Objects step is also available. If an object is removed from scope and/or deleted from the Source, any matching object on the Target will be deleted. To configure this step, you must enter Source/Target endpoint pairs and a threshold (the max number of objects to delete per pair).

 

Can a PowerShell script be run?  

An optional additional step would be the run PowerShell script step, in which you can choose a PowerShell script that will run each time the workflow is run.

 

Additional Information  

  • Alerts
  • Workflow Test Mode
  • Evaluate Changed Objects Only
