The following is a list of supported and unsupported environments. If implementing directory synchronization between two Active Directory environments, you will need a Binary Tree Windows Server and an SQL Server database server.

| | Supported | Not Supported |
|---|---|---|
| Binary Tree Windows Server | Windows Server 2012 R2, Windows Server 2016, or Windows Server 2019; US English Operating System | All other versions of Windows Server |
| SQL Server Database | SQL Server can be a new or existing database server in the customer’s environment. The following SQL Server versions (English versions) are supported: | SQL Server 2008 or previous; Reporting using SQL Server Reporting Services 2016 or SQL Server Express Reporting Services 2016 |
| Domain | At least one Windows Server 2003 SP2 Domain Controller in Source and Target | |

.NET 4.6.1 or greater. The installer will install .NET 4.6.1 if the target machine does not already have it. All system patches, service packs, and security updates should be applied to your operating system to ensure compatibility with .NET 4.6.1.
IPv4 Only
The user running the BTDirSync service (full name BinaryTree.DirSync.Exchange.exe) must have the following rights:
- Administrator rights to SQL Server with sysadmin role (during installation).
- Local administrative rights to the Binary Tree Windows server (during installation).
Exchange cannot be installed on this server.
The Binary Tree Windows Server must be a dedicated server for the Binary Tree solutions.
If using the Password Copy functionality of Active Directory Pro Synchronization, PsExec must be installed in the Directory Sync Pro program directory (C:\Program Files\Binary Tree\DirSync). Ignore the PSTools Installation Guide concerning the proper installation location. PsExec is available at: https://technet.microsoft.com/en-us/sysinternals/bb897553
The IP address and either the default SQL port (1433) or an alternate port must be open to all Binary Tree servers.
The ability to create and modify tables in the Dirsync database on the SQL Server database server.
It is strongly recommended that the SQL Server database server is dedicated to SQL Server. This server can host other SQL databases, but should serve no other purpose than being a SQL Server database server.
SQL Server must be configured using Mixed Mode authentication.
Using the default system administrator SQL Server login account is not recommended. A Directory Sync SQL Server login account should be created. This account must have sysadmin and database owner rights to create the Dirsync database. The sysadmin right can be removed from this account once the install is complete.
If using a Remote Named Instance of SQL Server:
- The incoming firewall rules on the machine that hosts the SQL Server instance must be modified.
- Using the SQL default of dynamic ports for named instances:
  - Create an inbound firewall “Program” rule whose program path is the named SQL database engine (ex: %ProgramFiles%\Microsoft SQL Server\MSSQL14.<INSTANCE-NAME>\MSSQL\Binn\sqlservr.exe)
  - Create an inbound firewall “Port” rule for UDP port 1434.
  - The “SQL Server Browser” must be running.
- Alternatively, you can set up a fixed port for the SQL instance following these instructions.
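
Added example (not from the product documentation): the dynamic-port steps above scripted in PowerShell on the SQL Server host, with both rules scoped to the Binary Tree servers rather than left open to any source. The instance name and IP addresses are placeholders, and the `MSSQL14` folder follows the page's example path.

```powershell
# Added example; placeholder values, adjust to your environment.
$InstanceName    = 'DIRSYNC'                       # hypothetical named instance
$BinaryTreeHosts = @('192.0.2.10', '192.0.2.11')   # constructed documentation-range IPv4 addresses

# Engine path follows the page's example (MSSQL14.<INSTANCE-NAME>).
$Engine = Join-Path $env:ProgramFiles "Microsoft SQL Server\MSSQL14.$InstanceName\MSSQL\Binn\sqlservr.exe"
if (-not (Test-Path -LiteralPath $Engine)) {
    throw "SQL engine binary not found at $Engine; check the version folder and instance name."
}

# "Program" rule: the engine may listen on whatever dynamic port it was assigned.
New-NetFirewallRule -DisplayName "SQL engine ($InstanceName) from Binary Tree servers" `
    -Direction Inbound -Action Allow -Program $Engine `
    -RemoteAddress $BinaryTreeHosts | Out-Null

# "Port" rule: SQL Server Browser answers instance-to-port lookups on UDP 1434.
New-NetFirewallRule -DisplayName "SQL Browser from Binary Tree servers" `
    -Direction Inbound -Action Allow -Protocol UDP -LocalPort 1434 `
    -RemoteAddress $BinaryTreeHosts | Out-Null

# The Browser service must be running for named-instance resolution.
Set-Service -Name SQLBrowser -StartupType Automatic
Start-Service -Name SQLBrowser

# Review the result, including the remote-address scope of each rule.
Get-NetFirewallRule -DisplayName '*from Binary Tree servers' | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Enabled = $_.Enabled
        Remote  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    }
}
```
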
All components of Directory Sync Pro are fully functional on physical as well as virtual machines. When setting up Proof of Concept or Pilot environments, the use of virtual machines as a means of lowering the expense of such projects is fully supported and recommended. However, when it comes to production environments, sufficient information to determine whether virtual environments have the same stability and performance characteristics as physical machines has not yet been gathered. Because a majority of production environments have been and are deployed on physical machines, potential customers are advised of these facts, but the final decision is deferred to them. Product support will be provided in both physical and virtual environments. However, if either stability or performance issues are found in a virtual environment, switching to a physical one as a means of issue correction may be recommended.
Binary Tree Servers must be connected via a LAN (10MB or higher) connection. A high-speed WAN (5MB or higher) connection may be acceptable, but is not recommended. Where possible, it is recommended to have these servers, as well as Exchange, on the same physical network.
To deploy Directory Sync Pro on the Binary Tree Windows Server, an AD account with Server Administration rights must be able to log on to the server interactively. The account must be able to run programs with Administration-level access on the target Exchange Server and specifically be able to open the Exchange Management Shell (PowerShell).
The following setup for the service account is recommended:
- Minimum membership of Domain Users (least privilege) built-in security group
- Read & List Contents rights to "Deleted Objects" container. You may follow these steps if your account is not a Domain Administrator or equivalent (see KB892806):
  - Using a domain admin account, open a command prompt and confirm the successful execution of the following commands:

    ```
    dsacls "CN=Deleted Objects,DC=domain,DC=com" /takeownership
    dsacls "CN=Deleted Objects,DC=domain,DC=com" /g Domain\ServiceAccount:LCRP
    ```
- Full Control rights to destination OU in Active Directory
- Administrative rights to Exchange
- Create a new login in the SQL Server Management Studio. In Server Roles, grant public and sysadmin rights (you may remove these rights after the database has been created). In User Mapping, select the Dirsync database and grant public and database owner rights.
- Member of local Built-In Administrators group
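
Added example (not from the product documentation): a post-install check for the two passages above that allow sysadmin to be removed from the Directory Sync SQL login once the Dirsync database exists. It assumes the SqlServer module's `Invoke-Sqlcmd`, SQL Server 2012 or later for `ALTER SERVER ROLE`, and the placeholder names `SQLHOST\DIRSYNC` and `DirSyncSvc`.

```powershell
# Added example, not vendor code. Run as a DBA after the Dirsync database has been created.
$SqlInstance = 'SQLHOST\DIRSYNC'   # placeholder server\instance
$Login       = 'DirSyncSvc'        # placeholder Directory Sync SQL login

$query = @"
-- Drop the install-time server role, then report what the login still holds.
IF IS_SRVROLEMEMBER('sysadmin', '$Login') = 1
    ALTER SERVER ROLE [sysadmin] DROP MEMBER [$Login];

SELECT
    IS_SRVROLEMEMBER('sysadmin', '$Login') AS IsSysadmin,
    (SELECT COUNT(*)
       FROM [Dirsync].sys.database_role_members AS rm
       JOIN [Dirsync].sys.database_principals AS r ON r.principal_id = rm.role_principal_id
       JOIN [Dirsync].sys.database_principals AS m ON m.principal_id = rm.member_principal_id
      WHERE r.name = 'db_owner' AND m.sid = SUSER_SID('$Login')) AS DbOwnerRows;
"@

$state = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $query -ErrorAction Stop

# IS_SRVROLEMEMBER returns NULL for an unknown login, so anything other than 0 is a failure.
if ($state.IsSysadmin -ne 0) {
    throw "Login '$Login' is still sysadmin or was not found on $SqlInstance."
}
# The product still needs database owner rights on Dirsync after sysadmin is gone.
if ($state.DbOwnerRows -lt 1) {
    Write-Warning "Login '$Login' has no db_owner mapping in the Dirsync database."
}

[pscustomobject]@{
    Login       = $Login
    IsSysadmin  = [bool]$state.IsSysadmin
    DirsyncOwner = ($state.DbOwnerRows -ge 1)
}
```
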
The following requirements must be met if using the Post Sync PowerShell Script option:
- PowerShell 4
- The credentials specified on the AD Target tab must have rights to run PowerShell.
- The following must be enabled on the DC defined on the AD Target tab:
  - Remote PowerShell commands (Unrestricted methods must be enabled if required)
  - Windows Remote Management (WinRM)
  - Active Directory Web Services

| Source | Target | Ports | Protocol |
|---|---|---|---|
| Directory Sync Pro for Active Directory | SQL Server holding the primary database | 1433 | TCP & UDP |
| Directory Sync Pro for Active Directory | SQL Server holding the logging database | 1433 | TCP & UDP |

| Source | Target | Ports | Protocol |
|---|---|---|---|
| Directory Sync Pro for Active Directory | Source Domain controllers | 88, 389, 445*, 3268 | TCP (all) UDP (88, 389) |
| Directory Sync Pro for Active Directory | Target Domain controllers | 88, 389, 445, 3268 | TCP (all) UDP (88, 389) |

* Port 445 only needs to be open to the Source Domain Controller during Directory Sync Pro for Active Directory Profile creation

| Source | Target | Ports | Protocol |
|---|---|---|---|
| Directory Sync Pro for Active Directory | Source Domain controllers | 88, 389, 445*, 3268 | TCP (all) UDP (88, 389) |
| Directory Sync Pro for Active Directory | Target Domain controllers | 88, 139, 389, 445, 3268 | TCP (all) UDP (88, 389) |

* Port 445 only needs to be open to the Source Domain Controller during Directory Sync Pro for Active Directory Profile creation

| Source | Target | Ports | Protocol |
|---|---|---|---|
| Directory Sync Pro for Active Directory | Source or Target Domain controllers | 88, 139, 389, 445, 3268 | TCP (all) UDP (88, 389) |

| Source | Target | Ports | Protocol |
|---|---|---|---|
| Directory Sync Pro for Active Directory | Source or Target Domain controllers running Windows 2008 or newer | 88, 135, 137, 139, 389, 445, 3268 and 49152-65535 | TCP (all) UDP (88, 389) |
| Directory Sync Pro for Active Directory | Source or Target Domain controllers running Windows 2003 | 88, 135, 137, 139, 389, 445, 3268 and 1024-5000 | TCP (all) UDP (88, 389) |
| Target GC | Source PDC | 135, 138, 389, 445, 1027 | TCP (all) |