
On Demand Migration Current - Active Directory Modern Password Sync Setup Quick Start Guide

Configured Password Filter Plugin (Modern Password Sync)

Modern Password Sync requires the Quest Directory Sync Password Filter to be installed in both the source and target Active Directory. In a multi-domain forest, at least one Domain Controller per domain must be configured with the Password Filter.

To install the password filter, the following are required:

  • One (1) Local Administrator Account for each Microsoft Forest and/or Domain that has permissions to install Password Filter on the Domain Controller.

  • One (1) Domain Controller per domain in a multi-domain forest.

Follow these steps to set up the password filter.  

  1. Launch the Password Filter installer on the domain controller.

  2. Click the Next button.

  3. Enter the same Passphrase used during Directory Sync agent installation. The passphrase must be identical on both sides for the Directory Sync agent to communicate with the Password Filter.

  4. Click the Next button.

  5. Click the Install button.

  6. Select ‘Yes, I want to restart my computer now’ and click the Finish button. Note: the domain controller must be restarted because the Password Filter is loaded during startup.

  7. Repeat the above steps to install the Password Filter on the target Active Directory Domain Controller.

 

Setup Templates

Before we can build our workflows, it is best to set up your template(s). Templates contain common mappings and settings used to sync Users, Contacts, Devices, Groups, Office 365 Groups and Microsoft Teams. A template can then be applied to any workflow with a Stage Data step.

For the purpose of this guide, the following template needs to be configured to perform Password Synchronization for User Objects. This guide also assumes users will be created in the target Active Directory if no match is found. Additional templates may be created based on your project requirements.

  • Local to Local Password Sync

How to create a Local to Local template

  1. Navigate to Templates.

  2. Click the New button.

  3. Name and describe the template.

  4. In our example, we will name our template “Local to Local Password Sync”; click Next.

  5. Click Local as the source environment type, click Next.

  6. Click Local as the target environment type, click Next.

  7. Set CREATE NEW USERS AS = AS-IS.

  8. Set UPDATE CREATED USERS = ENABLE.

  9. Set UPDATE MATCHED USERS = ENABLE.

  10. Set IF TARGET ADDRESS EXISTS = OVERWRITE ONCE.

  11. Click Next.

  12. Set CREATE GROUPS AS = SKIP.

  13. Set UPDATE CREATED GROUPS = DISABLE.

  14. Set UPDATE MATCHED GROUPS = DISABLE.

  15. Click Next.

  16. Set CREATE NEW CONTACTS AS = DO NOT CREATE.

  17. Set UPDATE CREATED CONTACTS = DISABLE.

  18. Set UPDATE MATCHED CONTACTS = DISABLE.

  19. Click Next.

  20. Set CREATE NEW DEVICES AS = SKIP.

  21. Set UPDATE CREATED CONTACTS = DISABLE.

  22. Set UPDATE MATCHED CONTACTS = DISABLE.

  23. Click Next.

  24. Enter a default password, click Next.

  25. Leave the SYNCHRONIZE SID HISTORY checkbox unchecked, click Next.

  26. Under mappings, the settings can be left as default or updated based on your project requirements.

  27. Click Next.

  28. Click Finish.


Setup Workflows

Follow these steps to create two (2) new workflows for reading, matching, staging and writing data. 

How to create a one-way sync workflow for Local to Local

  1. Navigate to Workflows.

  2. Click the New button.

  3. Name and describe the workflow, click Next.

  4. Select the two (2) local Active Directory environments created previously, click Next.

  5. Select ONE-WAY SYNC, click Next.

  6. The next screen presents a pre-configured set of workflow steps that move objects and attributes between your directories.

  7. Start at the top of the steps, 1. Read From. Click the Select button.

  8. Select the two (2) environments created previously, then click OK.

  9. Move to Match Objects.

    1. This is the step where you decide how to match existing objects across your local Active Directories.

    2. Matching is conducted by pairing sets of attributes to find corresponding objects.

    3. Your two (2) environments may already have some attributes that can be used to find similar objects between the different directories, or you may need to set some to ensure accurate matching.

    4. For Password Synchronization it is most important that existing objects are correctly matched, since passwords are synchronized to the matched target objects.

  10. Click the Select button to configure the Match Objects criteria for your source Local environment and target Local environment.

    Figure 1: Example Match Objects Criteria

    1. Select your source local environment from the drop-down menu.

    2. Select your target local environment from the drop-down menu.

    3. Choose your first attribute pairing; we will use WindowsEmailAddress for our first match criteria.

    4. Choose the sAMAccountName attribute for the source and target fields.

    5. To add more attribute pairs, click the Add Attribute button.

    6. Additional pairings are evaluated as “OR” conditions. After the first match is found, the additional pairings are not assessed.

    7. In our case we are adding three (3) additional attribute pairings to our criteria:

      1. cn – This attribute was added to ensure we can match existing objects based on CN.

      2. UserPrincipalName – UPN was added to ensure uniqueness of the local part of the address string.

      3. Mail – This attribute was added to ensure we can match existing objects based on Mail.

        Note: Matching attributes should be reviewed and adjusted based on actual project scope; there isn’t a set matching rule that will fit all scenarios.

    8. Ensure Match Across all object types is not checked in this case.

    9. There is no need in this guide to Add Another Pair; click OK to close this configuration.

  11. Drag a Stage Data workflow task from the left panel to the right, under the Stage Data task mentioned above. Click the Select button to configure the fourth STAGE DATA workflow task for your target local to source local synchronization rule.

    1. Select the “Local to Local Password Sync” template, click Next.

    2. Select the source local environment as your source, click Next.

    3. Select the target local environment as your target, click Next.

    4. Select the default target domain name, click Next.

    5. Select the source Organizational Units that will be in scope of the project by clicking the ADD OUS button.

    6. In the new OU pop-up window, select the OU that will be in scope, check the INCLUDE ALL SUB OUS checkbox, and click OK to close the pop-up.

    7. Configure any Stage Data filter you like by double-clicking the OU in the OUs list. It is highly recommended to set up a filter that limits the scope of the first sync to a test set as part of validation. Click Next.

      Figure 2: Example Source OU setup.

    8. Select the default OU for newly created objects for Users, Groups, Contacts, and Devices.

      Figure 3: Example Target OU setup.

    9. Click Finish.

  12. Click the Select button to configure the WRITE TO workflow task. Ensure the target environment is selected, click OK.

  13. Click Next.

  14. Configure the workflow sync interval. Select Manual for now; a sync schedule can be set up once the test sync has completed. Click Next.

  15. Set up any workflow alerts you wish to configure; for now, click SKIP.

  16. Click Finish.
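The Match Objects and Stage Data steps above are easier to reason about as logic than as clicks. The following Python is an added example, not part of this guide and not Quest's product code: it models the OU scoping rule (an OU with or without INCLUDE ALL SUB OUS) and the ordered, OR-evaluated attribute pairings where the first pairing that finds a match wins and later pairings are not assessed, over constructed sample directory data. The attribute names follow the guide; the DNs, account values, the hypothetical `stage_users` report and the "hold for review" handling of an ambiguous match (more than one target candidate on the winning pairing) are assumptions added for illustration. Surfacing ambiguous matches before the first sync is the kind of check the recommended test-scope filter is meant to enable, because a password is only ever written to the target object the match selects.

```python
"""Added example (not Quest's code): models the guide's Match Objects pairings
and Stage Data OU scoping over constructed sample data."""

# Ordered attribute pairings as configured in the guide, as (source, target).
# They are OR conditions: the first pairing that finds a match wins, and the
# remaining pairings are not assessed.
MATCH_PAIRS = [
    ("sAMAccountName", "sAMAccountName"),
    ("cn", "cn"),
    ("userPrincipalName", "userPrincipalName"),
    ("mail", "mail"),
]

# Constructed sample data (hypothetical domains and accounts).
SCOPED_OUS = ["OU=Staff,OU=Corp,DC=source,DC=example"]

SOURCE_USERS = [
    {"distinguishedName": "CN=Alice Adams,OU=Staff,OU=Corp,DC=source,DC=example",
     "sAMAccountName": "aadams", "cn": "Alice Adams",
     "userPrincipalName": "alice@source.example", "mail": "alice@example.com"},
    {"distinguishedName": "CN=Bob Brown,OU=Contractors,OU=Staff,OU=Corp,DC=source,DC=example",
     "sAMAccountName": "bbrown", "cn": "Bob Brown",
     "userPrincipalName": "bob@source.example", "mail": "bob@example.com"},
    {"distinguishedName": "CN=Carol Chen,OU=Vendors,OU=Corp,DC=source,DC=example",
     "sAMAccountName": "cchen", "cn": "Carol Chen",
     "userPrincipalName": "carol@source.example", "mail": "carol@example.com"},
    {"distinguishedName": "CN=Dave Diaz,OU=Staff,OU=Corp,DC=source,DC=example",
     "sAMAccountName": "ddiaz", "cn": "Dave Diaz",
     "userPrincipalName": "dave@source.example", "mail": "dave@example.com"},
    {"distinguishedName": "CN=Erin Evans,OU=Staff,OU=Corp,DC=source,DC=example",
     "sAMAccountName": "erin", "cn": "Erin Evans",
     "userPrincipalName": "erin@source.example", "mail": "erin@example.com"},
]

TARGET_USERS = [
    # Same sAMAccountName as Alice but a different mail: the first pairing wins.
    {"sAMAccountName": "aadams", "cn": "Alice Adams",
     "userPrincipalName": "alice@target.example", "mail": "a.adams@example.com"},
    # Would match Alice on mail, but mail is never assessed once sAMAccountName hit.
    {"sAMAccountName": "alice.old", "cn": "Alice Adams (old)",
     "userPrincipalName": "alice.old@target.example", "mail": "alice@example.com"},
    # Different sAMAccountName from Bob; matched by the second pairing (cn).
    {"sAMAccountName": "brownb", "cn": "Bob Brown",
     "userPrincipalName": "bob@target.example", "mail": "bob@example.com"},
    # Two target objects share Erin's mail: an ambiguous match.
    {"sAMAccountName": "eevans", "cn": "Erin Evans (old)",
     "userPrincipalName": "eevans@target.example", "mail": "erin@example.com"},
    {"sAMAccountName": "erin.shared", "cn": "Erin Shared",
     "userPrincipalName": "erin.shared@target.example", "mail": "erin@example.com"},
]


def _rdns(dn):
    """Split a DN into case-folded RDN components (commas inside values are not handled)."""
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(dn, scoped_ous, include_sub_ous):
    """True if the object sits in one of the scoped OUs (or under them when include_sub_ous).
    Compares whole RDN components so that a sibling OU with a similar name never matches."""
    obj = _rdns(dn)
    for ou in scoped_ous:
        ou_parts = _rdns(ou)
        n = len(ou_parts)
        if len(obj) <= n or obj[-n:] != ou_parts:
            continue
        if len(obj) == n + 1 or include_sub_ous:  # directly in the OU, or any depth below
            return True
    return False


def _norm(value):
    return value.strip().lower() if isinstance(value, str) and value.strip() else None


def match_object(source_obj, target_objs):
    """Return (target or None, pairing used or None, status) with status in
    'matched', 'ambiguous' or 'unmatched'. Pairings are tried in order; the first
    one producing any candidates decides, exactly as the OR semantics in the guide."""
    for src_attr, tgt_attr in MATCH_PAIRS:
        value = _norm(source_obj.get(src_attr))
        if value is None:
            continue
        candidates = [t for t in target_objs if _norm(t.get(tgt_attr)) == value]
        if len(candidates) == 1:
            return candidates[0], src_attr, "matched"
        if len(candidates) > 1:
            return None, src_attr, "ambiguous"
    return None, None, "unmatched"


def stage_users(source_objs, target_objs, scoped_ous, include_sub_ous=True):
    """Hypothetical staging report: for each in-scope source user, the planned action."""
    actions = {"matched": "update (password sync)", "ambiguous": "hold for review",
               "unmatched": "create as-is"}
    report = []
    for src in source_objs:
        if not in_scope(src["distinguishedName"], scoped_ous, include_sub_ous):
            continue
        target, pairing, status = match_object(src, target_objs)
        report.append({"source": src["sAMAccountName"],
                       "target": target["sAMAccountName"] if target else None,
                       "pairing": pairing, "action": actions[status]})
    return report


if __name__ == "__main__":
    for row in stage_users(SOURCE_USERS, TARGET_USERS, SCOPED_OUS):
        print(row)
```

Running the block lists Alice matched on sAMAccountName (not on mail, even though a second target shares her mail), Bob matched on cn because he lives in a sub-OU and his sAMAccountName differs, Dave staged for creation, and Erin held because two target objects share her mail; Carol is skipped because her OU is outside the scope. Passing `include_sub_ous=False` drops Bob from the report, which is the effect of leaving the INCLUDE ALL SUB OUS checkbox unchecked.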
