Rackspace Directory Sync Administrator's Guide
This article provides information regarding Rackspace Directory Sync. Included is information on how Directory Sync works with your Active Directory and local domains to sync to Rackspace Hosted Email. It includes useful information for administrators in their deployment and set up. Also includes Product Limitations, Password Requirements and Synchronized User Attributes.
Rackspace Directory Sync allows Rackspace Hosted Email customers to sync their local AD objects and user passwords with Rackspace Hosted Email cloud in real time. What does this mean for your organization?
- Same sign-on: Users enjoy remembering only one password for their local network access and their email accounts for a same sign-on experience.
- Ease of management: IT administrators benefit by adding and managing mail enabled objects directly in their Active Directory from a familiar Microsoft AD UI. Choose which user objects to sync. You can choose to sync as little as 1 user in your AD or all of them at the same time.
- Save time: For many larger organizations, Directory Sync service can save considerable effort and time when onboarding new employees and managing password policies.
- Business automation: Rackspace Directory Sync is built to use Rackspace Email cloud’s public REST APIs which makes automating business processes or preserving them simple.
- Secure: All data exchanged is SSL encrypted, and sync is one-way only.
- Cost effective: Rackspace Directory Sync is available at no additional cost.
Rackspace Directory Sync supports syncing of the following AD objects:
- Active Directory users' mailboxes
- Active Directory user passwords for Same Sign-On
- Active Directory contacts (for Hosted Exchange)
- Distribution groups (for Hosted Exchange)
Supported Rackspace Email platforms:
- Hosted Exchange 2010
- Hosted Exchange 2013
- Hosted Exchange Hybrid
- Rackspace Email
Supported AD Server platforms: Windows 2008, Windows 2008 R2, Windows 2012.
- Rackspace Directory Sync can only sync with Rackspace Email, Hosted Exchange 2010 and Hosted Exchange 2013.
- Synchronizes user passwords at the moment a password is changed. Passwords cannot be synchronized retroactively because they are unreadable from Active Directory. When first using Directory Sync, sync users' existing passwords cannot be synchronized, because the passwords are unreadable from Active Directory. Each user must change their password for Directory Sync to synchronize the change with their mailbox.
- Not LDAP compatible.
- Windows Server 2003 and Active Directory functionality level of 2003 is not supported.
Installation and Setup
See the Directory Sync Installation & Setup Guide to get started.
Restarting the Domain Controller
You must restart the domain controller during installation for the password sync to start working.
How Directory Sync Works
Directory Sync runs automatically without direct interaction. It synchronizes changes from your local directory to your email accounts every five minutes. You can also click Sync Now to synchronize immediately.
Directory Sync is one-way only. It does not synchronize information from Exchange or Rackspace Email back to your Active Directory. If you change any information, such as passwords, using Outlook Web App or Control Panel, your mailboxes will be out of sync with your AD.
Directory Sync will synchronize one local Active Directory domain with multiple email domains.
The domain names may be the same or different. You specify the local AD domain at set up.
Directory Sync uses Active Directory security groups to manage which objects are synchronized with your email service. If you use Hosted Exchange, create a new security group for all of your users that will be synchronized with Exchange mailboxes. If you use Hosted Email, create a new security group for all of your users that will be synchronized with Hosted Email mailboxes. If you use both Hosted Exchange and Email, you will have two security groups. Directory sync will create and manage mailboxes for all user objects that you add to the security groups.
Directory Sync associates AD User objects with email accounts by their Mail Attribute. The mail attribute is the email address property associated to the user.
Note: If upgrading to Version 1.4, you MUST UPDATE each user’s email address property to match the current email address.
Password Hook Sync
- Password Synchronization will occur after the user object has synced to the mailbox. Password changes will sync after this initial sync. Password changes occur on their own sync interval and with a higher priority than other sync sessions
- When you install Directory Sync, it cannot automatically sync existing passwords because they are unreadable from Active Directory. Users will continue to use their old email passwords. When a user manually changes their password, then DirSync will sync it with their mailbox. Assign user objects to email security groups before you change passwords. Otherwise, Directory Sync will not set the new passwords.
- When you create new mailboxes, those users must change passwords before they can access their email.
- If you manage your AD with multiple domain controllers, the Directory Sync Password Handler must be installed on all secondary DCs. This is used to synchronize password changes on secondary DCs to the Primary DC and then sync those changes to Rackspace Hosted Mail.
Distribution List Membership Sync. Sync users within distribution lists or security groups from Active Directory to distribution list membership within Email Control Panel. Directory Sync uses the group’s email address property to sync with the hosted Exchange distribution list.
Exchange Contacts. Sync Contact objects within the Active Directory to your Exchange Contacts within the Hosted Exchange environment. Within the Active Directory you will be able to set up the external email address the contact will forward to. Directory sync uses the contact object’s mail attribute to set this.
Alternate Email Addresses. The proxyAddresses attribute is used to create alternate email addresses (aliases) for our Exchange environment. If the user has the proxyAddresses attribute to include "SMTP: userA@example.net", then Directory Sync will add the address "userA@example.net" to our environment as an alias to that email address.
- Any address that begins with SMTP: in the proxyAddresses attribute will create an alternate email address associated to the user's mailbox.
- These addresses cannot include a domain alias in the address but can include either the primary domain or accepted domains.
- Alternate email addresses associated to domain aliases can be created using the primary domain. (For example, use "SMTP:userB@example.com" to create the alternate address 'userB@example.net'.)
- Accepted Domains are created with the full email address (including the domain). IE Use "SMTP:userA@example.org" to create alternate address 'userA@example.org'
- The Attribute Editor is visible in the Active Directory Users and Computer (ADUC) console with the Advanced Features enabled in the View tab.
- Domain aliases and accepted domains must be configured with the help of Email Support before configuring alternate addresses. If not, they will not sync correctly.
- During the initial set up, it is best to ensure the proxyAddresses attribute does not contain any domain aliases. If not, this will create errors during set up.
- Alternate Addresses work for Exchange Mailboxes only. They do not work with Distribution Lists or Contacts. Those must be done manually in the Email Control Panel.
User Password Requirements
User passwords must meet the following requirements. Directory Sync will not set an email password that does not meet these criteria. We recommend that you change your domain password rules to meet or exceed these:
- Must be at least 8 characters
- Cannot include your username, display name, or full name
- No more than 2 consecutive characters(For example: 567, 1234, 98765)
- Must contain 3 of the 4 character groups:
- uppercase characters
- lowercase characters
- numerals 0-9
- non-alphabetic characters (such as !, $, #, %).
- Passwords must contain at least 6 characters
- Passwords cannot contain:
- 3 or more consecutive numerals (For example: 567, 1234, 98765)
- The word “password”
- The mailbox user name
- The mailbox domain name
You do not have to open any inbound ports form the internet to your domain controllers.
Enable the following ports on the Directory Sync server:
- 443 –Outbound HTTPS connections from Directory Sync service to Rackspace API.
- 8732 – Open for connections from other domain controllers to the Directory Sync server. Not used for any connections outside your network. This port is used by domain controller password hooks.
- 8080 – Only used locally on Directory Sync service machine for web browser. You may block this port for any external connections.
Communications between Directory Sync and Rackspace is secured through HTTPS. Communications between the Active Directory password hook and Directory Sync is secured with Microsoft WCF Transport Security which uses Windows Authentication and encryption.
Synchronized User Attributes
Directory Sync will synchronize the following user attributes with Exchange and Rackspace Email mailboxes. Some attributes differ between Rackspace and Exchange mailboxes.
List Format: Email Attribute: ADSI property (limitations)
- Email Address: mail
- Password: password
- Display Name: displayName
- Last Name: sn
- First Name: givenName
- Generation Qualifier: generationQualifier (Rackspace Email only)
- Initials: initials (Rackspace Email only)
- Organization Unit: o (Rackspace Email only)
- Business Number: telephoneNumber
- Pager Number: pager
- Home Number: homePhone
- Mobile Number: mobile
- FAX Number: facsimileTelephoneNumber
- Home FAX Number: otherFacsimileTelephoneNumber (Rackspace Email only)
- Street: streetAddress
- City: l
- State: st
- Postal Code: postalCode
- Country: co
- Title: title
- User ID: employeeID (Rackspace Email only)
- Employee Type: employeeType (Rackspace Email only)
- User Account Control: userAccountControl
- Company: company (Exchange only)
- Department: department (Exchange only)
- Proxy Addresses: proxyAddresses (Exchange only)
- Office: physicalDeliveryOfficeName (Exchange only)
© 2011-2013 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License
See license specifics and DISCLAIMER