
Rackspace Directory Sync Administrator's Guide


Product Limitations

  • Synchronizes user passwords only at the moment a password is changed in Active Directory. Existing passwords cannot be read from AD, so they cannot be synchronized retroactively: when you first deploy Directory Sync, each user must change their password before it is synchronized to their mailbox.
  • Not LDAP compatible: Directory Sync works only with Active Directory, not with other LDAP directories.
  • Windows Server 2003 and the 2003 Active Directory functional level are not supported.

 

Installation and Setup

See the Directory Sync Installation & Setup Guide to get started.

Restarting the Domain Controller

You must restart each domain controller on which the password hook is installed; password sync does not start until the restart.

 

How Directory Sync Works

Directory Sync runs automatically without direct interaction. It synchronizes changes from your local Active Directory to your email accounts every five minutes. Click the "Sync Now" button to synchronize immediately.

Directory Sync is one-way only. It does not synchronize information from Exchange or Rackspace Email back to your Active Directory. If you change any information, such as passwords, using Outlook Web App or Control Panel, your mailboxes will be out of sync with your AD.

Domain Names

Directory Sync will synchronize one local Active Directory domain with multiple email domains.

The domain names may be the same or different. You specify the local AD domain at set up.

Security Groups

Directory Sync uses Active Directory security groups to manage which objects are synchronized with your email service. If you use Hosted Exchange, create a new Security Group for all of your users that will be synchronized with Exchange mailboxes. If you use Hosted Email, create a new Security Group for all of your users that will be synchronized with Hosted Email mailboxes. If you use both Hosted Exchange and Email, you will have two security groups. Directory sync will create and manage mailboxes for all user objects that you add to the security groups.

User Mailboxes

Directory Sync associates AD User objects with email accounts by their mail attribute, the email address property of the user.

*Note: If upgrading to Version 1.4, you MUST UPDATE each user’s email address property to match the current email address.

Password Hook Sync

You must install a password hook on each Domain Controller. The password hook can synchronize user passwords only at the moment the password is changed in AD.

When you install Directory Sync, it cannot automatically sync existing passwords because they are unreadable from Active Directory. Users continue to use their old email passwords until they change their password in AD, at which point Directory Sync synchronizes the new password with their mailbox.

 

Normal Operation

Assign user objects to email security groups before you change passwords. Otherwise, Directory Sync will not set the new passwords.

When you create new mailboxes, those users must change passwords before they can access their email.

Distribution List Membership Sync. Sync users within distribution lists or security groups from Active Directory to distribution list membership within the Email Control Panel. Directory Sync uses the group's email address property (mail attribute) to match the hosted Exchange distribution list.

Exchange Contacts. Sync Contact objects within Active Directory to your Exchange Contacts within the Hosted Exchange environment. In Active Directory you set the external email address the contact forwards to; Directory Sync uses the contact object's mail attribute for this.

Important Notes:

  • The Active Directory property that represents the user's identity in Email and Apps has changed from previous versions. Instead of userPrincipalName, Directory Sync now uses (and requires) the mail attribute of the Active Directory user object. Before upgrading to this version, ensure that every Active Directory user to be synced has the mail attribute set correctly.

 

Add a new mailbox:

  1. Create new User object in AD.
  2. Set the User’s email address property (mail Attribute) to the desired email address
  3. Add the new User to the email security Group.
  4. Ask the user to change passwords.

*Note: Directory Sync will create a mailbox for the user and synchronize the user's new password. The email address will be based on the user's email address property (mail Attribute)

 

Create a mailbox for an existing user:

  1. Ensure that the user’s email address property (mail attribute) matches the email address.
  2. Add the User object to the email security group.
  3. Ask the user to change passwords.

*Note: Directory Sync will create a mailbox for the user and synchronize the user's new password. The email address will be based on the user's email address property (mail attribute), not the UPN.

 

Connect an existing user with an existing mailbox:

  1. Verify that the user object’s email address property (mail attribute) is the same as the email address.
  2. Add the User object to the email security group.
  3. Ask the user to change passwords.

*Note: Directory Sync will synchronize the new password with the mailbox.

 

Remove a user mailbox

  1. Remove the user from the email security Group. 
    *Note: Directory Sync will disable the user’s mailbox.
  2. Go to the administration Control Panel.
  3. Confirm the mailbox is disabled.
  4. Delete the mailbox.

*Note: Directory Sync does not automatically delete mailboxes to prevent accidental deletions.
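The four mailbox procedures above (add a new mailbox, create a mailbox for an existing user, connect an existing user with an existing mailbox, remove a user mailbox), as an added PowerShell example. This is not code from the Rackspace guide or from the Directory Sync product; it assumes the RSAT ActiveDirectory module on a domain-joined admin workstation, and the group name, OU, UPN suffix and function names are placeholders of this example's own.

```powershell
# Added example, not part of the Rackspace Directory Sync guide.
# Assumes: RSAT ActiveDirectory module; the group, OU and UPN suffix below are placeholders.
Import-Module ActiveDirectory

$MailboxGroup = 'DirSync-Exchange-Users'        # security group selected in Directory Sync Settings (assumed name)
$UserOU       = 'OU=Staff,DC=corp,DC=example'   # placeholder OU
$UpnSuffix    = 'corp.example'                  # placeholder AD domain

function New-SyncedMailboxUser {
    # "Add a new mailbox": create the user with mail set, put it in the group,
    # then force a password change so the password hook has something to capture.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$EmailAddress,          # written to the mail attribute
        [Parameter(Mandatory)][securestring]$InitialPassword
    )
    $user = New-ADUser -Name "$GivenName $Surname" -SamAccountName $SamAccountName `
        -GivenName $GivenName -Surname $Surname -DisplayName "$GivenName $Surname" `
        -UserPrincipalName "$SamAccountName@$UpnSuffix" -EmailAddress $EmailAddress `
        -Path $UserOU -AccountPassword $InitialPassword -Enabled $true `
        -ChangePasswordAtLogon $true -PassThru
    # Group membership must exist before the password change, otherwise the new
    # password is not pushed to the mailbox (see "Normal Operation").
    Add-ADGroupMember -Identity $MailboxGroup -Members $user
    return $user
}

function Connect-UserToMailbox {
    # "Create a mailbox for an existing user" and "Connect an existing user with an
    # existing mailbox": both key on the mail attribute, so it is verified first.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$EmailAddress
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties mail
    if ($user.mail -ne $EmailAddress) {
        Write-Warning "$SamAccountName has mail='$($user.mail)'; setting it to $EmailAddress before syncing"
        Set-ADUser -Identity $user -EmailAddress $EmailAddress
    }
    Add-ADGroupMember -Identity $MailboxGroup -Members $user
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true   # the user must change password to get email access
}

function Disable-SyncedMailbox {
    # "Remove a user mailbox": leaving the group makes Directory Sync disable the
    # mailbox; deletion is deliberately left to the Control Panel.
    param([Parameter(Mandatory)][string]$SamAccountName)
    Remove-ADGroupMember -Identity $MailboxGroup -Members $SamAccountName -Confirm:$false
}

# Usage (placeholder values):
# $pw = Read-Host -AsSecureString 'Initial password'
# New-SyncedMailboxUser -SamAccountName jdoe -GivenName Jane -Surname Doe -EmailAddress jane.doe@example.com -InitialPassword $pw
# Connect-UserToMailbox -SamAccountName bsmith -EmailAddress bob.smith@example.com
# Disable-SyncedMailbox -SamAccountName jdoe
```

The ordering inside each function is the point: mail attribute first, group membership second, password change last, which is the order the guide's steps require and the order that is easy to get wrong when the three are done by hand in ADUC.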

 

Create a Distribution List

  1. Create a Group within Active Directory (or use an existing group). The group can be either a Security Group or a Distribution List in AD; Directory Sync does not distinguish between the two types.
  2. Set the group email address (mail attribute).
     a. For a new distribution list, provide an email address before subscribing the group to the Hosted Exchange security group.
     b. For a distribution list that already exists in Active Directory, add an email address if it doesn't exist, or update the email address to match the address in the Control Panel before syncing. If the email address does not match the Control Panel, a new distribution list will be created.
  3. Subscribe the group from step 1 to the Hosted Exchange group specified in the Directory Sync Settings. You must set the email address in step 2 before you subscribe the group to the Hosted Exchange security group.

* Note: In order for memberships of the distribution list created in step one to sync as members of the distribution list in the control panel, the members must also be subscribed to either the Hosted Exchange group or the Hosted Email group specified in the Directory Sync Settings. 
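The distribution list procedure above, as an added PowerShell example (not code from the Rackspace guide or the Directory Sync product). It creates the group with the mail attribute already set, subscribes it, and then reports list members who are not themselves in a sync group, which is the condition in the note above. It assumes the RSAT ActiveDirectory module; group names, OU and function names are placeholders of this example's own.

```powershell
# Added example, not part of the Rackspace Directory Sync guide.
# Assumes: RSAT ActiveDirectory module; group names and OU are placeholders.
Import-Module ActiveDirectory

$HostedExchangeGroup = 'DirSync-Exchange-Users'                                  # assumed name from Directory Sync Settings
$SyncGroups          = @($HostedExchangeGroup, 'DirSync-RackspaceEmail-Users')   # drop the second if you only use Exchange

function New-SyncedDistributionList {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$EmailAddress,    # must match the Control Panel address for an existing list
        [string]$Path = 'OU=Groups,DC=corp,DC=example', # placeholder OU
        [string[]]$Members = @()
    )
    # Step 2 before step 3: the guide requires the address to exist before the
    # group is subscribed. Setting it at creation time guarantees the order.
    # Global scope so the group can be nested in the hosted group whatever its scope.
    $group = New-ADGroup -Name $Name -SamAccountName $Name -GroupCategory Distribution `
        -GroupScope Global -Path $Path -OtherAttributes @{ mail = $EmailAddress } -PassThru
    if ($Members.Count -gt 0) { Add-ADGroupMember -Identity $group -Members $Members }
    Add-ADGroupMember -Identity $HostedExchangeGroup -Members $group     # step 3: subscribe
    return $group
}

function Get-UnsyncedListMembers {
    # Users in the list who are not themselves in a sync group will be missing
    # from the hosted list. Direct membership is checked, because the guide does
    # not say whether nested membership counts as being subscribed.
    param([Parameter(Mandatory)][string]$ListName)
    $subscribed = foreach ($g in $SyncGroups) {
        Get-ADGroupMember -Identity $g | ForEach-Object { $_.distinguishedName }
    }
    Get-ADGroupMember -Identity $ListName |
        Where-Object { $_.objectClass -eq 'user' -and $subscribed -notcontains $_.distinguishedName } |
        Select-Object name, samAccountName, distinguishedName
}

# Usage (placeholder values):
# New-SyncedDistributionList -Name 'Sales-Team' -EmailAddress 'sales@example.com' -Members 'jdoe','bsmith'
# Get-UnsyncedListMembers -ListName 'Sales-Team'   # returns nothing once every member is in a sync group
```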

 

Delete a Distribution List

  1. Remove the Distribution List group from the Hosted Exchange security group specified in the Directory Sync Settings.

*Note: After the next synchronization, the distribution list will be deleted from the Email Control Panel.

 

Create a Contact (Exchange)

  1. Create a Contact object within the Active Directory. 
    *Note: While initially creating the contact, the Display Name within the object will create the Display Name within the Email Control Panel for the Contact
  2. Once the Contact object is made, set the email address. The email address will point to the external email address of the contact.
  3. Subscribe the new contact to the Hosted Exchange group specified in the Directory Sync Settings.

*Note: The objectGUID attribute of the contact is used as the username for the contact within the Email Control Panel. AD assigns this value automatically, so you do not need to create one; it is how Directory Sync references the contact through the Rackspace API.

*Customers with multiple email domains will need to set the otherMailBox attribute of the contact object to the domain to sync. Only the desired domain needs to be set in this attribute.

 

Delete a Contact (Exchange)

  1. Remove the Contact from the Hosted Exchange security group specified in the Directory Sync Settings.

*Note: After the next synchronization, the contact will be deleted from the Email Control Panel.
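The "Create a Contact" and "Delete a Contact" procedures above, as an added PowerShell example (not code from the Rackspace guide or the Directory Sync product). It assumes the RSAT ActiveDirectory module; the group name, OU and function names are placeholders of this example's own. The multi-domain attribute the guide calls otherMailBox is written under its LDAP name, otherMailbox.

```powershell
# Added example, not part of the Rackspace Directory Sync guide.
# Assumes: RSAT ActiveDirectory module; group name and OU are placeholders.
Import-Module ActiveDirectory

$HostedExchangeGroup = 'DirSync-Exchange-Users'   # assumed name from Directory Sync Settings

function New-SyncedContact {
    param(
        [Parameter(Mandatory)][string]$DisplayName,       # becomes the Control Panel display name
        [Parameter(Mandatory)][string]$ExternalAddress,   # mail attribute: where mail to the contact is forwarded
        [string]$SyncDomain,                              # otherMailBox: only for customers with several email domains
        [string]$Path = 'OU=Contacts,DC=corp,DC=example'  # placeholder OU
    )
    $attrs = @{ mail = $ExternalAddress; displayName = $DisplayName }
    if ($SyncDomain) { $attrs['otherMailbox'] = $SyncDomain }   # LDAP name of the attribute the guide calls otherMailBox
    $contact = New-ADObject -Name $DisplayName -Type contact -Path $Path -OtherAttributes $attrs -PassThru

    # Add-ADGroupMember only accepts security principals, and a contact is not
    # one, so the membership is written to the group's member attribute directly.
    Set-ADGroup -Identity $HostedExchangeGroup -Add @{ member = $contact.DistinguishedName }

    # objectGUID is assigned by AD and is the name Directory Sync uses for the
    # contact in the Control Panel; return it alongside what was written.
    Get-ADObject -Identity $contact -Properties objectGUID, mail, otherMailbox, displayName
}

function Remove-SyncedContact {
    # "Delete a Contact": leaving the group removes it from the Control Panel at the next sync.
    param([Parameter(Mandatory)][string]$ContactDN)
    Set-ADGroup -Identity $HostedExchangeGroup -Remove @{ member = $ContactDN }
}

# Usage (placeholder values):
# $c = New-SyncedContact -DisplayName 'Acme Support' -ExternalAddress 'support@acme.example' -SyncDomain 'example.com'
# Remove-SyncedContact -ContactDN $c.DistinguishedName
```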

 

Change the external email address of a Contact (Exchange)

  1. Remove the Contact from the Hosted Exchange security group set in the DirSync Settings.
  2. Allow the Directory Sync Tool to synchronize the new changes. Either a manual or an automatic sync will synchronize the new changes.
  3. Change the email address of the contact object
  4. Add the contact object back to the Hosted Exchange security group and sync.

 

Rename a Hosted Service Security Group

  1. In Settings page, select “Do Not Sync” from the email service list and click “Save & Start Sync”.
  2. In Active Directory, rename the security group and the pre-Windows 2000 group name. The group name and pre-Windows 2000 group name must be identical.
  3. Back in the Settings page, select the new group name from the list, click “Save & Start Sync”.

  

Security

User Password Requirements

User passwords must meet the following requirements. Directory Sync will not set an email password that does not meet these criteria. We recommend that you change your domain password rules to meet or exceed these:

Exchange:

Must be at least 8 characters

Cannot include your username, display name, or full name

Must contain 3 of the 4 character groups:

  • uppercase characters
  • lowercase characters
  • numerals 0-9
  • non-alphabetic characters (such as !, $, #, %).

Rackspace Email:

Passwords must contain at least 6 characters

Passwords cannot contain:

  • 3 or more consecutive numerals (e.g. 567, 1234, 98765)
  • The word “password”
  • The mailbox user name
  • The mailbox domain name
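The two rule sets above, as an added PowerShell example (not code from the Rackspace guide or the Directory Sync product). It checks a proposed password against the Exchange and Rackspace Email rules before a user changes it in AD, and compares the domain's default password policy with the Exchange minimums as the recommendation above suggests. Function names are this example's own, and the "consecutive numerals" rule is read as sequential runs (567, 98765), which is what the guide's examples show.

```powershell
# Added example, not part of the Rackspace Directory Sync guide.
# Assumes: RSAT ActiveDirectory module (only for the domain policy check).
Import-Module ActiveDirectory

function Test-SequentialDigits {
    param([string]$Text)
    # True when three digits in a row step by exactly +1 or -1 (567, 1234, 98765).
    # Change the condition to '^\d{3}$' alone if you want any three digits in a row.
    for ($i = 0; $i -le $Text.Length - 3; $i++) {
        $w = $Text.Substring($i, 3)
        if ($w -match '^\d{3}$') {
            $d1 = [int]$w[1] - [int]$w[0]
            $d2 = [int]$w[2] - [int]$w[1]
            if (($d1 -eq 1 -or $d1 -eq -1) -and $d2 -eq $d1) { return $true }
        }
    }
    return $false
}

function Test-ExchangePasswordRules {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$UserName,      # sAMAccountName
        [string]$DisplayName = ''
    )
    $problems = @()
    if ($Password.Length -lt 8) { $problems += 'fewer than 8 characters' }
    # The username plus each display-name token of 3+ characters; -match is case-insensitive.
    $tokens = @($UserName) + @($DisplayName -split '[\s,.\-]+' | Where-Object { $_.Length -ge 3 })
    foreach ($t in $tokens) {
        if ($Password -match [regex]::Escape($t)) { $problems += "contains name part '$t'" }
    }
    # Four groups: upper, lower, digits, and symbols (the guide's "non-alphabetic" examples are symbols).
    $classes = 0
    foreach ($pattern in '[A-Z]', '[a-z]', '[0-9]', '[^A-Za-z0-9]') {
        if ($Password -cmatch $pattern) { $classes++ }
    }
    if ($classes -lt 3) { $problems += "only $classes of 4 character groups" }
    return $problems   # empty means the password is acceptable
}

function Test-RackspaceEmailPasswordRules {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$MailboxAddress   # user@domain
    )
    $user, $domain = $MailboxAddress -split '@', 2
    $problems = @()
    if ($Password.Length -lt 6) { $problems += 'fewer than 6 characters' }
    if (Test-SequentialDigits $Password) { $problems += '3 or more consecutive numerals' }
    foreach ($forbidden in 'password', $user, $domain) {
        if ($forbidden -and $Password -match [regex]::Escape($forbidden)) { $problems += "contains '$forbidden'" }
    }
    return $problems
}

function Compare-DomainPolicyToExchangeRules {
    # Windows password complexity enforces three of four character classes and
    # rejects passwords containing the account or display name, which covers the
    # Exchange rules. The Rackspace Email rules (the word "password", sequential
    # digits, mailbox domain) have no equivalent domain-policy setting.
    $p = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        MinPasswordLength = $p.MinPasswordLength
        LengthOk          = $p.MinPasswordLength -ge 8
        ComplexityEnabled = $p.ComplexityEnabled
    }
}

# Usage (placeholder values):
# Test-ExchangePasswordRules -Password 'Summer2019!' -UserName jdoe -DisplayName 'Jane Doe'
# Test-RackspaceEmailPasswordRules -Password 'jdoe1234' -MailboxAddress 'jdoe@example.com'
# Compare-DomainPolicyToExchangeRules
```

A password that fails either check is rejected by Directory Sync rather than by AD, so the user ends up with a working Windows password and a stale email password; running the check before the change, or tightening the domain policy so AD rejects it first, avoids that silent divergence.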

 

Network Ports

You do not have to open any inbound ports from the internet to your domain controllers.

Enable the following ports on the Directory Sync server:

  • 443 – Outbound HTTPS connections from the Directory Sync service to the Rackspace API.
  • 8732 – Inbound connections from your domain controllers to the Directory Sync server; used by the domain controller password hooks. Not used for any connections outside your network.
  • 8080 – Used only locally on the Directory Sync service machine for the web browser UI. You may block this port for all external connections.
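The port list above turned into host firewall rules, as an added PowerShell example (not code from the Rackspace guide or the Directory Sync product). It is meant to run on the Directory Sync server as an administrator; it assumes the NetSecurity and ActiveDirectory modules, and the rule names and the test function are this example's own. Port 8732 is restricted to the domain controllers that run the password hook rather than left open to the whole network.

```powershell
# Added example, not part of the Rackspace Directory Sync guide.
# Run on the Directory Sync server as administrator. Assumes the NetSecurity and
# ActiveDirectory modules; rule names are this example's own.
Import-Module NetSecurity
Import-Module ActiveDirectory

# 8732: allow only from the domain controllers, resolved at rule creation time.
# Re-run after adding a DC, or that DC's password hook cannot deliver changes.
$dcAddresses = (Get-ADDomainController -Filter *).IPv4Address
New-NetFirewallRule -DisplayName 'DirSync - password hook from DCs (8732/tcp)' `
    -Direction Inbound -Protocol TCP -LocalPort 8732 `
    -RemoteAddress $dcAddresses -Profile Domain -Action Allow

# 8080: the local web UI. A Block rule wins over any Allow rule, so this stops
# remote access even if a broad allow rule exists. Confirm afterwards that a
# browser on the server itself can still open the UI.
New-NetFirewallRule -DisplayName 'DirSync - block remote web UI (8080/tcp)' `
    -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Block

# 443 outbound to the Rackspace API. Default outbound is allow; this rule only
# matters if you enforce outbound filtering on this host.
New-NetFirewallRule -DisplayName 'DirSync - API HTTPS out (443/tcp)' `
    -Direction Outbound -Protocol TCP -RemotePort 443 -Action Allow

function Test-DirSyncPorts {
    # Run from a domain controller to confirm the intended exposure.
    param([Parameter(Mandatory)][string]$DirSyncServer)
    $hook = Test-NetConnection -ComputerName $DirSyncServer -Port 8732 -WarningAction SilentlyContinue
    $ui   = Test-NetConnection -ComputerName $DirSyncServer -Port 8080 -WarningAction SilentlyContinue
    [pscustomobject]@{
        HookPortReachableFromDC = $hook.TcpTestSucceeded   # expected: True
        WebUiReachableRemotely  = $ui.TcpTestSucceeded     # expected: False
    }
}

# Usage (placeholder hostname):
# Test-DirSyncPorts -DirSyncServer dirsync01.corp.example
```

Running Test-DirSyncPorts from a workstation that is not a domain controller should report both ports unreachable; only the DCs need 8732.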

 

Network Encryption

Communications between Directory Sync and Rackspace are secured with HTTPS. Communications between the Active Directory password hook and Directory Sync are secured with Microsoft WCF transport security, which uses Windows authentication and encryption.

 

Synchronized User Attributes

Directory Sync will synchronize the following user attributes with Exchange and Rackspace Email mailboxes. Some attributes differ between Rackspace and Exchange mailboxes.

List Format: Email Attribute: ADSI property (limitations)

  • Email Address: mail
  • Password: (delivered by the password hook at the moment of change; not readable from AD)
  • Display Name: displayName
  • Last Name: sn
  • First Name: givenName
  • Generation Qualifier: generationQualifier (Rackspace Email only)
  • Initials: initials (Rackspace Email only)
  • Organization Unit: o (Rackspace Email only)
  • Business Number: telephoneNumber
  • Pager Number: pager
  • Home Number: homePhone
  • Mobile Number: mobile
  • FAX Number: facsimileTelephoneNumber
  • Home FAX Number: otherFacsimileTelephoneNumber (Rackspace Email only)
  • Street: streetAddress
  • City: l
  • State: st
  • Postal Code: postalCode
  • Country: co
  • Title: title
  • User ID: employeeID (Rackspace Email only)
  • Employee Type: employeeType (Rackspace Email only)
  • User Account Control: userAccountControl
  • Company: company (Exchange only)
  • Department: department (Exchange only)
  • Proxy Addresses: proxyAddresses (Exchange only)
  • Office: physicalDeliveryOfficeName (Exchange only)
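A pre-sync audit over the attribute list above, as an added PowerShell example (not code from the Rackspace guide or the Directory Sync product). It also serves the upgrade note under "Important Notes": it lists every user in the sync groups who has no mail attribute, users sharing the same address (ambiguous, since the mail attribute is the key), disabled accounts still in a group, and a preview of the attributes that will be synchronized. It assumes the RSAT ActiveDirectory module; group names and function names are placeholders of this example's own.

```powershell
# Added example, not part of the Rackspace Directory Sync guide.
# Assumes: RSAT ActiveDirectory module; group names are placeholders.
Import-Module ActiveDirectory

$SyncGroups = @('DirSync-Exchange-Users', 'DirSync-RackspaceEmail-Users')   # assumed names from Directory Sync Settings

# ADSI property names from the table above (Rackspace-only and Exchange-only ones included).
$SyncedProperties = @(
    'mail','displayName','sn','givenName','generationQualifier','initials','o',
    'telephoneNumber','pager','homePhone','mobile','facsimileTelephoneNumber',
    'otherFacsimileTelephoneNumber','streetAddress','l','st','postalCode','co',
    'title','employeeID','employeeType','userAccountControl','company',
    'department','proxyAddresses','physicalDeliveryOfficeName'
)

function Get-SyncGroupUsers {
    # Every user object that is a direct member of a sync group, with the
    # attributes Directory Sync would read for it.
    foreach ($g in $SyncGroups) {
        Get-ADGroupMember -Identity $g |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties $SyncedProperties |
            Select-Object -Property (@('SamAccountName','Enabled') + $SyncedProperties) |
            Add-Member -NotePropertyName SyncGroup -NotePropertyValue $g -PassThru
    }
}

function Get-SyncAudit {
    $users    = @(Get-SyncGroupUsers)
    $noMail   = $users | Where-Object { -not $_.mail }                  # will not be matched to a mailbox
    $dupes    = $users | Where-Object mail | Group-Object mail | Where-Object Count -gt 1
    $disabled = $users | Where-Object { -not $_.Enabled }               # userAccountControl is synced too
    [pscustomobject]@{
        Total           = $users.Count
        MissingMail     = $noMail.SamAccountName
        DuplicateMail   = $dupes.Name
        DisabledInGroup = $disabled.SamAccountName
        Users           = $users
    }
}

# Usage:
# $audit = Get-SyncAudit
# $audit | Select-Object Total, MissingMail, DuplicateMail, DisabledInGroup
# $audit.Users | Export-Csv -NoTypeInformation -Path .\dirsync-preview.csv   # review before "Save & Start Sync"
```

Fix every entry in MissingMail before the first sync or the version upgrade; a user without a mail attribute cannot be matched to a mailbox, so their later password change has nowhere to go.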

 







© 2011-2013 Rackspace US, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License

