Rackspace Directory Sync Installation and Set-Up Procedures
Functional Level of Domain Controller and Active Directory
- Windows 2008 Server
- Windows 2008 Server R2
- Windows 2012
- Directory Sync Service Must Be Installed directly on your domain controller.
- After Installation, Directory Sync Cannot automatically sync existing passwords because they are unreadable from the Active Directory. Passwords must be reset after installation to ensure password sync.
- Directory Sync is compatible with Hosted Exchange 2010, Hosted Exchange 2013, and Rackspace Email only.
NET Framework version 4.0 on the target domain controller and any other domain controllers in the forest. You can download the appropriate .NET framework from the Microsoft Download Center.
You do not have to open any inbound ports from the internet to your domain controllers.
Enable the following ports on the Directory Sync server:
- 443 –Outbound HTTPS connections from Directory Sync service to Rackspace API.
- 8732 – Open for connections from other domain controllers to the Directory Sync server. Not used for any connections outside your network. This port is used by domain controller password hooks.
- 8080 – Only used locally on Directory Sync service machine for web browser user interface. You may block this port for any external connections.
Communications between Directory Sync and Rackspace is secured through HTTPS.
Communications between the Active Directory password hook and Directory Sync is secured with Microsoft WCF Transport Security which uses Windows Authentication and encryption.
The installation files can be found while logged into either cp.rackspace.com or into the my.rackspace.com; depending on how you normally log in.
Admins that log into my.rackspace.com (Must be logged in as primary contact)
- Click the Products Tab and select Email and Apps from the dropdown.
- Click on your domain and the Directory Sync installers will be located on the right hand column.
Admins that log into cp.rackspace.com (Must have Super Admin permission)
- While on the home page, click Domains. This will take you to the Domains Home page
- Click on the Tools, and then select the Directory Sync Tab
- The installers are listed at the bottom of the page.
Choose the appropriate installer, based on either 32 or 64 bit platforms.
- Directory Sync Service x64.msi
- Directory Sync Service x86.msi
See the Rackspace Directory Sync Administrator's Guide to learn more about the features and how to use it after installation.
Directory Sync Service Installation
Copy the appropriate, platform specific, Directory Sync Service .msi file to the domain controller.
There are two services that are installed with the Directory Sync System, the Directory Sync Service and the Password Hook. The Directory Sync Service is a Windows service which automatically synchronizes user information and requires a local service account under which to run. The Password Sync Service is a password handler which automatically synchronizes user password changes.
NOTE: The Directory Sync Service will run as the “Local System account” on the domain controller.
Follow the prompts for installing Directory Sync Service.
1. Click Next to begin the Directory Sync Service Setup Wizard.
2. Click Install.
3. You will have to restart your system for the changes to take effect. Click Yes if you wish to restart now.
4. Upon restart, install will continue. Click Install
5. Click Finish to complete the install process.
6. The web user interface for validation and synchronization will automatically launch when installation completes. A shortcut to the web UI will be created on both the Start Menu and on the Desktop.
Directory Sync Service Validation & Synchronization
- Within the Windows Services management console will be a new service called Directory Sync Service. The installation will auto start the service.
- If any errors occur when attempting to start the service, view the event log for more information about the error.
- It is highly advised to create new security groups in AD that will manage the list of synced users for each hosted service. For example, if you are synchronizing Exchange Users please create a new security group in AD as Rackspace Exchange or Rackspace Hosted Exchange.
To start synchronizing active directory changes with Rackspace, the Directory Sync Service must be configured. Open the Directory Sync Service administrative web application.
1. Sync Registration Page: Enter your Control Panel Admin ID and Password associated with your Rackspace Email & Apps account and click Register.
- Customers that log into my.rackspace.com will automatically create an admin id through the MyRack Customer Portal prior to download
- Customers that log into cp.rackspace.com are advised to create a new admin id dedicated to the sync service.
2. Local AD Domain: Verify that the appropriate local active directory domain is selected.
3. Hosted Exchange: Select the appropriate Security Group to be synced with Microsoft Exchange mailboxes.
4. Hosted Email: Select the appropriate Security Group to be synced with Rackspace Email mailboxes.
5. Administrator email: All alerts will be sent to this email address.
6. Time to Send Summary Email: Set the time a summary report of changes synced with your active directory will be sent to the Administrator email address. By default, this will be set to 08:00.
7. Click Save & Start Sync to begin a Full Sync.
There are two types of synchronization:
- Full Sync: This sync will find all items available for synchronization in the entire directory. This sync type only initiates on the first sync process.
- Delta Sync: This sync will find changes available for synchronization in active directory that occurred since the last synchronization. This sync type will run automatically every 5 minutes by default but can also be performed manually. To manually run a Delta Sync, click on the Sync History tab and click the button Sync Now.
NOTE: No changes are EVER made by the Directory Sync Service to the directory; all access is read-only.
Synchronizing Users and Groups
Please check out the Directory Sync Operations Guide on how to start synchronizing your AD objects to your mailboxes and distribution lists.
Optional Multiple Domain Controllers Password Synchronization Installation
The main installer for Directory Sync is installed on 1 Domain Controller (DC) that will communicate directly to Rackspace. The DC communicates through Rackspace's API to the Rackspace Email and Apps Control Panel over an HTTPS connection on port 443. This DC or Primary DC will include the Directory Sync User Interface and where Directory Sync is configured.
If you have multiple DCs to manage the Active Directory, the Password Handler must be installed on all DCs not including the Primary DC (the primary DC already has this installed during initial set up). Normally, password changes in a network occur locally and then are replicated to the other DCs. Directory Sync is unable to see those password changes after replication due to encryption. To ensure password changes are synchronized, each DC will require the Password Handler to be installed directly. This will require each DC to restart.
Password changes made in the other DCs are delivered to the Primary DC over port 8732. Multiple DCs will communicate internally to the Primary DC and will not send any password changes outside of the network. All password syncs are funneled through the Primary DC and then synchronized to Rackspace.
Where to find the installation Files?
During the Installation, the Directory Sync Password Handler Install folder is created on the desktop. This installer allows you to synchronize your users' passwords across multiple domain controllers.
The .msi file within the folder should be installed on the secondary domain controllers only.
This process applies to multiple domain controllers; it can be more than two. Repeat these steps for each additional domain controller in the AD forest. Below are the steps needed to complete the install of all other domain controllers in the AD forest.
Note: YOU MUST RESTART EACH DOMAIN CONTROLLER TO COMPLETE THIS PROCESS. PLEASE PERFORM THIS ACTION DURING OFF HOURS.
1. Copy the msi file to the new domain controller.
2. Double click the install file. A window will appear click the next and install button to start.
3. After a minute to 3 minutes it will complete and ask you to restart your DC.
4. After restart the installer will start up to finish the installation.
5. Click the final Install button and finish and it will finish installing the Password Handler.
At this time you have successfully installed the Password Handler of Directory Sync
Please ensure that you install this on the secondary DC of your Domain not the Primary.
This application will run in the background there will be no Settings screen as this looks to the primary program installed on the first DC.
© 2011-2013 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License
See license specifics and DISCLAIMER