Prepare Directory Servers: Active Directory (with or without Exchange)
Created: 2012-04-20 08:09:59Modified: 2022-04-06 11:11:14
Tags: Active Directory Exchange 20xx System Requirements UnitySync
The smallest element of Active Directory (AD) is the domain. Each domain is controlled by a domain controller. This domain controller stores user account information, permissions and some basic contact information for that domain. A domain is always part of only one greater forest. A forest is comprised of one or more domains. Within the forest, domains automatically set up trust relationships so they can assign permissions between the domains.
Domains (individual domain controllers, or DC’s) do not store information from other domains. However, each domain maintains a least one complete database of information from all the forest’s domains. This is called the global catalog server (GC).
Both a domain controller and a global catalog server are separate LDAP servers:
- Domain Controller: port 389 (SSL 636)
- Global Catalog: port 3268 (SSL 3269)
If you would like to read only one domain’s worth of information you can connect directly to that DC. If you need to read from many domains (whole forest) you’ll need to read from a GC (a DC that contains the GC).
The GC ports are read only. UnitySync can only write to DC ports 389 or 636.
Active Directory with Exchange
Exchange is a mail server. It uses Active Directory to store its configuration data, account information etc. When Exchange is loaded on AD, it modifies the LDAP schema of AD to add Exchange specific attributes. When syncing what you are really doing is reading/writing to the underlying AD DC’s. When writing to an AD Destination (and this includes one with Exchange loaded), you must still specify the IP address of a DC, not the Exchange Server itself.
When creating a new UnitySync connection, the Destination Map Template you select determines if the AD objects created will include Exchange attributes (i.e., be mail enabled). If you want your UnitySync connection to create Exchange mail enabled objects, choose a Destination map template that includes mail enabled in the template name.
Configuring Active Directory Login ID
Setting up a UnitySync Account
You will need to create an account that will be used by our programs to read and/or write to your directory. It is preferred that your UnitySync credentials be granted domain admin priveleges; if you are not able to provide domain admin, apply Special Permissions as outlined in this knowledge base article. Additionally, you may encounter a few other issues if you are unable to use a domain admin account. See the article which outlines these potential concerns.
- Launch Active Directory Users and Computers (AD U&C).
- Open the tree until you find the appropriate container.
- Right-click on OU and select New/User.
- Enter the appropriate account information.
- Press Next
- You may use whatever password you like. We recommend checking “User cannot change password” and “Password never expires” to eliminate the need to maintain this account.
- Select Next, then Finish.
- You should now see the account you created in the appropriate OU.
- To add your new user to the Domain Admins group, double-click on the Domain Admin group in the Users container.
- Select Members, Look In: Entire Directory. Select your new user account and press Add.
User ID Syntax
Active Directory uses a ‘Domain Component’ structure for its user ID. When you setup Active Directory you assigned an internet domain name to it (i.e. dirwiz.com). An example of a user ID would be: UnitySync@dirwiz.com