Overview
Active Directory (AD) by Microsoft is a centralized, standardized system that automates network management of user data, security, and distributed resources. In simpler words, it stores and manages information about an organization and provides authentication and authorization. For example, you can store information about your organization's members, including their devices, verify their credentials, and define their access rights.
Zoho Directory Sync
Zoho Directory Sync is a simple and secure directory and password synchronization tool that syncs user objects and their passwords from Active Directory (AD) to Zoho accounts. It automatically updates user accounts in Zoho to match the user data in AD. Because the synchronization always runs from AD to Zoho, the tool never writes to AD and the data there is never modified. With Zoho One's Active Directory Sync, the org admin gets centralized access control management with data kept in sync on a schedule.
Uses of Zoho Directory Sync
- Ensures your Zoho domain data matches that of your Active Directory or LDAP server.
- Allows you to configure rules for custom mapping of users, groups, and other attributes.
- Performs a one-way synchronization. Data on your LDAP server is never updated or altered.
- Includes all necessary components in the installation package.
- Includes features to keep your data secure, such as OAuth-based authorization to Zoho and read-only access to your directory.
How does Zoho Directory Sync work
- Queries your LDAP server.
- Queries your Zoho account.
- Compares the two result sets.
- Computes the changes needed (users to add, attributes to update, users to delete).
- Updates your Zoho account with those changes.
No updates are made to your LDAP server, so your directory data remains unchanged. This removes the need to add, modify, and delete accounts separately in each LDAP-enabled application, which improves security and reduces management costs.
Before Installation
Before you download and install Zoho Directory Sync, make sure you meet the system requirements. The installer downloads and installs all required components on your server.
System Requirements
- Browser - Internet Explorer 9 or above
- Operating System - Windows 7 or above
- Microsoft Visual C++ Runtime redistributable 2010 or higher
- .NET Framework 4.0 or above
- If a higher version is installed, make sure .NET Framework 4.0 is also installed on both the PDC and the local system.
- Administrative privileges for the entire domain.
- For best results, a network connection to your Zoho domain without intermediate proxies or firewalls is recommended. If traffic must pass through a proxy, configure it under Settings.
- Minimum 512 MB RAM. If your company has more than 10k employees, 1 GB or more is required for faster sync.
Download and Installation
You can download the Directory Sync tool from the Active Directory tab in your Zoho One Admin Console. A file named ZohoOneSync.msi/ZohoDirectorySync.msi is downloaded to your computer. Open the file to start setup and install the tool on your machine. An installation wizard guides you through the process: select the destination path of your choice and follow the wizard to complete the installation. After the Directory Sync tool is installed, the tool's wizard guides you through the configuration steps.
Setup and Sync
Welcome Screen
Login Screen
- Click 'Authorize with Zoho'.
- accounts.zoho.com opens in a separate window, where you approve the OAuth scopes the tool needs for its subsequent API requests.
Unauthorized User
When a user who does not have access to the Admin Console (that is, not an org admin) tries to set up Directory Sync, an error message is shown. Log in as an org administrator instead.
Successfully Logged In
Once logged in, you can see which user installed the tool.
Reauthorize Button
- Ownership and authorization of the Zoho Directory Sync tool belong to the user who first installed it.
- If that owner leaves the company or their account is disabled, access to the tool may be lost.
- To avoid this, use the "Reauthorize" button to transfer ownership of the tool to another org admin before disabling the original owner's account.
LDAP Credentials
Enter the LDAP server details and click Add.
Note: If your domain is MyDomain.com, enter the base DN as DC=MyDomain,DC=com
The next screen displays the domain list. If needed, you can add domains by clicking Add Domain in the top right corner. Under Sync Preference you set the rules for your synchronization. There are three sub-headings under Sync Preference, described below.
Filter OUs/Users
- You can choose multiple base DNs to which the LDAP query is applied; only objects under these DNs are considered for sync.
Exclusion Rules
- Define rules using the criteria you need.
- Users matching these criteria are excluded during the scheduled sync.
- Click the Add Rule button in the top right corner and fill in the details of your rule.
Attribute Definition
- Here you select the attributes on which the synchronization is based, and how each Zoho attribute maps to an LDAP attribute.
- You can select from email, first name, language, and so on.
- To edit an attribute, hover over it and click the edit icon.
Directory Sync
- Under the New Users column, users present in the LDAP result but not yet in Zoho are listed. Select the users to be added to Zoho; their attributes are synced according to the schedule you set.
- Under the Users to Delete column, Zoho users who are absent from the LDAP result are listed. Before confirming a deletion, check that the user is really gone from the directory and not merely outside the selected base DNs or matched by an exclusion rule.
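The steps listed under "How does Zoho Directory Sync work", the Filter OUs/Users and Exclusion Rules preferences, and the New Users / Users to Delete columns above all describe one reconciliation: LDAP is the source of truth, Zoho is brought into line, and LDAP is never written to. The following is an added, self-contained example of that one-way reconciliation; it is not Zoho Directory Sync's own code. The record shapes, the rule format, the function names and the sample users are assumptions constructed for illustration. It also implements the base-DN note from the LDAP Credentials screen.

```python
"""One-way directory reconciliation modelled on the steps the page describes.

Constructed example: record shapes, rule format and function names are
assumptions for illustration, not Zoho Directory Sync's actual API.
"""
from dataclasses import dataclass


def domain_to_base_dn(domain: str) -> str:
    """'MyDomain.com' -> 'DC=MyDomain,DC=com' (the form the LDAP Credentials screen expects)."""
    labels = [p for p in domain.strip().strip(".").split(".") if p]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def in_base_dn(dn: str, base_dns) -> bool:
    """True if the object's DN sits under one of the selected base DNs (case-insensitive)."""
    dn_l = dn.lower()
    return any(dn_l == b.lower() or dn_l.endswith("," + b.lower()) for b in base_dns)


@dataclass(frozen=True)
class ExclusionRule:
    """Exclude an LDAP user whose attribute satisfies op/value (rule shape is an assumption)."""
    attribute: str
    op: str  # "equals", "startswith" or "contains"
    value: str

    def matches(self, user: dict) -> bool:
        actual, expected = str(user.get(self.attribute, "")).lower(), self.value.lower()
        if self.op == "equals":
            return actual == expected
        if self.op == "startswith":
            return actual.startswith(expected)
        if self.op == "contains":
            return expected in actual
        raise ValueError(f"unknown op {self.op!r}")


def reconcile(ldap_users, zoho_users, base_dns, rules, attribute_map):
    """Compute the change set to apply to Zoho. LDAP is read only, never modified.

    ldap_users:    list of dicts with a 'dn' key plus LDAP attributes
    zoho_users:    dict keyed by email -> dict of Zoho attributes
    attribute_map: {zoho_attribute: ldap_attribute}, must include 'email'
    Returns {'add': [...], 'update': [...], 'delete': [...], 'excluded': [...]}.
    """
    desired, excluded = {}, []
    for user in ldap_users:
        if not in_base_dn(user["dn"], base_dns):
            continue  # outside the selected OUs: not part of the LDAP result
        if any(rule.matches(user) for rule in rules):
            excluded.append(user.get(attribute_map["email"], user["dn"]).lower())
            continue
        mapped = {z: user.get(l, "") for z, l in attribute_map.items()}
        if not mapped["email"]:
            continue  # no email means no key to match a Zoho account on
        desired[mapped["email"].lower()] = mapped

    current = {k.lower(): v for k, v in zoho_users.items()}
    add = [desired[k] for k in sorted(desired.keys() - current.keys())]
    delete = sorted(current.keys() - desired.keys())  # present in Zoho, absent from LDAP result
    update = []
    for key in sorted(desired.keys() & current.keys()):
        changes = {a: v for a, v in desired[key].items() if current[key].get(a, "") != v}
        if changes:
            update.append({"email": key, "changes": changes})
    return {"add": add, "update": update, "delete": delete, "excluded": sorted(excluded)}


def run_example():
    """Constructed sample directory and Zoho data; all names are invented."""
    base_dns = [domain_to_base_dn("MyDomain.com")]
    ldap_users = [
        {"dn": "CN=Alice Example,OU=Staff,DC=MyDomain,DC=com", "sAMAccountName": "alice",
         "mail": "alice@mydomain.com", "givenName": "Alice", "preferredLanguage": "en"},
        {"dn": "CN=Bob Example,OU=Staff,DC=MyDomain,DC=com", "sAMAccountName": "bob",
         "mail": "bob@mydomain.com", "givenName": "Robert", "preferredLanguage": "en"},
        {"dn": "CN=Erin Example,OU=Staff,DC=MyDomain,DC=com", "sAMAccountName": "erin",
         "mail": "erin@mydomain.com", "givenName": "Erin", "preferredLanguage": "fr"},
        {"dn": "CN=svc-backup,OU=Service Accounts,DC=MyDomain,DC=com", "sAMAccountName": "svc-backup",
         "mail": "svc-backup@mydomain.com", "givenName": "Backup", "preferredLanguage": "en"},
        {"dn": "CN=Carol,OU=Staff,DC=Other,DC=com", "sAMAccountName": "carol",
         "mail": "carol@other.com", "givenName": "Carol", "preferredLanguage": "en"},
    ]
    zoho_users = {
        "alice@mydomain.com": {"email": "alice@mydomain.com", "first_name": "Alice", "language": "en"},
        "bob@mydomain.com": {"email": "bob@mydomain.com", "first_name": "Bob", "language": "en"},
        "dave@mydomain.com": {"email": "dave@mydomain.com", "first_name": "Dave", "language": "en"},
    }
    rules = [ExclusionRule("sAMAccountName", "startswith", "svc-")]
    attribute_map = {"email": "mail", "first_name": "givenName", "language": "preferredLanguage"}
    return reconcile(ldap_users, zoho_users, base_dns, rules, attribute_map)


if __name__ == "__main__":
    for action, items in run_example().items():
        print(action, items)
```

With the constructed data, erin lands in the add list, bob gets a first-name update, dave (present in Zoho, absent from LDAP) is the deletion candidate, the svc- account is excluded by rule, and carol is never considered because her DN is outside the selected base DN. The excluded list is returned separately so an admin can see why an account is missing before acting on the delete list.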
Password Sync
Password Synchronization lets end users keep a single identity, governed by a single password policy, across various systems and applications.
Requirements
- The Password Sync tool must be installed on every domain controller in the domain, including the primary domain controller.
- The domain controllers must be Full installations, not Server Core installations.
- The domain controllers must have the Microsoft .NET Framework 2.0 or 3.5 profile installed. Even if a higher version is present, make sure .NET Framework 2.0 or 3.5 is also installed.
- Make sure the Message Queuing service is enabled and running before starting the installation of the password sync tool.
Note:
Before the password sync agent is installed, users you create are given default passwords with which they can log in to their accounts; these default passwords can be changed later.
After the password sync agent is installed, new users' passwords are synchronized from Active Directory. Existing users' passwords are not read: the agent only captures a password when it is set or changed. If all users' passwords need to be synced, ask them to change their account passwords; the newly updated passwords will be synchronized from Active Directory.
Schedule Sync
Here you set the synchronization schedule. The sync runs automatically at the scheduled time.
Reports
Under Reports, you can view the history of all your synchronizations. Each report lists the username and email address along with the sync status. You can review the reports for each scheduled run and confirm their status. A Retry button is provided in case a scheduled sync fails.
Settings
Here you can configure a proxy and enable automatic updates of the tool.