AD Sync Overview

How AD Sync Works

AD Sync is a one-way synchronization tool that will watch for changes to a local Active Directory domain and upload those changes to a remote Active Directory domain. In this case, it is installed at the agency and synchronizes user object changes to CloudPortal Services Manager (CPSM).

Please note that AD Sync will only replicate changes for user objects. Security and distribution groups do not replicate and must be managed via CPSM.

AD Sync watches for changes in a number of ways. It monitors the SYSVOL share for changes using a filter driver installed at the file system level, monitors for in-memory transactions on user objects, and observes the SAM for password changes.

Once a change is detected, AD Sync will establish a secure HTTP connection to CPSM and send an encrypted request. The request is picked up by CPSM and processed. See the diagram below for a very basic overview.

User Object Attributes

AD Sync will upload more than just a username and password to CPSM. Below is a list of attributes that are synchronized by default, followed by a note on the commonly selected optional attributes that may be configured to upload if needed.

Default Synchronization List

The following object attributes from Active Directory will synchronize by default.

  • fullName
  • firstName
  • lastName
  • password
  • physicalDeliveryOfficeName
  • department
  • userPrincipalName
  • description
  • telephoneNumber
  • wWWHomePage
  • streetAddress
  • postOfficeBox
  • l
  • co
  • info
  • st
  • postalCode
  • homePhone
  • pager
  • mobile
  • facsimileTelephoneNumber
  • ipPhone
  • title
  • manager.sAMAccountName
  • objectSid
  • userEnabled

Using Additional Attributes

AD Sync may be configured to synchronize additional object attributes if needed. Please see our article on AD Sync Attribute Sync Changes.

Disabling User Objects

When a user leaves the agency, it is common practice to disable the associated user object. If the user object remains in the AD Sync global security group, AD Sync will upload the change to CPSM and disable the account in Office 365.

It is important that the user object remain in the AD Sync global security group until such time as the object is deleted.

Removing User Objects from AD Sync

If a user object is removed from the AD Sync global security group, it will not automatically be removed from CPSM. To remove a user object from CPSM, you must perform one of the following:

  • Delete the user object from your Active Directory domain while it is a member of the AD Sync global security group
  • Deprovision and delete the user object from CPSM after removing it from the AD Sync global security group

When you deprovision a user object in CPSM, it is important to note that this will delete the associated mailbox, as well.
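The two sections above share one failure mode: a user object that is disabled after leaving the AD Sync global security group, or removed from the group without being deprovisioned, still has a live account in CPSM and Office 365. The following PowerShell report is an added example (not part of AD Sync, CPSM or this article) that lists disabled user objects no longer in the group; it assumes the ActiveDirectory RSAT module, and the group name `$SyncGroup` is a placeholder for your agency's actual group.

```powershell
# Added example: report disabled AD users that are not members of the AD Sync
# global security group. Such objects never had their disabled state uploaded
# to CPSM, so the matching Office 365 account may still be active.
param(
    # Placeholder: substitute the name of your agency's AD Sync global security group
    [string]$SyncGroup = 'ADSync-Users'
)

Import-Module ActiveDirectory

# Collect user members of the sync group (recursively, in case of nested groups),
# keyed by SID so renamed objects still match.
$syncSids = @{}
Get-ADGroupMember -Identity $SyncGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $syncSids[$_.SID.Value] = $true }

# Disabled users whose SID is absent from the sync group membership.
$notSynced = Get-ADUser -Filter 'Enabled -eq $false' -Properties whenChanged |
    Where-Object { -not $syncSids.ContainsKey($_.SID.Value) }

if (-not $notSynced) {
    Write-Output "All disabled user objects are members of $SyncGroup."
} else {
    Write-Output "Disabled user objects NOT in $SyncGroup (disable never reached CPSM):"
    $notSynced |
        Sort-Object whenChanged |
        Select-Object SamAccountName, DistinguishedName, whenChanged |
        Format-Table -AutoSize
}
```

Each object listed should either be added back to the group (so the disable is uploaded) or deprovisioned and deleted in CPSM as described above.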

Deleting User Objects

If a user object is deleted from the local Active Directory domain while it is still a member of the AD Sync global security group, AD Sync will replicate the deletion to CPSM. This will disconnect the mailbox and remove the associated user object from Hosted Exchange at CDS.

Recovering From Accidental Deletion

In the event a user object has been deleted by accident while a member of the AD Sync global security group, please immediately contact Customer Care and have them notify the Omnicom Messaging team. Recreate (or recover from backup or tombstone) the user object in the local domain, add it back to the AD Sync global security group, and make a change to an attribute so that AD Sync will replicate the account to CPSM.

Do not provision any services to this user in CPSM. The CDS Messaging team will need to reconnect the existing mailbox to the user, and this is not possible if a mailbox is already connected.