User Tools

Site Tools

AD Sync Installation


The AD Sync service is what provides ongoing, one-way, unobtrusive synchronization from your Active Directory (AD) environment to CloudPortal Services Manager (CPSM) at CDS. The AD Sync service allows you to synchronize your agency’s domain controllers to the domain controllers behind CPSM.

To accomplish a smooth transition, this service must be installed on all domain controllers in your AD forest. The operation of this service is unobtrusive to your network environment.

Your AD users’ user principal name (UPN) will be the username for Office 365. Your user accounts in CPSM will be regularly updated with any changes that have been saved in your local AD forest.

If there are any questions or concerns at any time during the execution of this document, please notify your project manager.

Before you begin the installation of AD Sync for your agency, please confirm for all staff that their UPN matches exactly their primary SMTP address. A CDS Windows engineering resource will be available to you if you need assistance with this step.

AD Sync may be installed on a domain controller running any version of Windows Server from 2003 R2 to 2016. However, if you have Windows Server 2012 or later domain controllers, you must raise the domain functionality level to Windows Server 2008 or later. If you do not, you will experience AD Sync instability.

Re-installs and Upgrades

If you are re-installing or upgrading AD Sync, there are some additional steps that need to be performed on each domain controller.

  1. Uninstall AD Sync
  2. Reboot the domain controller
  3. Delete the AD Sync installation folder (by default, this is C:\Program Files\AD Sync)
  4. Install AD Sync per the instructions below

Installation Tasks

The steps below should be completed on all domain controllers in your Active Directory forest. If any child domains exist, a listener should be placed in each domain.

  1. Log in into CloudPortal Services Manager (CPSM) using the newly created AD Sync username and password supplied by CDS.
  2. You will be prompted to change the password. The password requirements are:
    1. At least eight (8) characters in length
    2. At least one (1) lowercase letter
    3. At least one (1) uppercase letter
    4. At least one (1) non-alphabetic character
    5. This password must not be changed once set. If this password is changed, AD Sync will immediately cease processing updates from your local domain to CPSM and may require re-installation of AD Sync to all of your domain controllers.
  3. Create a global security group in your domain called AD Sync and add all migrating users to this group as members.

  4. Within CPSM, hover over Services and click on AD Sync Download.
  5. Download the AD Sync software to each domain controller in your AD forest.
    1. Click Next on the Welcome screen.
    2. Enter the password of your AD Sync account (this is the same password from Step 2 above).
    3. In the Events to watch section, check the box for Watch for changes to users only if this is the “listener” domain controller. It is very important that only one listener DC is present in any domain.Also choose Ignore in the User out of scope action: setting.
    4. Leave the scanning frequency to the default of five (5) seconds unless you have previously discussed a different setting with CDS.
    5. Remove all of the groups listed under Exclude users in these groups as well as the Users group under Include users in these groups. These fields should now be blank.
    6. Under Group name type in AD Sync and click Find Now. This should locate the global security group that you created in Step 3 above.
    7. Add this group to the Include users in these groups section.
    8. Do not change anything in the User Information section.
    9. Do not change anything in the Connection Information section.
    10. If your agency is using a proxy server, enter these details in the Proxy Server section.
    11. Choose the Destination folder for the installation. By default, this is C:\Program Files\AD Sync. It is recommended, though not required, that you accept the default.
    12. Begin the installation.
    13. After the installation is complete, reboot the domain controller.
    14. Stop the AD Sync service.
    15. Open the file called ADSync.exe.config. This is found in the installation folder. By default, this location is C:\Program Files\AD Sync.
    16. Set the value to 10 for the UploadMaxErrors element.
    17. Remove the comma from AttributeValueRegEx. The new value should be ^[^\\/=+<>#;“]+$
    18. Start the AD Sync service.
    19. Repeat these steps to install the AD Sync service on each domain controller within your Active Directory forest. During this step, ensure that the Watch for changes to users option is only selected on one of the domain controllers.
  6. On completion of the AD Sync installation across all Active Directory domain controllers, notify your project manager. Your CDS Messaging engineering resource will then work with you to verify proper installation and to provide a discrepancy report that compares your users’ UPNs and primary SMTP addresses.
  7. Once all discrepancies have been addressed, all users in the AD Sync group will be required to change their domain password. This initial password change allows your users’ domain passwords to synchronize with CloudPortal Services Manager in order to provide a unified set of credentials for access to domain resources and Hosted Exchange at CDS.
    This password change must be completed prior to the beginning of your e-mail migration.

Frequently Asked Questions

Please see the AD Sync FAQ.