ºÚÁϺ£½Ç91Èë¿Ú

ADI: Change Configuration

The ºÚÁϺ£½Ç91Èë¿Ú Active Directory Integration (ADI) enables the syncing of users, groups, and passwords between ºÚÁϺ£½Ç91Èë¿Ú and on-premises or off-premises AD. As covered in Get Started: Active Directory Integration, the ADI uses two agents, an Import Agent and a Sync Agent, which can be installed in three (3) configurations based on where you want to manage users, groups, and passwords:

  1. Manage users, groups, and passwords in AD
  2. Manage users, groups, and passwords in ºÚÁϺ£½Ç91Èë¿Ú
  3. Manage users and passwords in AD, ºÚÁϺ£½Ç91Èë¿Ú, or both

After setting up your initial ADI configuration, you may decide to change it. This article provides a high-level overview of how to do so.

Prerequisites

  • Existing AD Integration
  • Access to all AD servers
  • If you are changing to the Manage users and passwords in AD, ºÚÁϺ£½Ç91Èë¿Ú, or both deployment configuration, verify your current agents are the latest version

Considerations

  • Connect Keys are one-time use keys required for installing the agents on a new AD server:
    • The Connect Key will expire in 7 days if it is not used
    • Connect Keys are not required when upgrading agents
    • A connect key should only be used once - do not use the same connect key on multiple servers
  • When upgrading an agent, the installation wizard prompts for minimal information:
    • Import agent connect key, when upgrading from import agent v2.6.0 or lower
    • Installation folder path
    • Finish screen
  • The agents should be installed on at least 2 member servers for high availability
  • Agent versions should be the same on all AD servers
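The last three considerations (service state, identical agent versions, at least two servers for high availability) can be checked from one admin workstation before and after a configuration change. The script below is an added example, not part of the original article or the vendor's tooling. It assumes PowerShell Remoting (WinRM) is enabled on the AD servers; the service name, the Programs and Features display name, and the server list are placeholders you replace with the values from your own installation.

```powershell
# Added example, not from the original article: verify the ADI agent on every
# AD server. Placeholders (assumptions): service name, display name, server list.
$AgentServiceName = 'PLACEHOLDER_AgentServiceName'   # assumption: Windows service name of the agent
$AgentDisplayName = 'PLACEHOLDER Agent Display Name' # assumption: DisplayName shown in Programs and Features
$Servers = @('dc01', 'dc02', 'member01', 'member02') # constructed sample list of AD servers

$results = Invoke-Command -ComputerName $Servers -ScriptBlock {
    param($svcName, $displayName)

    # Service state on this server
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue

    # Installed version, read from the standard uninstall registry keys
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $app = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $displayName } |
        Select-Object -First 1

    [pscustomobject]@{
        Server  = $env:COMPUTERNAME
        Status  = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        Version = if ($app) { $app.DisplayVersion } else { $null }
    }
} -ArgumentList $AgentServiceName, $AgentDisplayName

$results | Sort-Object Server | Format-Table Server, Status, Version -AutoSize

# Any server where the agent is installed but its service is not running
$results | Where-Object { $_.Status -notin 'Running', 'NotInstalled' } |
    ForEach-Object { Write-Warning "Agent service is '$($_.Status)' on $($_.Server)" }

# Version drift: the article requires the same agent version on all AD servers
$versions = @($results | Where-Object Version | Select-Object -ExpandProperty Version -Unique)
if ($versions.Count -gt 1) {
    Write-Warning "Agent versions differ across servers: $($versions -join ', ')"
}

# High availability: the agent should run on at least two servers
$installed = @($results | Where-Object { $_.Status -ne 'NotInstalled' })
if ($installed.Count -lt 2) {
    Write-Warning "Only $($installed.Count) server(s) run the agent; the article recommends at least 2"
}
```

Run it once before changing the configuration (to confirm the upgrade prerequisite that all agents are current and identical) and again after the new agents are installed. Servers that fail the remoting call surface as Invoke-Command errors rather than rows, so an unexpectedly short table is itself a finding.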

ADI Configurations

ADI Configuration                                      | Use case              | Server type(s) on which agent(s) can be installed
-------------------------------------------------------|-----------------------|---------------------------------------------------
Manage users, groups and passwords in AD               | Extend AD             | Domain Controllers
Manage users and passwords in either system, or both   | Extend AD             | Domain Controllers, Member Servers
                                                       | Minimize AD footprint | Domain Controllers
                                                       | Migrate away from AD  | Domain Controllers, Member Servers (Sync agent only)
Manage users, groups, and passwords in ºÚÁϺ£½Ç91Èë¿Ú  | Minimize AD footprint | Domain Controllers, Member Servers
                                                       | Migrate away from AD  | Domain Controllers, Member Servers

Change ADI Configuration

  1. Go to DIRECTORY INTEGRATIONS > Active Directory.
  2. Search for and select your existing ADI instance.
  3. In the right upper corner, select Update Configuration.
  4. Select the radio button next to your desired new configuration and then click Next.
  5. Review the settings for both the Previous and Updated Configuration.

Note:

Each ADI configuration has default settings. Some settings are read-only and others are editable. See ADI configuration settings for more information.

  6. Click Save.
    • Depending on the previous and updated configuration, you will receive a note stating that agents will need to be uninstalled
  7. Go to the Action needed: section and download and install any agents for the updated configuration.
  8. Click Continue.
  9. Your new ADI Configuration Details will appear. In the Integration Details section, verify or change any ADI configuration settings.
  10. Click Save.

Tip:

See the sections below for the changes required on your user records and the high-level overviews of the changes required on your AD servers when changing your ADI deployment configuration.

ADI configuration settings

  • Delegated Password Validation – default setting for enabling and disabling delegated authentication to AD for users imported from AD to ºÚÁϺ£½Ç91Èë¿Ú. Applicable in the following ADI configurations:
    • Manage users and passwords in either system or both. Editable setting. Disabled by default
    • Manage users and passwords in Active Directory. Read-only setting. Enabled by default
  • Externally Managed Password and Attributes – default setting for restricting and unrestricting changes to ADI synced user attributes and user password within the ºÚÁϺ£½Ç91Èë¿Ú Admin Portal and the ºÚÁϺ£½Ç91Èë¿Ú User Portal. This is a read-only setting. Applicable in all ADI configurations:
    • Manage users and passwords in ºÚÁϺ£½Ç91Èë¿Ú. Disabled by default
    • Manage users and passwords in either system or both. Disabled by default
    • Manage users and passwords in Active Directory. Enabled by default
  • Enable groups and memberships management – default setting controlling whether a group and group memberships are synced from ºÚÁϺ£½Ç91Èë¿Ú to AD when a sync agent is installed on an AD server. This is a read-only setting that is enabled by default. Applicable in the following ADI configurations:
    • Manage users and passwords in either system or both
    • Manage users and passwords in ºÚÁϺ£½Ç91Èë¿Ú
  • Provision Staged Users – default setting controlling whether a staged user is synced from ºÚÁϺ£½Ç91Èë¿Ú to AD when a sync agent is installed on an AD server. This is a read-only setting that is disabled by default. Applicable in the following ADI configurations:
    • Manage users and passwords in either system or both
    • Manage users and passwords in ºÚÁϺ£½Ç91Èë¿Ú

Change to Manage users and passwords in AD, ºÚÁϺ£½Ç91Èë¿Ú, or both

See Configure ADI: Manage users, groups and passwords in AD, ºÚÁϺ£½Ç91Èë¿Ú, or both.

From managing users, groups, and passwords in AD

Changes required on existing user records

  1. Go to USER MANAGEMENT > Users.
  2. Select Filter by > Password Externally Managed in the Search bar.
  3. Select all users.
  4. Select More Actions > Set External Password Authority.
  5. Leave the default None (ºÚÁϺ£½Ç91Èë¿Ú) selected.
  6. Click Save.
  7. Follow the instructions in Convert AD-Managed User Accounts.

Changes required in AD

  1. Create the AD Sync Service Account.
  2. Delegate control for AD Sync Service Accounts.
  3. Download AD Sync agent.
  4. Run the AD Sync Agent installation wizard.
  5. Reboot each AD server where the import agent was installed.
  6. Verify AD sync and AD import agents in the ºÚÁϺ£½Ç91Èë¿Ú Admin Portal.

From managing users, groups, and passwords in ºÚÁϺ£½Ç91Èë¿Ú

Changes required on existing user records

  1. Go to USER MANAGEMENT > Users.
  2. Select Filter by > Password Externally Managed in the Search bar.
  3. Select all users.
  4. Select More Actions > Set External Password Authority.
  5. Leave the default None (ºÚÁϺ£½Ç91Èë¿Ú) selected.
  6. Click Save.
  7. Follow the instructions in Convert AD-Managed User Accounts.

Changes required in AD

  1. Create the AD Import Service Account.
  2. Delegate control for the AD Import Service Accounts.
  3. Download AD Import agent.
  4. Run the AD Import Agent installation wizard.
  5. Reboot each AD server where the import agent was installed.
  6. Verify the Import Agent Service started.
  7. Complete post-installation AD import agent configuration on each DC.
  8. Verify AD sync and AD import agents in the ºÚÁϺ£½Ç91Èë¿Ú Admin Portal.

Change to Manage users and passwords in AD

See Configure ADI: Manage users, security groups, and passwords in AD.

From managing users, groups, and passwords in AD, ºÚÁϺ£½Ç91Èë¿Ú or both

Changes required on existing user records

  1. Go to USER MANAGEMENT > Users.
  2. Select Filter by > Password Externally Managed in the Search bar.
  3. Select all users.
  4. Select More Actions > Set External Password Authority.
  5. Select Active Directory.
  6. Click Save.

Changes required in AD

  1. Uninstall AD Sync agent.
  2. Reboot each AD server where the Sync agent was installed.
  3. Change AD Sync service account to inactive.
  4. Verify the Import Agent Service started on each AD server.

From managing users, groups, and passwords in ºÚÁϺ£½Ç91Èë¿Ú

Changes required on existing user records

  1. Go to USER MANAGEMENT > Users.
  2. Select Filter by > Password Externally Managed in the Search bar.
  3. Select all users.
  4. Select More Actions > Set External Password Authority.
  5. Select Active Directory.
  6. Click Save.

Changes required in AD

  1. Uninstall AD Sync agent.
  2. Reboot each AD server where the Sync agent was installed.
  3. Change AD Sync service account to inactive.
  4. Create the AD Import Service Account.
  5. Delegate control for the AD Import Service Accounts.
  6. Download AD Import agent.
  7. Run the AD Import Agent installation wizard.
  8. Reboot each AD server where the import agent was installed.
  9. Verify the Import Agent Service started.
  10. Complete post-installation AD import agent configuration on each DC.

Change to Manage users and passwords in ºÚÁϺ£½Ç91Èë¿Ú

See Configure ADI: Manage users, security groups, and passwords in ºÚÁϺ£½Ç91Èë¿Ú.

From managing users, groups, and passwords in AD, ºÚÁϺ£½Ç91Èë¿Ú or both

Changes required on existing user records

  1. Go to USER MANAGEMENT > Users.
  2. Select Filter by > Password Externally Managed in the Search bar.
  3. Select all users.
  4. Select More Actions > Set External Password Authority.
  5. Select Active Directory.
  6. Click Save.
  7. If you enabled the Delegated Password Validation option on the ADI configuration and want your existing users with access to AD to have their logins validated by AD, do the following:
    • Select the users you want to update
    • Select More Actions > Set Delegated Password Authority.
    • Select Active Directory.
    • Click Save.

Changes required in AD

  1. Uninstall AD Import agent.
  2. Reboot each AD server where the Import agent was installed.
  3. Change AD Import service account to inactive.
  4. Verify the Import Agent Service started on each AD server.

From managing users, groups, and passwords in AD

Changes required on existing user records

  1. Go to USER MANAGEMENT > Users.
  2. Select Filter by > Password Externally Managed in the Search bar.
  3. Select all users.
  4. Select More Actions > Set External Password Authority.
  5. Select Active Directory.
  6. Click Save.
  7. Select the existing users with access to AD.
  8. Select More Actions > Set Delegated Password Authority.
  9. Select Active Directory.
  10. Click Save.

Changes required in AD

  1. Uninstall AD Import agent.
  2. Reboot each AD server where the Import agent was installed.
  3. Change AD Import service account to inactive.
  4. Create the AD Sync Service Account.
  5. Delegate control for the AD Sync Service Accounts.
  6. Download AD Sync agent.
  7. Run the AD Sync Agent installation wizard.
  8. Reboot each AD server where the import agent was installed.
  9. Verify the Sync Agent Service started.
  10. Complete post-installation AD Sync agent configuration on each DC.
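Every "Changes required in AD" list in this article ends the same way: the service account of the agent you uninstalled is made inactive, and the service of the agent that remains (or was just installed) is verified on each AD server. The script below is an added example covering those two steps for any of the transitions above; it is not part of the original article or the vendor's agent installer. It assumes the ActiveDirectory module (RSAT) on the workstation and WinRM access to the AD servers; the account name, service name, and server list are placeholders to replace with your own values.

```powershell
# Added example, not from the original article: deactivate the old ADI agent
# service account and verify the remaining agent's service on each AD server.
Import-Module ActiveDirectory

$OldServiceAccount = 'svc-adi-old'                 # constructed placeholder: account used by the uninstalled agent
$NewAgentService   = 'PLACEHOLDER_AgentServiceName' # assumption: Windows service name of the remaining/new agent
$Servers           = @('dc01', 'dc02')             # constructed sample list of AD servers

# 1. Make the old service account inactive. Disabling rather than deleting keeps
#    its SID, group memberships and logon history available for later review.
$acct = Get-ADUser -Identity $OldServiceAccount -Properties Enabled, LastLogonDate
if ($acct.Enabled) {
    Disable-ADAccount -Identity $acct
    Set-ADUser -Identity $acct -Description "ADI agent account, disabled $(Get-Date -Format 'yyyy-MM-dd') after ADI configuration change"
    Write-Host "Disabled $($acct.SamAccountName) (last logon: $($acct.LastLogonDate))"
} else {
    Write-Host "$($acct.SamAccountName) is already disabled"
}

# 2. Verify the remaining agent's service started on every AD server.
foreach ($server in $Servers) {
    $svc = Invoke-Command -ComputerName $server -ScriptBlock {
        Get-Service -Name $using:NewAgentService -ErrorAction SilentlyContinue
    }
    if (-not $svc) {
        Write-Warning "$server : service '$NewAgentService' not found; confirm the agent was installed and the server rebooted"
    } elseif ($svc.Status -ne 'Running') {
        Write-Warning "$server : service is $($svc.Status); check the agent install log before continuing"
    } else {
        Write-Host "$server : $NewAgentService is running"
    }
}

# 3. Follow-up check: a recent logon on the disabled account means something
#    (a forgotten agent install, a scheduled task) still tries to use it.
$check = Get-ADUser -Identity $OldServiceAccount -Properties LastLogonDate
if ($check.LastLogonDate -and $check.LastLogonDate -gt (Get-Date).AddDays(-1)) {
    Write-Warning "$OldServiceAccount was used within the last day; locate and remove the remaining consumer"
}
```

LastLogonDate is replicated only approximately, so step 3 is a coarse signal; for a precise answer query the domain controllers' security logs for logon events of the old account during the change window. Uninstalling the agent and rebooting (steps 1 and 2 in the lists above) still has to be done on each server before this script is useful.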

Next Steps

Want additional assistance from ºÚÁϺ£½Ç91Èë¿Ú? 

ºÚÁϺ£½Ç91Èë¿Ú now offers a myriad of professional services to assist you with implementing and configuring ºÚÁϺ£½Ç91Èë¿Ú. If you’re looking for assistance with Migrating from AD or integrating AD with ºÚÁϺ£½Ç91Èë¿Ú, we recommend you reach out to ºÚÁϺ£½Ç91Èë¿Ú’s Professional Services team on the following page: Professional Services - ºÚÁϺ£½Ç91Èë¿Ú.
