Setting up Active Directory sync for an organization in Autotask

On the Active Directory (AD) Sync - Add New Sync page, you configure the settings for the synchronization of a specific organization's contacts from AD to Autotask. AD Sync must be set up separately for each organization.

IMPORTANT This must be a 1:1 relationship. Once an organization has Active Directory sync successfully set up, a second one cannot be set up for that same organization.

BEFORE YOU BEGIN Before you can set up an organization in Autotask, you must complete the prerequisite steps in Azure. Refer to Configuring AD for an organization in Azure.

Setup tab

On the Setup tab, you select the organization to be synced and the AD Type, the contact fields to be synced, and the billing product. You can also test the connection.

To open the page, use the path(s) in the Security and navigation section above.

Populate the fields in the following sections:

Configuration

In the Configuration section, populate the following fields.

Field Name Description

Organization Select the organization whose contacts you want to sync to Autotask. All organizations in your Autotask instance are available.

Enabled Contacts will only be synced if this check box is selected.

Active Directory Type
This field appears on the Active Directory (AD) Sync page when you add or edit Active Directory synchronization for a client. It lets you select the protocol you will be using to synchronize AD users with the contacts of an Autotask organization.

The following environments are supported:

In the Cloud AD with Azure (Windows Azure Active Directory or WAAD). Refer to If you selected Azure....

On-premise AD with LDAPS (Lightweight Directory Access Protocol Secure). Refer to If you selected LDAP....

To support unified identity management with traditional on-premises applications, WAAD can also be integrated with Windows Server Active Directory via DirSync and Active Directory Federation Services (ADFS) gateway components. This hybrid implementation is not specifically supported by Datto.

If you selected Azure...

If you selected Azure as the Active Directory Type, make sure you have completed the steps in Configuring AD for an organization in Azure. Retrieve the note that contains the IDs and Client secret you have generated in Azure and paste them into the page as follows:

Azure Field Autotask Field Name Description

Application (client) ID Client ID This creates the application that allows Autotask to communicate with Azure AD.

Directory (tenant) ID Tenant This uniquely identifies the customer whose users are being synchronized.

Value (of Client secret ) Client Secret
This is the unique key that authenticates Autotask to the Active Directory.

Click Edit to open the Edit Secret dialog window, and enter and confirm the secret value copied from Azure.

Once configured, this field value is both encrypted at rest, and obfuscated in Autotask. The value can be edited, but not viewed.

Object ID Group ID This is the group of users that is synchronized with Autotask.

If you selected LDAP...

If you selected LDAP as the Active Directory Type, you must populate the following fields:

Field Description

Inactivate Autotask Contacts after 30 days of non-login to AD Select this check box if you would like to automatically inactivate Autotask contacts if they have not logged into AD for 30 days.
This will inactivate these users in Autotask with the next sync. If you have rule-based billing enabled, it will reduce the number of contacts the customer is paying for.

Host LDAP Server DNS Registered Host Name. <hostname>.<domain> is the default. The address must resolve to an IP that the Autotask service can make calls to. You must open your firewall (see Port , below). Refer to LDAP Requirements.

Port The port number the AD server listens on for synchronization requests. 636 is the default port for LDAPS (LDAP over SSL). SSL is required.
IMPORTANT Non-secure access over port 389 is now prevented.

User DN The distinguished name of the user whose credentials are used to authenticate to the Active Directory. The Active Directory user account can be a normal user account and doesn't require any special elevated rights to run queries against Active Directory.

Password The password of the user.

Base of Search The typical format of the search base is cn=users,dc=<domain component>,dc=<domain component>.
Example: cn=users,dc=aeit,dc=com searches for users that share the aeit.com domain, that is, belong to the same organization.
This is important, because all selected users will be synced with the Autotask organization you are configuring the AD sync for.

Search Filter The search filter is used to restrict the number of users who will be synchronized. The search takes advantage of objectClass attributes.
For example, if my users have two objectClass attributes (one equal to "person" and another to "user"), this is how you would search for them: (&(objectClass=person)(objectClass=user)). Notice the ampersand symbol "&" at the start. Translated this means: search for objectClass=person AND object=user. A pipe symbol "|" denotes OR: search for objectClass=person OR object=user.
This filter (&(objectClass=user)(memberof=CN=psa contact,cn=Users,DC=attest,DC=local)) translates to: search for objectClass=person AND CN that contains the word psa contact in the search base defined above.

SSL Certificate Since Autotask uses LDAPS (LDAP over SSL), an SSL certificate is required. A self-signed SSL certificate is sufficient. For more information, refer to How to enable LDAP over SSL with a third-party certification authority.
NOTE Uploading a file that does not have a .cer extension, will return an invalid file type validation error. Uploading a .cer file that is invalid (junk file or certificate has expired), will return an alert dialog stating that the SSL Certificate is invalid.

Remove SSL If your SSL certificate is expired and you would like to upload a new one, click Remove SSL. This allows you to upload the new one.

Field Name	Description
Organization	Select the organization whose contacts you want to sync to Autotask. All organizations in your Autotask instance are available.
Enabled	Contacts will only be synced if this check box is selected.
Active Directory Type	This field appears on the Active Directory (AD) Sync page when you add or edit Active Directory synchronization for a client. It lets you select the protocol you will be using to synchronize AD users with the contacts of an Autotask organization. The following environments are supported: In the Cloud AD with Azure (Windows Azure Active Directory or WAAD). Refer to If you selected Azure.... On-premise AD with LDAPS (Lightweight Directory Access Protocol Secure). Refer to If you selected LDAP.... To support unified identity management with traditional on-premises applications, WAAD can also be integrated with Windows Server Active Directory via DirSync and Active Directory Federation Services (ADFS) gateway components. This hybrid implementation is not specifically supported by Datto.

Azure Field	Autotask Field Name	Description
Application (client) ID	Client ID	This creates the application that allows Autotask to communicate with Azure AD.
Directory (tenant) ID	Tenant	This uniquely identifies the customer whose users are being synchronized.
Value (of Client secret )	Client Secret	This is the unique key that authenticates Autotask to the Active Directory. Click Edit to open the Edit Secret dialog window, and enter and confirm the secret value copied from Azure. Once configured, this field value is both encrypted at rest, and obfuscated in Autotask. The value can be edited, but not viewed.
Object ID	Group ID	This is the group of users that is synchronized with Autotask.

Field	Description
Inactivate Autotask Contacts after 30 days of non-login to AD	Select this check box if you would like to automatically inactivate Autotask contacts if they have not logged into AD for 30 days. This will inactivate these users in Autotask with the next sync. If you have rule-based billing enabled, it will reduce the number of contacts the customer is paying for.
Host	LDAP Server DNS Registered Host Name. <hostname>.<domain> is the default. The address must resolve to an IP that the Autotask service can make calls to. You must open your firewall (see Port , below). Refer to LDAP Requirements.
Port	The port number the AD server listens on for synchronization requests. 636 is the default port for LDAPS (LDAP over SSL). SSL is required. IMPORTANT Non-secure access over port 389 is now prevented.
User DN	The distinguished name of the user whose credentials are used to authenticate to the Active Directory. The Active Directory user account can be a normal user account and doesn't require any special elevated rights to run queries against Active Directory.
Password	The password of the user.
Base of Search	The typical format of the search base is cn=users,dc=<domain component>,dc=<domain component>. Example: cn=users,dc=aeit,dc=com searches for users that share the aeit.com domain, that is, belong to the same organization. This is important, because all selected users will be synced with the Autotask organization you are configuring the AD sync for.
Search Filter	The search filter is used to restrict the number of users who will be synchronized. The search takes advantage of objectClass attributes. For example, if my users have two objectClass attributes (one equal to "person" and another to "user"), this is how you would search for them: (&(objectClass=person)(objectClass=user)). Notice the ampersand symbol "&" at the start. Translated this means: search for objectClass=person AND object=user. A pipe symbol "\|" denotes OR: search for objectClass=person OR object=user. This filter (&(objectClass=user)(memberof=CN=psa contact,cn=Users,DC=attest,DC=local)) translates to: search for objectClass=person AND CN that contains the word psa contact in the search base defined above.
SSL Certificate	Since Autotask uses LDAPS (LDAP over SSL), an SSL certificate is required. A self-signed SSL certificate is sufficient. For more information, refer to How to enable LDAP over SSL with a third-party certification authority. NOTE Uploading a file that does not have a .cer extension, will return an invalid file type validation error. Uploading a .cer file that is invalid (junk file or certificate has expired), will return an alert dialog stating that the SSL Certificate is invalid.
Remove SSL	If your SSL certificate is expired and you would like to upload a new one, click Remove SSL. This allows you to upload the new one.

Contact Sync Fields

In the Contact Sync Fields section, you specify the contact fields that will be synced from AD to Autotask. These settings are organization-specific.

First Name and Last Name must be synced.

All other fields are selected by default, but can be cleared.

IMPORTANT Middle Name and Alternate Phone are not available when synching from Azure. Blank fields in Active Directory will overwrite fields in Autotask and remove any existing information. Do not select fields that are not populated in AD!

Billing

If you bill this customer by the number of supported contacts and want to automatically assign a Contact Billing Product to any newly synced contacts, select one from the drop-down list. For more information on rule-based billing, refer to Billing by the contact or device.

Connection Test

To test the connection to the AD server, click Test Connection. If Autotask is able to connect to the Active Directory, you will see a message that the test was successful, and a sample of users will be displayed in the table below.

Click Save. Up to 400,000 contacts can be synced, 500 at a time.

If the connection is successful, the status column on the list view will display a green dot, if it failed, a red dot with an x.

NOTE Even if the connection is successful, you may have mapping conflicts for specific users. These are addressed on the AD Users tab. Refer to AD Users tab.

AD Users tab

Once the first synchronization is completed, all of the Active Directory users that match the settings you configured in Azure or LDAP and were brought into Autotask are displayed on the AD Users tab.

If there were no existing contact records for the organization, the synced contacts are created in Autotask and are automatically mapped to the correct AD users.
If some or all of the AD users already existed as organization contacts in Autotask, they are mapped according to the rules described in Mapping steps in priority order.

Mapping AD users to Autotask contacts may result in mapping conflicts. Refer to Conflict Cases. You can manually resolve mapping conflicts on this page. Refer to Finding and resolving mapping conflicts.

User table filtering options

The user table can be filtered on any displayed column. To locate mapping conflicts, use the Status filter. The following statuses are available:

Name	Description
[blank]	No filter is applied and all synced records are displayed.
Mapped	Displays AD users who are matched to a unique Autotask contact. Any conflicts were manually resolved, and any duplicates were set to Ignored.
Unmapped	Users appear as Unmapped if: There are two identical AD users, but only one matching contact in Autotask. The first AD user is mapped to the contact, and the second one will remain unmapped. There is one AD user, but two matching active contacts. Both users will remain unmapped. You will need to map the user to one of the contacts and set the other one to Ignored.
Ignored	This status is always manually applied to a user. Ignored users will remain unmapped, but will not count as conflicts. Example: You may have an "IT User" in your AD database that you don't want to map to an Autotask contact.

Inactive tab

On the Inactive tab, we list AD users who were synced to Autotask but are inactive for one reason or another.

Users can be inactive for the following reasons:

Reason	Description
Not enabled	The user is currently inactive in AD, but belongs to the group that was synced to Autotask.
30 Days Inactive	The user has not logged into AD in 30+ days and the account was automatically made inactive. This setting is only available for AD type "LDAP".
Deleted	The user is no longer synced from Active Directory, either because he is no longer a member of the group or because he is no longer in Active Directory. The Date Inactivated column shows the time stamp of the first sync the user appears as inactive.

To search for a specific user, use the filter row below the column headers.

Notification tab

On the Notification tab, you select who will receive an email when synchronization fails or errors occur.

Errors are generated when AD users cannot be uniquely mapped to Autotask contacts. Refer to Conflict Cases.
For LDAP integrations, error messages will also be generated when the SSL Certificate has expired or will be expiring within 30 days.

Field	Description
Resource	A resource is a user at your company who has an Autotask log in. Employees, consultants, or contractors must be set up as an Autotask resource if they do one of the following: They create or edit Autotask entities such as tickets, organizations, or opportunities. In this context, the field label in Autotask is usually Created by or Creator. They work on project tasks, tickets, or sales to-dos. In this context, the field label in Autotask is usually Resource, Primary Resource, or Secondary Resources. They are responsible for sales accounts and any opportunities they generate. In this context, the field label in Autotask will be Account Owner or Opportunity Owner. They are the individual or role-based recipients of notification emails. In this context, the field label in Autotask will be Recipient or Resource. They manage, approve, approve & post, or report on any of these activities. In this context, the field label in Autotask will be Timesheet Approver, Expense Report Approver, or Change Request Approver. Resources are selected or referenced on many Autotask entities. They may be associated with an entity even if they are not displayed on the UI. The First Name, Last Name, and Middle Name components of a resource name are displayed either in sort order (Lang, Suzanne M.) or narrative order (Suzanne M. Lang).
Other Email(s)	This field appears in the Notification section of Autotask entities. It lets you send notification emails to recipients whose email is not stored in Autotask, because they are neither a customer contact nor an internal resource. On some forms, there are multiple Other Email(s) fields to allow you to distinguish between To:, CC:, and BCC: recipients. Enter the full email address for each recipient. Separate multiple email addresses with a semicolon.

Field

Description

Resource

A resource is a user at your company who has an Autotask log in. Employees, consultants, or contractors must be set up as an Autotask resource if they do one of the following:

They create or edit Autotask entities such as tickets, organizations, or opportunities. In this context, the field label in Autotask is usually Created by or Creator.
They work on project tasks, tickets, or sales to-dos. In this context, the field label in Autotask is usually Resource, Primary Resource, or Secondary Resources.
They are responsible for sales accounts and any opportunities they generate. In this context, the field label in Autotask will be Account Owner or Opportunity Owner.
They are the individual or role-based recipients of notification emails. In this context, the field label in Autotask will be Recipient or Resource.
They manage, approve, approve & post, or report on any of these activities. In this context, the field label in Autotask will be Timesheet Approver, Expense Report Approver, or Change Request Approver.

Resources are selected or referenced on many Autotask entities. They may be associated with an entity even if they are not displayed on the UI.

The First Name, Last Name, and Middle Name components of a resource name are displayed either in sort order (Lang, Suzanne M.) or narrative order (Suzanne M. Lang).

Other Email(s)

This field appears in the Notification section of Autotask entities. It lets you send notification emails to recipients whose email is not stored in Autotask, because they are neither a customer contact nor an internal resource. On some forms, there are multiple Other Email(s) fields to allow you to distinguish between To:, CC:, and BCC: recipients.

Enter the full email address for each recipient. Separate multiple email addresses with a semicolon.

	Need troubleshooting help? Open the Kaseya Helpdesk.
	Want to talk about it? Head on over to the Community!
	Have an idea for a new feature? Want to learn about upcoming enhancements? Visit the Ideas forum!
	Provide feedback for the Documentation team.