Setting up Active Directory sync for an organization in Autotask
SECURITY Security level with Admin permission to configure Microsoft Extensions. Refer to Admin security settings.
NAVIGATION > Admin > Extensions & Integrations > Microsoft Extensions > Active Directory (AD) Sync > Add
On the Active Directory (AD) Sync - Add New Sync page, you configure the settings for the synchronization of a specific organization's contacts from AD to Autotask. AD Sync must be set up separately for each organization.
IMPORTANT This must be a 1:1 relationship. Once an organization has Active Directory sync successfully set up, a second one cannot be set up for that same organization.
BEFORE YOU BEGIN Before you can set up an organization in Autotask, you must complete the prerequisite steps in Azure. Refer to Configuring AD for an organization in Azure.
On the Setup tab, you select the organization to be synced and the AD Type, the contact fields to be synced, and the billing product. You can also test the connection.
To open the page, use the path(s) in the Security and navigation section above.
Populate the fields in the following sections:
Configuration
In the Configuration section, populate the following fields.
Field Name | Description |
---|---|
Organization | Select the organization whose contacts you want to sync to Autotask. All organizations in your Autotask instance are available. |
Enabled | Contacts will only be synced if this check box is selected. |
Active Directory Type | This field appears on the Active Directory (AD) Sync page when you add or edit Active Directory synchronization for a client. It lets you select the protocol you will be using to synchronize AD users with the contacts of an Autotask organization. |
The following environments are supported:
- Cloud AD with Azure (Windows Azure Active Directory, or WAAD). Refer to If you selected Azure....
- On-premise AD with LDAPS (Lightweight Directory Access Protocol Secure). Refer to If you selected LDAP....
- To support unified identity management with traditional on-premises applications, WAAD can also be integrated with Windows Server Active Directory via DirSync and Active Directory Federation Services (ADFS) gateway components. This hybrid implementation is not specifically supported by Datto.
If you selected Azure...
If you selected Azure as the Active Directory Type, make sure you have completed the steps in Configuring AD for an organization in Azure. Retrieve the note that contains the IDs and Client secret you generated in Azure and paste them into the page as follows:
Azure Field | Autotask Field Name | Description |
---|---|---|
Application (client) ID | Client ID | This identifies the application that allows Autotask to communicate with Azure AD. |
Directory (tenant) ID | Tenant | This uniquely identifies the customer whose users are being synchronized. |
Value (of Client secret) | Client Secret | This is the unique key that authenticates Autotask to the Active Directory. Click Edit to open the Edit Secret dialog window, and enter and confirm the secret value copied from Azure. Once configured, this field value is both encrypted at rest and obfuscated in Autotask. The value can be edited, but not viewed. |
Object ID | Group ID | This is the group of users that is synchronized with Autotask. |
If you selected LDAP...
If you selected LDAP as the Active Directory Type, you must populate the following fields:
Field | Description |
---|---|
Inactivate Autotask Contacts after 30 days of non-login to AD | Select this check box if you would like to automatically inactivate Autotask contacts that have not logged into AD for 30 days. These users are inactivated in Autotask with the next sync. If you have rule-based billing enabled, this reduces the number of contacts the customer is paying for. |
Host | LDAP Server DNS Registered Host Name. <hostname>.<domain> is the default. The address must resolve to an IP that the Autotask service can make calls to. You must open your firewall (see Port, below). Refer to LDAP Requirements. |
Port | The port number the AD server listens on for synchronization requests. 636 is the default port for LDAPS (LDAP over SSL). SSL is required. IMPORTANT Non-secure access over port 389 is now prevented. |
User DN | The distinguished name of the user whose credentials are used to authenticate to the Active Directory. The Active Directory user account can be a normal user account and does not require any special elevated rights to run queries against Active Directory. |
Password | The password of the user. |
Base of Search | The typical format of the search base is cn=users,dc=<domain component>,dc=<domain component>. Example: cn=users,dc=aeit,dc=com searches for users that share the aeit.com domain, that is, belong to the same organization. This is important, because all selected users will be synced with the Autotask organization you are configuring the AD sync for. |
Search Filter | The search filter is used to restrict the number of users who will be synchronized. The search takes advantage of objectClass attributes. For example, if your users have two objectClass values (one equal to "person" and another to "user"), this is how you would search for them: (&(objectClass=person)(objectClass=user)). Notice the ampersand symbol "&" at the start. Translated, this means: search for objectClass=person AND objectClass=user. A pipe symbol "|" denotes OR: search for objectClass=person OR objectClass=user. The filter (&(objectClass=user)(memberof=CN=psa contact,cn=Users,DC=attest,DC=local)) translates to: search for objects with objectClass=user that are members of the group CN=psa contact,cn=Users,DC=attest,DC=local, within the search base defined above. |
SSL Certificate | Since Autotask uses LDAPS (LDAP over SSL), an SSL certificate is required. A self-signed SSL certificate is sufficient. For more information, refer to How to enable LDAP over SSL with a third-party certification authority. NOTE Uploading a file that does not have a .cer extension will return an invalid file type validation error. Uploading a .cer file that is invalid (junk file or expired certificate) will return an alert dialog stating that the SSL Certificate is invalid. |
Remove SSL | If your SSL certificate is expired and you would like to upload a new one, click Remove SSL. This allows you to upload the new one. |
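The Base of Search and Search Filter fields together decide which directory objects become Autotask contacts, so it is worth checking a filter against representative entries before saving. The following evaluator is an added example, not Autotask code: it parses the RFC 4515 filter subset used above (equality, presence `*`, and the `&`, `|` and `!` operators), applies subtree scoping against a base DN, and runs both filters from the table over a constructed sample directory (the entries, DNs and group names are made up for the example).

```python
"""Evaluate LDAP search filters plus a Base of Search against sample directory
entries. Added illustration, not Autotask code. The entries below are constructed;
the evaluator supports equality, presence ('*') and the &, | and ! operators."""
from dataclasses import dataclass


@dataclass
class Entry:
    dn: str
    attrs: dict  # attribute name -> list of values (LDAP attributes are multivalued)


def parse_filter(text: str):
    """Parse a filter into a tuple tree:
    ('&', [subs]) / ('|', [subs]) / ('!', sub) / ('=', attr, value) / ('present', attr).
    Values containing ')' would need RFC 4515 escaping (\\29); not handled here."""

    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if i >= len(text):
            raise ValueError("unterminated filter")
        op = text[i]
        if op in "&|":
            subs = []
            i += 1
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                subs.append(node)
            if not subs:
                raise ValueError("empty filter list")
            node = (op, subs)
        elif op == "!":
            node, i = parse(i + 1)
            node = ("!", node)
        else:
            end = text.index(")", i)          # raises ValueError if no ')' follows
            attr, sep, value = text[i:end].partition("=")
            if not attr or not sep:
                raise ValueError(f"bad filter item {text[i:end]!r}")
            node = ("present", attr) if value == "*" else ("=", attr, value)
            i = end
        if i >= len(text) or text[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return node, i + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("unexpected text after closing parenthesis")
    return node


def values_of(entry: Entry, attr: str):
    """Attribute names are case-insensitive in LDAP (memberOf == memberof)."""
    return [v for k, vs in entry.attrs.items() if k.lower() == attr.lower() for v in vs]


def matches(entry: Entry, node) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(entry, s) for s in node[1])
    if kind == "|":
        return any(matches(entry, s) for s in node[1])
    if kind == "!":
        return not matches(entry, node[1])
    vals = values_of(entry, node[1])
    if kind == "present":
        return bool(vals)
    # Active Directory compares DNs and most string attributes case-insensitively.
    return any(v.lower() == node[2].lower() for v in vals)


def in_search_base(dn: str, base: str) -> bool:
    """Subtree scope: the entry's DN must end with the Base of Search components."""
    dn_parts = [p.strip().lower() for p in dn.split(",")]
    base_parts = [p.strip().lower() for p in base.split(",")]
    return len(dn_parts) >= len(base_parts) and dn_parts[-len(base_parts):] == base_parts


def select_users(entries, base: str, filter_text: str):
    """Return the DNs a sync with this Base of Search and Search Filter would pick up."""
    node = parse_filter(filter_text)
    return [e.dn for e in entries if in_search_base(e.dn, base) and matches(e, node)]


# Constructed sample directory: a staff user, a service account and a computer object.
# Computer objects also carry objectClass person/user, which is why a filter that
# only tests objectClass can over-select without a tight base or group condition.
PERSON_USER = ["top", "person", "organizationalPerson", "user"]
SAMPLE_ENTRIES = [
    Entry("CN=Suzanne Lang,CN=Users,DC=attest,DC=local",
          {"objectClass": PERSON_USER, "mail": ["slang@attest.local"],
           "memberOf": ["CN=psa contact,CN=Users,DC=attest,DC=local"]}),
    Entry("CN=svc-backup,CN=Users,DC=attest,DC=local",
          {"objectClass": PERSON_USER,
           "memberOf": ["CN=Backup Operators,CN=Builtin,DC=attest,DC=local"]}),
    Entry("CN=PRINTSRV01,CN=Computers,DC=attest,DC=local",
          {"objectClass": PERSON_USER + ["computer"]}),
]

BASE = "cn=users,dc=attest,dc=local"
BROAD = "(&(objectClass=person)(objectClass=user))"
GROUP_SCOPED = "(&(objectClass=user)(memberof=CN=psa contact,cn=Users,DC=attest,DC=local))"

if __name__ == "__main__":
    print("broad filter       :", select_users(SAMPLE_ENTRIES, BASE, BROAD))
    print("group-scoped filter:", select_users(SAMPLE_ENTRIES, BASE, GROUP_SCOPED))
```

With the sample data, the broad objectClass filter pulls in the service account alongside the staff user (the computer object is kept out only by the Base of Search), while the memberof filter returns just the member of the dedicated contact group. That difference is the reason to scope the filter to a group: it keeps non-person accounts out of the customer's contact list and, under rule-based billing, out of the contact count.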
Contact Sync Fields
In the Contact Sync Fields section, you specify the contact fields that will be synced from AD to Autotask. These settings are organization-specific.
- First Name and Last Name must be synced.
- All other fields are selected by default, but can be cleared.
IMPORTANT Middle Name and Alternate Phone are not available when syncing from Azure. Blank fields in Active Directory will overwrite fields in Autotask and remove any existing information. Do not select fields that are not populated in AD!
Billing
If you bill this customer by the number of supported contacts and want to automatically assign a Contact Billing Product to any newly synced contacts, select one from the drop-down list. For more information on rule-based billing, refer to Billing by the contact or device.
Connection Test
To test the connection to the AD server, click Test Connection. If Autotask is able to connect to the Active Directory, you will see a message that the test was successful, and a sample of users will be displayed in the table below.
- Click Save. Up to 400,000 contacts can be synced, 500 at a time.
If the connection is successful, the status column on the list view displays a green dot; if it failed, a red dot with an x.
NOTE Even if the connection is successful, you may have mapping conflicts for specific users. These are addressed on the AD Users tab. Refer to AD Users tab.
Once the first synchronization is completed, all of the Active Directory users that match the settings you configured in Azure or LDAP and were brought into Autotask are displayed on the AD Users tab.
- If there were no existing contact records for the organization, the synced contacts are created in Autotask and are automatically mapped to the correct AD users.
- If some or all of the AD users already existed as organization contacts in Autotask, they are mapped according to the rules described in Mapping steps in priority order.
Mapping AD users to Autotask contacts may result in mapping conflicts. Refer to Conflict Cases. You can manually resolve mapping conflicts on this page. Refer to Finding and resolving mapping conflicts.
You can force a sync any time, for example, if you have added a number of users to the Active Directory.
- At the top of the AD Users tab of the Active Directory (AD) Sync - Add New Sync page, click Force Sync.
- Select Force Sync from the context menu of the Active Directory (AD) Sync page.
The next sync always happens 24 hours after the last one (see date/time stamp right below the button). Just be aware that the next sync will now happen 24 hours after the forced sync.
The user table can be filtered on any displayed column. To locate mapping conflicts, use the Status filter. The following statuses are available:
Name | Description |
---|---|
[blank] | No filter is applied and all synced records are displayed. |
Mapped | Displays AD users who are matched to a unique Autotask contact. Any conflicts were manually resolved, and any duplicates were set to Ignored. |
Unmapped | Users appear as Unmapped if: |
Ignored | This status is always manually applied to a user. Ignored users will remain unmapped, but will not count as conflicts. Example: You may have an "IT User" in your AD database that you don't want to map to an Autotask contact. |
On the Inactive tab, we list AD users who were synced to Autotask but are inactive for one reason or another.
Users can be inactive for the following reasons:
Reason | Description |
---|---|
Not enabled | The user is currently inactive in AD, but belongs to the group that was synced to Autotask. |
30 Days Inactive | The user has not logged into AD in 30+ days and the account was automatically made inactive. This setting is only available for AD type "LDAP". |
Deleted | The user is no longer synced from Active Directory, either because they are no longer a member of the group or because they are no longer in Active Directory. The Date Inactivated column shows the time stamp of the first sync in which the user appears as inactive. |
To search for a specific user, use the filter row below the column headers.
Because the sync is one way from AD to Autotask, AD users cannot be reactivated in Autotask. If an AD sync does not include a specific user, the user is assigned a status of Deleted in Autotask. If that user, or one with the same email address, is added in AD, this AD user is synced to Autotask with a new external ID. The Autotask contact is reactivated.
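The three Inactive reasons above, together with the LDAP-only 30-day checkbox from the Setup tab, amount to a small classification rule run on each sync. The code below is an added example that is not Autotask code; it assumes the sync reads the userAccountControl and lastLogonTimestamp attributes from AD (Autotask's actual attribute choice is not stated on this page), and the accounts, DNs and sync date are constructed.

```python
"""Classify accounts into the Inactive tab reasons described above (Not enabled,
30 Days Inactive, Deleted). Added illustration, not Autotask code. It assumes the
sync reads userAccountControl and lastLogonTimestamp; all sample data is constructed."""
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002   # userAccountControl bit set on a disabled account
NORMAL_ACCOUNT = 0x0200   # userAccountControl bit for an ordinary user account
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INACTIVITY_DAYS = 30


def filetime_to_datetime(ft: int):
    """lastLogonTimestamp is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
    A value of 0 means the account has never logged on."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; integer arithmetic keeps it exact."""
    td = dt - FILETIME_EPOCH
    micros = (td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds
    return micros * 10


def is_stale(last_logon_ft: int, now: datetime) -> bool:
    """True when the last AD logon is older than INACTIVITY_DAYS.
    An account that has never logged on is treated as stale here."""
    last = filetime_to_datetime(last_logon_ft)
    return last is None or now - last > timedelta(days=INACTIVITY_DAYS)


def classify_sync(previous_dns, current_users, now, inactivate_after_30_days):
    """previous_dns: DNs brought in by earlier syncs.
    current_users: dicts {dn, userAccountControl, lastLogonTimestamp} returned by this sync.
    Returns {dn: 'Active' | 'Not enabled' | '30 Days Inactive' | 'Deleted'}."""
    current = {u["dn"]: u for u in current_users}
    result = {}
    # Deleted: previously synced users the search no longer returns
    # (left the synced group, or removed from AD altogether).
    for dn in previous_dns:
        if dn not in current:
            result[dn] = "Deleted"
    for dn, u in current.items():
        if u["userAccountControl"] & ACCOUNTDISABLE:
            result[dn] = "Not enabled"          # still in the group, but disabled in AD
        elif inactivate_after_30_days and is_stale(u["lastLogonTimestamp"], now):
            result[dn] = "30 Days Inactive"     # LDAP-only rule from the Setup tab
        else:
            result[dn] = "Active"
    return result


# Constructed sample sync: the date and every account below are made up.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
USERS = "CN=Users,DC=attest,DC=local"
PREVIOUS = [f"CN=Suzanne Lang,{USERS}", f"CN=svc-backup,{USERS}",
            f"CN=Bob Idle,{USERS}", f"CN=Alice Left,{USERS}"]
CURRENT = [
    {"dn": f"CN=Suzanne Lang,{USERS}", "userAccountControl": NORMAL_ACCOUNT,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=3))},
    {"dn": f"CN=svc-backup,{USERS}", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=1))},
    {"dn": f"CN=Bob Idle,{USERS}", "userAccountControl": NORMAL_ACCOUNT,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=45))},
]

if __name__ == "__main__":
    for dn, status in classify_sync(PREVIOUS, CURRENT, NOW, True).items():
        print(f"{status:17} {dn}")
```

One caveat for anyone relying on the 30-day rule: lastLogonTimestamp is the replicated attribute and by default is only refreshed when the stored value is more than 9 to 14 days old, so it is an approximation of the true last logon. A 30-day threshold is coarse enough to tolerate that lag; a much shorter threshold would not be.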
On the Notification tab, you select who will receive an email when synchronization fails or errors occur.
- Errors are generated when AD users cannot be uniquely mapped to Autotask contacts. Refer to Conflict Cases.
- For LDAP integrations, error messages will also be generated when the SSL Certificate has expired or will be expiring within 30 days.
Field | Description |
---|---|
Resource | A resource is a user at your company who has an Autotask login. Employees, consultants, or contractors must be set up as an Autotask resource if they do one of the following: Resources are selected or referenced on many Autotask entities. They may be associated with an entity even if they are not displayed on the UI. The First Name, Last Name, and Middle Name components of a resource name are displayed either in sort order (Lang, Suzanne M.) or narrative order (Suzanne M. Lang). |
Other Email(s) | This field appears in the Notification section of Autotask entities. It lets you send notification emails to recipients whose email is not stored in Autotask, because they are neither a customer contact nor an internal resource. On some forms, there are multiple Other Email(s) fields to allow you to distinguish between To:, CC:, and BCC: recipients. Enter the full email address for each recipient. Separate multiple email addresses with a semicolon. |