The admin may configure the AD connection to target a Domain Controller (DC mode) or a Global Catalog (GC mode).
From the web console UI (Administration > Settings > Active Directory and Compliance Settings):
From the AD sync tool:
Sync scope

DC Mode | GC Mode |
---|---|
Trusted Forest | Single Forest |

Use case

DC Mode | GC Mode |
---|---|
Suitable for most environments | Used when the admin only wants to sync a specific AD forest out of multiple cross-trusted AD forests |
Prerequisites:
- The admin needs to install and configure Microsoft Active Directory Certificate Services (ADCS) on a domain controller.
- To use an SSL connection, ensure that the Windows endpoint running the AD sync tool (SaaS) or the Apex Central server (on-premise) is either joined to the Active Directory domain or has the Active Directory certificate imported.
Steps:
- Use Microsoft Management Console (MMC) to export the Active Directory certificate as a .cer file from any domain-joined computer or server.
- Use MMC to import the Active Directory certificate on the Windows endpoint running the AD sync tool (SaaS) or on the Apex Central server (on-premise).
- Configure SSL for the Active Directory connection:
  - SaaS: in the AD sync tool
  - On-premise: in the web console UI (Administration > Settings > Active Directory and Compliance Settings)
- Perform the AD sync.
Ports used for LDAP/GC connection with SSL/non-SSL:
 | LDAP | GC |
---|---|---|
Non-SSL | TCP 389 | TCP 3268 |
SSL | TCP 636 | TCP 3269 |
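After the certificate has been imported, a practitioner usually wants to confirm two things before running the sync: that the SSL port for the chosen mode is reachable, and that the endpoint actually trusts the certificate the directory presents (the failure the import step is meant to prevent). The following PowerShell check is an added example, not part of this KB article or the AD sync tool; the server name is a placeholder and the ports are those listed in the table above.

```powershell
# Added example (not from the KB article): verify DC/GC SSL reachability and
# certificate trust from the endpoint that runs the AD sync tool / Apex Central.
param(
    [string]$Server = 'dc01.corp.example',            # placeholder DC or GC host
    [ValidateSet('DC', 'GC')][string]$Mode = 'DC'
)

# Ports from the KB article: LDAP 389/636, Global Catalog 3268/3269
$ports   = @{ DC = @{ Plain = 389; Ssl = 636 }; GC = @{ Plain = 3268; Ssl = 3269 } }
$sslPort = $ports[$Mode].Ssl

# 1. TCP reachability of the SSL port (firewall / routing check)
$tcp = Test-NetConnection -ComputerName $Server -Port $sslPort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Error "TCP $sslPort on $Server is not reachable; check firewall rules between endpoint and $Mode"
    return
}

# 2. TLS handshake validated against the local machine trust store. No callback
#    that bypasses validation is installed: AuthenticateAsClient throws when the
#    chain is untrusted, which is exactly what the 'import the AD certificate'
#    prerequisite is supposed to fix.
$client = [System.Net.Sockets.TcpClient]::new($Server, $sslPort)
$ssl    = $null
try {
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
    $ssl.AuthenticateAsClient($Server)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    [pscustomobject]@{
        Server   = $Server
        Mode     = $Mode
        Port     = $sslPort
        Protocol = $ssl.SslProtocol
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        NotAfter = $cert.NotAfter
        Trusted  = $true
    }
}
catch [System.Security.Authentication.AuthenticationException] {
    Write-Error "TLS handshake with $Server failed: $($_.Exception.Message). Import the AD CS certificate on this endpoint."
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Dispose()
}
```

Run it once per mode you intend to use (DC or GC); a trust failure here will reproduce as an SSL error in the sync tool, so fix it before enabling SSL in the console.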
For more details on what data the AD tool synchronizes, refer to the KB article: Data synchronized by the AD Sync Tool.
Sync specified Organizational Units (OU) from AD
- Since the Apex One as a Service September 2019 Update / Apex Central on-premise HF build 3964, syncing only specified OUs from AD is supported.
For the configuration details:
- On-premise: refer to %Apex Central installation folder%\ADSyncOUList.config
- SaaS (AD sync tool): refer to %Apex_Central_ADSyncAgent_folder%\ADSyncOUList.config