The Barracuda Active Directory Sync Tool can be installed either on an AD server or on a device that has direct access to the AD server. The tool periodically checks the domain controller for changed user and group information as well as group memberships.
Note that the tool supports nested groups within a single domain.
Before configuring the Barracuda Active Directory Sync Tool, make sure that your system meets the following requirements:
Local Installation – Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2 or 2016. Windows Server Core is not supported for local installation and monitoring. The Active Directory Sync Tool can, however, communicate with a domain controller that is running Windows Server Core. In this case, you could install the Active Directory Sync Tool on a server running Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, or 2016 and configure it to remotely monitor a domain controller that is running on a Windows Server Core machine.
Remote Installation – Microsoft Windows 2008 and higher. Also note that, for the remote installation of Active Directory Sync Tool, you MUST be a domain member to query the server.
How the Tool Works
The Active Directory Sync Tool discovers groups and users on a customer Active Directory (AD) server by starting queries from Base Distinguished Names (Base DN). With version 1.1 and above, the Base DN controls where the agent starts querying for users. All queries start at the base and retrieve all of the users or groups below that base name recursively. The simplest, and preferred, configuration for the Base DN values is shown below where both Base DN values are set to the Search Root of the domain:
The configuration application sets the two Base DN values to the "Search Root" of the domain that authenticated the user running the configuration application. The recommended configuration is for the Active Directory Sync Tool to run with a single profile with both the Group and User Base DN values set to the domain's Search Root.
There are separate values for the group and user Base DNs because some ADs have accumulated multiple organizational units (OUs) or high-level groups over time due to merger activity or AD upgrades. In such cases the obsolete users are isolated in a different Base DN than the currently active users, or the current users sit in a Base DN below the Search Root. Searching for users below the Search Root does work, but many of the important AD group objects are located directly under the Search Root. These groups include all of the Builtin groups, Administrators, Domain Administrators, Users, Guests, and Domain Users. Therefore, the tool needs a separate Group Base DN value. Barracuda STRONGLY recommends using the Search Root of the domain as the value for the Group Base DN. The tool tries not to configure groups that have no users.
Synchronization Time Frames
Full synchronization refers to the time frame for retrieving objects from Active Directory (AD). In a full synchronization, all configured AD objects are queried regardless of when they were last changed. Otherwise, the Active Directory Sync Tool queries only for AD objects changed since the most recent update. See below for this option.
The Active Directory Sync Tool queries every three hours.
Forcing Complete Synchronization
When setting up Active Directory Sync Tool the first time, some trial and error may be required. When adjusting the settings in the Active Directory Sync Tool relative to Active Directory (server, Base DN, etc.), it is important to establish a new baseline on the computer and, possibly, on the BCS Portal.
The Active Directory Sync Tool user interface has an option to re-send all data from AD to the BCS Portal. This option is on the profile screen (where the server name is set) and is turned off after a synchronization cycle. After adjusting an AD setting, Barracuda recommends checking the Full synchronization on Next Run box before the next run. If you do not want to wait for three hours, the Active Directory Sync Tool can be manually restarted from the service controller. The setting for Full Synchronization is on the main screen of the configuration tool:
Get and Install the Barracuda Active Directory Sync Tool for BCS
- Log into your BCS account.
- Go to the USERS page and click on Directory Sync Tool.
- Follow instructions on the page to download and install the tool and the configuration file on your computer.
- Run the Active Directory Sync Tool on your Windows machine.
Configuration with Multiple Base DNs
It is possible to configure multiple Base DN (even servers) within a single agent:
Use this technique to carefully pick which portions of the AD hierarchy will be synced. Barracuda strongly recommends configuring as many User Base DNs as needed, and always using the Search Root as the Group Base DN.
Base Distinguished Name from Powershell
The Base Distinguished Name on the configuration screen is the starting point for all LDAP queries made by the Barracuda Active Directory Sync Tool. In general, it should be set to the search root of the domain. The search root can be found with the following PowerShell procedure:
- Log on to a domain-connected computer as a domain administrator (this might work as a domain user, but I did not test).
- Start a Powershell command prompt.
- $adsisearcher = New-Object system.directoryservices.directorysearcher to create an Active Directory searcher object
- to verify that the object was created successfully
- to see the distinguished name
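The following script is an added example, not part of Barracuda's documentation or tool. It carries the procedure above through in PowerShell (create the searcher, confirm it exists, read the Search Root's distinguished name) and then checks the two points made earlier about Base DNs: that a candidate User Base DN actually lies below the Search Root, and that the Builtin and domain groups the tool relies on are found when the Group Base DN is the Search Root. It assumes a domain-joined Windows machine and a domain account; the OU name in $candidateUserBaseDN is a constructed placeholder.

```powershell
# Added example (not Barracuda's code). Assumes a domain-joined machine and a
# domain account; $candidateUserBaseDN is a constructed placeholder value.

# Step 1: create the searcher. With no SearchRoot set, it defaults to the root
# of the domain that authenticated the current user (the "Search Root").
$adsisearcher = New-Object System.DirectoryServices.DirectorySearcher

# Step 2: verify the object was created.
if ($null -eq $adsisearcher) { throw "Could not create the DirectorySearcher object" }

# Step 3: read the Search Root's distinguished name. This is the recommended
# value for the Group Base DN (and for the User Base DN in the simple setup).
$searchRoot = [string]$adsisearcher.SearchRoot.distinguishedName
Write-Host "Search Root (use as Group Base DN): $searchRoot"

# A User Base DN for an additional profile must sit below the Search Root;
# a query started elsewhere never reaches the intended users.
$candidateUserBaseDN = "OU=Staff,$searchRoot"   # constructed example value
if ($candidateUserBaseDN -notlike "*$searchRoot") {
    Write-Warning "$candidateUserBaseDN is not below the Search Root $searchRoot"
} else {
    Write-Host "User Base DN $candidateUserBaseDN is below the Search Root"
}

# Confirm that the groups the tool expects (Builtin Administrators, Users,
# Guests, plus Domain Admins and Domain Users) are reachable from the Search
# Root. "Domain Admins" is the AD object name of the Domain Administrators group.
$adsisearcher.Filter = "(&(objectCategory=group)(|(cn=Administrators)(cn=Users)(cn=Guests)(cn=Domain Admins)(cn=Domain Users)))"
$adsisearcher.PropertiesToLoad.Add("distinguishedName") | Out-Null
$results = $adsisearcher.FindAll()
foreach ($r in $results) {
    Write-Host ("Found group: " + $r.Properties["distinguishedname"][0])
}
if ($results.Count -lt 5) {
    Write-Warning "Only $($results.Count) of the 5 expected groups were found under $searchRoot"
}
$results.Dispose()
```

If the warning about missing groups appears, the Group Base DN in the profile is likely set to an OU rather than the Search Root, which is exactly the configuration Barracuda advises against.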
How to Uninstall the Barracuda Active Directory Sync Tool
Use the Add/Remove Programs or Programs and Features tool in the Windows Control Panel to uninstall the Barracuda Active Directory Sync Tool for BCS.