CloudPanel ADSync is a tool that is used to sync attributes and passwords between a customer’s on-site domain controller(s) and your CloudPanel instance. The service will sync these attributes at custom time intervals which default to every 15 minutes but can be adjusted with registry changes.
Notice!
You do not run ADSync in your CloudPanel environment! This application goes on the customer's domain controller(s) to sync data back to your CloudPanel environment. Installing this tool is completely OPTIONAL and is only needed if you want to sync your customer's domain data (user attributes, passwords, etc) to your CloudPanel and visa vera.
¶ Requirements
- Your CloudPanel instance must be accessible over the internet and be secured with an SSL certificate
- At the current time the customer must have a static IP or at the very least a sticky IP since you have to specify their IP address in CloudPanel
- In order to match the users between CloudPanel and the customer’s domain controller, the MAIL attribute on the customer’s end must match a user’s email address in CloudPanel
¶ Install
CloudPanel ADSync was introduced in version 3.2.315.0 and provides a way for you to keep a customer’s on-site Active Directory Domain Controller in sync with your CloudPanel environment.
The current version of this sync utility can sync user attributes such as first name, last name, address, and even passwords.
¶ Prep CloudPanel
The first thing you must do is enable ADSync in CloudPanel for that customer. Once you go to the customer you will see a AD Sync link on the left side which will bring you to this page.
The API key is going to be used in the installer when you install the software on the client’s domain controllers. You must also provide the client’s public IP because ClouDPanel uses the API Key and the source IP to allow access.
Below are some of the options available:
- Sync precedence: This allows you to choose rather the data in CloudPanel is the accurate data or the local domain controller. Choosing the source will allow you to make sure that the destination is up to date with the data from the source.
- IP Addresses: This must be the public IP’s from the client’s network. You can enter multiple by providing a comma separated list
- Email Notifications: The email that will receive notifications about syncing issues
- Sync Options: Currently you can only update users but we will soon allow it to sync created and deleted users.
- Update Documentation Password: When a password is changed on the client domain controller, this will allow you to store this password in the Documentation section which will be encrypted in the database. This is NOT recommended.
Password synchronization is always two-way. If a user’s password is reset in the customer’s Active Directory or in CloudPanel, it will always sync to the other side. The sync precedence applies only to the attributes you select below. If you want to disable password syncing, uncheck "Update Passwords"
¶ Prep Customer Server(s)
In order to implement CloudPanel ADSync, you must first prep the customer domain controller:
- Make sure that the “Passwords must meet complexity requirements” policy setting is enabled in Group Policy
- Make sure the “Mail” field in the Active Directory user is populated. This is how the sync utility matches users in CloudPanel
Warning!
The sync service must be installed on every domain controller in the customer’s environment
During the install you must provide the URL to where your CloudPanel instance is installed, the company code for the company, the API key and choose to log Information, Warnings and Errors.
Company Codes
Starting with ADSync verison 1.0.71 you can now enter a comma separated list of company codes to have a single instance sync with multiple customers on CloudPanel.
¶ Customize Time Frames
The ADSync service will default to syncing attributes and passwords every 15 minutes, but this can be customized. Simply go to the registry settings with regedit and modify the timeframes and then restart the service. Keep in mind if the customer has multiple domain controllers, this will need to be done on each one.
¶ Registry Key Descriptions
- CPUsersInterval
Retrieves a list of users from CloudPanel and their attributes and syncs it with the local domain controller - ADUsersInterval
Retrieves a list of local users in Active Directory and their attributes to send them to CloudPanel - CPChangesInterval
Processes any password changes that happened in CloudPanel and changes the user’s password in the local domain controller. - ADChangesInterval
Processes any password changes that happened on the local domain controller and sends them to CloudPanel - DataProtectionUpdated
This is an advanced key to disable the updated encryption methods that CloudPanel started in 3.2.0355.0.
¶ Troubleshooting
It is recommended to use your RMM software to monitor that the CloudPanel Sync Service remains running. If the service stops, then data will not be synced between environments
The sync service on the customer side will log errors to the event viewer and changes that are made in CloudPanel will be logged in the audit trail which you can view on the company overview page.
¶ Passwords not being captured
If you have an issue with the password filter not working, you may need to check that the DLL actually loaded in the system after the reboot. To check that the DLL loaded, please go to System Information and check on the Loaded Modules. You should see a “pwdsyncfilter” listed:
¶ Service Will Not Start
Sometimes you can run into a situation where the service may not run on the domain controller. This could be caused by a couple of reasons:
- Incorrect information such as the wrong BaseURL was provided. This needs to be in the format of https://url-to-cloudpanel.tld/cloudpanel if you have CloudPanel in a virtual directory, otherwise https://url-to-cloudpanel.tld
- Did not provide a company code. During the install you should of provided a company code or a commas separated list of company codes. Make sure that there are no spaces between the company codes.
Another reason could be due to a repair done on the install. If a repair was done it could potentially replace the DWORD registry keys with strings. In order to resolve this, simply delete the REG_SZ keys and recreate them with DWORD values or uninstall and reinstall (not repair).