To set up Active Directory (AD) synchronisation you need to update the global settings to add in the user settings and restart the AD synchronisation Service.
This setting is the domain that your AD install is running on. We strongly recommend you use the pre Windows 2000 version of your domain or the short domain in this setting. So our AD domain is contensis.co.uk so our setting is set to Contensis.
This is the user name that will be used to read the AD listings and carry out the synchronisation. As this user needs read privileges in the domain, we would recommend this user not have an expiring password as the synchronisation might stop without notice.
This is simply the password for the user above.
This is the setting which dictates if users and groups that have been removed from AD should also be removed from Contensis. The only time this could be dangerous is if you delete all users from the synchronisation group and subsequently all users will be removed from Contensis.
Test the Synchronisation settings
The easiest way to test the synchronisation settings is to go onto the server and run the console version of the synchronisation tool. This tool can be found at ServiceInstallLocation\Contensis Directory Services Console.exe
Once the tool has run successfully you can log into Contensis to see the results of the synchronisation. If you wish to run this tool on a schedule (rather than using the normal scheduling through the user interface), you will need to add the command line argument /s to hide the initial confirmation message.
Schedule the synchronisation
This start time is here for when you are running the service only once a day for example. This is a semi-colon separated list of times the synchronisation service will run in a HH:MM format.
This setting quite simply sets whether the directory services tool is enabled or not.
Specify the AD user properties to update in Contensis
If the AD Update is turned on, the following properties are updated on the corresponding AD user record by default:
- Account Disabled
- Account Locked
- Email Address
- First Name
- Last Name
- Telephone Number
- Job Title
- Division (mapped to company name in Contensis)
Any of these fields can be excluded from the AD update by changing the value of the DirectoryServices_DisabledActiveDirectoryProperties_CMStoAD setting in Global Settings. The value of this setting is a bit field array but rendered as a decimal.
To set the value, refer to the following list:
- None = 0
- Account Disabled = 1
- Account Locked = 2
- Email Address = 4
- Title = 8
- First Name = 16
- Last Name = 32
- Telephone Number = 64
- Job Title = 128
- Department = 256
- Division = 512
- Password Never Expires = 1024
An example value of 192 => (64+128) would disable the update of the Job Title and Telephone Numbers.
Make changes to global settings
When any of the above global settings are changed in the CMS, you will need to:
- In the Management Console / Project Setup / Publishing Servers screen, click on CMS Config for the relevant publishing server, and then click Save and Publish. This will ensure that the global settings are updated on the publishing server.
- Restart the application pool for the relevant published website in IIS on the publishing server. This will ensure that any pages in the published website use the new global settings.
- Any users of the CMS will need to click Reset Application Cache (in the Management Console) for the new global settings to take effect on the CMS User Profile screen.