---
title: Configuring one way synchronization from Active Directory to PingDirectory
description: Configure a one-way Sync Pipe with the Active Directory (AD) topology as the sync source and a PingDirectory server topology as the Sync Destination.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdatasync_server_administration_guide:pd_sync_configure_sync_pipe_ad
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdatasync_server_administration_guide/pd_sync_configure_sync_pipe_ad.html
revdate: September 13, 2023
page_aliases: ["pd_sync_ad_with_pd.adoc"]
section_ids:
  about-this-task: About this task
  steps: Steps
  result: Result:
  sync_ad_pd: Synchronizing Active Directory with PingDirectory
  modifies-as-creates: modifies-as-creates
---

# Configuring one way synchronization from Active Directory to PingDirectory

Configure a one-way Sync Pipe with the Active Directory (AD) topology as the sync source and a PingDirectory server topology as the Sync Destination.

## About this task

Syncing from AD-LDS to PingDirectory is supported for all features except password syncing.

**Note:** If you are syncing the `lockoutTime`, `userAccountControl & (ACCOUNTDISABLE == 2)`, or `pwdLastSet` AD attributes, or the AD-LDS `ms-DS-User-Account-Disabled` attribute, see [Synchronizing Active Directory with PingDirectory](#sync_ad_pd).

**Note:** The Password Sync Agent cannot be pointed at multiple domain clusters.

## Steps

1. From the `server-root` directory, start PingDataSync.

   ```shell
   $ <server-root>/bin/start-server
   ```

2. To set up the initial synchronization topology, run the `create-sync-pipe-config` tool.

   ```shell
   $ bin/create-sync-pipe-config
   ```

3. In the **Create Initial Synchronization Configuration** menu, press Enter to continue the configuration.

4. In the **Synchronization Mode** menu, press Enter to accept the default option `1` for `Standard mode`.

5. In the **Synchronization Direction** menu, press Enter to accept the default option `1` for `One way`.

6. In the **Source Endpoint Type** menu, enter option `7` for `Microsoft Active Directory`.

7. In the **Source Endpoint Name** menu, enter a name for the Microsoft AD source server, or press Enter to accept the default value of `Microsoft Active Directory Source`.

8. In the ***\<Source Server>* Server Security** menu, press Enter to accept the default option `1` for `SSL` security.

9. In the ***\<Source Server>* Servers** menu, enter the host name and listener port for Lightweight Directory Access Protocol (LDAP) communication with the source server in the format of `<host name>:<port number>` and press Enter.

   The PingDataSync server attempts a connection to the AD source server. After adding the first server, you can add additional servers for the source endpoint; they are prioritized below the first server.

10. When you have finished adding servers, press Enter to continue to the next configuration step.

11. In the **Synchronization User Account for *\<Source Server>*** menu, enter a user account distinguished name (DN) for the source servers, or press Enter to accept the default value.

    The account is used exclusively by the PingDataSync server to communicate with the source external servers.

12. Enter a password for the synchronization user account and press Enter.

    **Note:** The User Account DN password must meet the minimum password requirements for AD domains.

13. In the **Destination Endpoint Type** menu, press Enter to select the default option `1` for `Ping Identity Directory Server`.

14. In the **Destination Endpoint Name** menu, enter a name for your destination endpoint, or press Enter to select the default value, `Ping Identity Directory Server Destination`.

15. In the **Base DNs for *\<Endpoint Server>*** menu, enter a base DN where synchronized entries can be found in your endpoint server, or press Enter to accept the default value.

    After your initial entry, you can add additional base DNs by following the prompts.

16. When you have finished entering base DNs for synchronized entries, press Enter to continue the configuration.

17. In the ***\<Endpoint Server>* Server Security** menu, enter the option for the type of security that the Sync Server will use in communication with the endpoint server and press Enter.

18. In the ***\<Endpoint Server>* Servers** menu, enter the host name and port for LDAP communication in the format of `<host name>:<port number>` and press Enter.

    The PingDataSync server attempts a connection to the destination PingDirectory server endpoint. After adding the first server, you can add additional servers for the destination endpoints that will be prioritized below the first server.

19. When you have finished adding servers, press Enter to continue to the next configuration step.

20. In the **Synchronization User Account for *\<Endpoint Server>*** menu, enter a DN for the synchronization user account that will be used in communication with external servers, or press Enter to accept the default value, `cn=Sync User,cn=Root DNs,cn=config`.

21. Enter a password for the synchronization user account and press Enter.

22. In the **Prepare Server *\<Source Server>*** menu, press Enter to accept the default option `1` for `Yes` to prepare the source server for synchronization.

23. In the **Prepare Server *\<Endpoint Server>*** menu, press Enter to accept the default option `1` for `Yes` to prepare the endpoint server for synchronization.

24. In the **Sync Pipe Name** menu, enter a name for the Sync Pipe from the source server (AD) to the endpoint server (PingDirectory server), or press Enter to select the default value, `Microsoft_Active_Directory_Source_to_Ping_Identity_Directory_Server_Destination`.

25. In the **Pre-configured Sync Class Configuration for Active Directory Sync Source** menu, follow the prompts to create the basic sync classes and attribute mappings needed to synchronize user accounts, user passwords, and groups from AD.

    1. To synchronize user `Create`, `Modify`, and `Delete` operations from AD, follow the prompts.

    2. Enter the object class for user entries at the endpoint, or press Enter to accept the default value, `inetOrgPerson`.

    3. To configure which password policy state attributes to synchronize, follow the prompts.

       For more information on the AD to PingDirectory password policy state attribute mappings, see [Synchronizing Active Directory with PingDirectory](#sync_ad_pd).

       **Note:** For the referenced password policy state attributes, AD is treated as the authoritative source, because synchronization from PingDirectory to AD is not supported for those attributes.

       **Note:** The password policy in PingDirectory must match the password policy in AD. For example, the `lockout-failure-count` in PingDirectory must match the account lockout threshold in AD.

    4. To create a DN map for users in the sync pipe, enter `yes` and press Enter. To not create a DN map, press Enter to accept the default option, `no`.

    5. Review the list of basic mappings set up for synchronized user entries and follow the prompts to add any additional attribute mappings. Press Enter to continue.

    6. To synchronize group `Create`, `Modify`, and `Delete` operations from AD, follow the prompts.

26. In the **Sync Pipe Sync Class Definitions** menu, either press Enter to accept the `Microsoft Active Directory Source Users Sync Class`, or enter a value and press Enter to create a new sync class name.

27. Review the **Configuration Summary** and press Enter to write the configuration file as displayed.

    ### Result:

    The server writes the configuration file to a `dsconfig` batch file.

28. To apply the configuration changes to the local PingDataSync server, press Enter. (If you don't want to apply the changes, enter `no` and press Enter.)

## Synchronizing Active Directory with PingDirectory

When you use the `create-sync-pipe-config` tool to configure AD or AD-LDS as a one-way sync with PingDirectory, three AD password policy state attributes require user input to map to a corresponding PingDirectory attribute.

The following table shows these three attributes, the intermediate attribute that PingDataSync forms from the AD (or AD-LDS) value, the PingDirectory attribute it maps to, and the password policy state extended operation type that the PingDirectory server uses to apply the change.

| AD and AD-LDS attribute | Intermediate attribute | PingDirectory attribute | PasswordPolicyStateOperation opType |
| --- | --- | --- | --- |
| `lockoutTime` | `pwdAccountLockedTimeFromAD` | `pwdAccountLockedTime` | `OP_TYPE_SET_AUTH_FAILURE_TIMES` |
| `userAccountControl & (ACCOUNTDISABLE == 2)` (in AD-LDS, the corresponding attribute is `ms-DS-User-Account-Disabled`) | `ds-pwp-account-disabled-from-ad` | `ds-pwp-account-disabled` | `OP_TYPE_SET_ACCOUNT_DISABLED_STATE` |
| `pwdLastSet` | `pwdChangedTimeFromAD` | `pwdChangedTime` | `OP_TYPE_SET_PW_CHANGED_TIME` |

**Note:** Intermediate attributes exist only in memory on the PingDataSync server, where they are consumed by attribute mappings. They are not stored on either the AD server or the PingDirectory server.
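To make the table concrete, the following Python model of the mapping is an added illustration written for this page, not PingDataSync's own code. It converts the AD FILETIME values behind `lockoutTime` and `pwdLastSet` to LDAP GeneralizedTime, tests the `ACCOUNTDISABLE` bit of `userAccountControl` (or the AD-LDS `ms-DS-User-Account-Disabled` boolean), and returns the intermediate values beside the PingDirectory attributes they feed. The function names, the two sample entries, and the treatment of a FILETIME of `0` as "unset" are assumptions of the example.

```python
"""Model of the AD -> PingDirectory password-policy-state mapping from the table.

Added illustration, not PingDataSync code. The attribute names are the ones in
the table; function names, sample entries and the "0 means unset" rule (AD's
convention for both lockoutTime and pwdLastSet) are assumptions of this example.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

ACCOUNTDISABLE = 0x2  # the userAccountControl bit the mapping tests
# AD stores lockoutTime and pwdLastSet as FILETIME: 100-ns ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_generalized_time(value: str) -> Optional[str]:
    """Convert a FILETIME string to LDAP GeneralizedTime (yyyyMMddHHmmss.SSSZ).

    AD uses 0 for "not set" (not locked out / password never set), so 0 maps to
    None rather than to a timestamp in the year 1601.
    """
    ticks = int(value)
    if ticks <= 0:
        return None
    when = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    return when.strftime("%Y%m%d%H%M%S") + ".%03dZ" % (when.microsecond // 1000)


def account_disabled(ad_entry: dict) -> bool:
    """AD: bit 0x2 of userAccountControl. AD-LDS: the ms-DS-User-Account-Disabled boolean."""
    if "ms-DS-User-Account-Disabled" in ad_entry:
        return ad_entry["ms-DS-User-Account-Disabled"].upper() == "TRUE"
    return bool(int(ad_entry.get("userAccountControl", "0")) & ACCOUNTDISABLE)


def map_password_policy_state(ad_entry: dict) -> dict:
    """Derive the three intermediate attributes from the table, then the
    PingDirectory attributes they feed. Both are returned so the flow is visible."""
    intermediate = {
        "pwdAccountLockedTimeFromAD": filetime_to_generalized_time(ad_entry.get("lockoutTime", "0")),
        "ds-pwp-account-disabled-from-ad": account_disabled(ad_entry),
        "pwdChangedTimeFromAD": filetime_to_generalized_time(ad_entry.get("pwdLastSet", "0")),
    }
    destination = {
        # ds-pwp-account-disabled is a boolean operational attribute on PingDirectory
        "ds-pwp-account-disabled": "true" if intermediate["ds-pwp-account-disabled-from-ad"] else "false",
    }
    if intermediate["pwdAccountLockedTimeFromAD"] is not None:
        destination["pwdAccountLockedTime"] = intermediate["pwdAccountLockedTimeFromAD"]
    if intermediate["pwdChangedTimeFromAD"] is not None:
        destination["pwdChangedTime"] = intermediate["pwdChangedTimeFromAD"]
    return {"intermediate": intermediate, "destination": destination}


# Constructed sample entries (not real directory data). 116444736000000000 is the
# FILETIME for 1970-01-01T00:00:00Z; one day is 864000000000 ticks.
LOCKED_DISABLED_USER = {
    "sAMAccountName": "jdoe",
    "userAccountControl": str(0x200 | ACCOUNTDISABLE),  # NORMAL_ACCOUNT | ACCOUNTDISABLE
    "lockoutTime": "116445600000000000",                # 1970-01-02T00:00:00Z
    "pwdLastSet": "116444736000000000",                 # 1970-01-01T00:00:00Z
}
CLEAN_ADLDS_USER = {
    "sAMAccountName": "asmith",
    "ms-DS-User-Account-Disabled": "FALSE",
    "lockoutTime": "0",  # never locked out
    "pwdLastSet": "0",   # AD convention: password must be changed at next logon
}

if __name__ == "__main__":
    for entry in (LOCKED_DISABLED_USER, CLEAN_ADLDS_USER):
        print(entry["sAMAccountName"], map_password_policy_state(entry)["destination"])
```

Two points the model makes visible. First, a FILETIME of `0` must not be mapped to a 1601 timestamp, or an account that was never locked would arrive at PingDirectory with a stale `pwdAccountLockedTime`. Second, the opType listed for `lockoutTime` is `OP_TYPE_SET_AUTH_FAILURE_TIMES`, so the lockout reaches PingDirectory as recorded authentication failures rather than as a literal locked time; that is consistent with the earlier note that `lockout-failure-count` in PingDirectory must match the AD account lockout threshold, since a mismatch changes whether those failures amount to a lockout.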

### `modifies-as-creates`

By default, the `modifies-as-creates` sync class property is set to `false`.

Active Directory attributes might not be synchronized as expected when all of the following are true:

* You are using the `realtime-sync` tool.

* The `modifies-as-creates` sync class property is set to `true`.

* A modification is detected on the source endpoint for an entry that does not exist on the destination endpoint.

* The modification is to attributes other than the three AD password policy state attributes previously mentioned.

To avoid this known issue, you can run the `resync` tool instead of the `realtime-sync` tool. Using `resync` will correctly copy all attributes. For more information, see [The `resync` command](pd_sync_resync_tool.html).
