---
title: Overview of configuration tasks
description: PingDataSync supports bidirectional synchronization between PingDirectory and Active Directory (AD). This topic describes the required configuration tasks for synchronizing changes to AD systems.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdatasync_server_administration_guide:pd_sync_overview_config_tasks
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdatasync_server_administration_guide/pd_sync_overview_config_tasks.html
revdate: September 13, 2023
---

# Overview of configuration tasks

PingDataSync supports bidirectional synchronization between PingDirectory and Active Directory (AD). This topic describes the required configuration tasks for synchronizing changes to AD systems.

You can find an example configuration in the `<server-root>/config/sample-dsconfig-batch-files/reference-bidirectional-sync-activedirectory-pingdirectory.dsconfig` file.

* Enable SSL connections

  If you are synchronizing passwords between systems, you must enable SSL on the AD domain controller so that PingDataSync can securely propagate the `cn=Sync User` account password (and other user passwords) to the target.

* Run the `create-sync-pipe-config` tool

  On the PingDataSync server, use the `create-sync-pipe-config` tool to configure the sync pipes to communicate with the AD source or target.

* Configure outbound password synchronization on a PingDirectory server sync source

  After running the `create-sync-pipe-config` tool, determine if outbound password synchronization from a PingDirectory server sync source is required. If so, enable the Password Encryption component on all PingDirectory server sources that receive password modifications.

  The PingDirectory server uses the Password Encryption component to intercept password modifications and add an encrypted attribute, `ds-changelog-encrypted-password`, to the changelog entry. The component enables passwords to be synchronized securely to the AD system, which uses a different password storage scheme. The encrypted attribute appears in the changelog and gets synchronized to the other servers, but doesn't appear in the entries.

* Configure outbound password synchronization on an AD sync source

  After running the `create-sync-pipe-config` tool, determine if outbound password synchronization from an AD sync source is required. If so, install the Password Sync Agent (PSA) after configuring PingDataSync. The PSA can't be pointed at multiple domain clusters.

* Run the `realtime-sync set-startpoint` tool

  The `realtime-sync set-startpoint` tool can take several minutes to run, because it must issue repeated searches of the AD domain controller until it has paged through all the changes and received an up-to-date cookie.

  If the PSA is down for any length of time and misses a password change, these changes won't be synced on recovery without either a new password change for the entry or the use of pass-through authentication.
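
For the "Enable SSL connections" task above, one way to check a dsconfig batch file before applying it is to replay its external-server commands and list every AD server that would not connect over SSL. This is an added example, not Ping Identity's code. The batch text is constructed, and the `active-directory` and `ping-identity-ds` type names, the `connection-security` property, and the treatment of an unset value as `none` are assumptions to verify against the sample file named above.

```python
import shlex

# Constructed sample, not copied from the shipped sample file. Assumed dsconfig
# names: types active-directory / ping-identity-ds, property connection-security.
SAMPLE_BATCH = r'''
dsconfig create-external-server --server-name "AD DC 1" --type active-directory \
    --set server-host-name:dc1.example.com --set connection-security:ssl
dsconfig create-external-server --server-name "AD DC 2" --type active-directory \
    --set server-host-name:dc2.example.com --set server-port:389
dsconfig create-external-server --server-name "AD DC 3" --type active-directory \
    --set server-host-name:dc3.example.com --set connection-security:ssl
# a later command downgrades a server created above
dsconfig set-external-server-prop --server-name "AD DC 3" --set connection-security:none
dsconfig create-external-server --server-name "PD 1" --type ping-identity-ds --set server-port:389
'''

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and # comments."""
    buf = ""
    for line in map(str.strip, text.splitlines()):
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            yield buf + line
            buf = ""

def external_servers(text):
    """Replay the batch in order: {server name: {"type": ..., property: value}}."""
    servers = {}
    for argv in map(shlex.split, logical_lines(text)):
        if not {"create-external-server", "set-external-server-prop"} & set(argv):
            continue
        name, entry = None, {}
        for flag, value in zip(argv, argv[1:]):
            if flag == "--server-name":
                name = value
            elif flag == "--type":
                entry["type"] = value
            elif flag == "--set" and ":" in value:
                entry.update([value.split(":", 1)])  # "key:value" -> entry[key] = value
        servers.setdefault(name, {}).update(entry)
    return servers

def insecure_ad_servers(text):
    """AD external servers whose connection is not SSL (unset is treated as none)."""
    ad = {n: c for n, c in external_servers(text).items() if c.get("type") == "active-directory"}
    return sorted(n for n, c in ad.items() if c.get("connection-security", "none") != "ssl")
```

Calling `insecure_ad_servers()` on the text of a real batch file returns the server names to fix before password synchronization is turned on.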
