To configure synchronization with Active Directory (AD) systems, the following tasks are performed:

Enable SSL connections
If passwords are synchronized between systems, SSL must be enabled on the Active Directory domain controller so that PingDataSync can securely propagate the cn=Sync User account password and other user passwords to the target.
Run the create-sync-pipe-config tool
On the PingDataSync server, use the create-sync-pipe-config tool to configure the Sync Pipes to communicate with the Active Directory source or target.
Configure outbound password synchronization on a PingDirectory Server Sync Source
After running the create-sync-pipe-config tool, determine if outbound password synchronization from a PingDirectory server Sync Source is required. If so, enable the Password Encryption component on all PingDirectory server sources that receive password modifications. The PingDirectory server uses the Password Encryption component, analogous to the Password Sync Agent component, to intercept password modifications and add an encrypted attribute, ds-changelog-encrypted-password, to the changelog entry. The component enables passwords to be synchronized securely to the Active Directory system, which uses a different password storage scheme. The encrypted attribute appears in the changelog and is synchronized to the other servers, but does not appear in the entries.
Configure outbound password synchronization on an Active Directory Sync Source
After running the create-sync-pipe-config tool, determine if outbound password synchronization from an Active Directory Sync Source is required. If so, install the Password Sync Agent (PSA) after configuring PingDataSync.
Run the realtime-sync set-startpoint tool
The realtime-sync set-startpoint command can take several minutes to run, because it must issue repeated searches of the Active Directory domain controller until it has paged through all the changes and has received a cookie that is up to date.
Note: The Password Sync Agent cannot be pointed at multiple domain clusters.
Note: If the Password Sync Agent is down for any length of time and misses a password change, that change is not synced on recovery unless the entry receives a new password change or pass-through authentication is used.
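
The following is an added example, not part of the PingDataSync documentation or tooling. After a Password Sync Agent outage, it lists the Active Directory accounts whose most recent password change fell inside the outage window, which are the entries that stay unsynchronized until the next password change or pass-through authentication. It assumes an export of each entry's DN and pwdLastSet attribute and a known outage window; the DNs and timestamps shown are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    """Convert an AD pwdLastSet value to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)

def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed samples."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def missed_password_changes(entries, outage_start, outage_end):
    """Split entries into (missed, review) lists of DNs.

    missed: latest password change happened while the agent was down.
    review: pwdLastSet is 0 ("must change at next logon"), so there is no
            timestamp to compare and the account needs a manual check.
    A later change made after recovery moves pwdLastSet past the window,
    so such an entry is correctly not reported.
    """
    missed, review = [], []
    for dn, pwd_last_set in entries:
        ticks = int(pwd_last_set)
        if ticks == 0:
            review.append(dn)
        elif outage_start <= filetime_to_datetime(ticks) <= outage_end:
            missed.append(dn)
    return sorted(missed), sorted(review)

def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed sample data: one outage window and four exported entries.
OUTAGE_START = _utc(2024, 3, 1, 2, 0)
OUTAGE_END = _utc(2024, 3, 1, 6, 30)
SAMPLE = [
    ("CN=alice,CN=Users,DC=example,DC=com", datetime_to_filetime(_utc(2024, 3, 1, 4, 15))),
    ("CN=bob,CN=Users,DC=example,DC=com", datetime_to_filetime(_utc(2024, 2, 20, 9, 0))),
    ("CN=carol,CN=Users,DC=example,DC=com", 0),
    ("CN=dave,CN=Users,DC=example,DC=com", datetime_to_filetime(_utc(2024, 3, 2, 8, 0))),
]

if __name__ == "__main__":
    missed, review = missed_password_changes(SAMPLE, OUTAGE_START, OUTAGE_END)
    print("password change missed by agent:", missed)
    print("no timestamp, check manually:", review)
```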