Active Directory synchronization

Overview

Users stored in the company's Active Directory (or any other LDAP server) can be synchronized to the Verba database. Synchronization is administered on the web interface under the Administration / Active Directory Synchronization menu item.

If you delete a user from your Active Directory, Verba won't delete the user from its database. Instead, the system invalidates that user. This way functions/calls are not "lost": for example, searching back for the user in the Users Call list is still available, and the name of the user is displayed in the call lists. Invalidating the user disables the user login by setting the Valid To field to the current date and time. Invalidated users have a symbol next to their name.

Synchronization Interval and Run Now Feature

A full synchronization process might take a long time (especially if there are many synchronized users), so in versions before Verba 9.1 it is scheduled to run once a day at 1 AM.

For testing purposes and urgent cases, the synchronization can be started on the web interface. After creating and saving your profile (see below) you can start the synchronization under Administration / Active Directory Synchronization / Run Each Active Directory Profile Now.

It is also possible to run the configured synchronization profiles individually. To do that, navigate to the Administration / Active Directory Synchronization menu, select the synchronization profile you want to run, then click on the Run this Active Directory Profile Now link. This method also runs the profile if the Automatic Rollback Threshold on Invalidated Users setting is reached.

Synchronization from Microsoft Entra ID (formerly Azure Active Directory)

AVAILABLE IN 9.3 AND LATER

Verba can be configured to synchronize users and extensions from Microsoft Entra ID instead. The prerequisite for this is registering Verba as a Connector App on the Microsoft side.

The Microsoft Entra ID Synchronization has some limitations:

  • Organizational Units are not available
  • Manager / Direct Reports are not available
  • Group names are not calculated from OU, instead, a property will be the name.

Differential synchronization

AVAILABLE IN 9.1 AND LATER

After the first full synchronization, Active Directory synchronization does differential user synchronization.

A typical full synchronization for 100K users takes ~10 hours.

With differential synchronization this time shortens significantly:

  • 100K users differential synchronization time when there is no change: ~1 minute
  • 100K users differential synchronization time when 1,000 users changed: ~2 minutes

In case of a change in the AD Synchronization profile, full synchronization is required. This can be done by setting the Highest USN setting to 0, then invoking a synchronization by clicking on the "Run this Active Directory Profile now" link.
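The watermark logic behind differential synchronization, together with the invalidate-instead-of-delete rule from the Overview, as an added Python illustration (not Verba code). It assumes the Highest USN setting tracks Active Directory's uSNChanged attribute; the records, field names and functions are constructed for the example.

```python
from datetime import datetime, timezone

# Constructed sample objects (not real data). Assumption: each object carries
# AD's uSNChanged, and a deleted object stays visible as a tombstone (isDeleted).
DIRECTORY = [
    {"id": "alice", "name": "Alice A.", "uSNChanged": 1200, "isDeleted": False},
    {"id": "bob", "name": "Bob B.", "uSNChanged": 1510, "isDeleted": True},
    {"id": "carol", "name": "Carol C.", "uSNChanged": 1505, "isDeleted": False},
]


def synchronize(directory, local_users, highest_usn, now):
    """Apply every object changed after highest_usn to local_users.

    Returns (new_highest_usn, processed_ids). highest_usn == 0 selects all
    objects, which is the full synchronization described above.
    """
    changed = sorted(
        (e for e in directory if e["uSNChanged"] > highest_usn),
        key=lambda e: e["uSNChanged"],
    )
    for entry in changed:
        user = local_users.get(entry["id"])
        if entry["isDeleted"]:
            # Invalidate, never delete: history stays searchable, login stops.
            if user is not None and user["valid_to"] is None:
                user["valid_to"] = now
        elif user is None:
            local_users[entry["id"]] = {"name": entry["name"], "valid_to": None}
        else:
            user["name"] = entry["name"]
    new_highest = changed[-1]["uSNChanged"] if changed else highest_usn
    return new_highest, [e["id"] for e in changed]


def can_log_in(user, now):
    """A user may log in only while Valid To is unset or still in the future."""
    return user["valid_to"] is None or now < user["valid_to"]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    local = {
        "alice": {"name": "Alice A.", "valid_to": None},
        "bob": {"name": "Bob B.", "valid_to": None},
    }
    usn, ids = synchronize(DIRECTORY, local, 1500, now)
    print(usn, ids, can_log_in(local["bob"], now))
```

With a stored watermark of 1500 only the two changed objects are processed; passing 0 walks all three, which is why resetting Highest USN forces a full run.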

Adding a new Active Directory Profile

Multiple Active Directory Profiles can be set up in Verba, so multiple AD servers or users with different privileges can be synchronized. The profiles are always executed in a configurable order, and each user is processed by only one Active Directory Profile, so users read by multiple profiles are processed by the profile with the smaller sequence.

Navigate to Administration / Active Directory Synchronization and select the Add new Active Directory Profile option on the top right corner of the page.

For the configuration guides, see:

For the full configuration reference, see: Active Directory Synchronization Configuration Reference

Modifying AD Synchronized Users

Modifications to the "New Users Properties" tab of the AD synchronized profiles won't affect the already synchronized users. The new settings will be applied only to the newly synchronized users. However, there are some ways to modify the already synchronized users in bulk:

  • Using the Bulk User and Extension Update.
  • Creating a new AD synchronization profile with the new attributes, and adding it to the base profile at the Profiles to be Merged setting. With this approach, only the addition to the attributes is possible.
  • Creating an additional New Users' Properties Rule, and adding it to the base profile at the Assign New Users' Properties Rules setting.

Export Options - Active Directory Synchronization Profiles 

The system allows users to export the list of configured Active Directory Profiles.

The RTF and PDF export options will export the list of configured Active Directory Profiles. Please note that these options will only display the visible column headers, as seen on the Find and List Active Directory Profiles screen.

AVAILABLE IN VERSION 9.6.13 OR LATER

The Excel export option will export all configured Active Directory profile values, including all configured values within the Active Directory Profile Configuration Screen.