Active Directory synchronization

Overview

Users stored in the company's Active Directory (or any other LDAP server) can be synchronized to the Verba database. Synchronization is administered on the web interface under the Administration / Active Directory Synchronization menu item.

If you delete a user from your Active Directory, Verba won't delete the user from its database. Instead, the system invalidates that user. This way functions/calls are not "lost": e.g. searching back for the user in the Users Call list is still available, and the name of the user is displayed in the call lists. Invalidating the user disables the user login by setting the Valid To field to the current date and time. Invalidated users have a symbol next to their name.

Synchronization Interval and Run Now Feature

A full synchronization process might take a long time (especially if there are many synchronized users), so it is scheduled to run once a day at 1 AM (in pre Verba 9.1 versions).

For testing purposes and urgent cases, the synchronization can be started on the web interface. After creating and saving your profile (see below), you can start the synchronization under Administration / Active Directory Synchronization / Run Each Active Directory Profile Now.

It is also possible to run the configured synchronization profiles individually. To do that, navigate to the Administration / Active Directory Synchronization menu, select the synchronization profile you want to run, then click on the Run this Active Directory Profile Now link. This method also runs the profile if the Automatic Rollback Threshold on Invalidated Users setting is reached.

Synchronization from Azure Active Directory

AVAILABLE IN 9.3 AND LATER

Verba can be configured to synchronize users and extensions from Azure Active Directory instead. The prerequisite for this is registering Verba as a Connector App on the Azure side.

The Azure AD Synchronization has some limitations:

  • Organizational Units are not available
  • Users can only be searched by a graph filter query parameter
  • Manager / Direct Reports are not available
  • Security Group Hierarchy synchronization is not available; the direct group membership is synchronized instead
  • Connection test is not available
  • Group names are not calculated from the OU; instead, a property is used as the name

Differential synchronization

AVAILABLE IN 9.1 AND LATER

After the first full synchronization, Active Directory synchronization performs a differential user synchronization every hour.

A typical full synchronization time for 100K users is ~10 hours.

With differential synchronization, this time shortens significantly:

  • 100K users differential synchronization time when there is no change: ~1 minute
  • 100K users differential synchronization time when 1,000 users changed: ~2 minutes

In case of a change in the AD Synchronization profile, full synchronization is required. This can be done by setting the Highest USN setting to 0, then invoking a synchronization by clicking on the "Run this Active Directory Profile now" link.
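
The following is an added illustration, not Verba code, of why a profile change requires resetting Highest USN to 0 before the next run. It assumes the Highest USN setting acts as a watermark compared against Active Directory's uSNChanged attribute; Profile, ldap_filter, run_sync and the sample directory are hypothetical names and constructed data.

```python
from dataclasses import dataclass, field

# Constructed sample directory; uSNChanged is AD's per-object update sequence number.
DIRECTORY = [
    {"sAMAccountName": "alice", "department": "Sales", "uSNChanged": 1001},
    {"sAMAccountName": "bob", "department": "Trading", "uSNChanged": 1002},
    {"sAMAccountName": "carol", "department": "Sales", "uSNChanged": 1003},
]

@dataclass
class Profile:  # hypothetical stand-in for a synchronization profile
    departments: set
    highest_usn: int = 0  # assumption: 0 makes the next run a full synchronization
    users: dict = field(default_factory=dict)

def ldap_filter(profile):
    """LDAP filter a pass with this watermark would send (AD supports >=, not >)."""
    depts = "".join(f"(department={d})" for d in sorted(profile.departments))
    return f"(&(objectClass=user)(|{depts})(uSNChanged>={profile.highest_usn + 1}))"

def run_sync(profile, directory):
    """Import in-scope entries changed since the watermark; return their names."""
    changed = [e for e in directory
               if e["department"] in profile.departments
               and e["uSNChanged"] > profile.highest_usn]
    for e in changed:
        profile.users[e["sAMAccountName"]] = dict(e)
    # Advance the watermark to the highest USN seen in the directory.
    profile.highest_usn = max([profile.highest_usn] + [e["uSNChanged"] for e in directory])
    return sorted(e["sAMAccountName"] for e in changed)

def demo():
    directory = [dict(e) for e in DIRECTORY]
    p = Profile(departments={"Sales"})
    first = run_sync(p, directory)      # first run is full: alice, carol
    directory[0]["uSNChanged"] = 1004   # alice is modified in the directory
    second = run_sync(p, directory)     # differential: only alice
    p.departments.add("Trading")        # profile scope changes
    third = run_sync(p, directory)      # bob is missed: his USN is below the watermark
    p.highest_usn = 0                   # reset Highest USN to force a full run
    fourth = run_sync(p, directory)     # alice, bob, carol
    return first, second, third, fourth

if __name__ == "__main__":
    print(demo())
```

The third pass returns nothing even though bob is now in scope, because his object did not change after the watermark was recorded; only the reset to 0 brings him in.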

Adding a new Active Directory Profile

Multiple Active Directory Profiles can be set up in Verba so multiple AD servers or users with different privileges can be synchronized. The profiles are always executed in a configurable order, and each user is processed by only one Active Directory Profile, so a user read by multiple profiles is processed by the Profile with the smaller sequence.

Navigate to Administration / Active Directory Synchronization and select the Add new Active Directory Profile option in the top right corner of the page.

For the configuration guides, see:

For the full configuration reference, see: Active Directory Synchronization Configuration Reference