Active Directory Synchronization tool

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is included in Windows Server operating systems as a set of processes and services. One or more active directory domain controllers authenticate and manage users. The AD Synchronization tool works with self managed Active Directory Domain Services (AD DS).

Microsoft has an alternate authentication technology called Entra ID. This technology can coexist with AD in what Microsoft calls a "hybrid" authentication environment. The AD synchronization tool will work in a hybrid envirionment, but it does not know about Entra ID. FileHold offers another option to authentication with an identity provider like Entra ID for cases where you do not want to use AD or hybrid AD. FileHold publishes a comparison table of the different authentication technologies available for FileHold.

Customers that license the optional AD Synchronization tool of FileHold can manage users in the active directory domain and can minimize or eliminate user management in FileHold. This includes automating the updating of details like names, email addresses, job titles, etc. in FileHold. It also provides for authenticating users against the domain, instead of the FileHold server and enables the use of integrated Windows authentication (IWA), also known as single sign on.

This article is meant for Active Directory administrators. You will need FileHold system administration credentials and domain list credentials to setup synchronization.

Configuring a domain for synchronization

Domain synchronization is configured using FileHold Instrumentation Tools (FHIT). When configuration is complete, it will be updated every hour using the Windows scheduled task "FH synchronization with domains".

  1. On the FileHold server, run FHIT in C:\Program Files\FileHold Systems\Application Server\FHInstrumentation.

  2. In FHIT, go to AD Synchronization and click on Start.

  3. You will be first prompted for credentials. Enter the login details for a FileHold system administrator and click Connect.

  4. In the Synchronized Domains window, click Add.

  5. In the Domain Properties window, enter the following information and click Retrieve:

  • Address – Enter the address for the Active Directory domain. This could be the address of a single domain server.

  • User – Enter the user name for a user with permission to list the contents of the domain.

  • Password – Enter the user's password.

This user will be saved with the domain configuration and used by the scheduled task to get the latest information from the domain. Do not use a user that might later become disabled. For example, an IT administrator's password will be disabled after they leave the organization and break your synchronization if that was the name used. You may wish to create a user specifically for the purpose of synchronization and with the minimum permissions necessary.

  1. The Domain name and Container is populated with the top level domain information. Click OK.

If you plan to use an OU other than the top level OU, you can make the necessary changes in the container field. You may not want to use a top level OU for a large domain if only a small number of users will access FileHold.

  1. The domain is added to the list of domains. Continue to add domains as needed.
  2. To synchronize, select the domain name from the list and click Synchronize.
  3. The following message appears, "FileHold will now be synchronized with the selected domain. This operation may take a few minutes. Are you sure you want to continue?" Click OK to continue.
  4. The user interface will block while the synchronization is working. Once the synchronization process is completed, the message, "Synchronization was successfully completed" appears. Click OK.
  5. After the synchronization process is completed, you can now set the default domain in the administration panel.

Considerations for large domains

As a rule of thumb, treat a domain with 50,000 or more objects in your domain organizational unit (OU) as large. This includes computers, printers, users, groups and, service accounts. You may wish to reduce the size of the OU by creating one specifically for FileHold users and groups. If you cannot reduce the size, it is recommended that the following timeout values are increased by a factor of 100. Update the values for the following values keys in the configuration files on the FileHold server. They are found in the <appSettings/> section of the configuration.

  • C:\Program Files\FileHold Systems\Application Server\UserRoleManager\web.config
    • LongSQLCommand
    • WebServiceCall
    • executionTimeout
  • C:\Program Files\FileHold Systems\Application Server\fileholdadm\fileholdadm.exe.config
    • Web service timeout seconds
  • C:\Program Files\FileHold Systems\Application Server\FHInstrumentation\FHInstrumentation.exe.config FHInstrumentation
    • WebServiceCallTimeoutSec

Considerations for multiple domains

There is no published maximum number of domains you can synchronize with FileHold. The standard installation synchronizes once per hour, but you may wish to change this if you have a significant number of objects across all your domains. Alternately you can synchronize with OUs in the domain that have a reduced size related to the users of FileHold. Regardless of how many domains you synchronize with, there can only be one default domain and it is only possible to use IWA with a single domain. The FileHold server must be trusted in this domain as must all the client devices that will use IWA.

Further reading about using Active Directory and FileHold

Adding Active Directory Users and Groups as FileHold Users

Synchronizing Microsoft Active Directory Groups with FileHold Groups

Single Sign On with Microsoft Active Directory

Direct Access for Single Sign On with a Browser