Configuring AD Sync in a Multi-Domain Controller Environment

Prerequisites

  • 64-bit
  • Windows Server 2008 R2 and newer promoted to a Domain Controller (i.e. has the FSMO roles RID, PDC and Infrastructure)
  • Windows Server Core is NOT currently supported at this time as the OS GUI is required to facilitate authentication
  • Should you prefer a 'headless' installation not requiring the server GUI, please raise a Feature Request via the Partner Success Center

  • The Passportal agent to function besides those that are automatically assigned after promoting a Windows Server to a Domain Controller (these being RID, PDC and Infrastructure from what I can see on out test DC’s).

  • Domain Admin access on Domain Controller
  • Supports TLS 1.2 or higher. More information on which versions of windows server support which TLS protocols can be found in this article.
  • C++ 2015 Redistributable (64-bit version) and .NET 4.5 installed on target device.
  • Outbound FTP Endpoint: agent.passportalmsp.com port 21 should be enabled (Optional)
  • Ports 7771 and 7777 open for internal network communuications
  • Port 443 (TLS) for communications with the Passportal dashboard

For clarification on the Windows Agent toggles, see Active Directory Integration.

If you intend to enable Windows Sync for your Company Vault:
  1. Go into the Company Vault > Credentials on the left hand navigation bar
  2. Click on Edit at the top of the screen
  3. Choose Edit Client
  4. Enable Windows Sync, and select any other required options
  5. Click Save
  6. Install the Windows Agent in your network and select your company from the Client drop-down when configuring the agent during the install process

Terminology

We refer to Primary and Secondary DC's throughout the installation procedure

The Primary DC is one of your own choosing (that meets the required Prerequisites above) where you will install the Primary Passportal Agent

Any Secondary DC's are where you will install the Secondary Passportal Agents

In a Multi-DC environment, each DC will require a sync agent to be installed. The Passportal agent is installed on your Primary DC, and during that installation you decide whether or not to auto-install the secondary DC sync listeners.

  • During the install process - the Windows Agent is installed on your Primary Domain Controller
  • Select to Auto-install for detected secondary DC's for them to receive their listener Agent

Multi-Domain Controller - Primary Domain Controller Setup Instructions

  1. Edit the client to enable Windows Sync, and download the Windows Agent.
  2. Once the Windows Agent has been downloaded, transfer the installer to the Primary Domain Controller and launch the installer using Setup.exe.
  3. Click Next.
  4. Read the License Agreement, click the I Agree radio button, and then click Next.
  5. Accept the default target Install Folder or enter a preferred location. Leave the Everyone radio button selected. Click Next.
  6. Select the Auto install on all detected secondary DCs radio button and then click Next
    • If you already have secondary DC listeners installed, select Auto update previously installed on secondary DCs to update them.
    • If you intend to install secondary DC listeners later, or only on specific secondary DC's, select Do not auto install on any secondary DCs. Manual Secondary DC installs are detailed in the Secondary Domain Controller Manual Setup Instructions
  7. Enter the IP Address of the Primary DC
  8. Confirm the Install by clicking Next.
  9. The Windows Agent will now install. Once completed, you will be prompted to reboot the Domain Controller to enable 2-Way Password Sync. This does not need to be done immediately, and clicking OK will not cause a reboot to happen. Please ensure the Domain Controller is rebooted at a suitable time. Click Close in the main dialog, to close the installer.
  10. The Windows Agent application will launch to continue with its configuration - Enter the Agent Install Key for the Client and your Organization Keyand click Authenticate
  11. The account used for authentication needs to have the Permission Setup AD Sync in order to authenticate.

  12. A message advising you have Successfully Authenticated is displayed, along with the Passportal Client name - Click Continue
  13. You are now prompted to create the Windows Service Account which is used to run the Passportal and PassportalUpdater services. Enter an appropriate name for the service, such as N_ableSync. Also enter a password for the account or click Random to generate a random password. Click Save and Start Agent
  14. As the Windows Service Account does not exist on the Domain Controller, you will be prompted to create it. Click Yes to do so.
  15. When the account has been created you will receive message advising Passportal Windows Services were restarted successfully and then the window automatically closes.
  16. Once the Windows Agent has been installed, we recommend to confirm the newly created Windows Service account has been populated into Passportal.
  17. If you opted to auto-install on Secondary DC's, we recommend you check the SecondaryAgentInstaller.log (%PROGRAMFILES%\n-able\Passportal Agent\Logs) on the Primary DC as it shows if installation has been successful or not.

If you did not restart the Domain Controller after installing the Windows Agent, please do so at the next convenient time so that Two-Way Sync will function.