Set up Active Directory user and group import
If you carry out the steps in the following, you'll get these features:
- A sync. service user in Active Directory (AD)
- A Zylinc solution that can use the sync. service user to import AD users and AD groups
- Imported user pictures from the AD thumbnail or JPEG fields
- An AD group to control which users will use Zylinc licenses and be visible in Zylinc
If you have empty groups in Active Directory, the Zylinc solution ignores them by design. That means that such empty groups will be missing in the Zylinc Administration Portal and in the Zylinc clients.
To make a missing group visible, add at least one user to the group. That user must be visible to the Zylinc solution, i.e. a member of the group that you use to make users visible.
- Active Directory itself may have a delay before all data is replicated to all servers. A typical value for that delay is 900 seconds (15 minutes).
- The Zylinc Directory Server service runs with a default interval of 5000 seconds (83 minutes), so a new user may exist for up to 83 minutes before the rest of the Zylinc solution can see that user.
- Zylinc Client Manager caches the list of users for up to 6000 seconds (100 minutes).
- ZyDesk and the Administration Portal load the list of users when you log in, and then cache that list in memory until the next time that you log in.
All in all, there can be a delay of up to 15+83+100=198 minutes (3 hours and 18 minutes) before new users will work, and before changes to the directory become available.
After that delay, you'll need to log out of ZyDesk or the Administration Portal, and then log in again, to load the new users or view changes.
As an administrator, you can do the following to make changes to AD take immediate effect in the Zylinc solution:
- In the Administration Portal menu, select NETWORK > Directory Settings, and click Reinitialize
- Clear the Client Manager cache:
  - Open the following URL in a browser: https://<Zylinc Windows Application Server>:8443/ClientManager/ (example: https://WinAppServer:8443/ClientManager)
  - Ignore the security warning about the certificate, and continue to the website
  - Click Snapshot
  - Log in with user name admin and the password for the Windows Tomcat 8080 user admin
  - Click Reload Settings
- Log out of ZyDesk or the Administration Portal, and then log in again.
Make sure your environment was installed as described in Install a Zylinc solution from scratch
Create the following groups, users, and memberships in AD. A PowerShell script that does all of this follows below.
- Create a global group ZylincVisible with the description: Members of this group are visible to Zylinc client software
- Create another global group ZylincTestQueue1000 with the description: Members of this group will receive calls from Zylinc queue TestQueue1000
- Create a user ZylincAgent1
  - Description: A test user who can be used to log in to the Zylinc solution as an agent and receive calls from a queue
  - Password: Password1 (change it to a real password)
  - Password never expires
  - User is enabled
  - E-mail address: ZylincAgent1@<domain DNS suffix>
- Create a user ZylincSyncSVC
  - Description: Service account user that the Zylinc solution uses to synchronize from Active Directory
  - Password: Password1 (change it to a real password)
  - Password never expires
  - User is enabled
- Add the user ZylincAgent1 as a member of the group ZylincTestQueue1000
- Add the user ZylincAgent1 as a member of the group ZylincVisible
You can use the following script to do all that:
- Log in to a domain controller as a domain administrator, and start PowerShell.
- Make a copy of the following PowerShell code, and then right-click inside the PowerShell window. This pastes and runs the code in PowerShell.
Remember to search for Password1 and replace it with real passwords before you run the script.

```powershell
# Creates the two groups, the two users, and the memberships described above.
# Replace Password1 with real passwords before running.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name

# Groups: one that controls visibility (and licenses), one that receives calls from a queue
New-ADGroup -Name "ZylincVisible" -GroupScope Global -Description "Members of this group are visible to Zylinc client software"
New-ADGroup -Name "ZylincTestQueue1000" -GroupScope Global -Description "Members of this group will receive calls from Zylinc queue TestQueue1000"

# Test agent with e-mail address and UPN in the domain's DNS suffix
New-ADUser ZylincAgent1 -DisplayName "ZylincAgent1" -SAMAccountName ZylincAgent1 -EmailAddress "ZylincAgent1@$domain" -UserPrincipalName "ZylincAgent1@$domain" -AccountPassword (ConvertTo-SecureString -AsPlainText "Password1" -Force) -PasswordNeverExpires $true -Enabled $true -Description "A test user that can be used to log in to the Zylinc solution as an agent and receive calls from a queue"

# Sync service account; the Zylinc solution logs in to LDAP with its UPN
New-ADUser ZylincSyncSVC -DisplayName "ZylincSyncSVC" -SAMAccountName ZylincSyncSVC -UserPrincipalName "ZylincSyncSVC@$domain" -AccountPassword (ConvertTo-SecureString -AsPlainText "Password1" -Force) -PasswordNeverExpires $true -Enabled $true -Description "Service account user that the Zylinc solution uses to synchronize from Active Directory"

# Memberships
Add-ADGroupMember "ZylincTestQueue1000" ZylincAgent1
Add-ADGroupMember "ZylincVisible" ZylincAgent1
```
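After the script has run, it is worth confirming that the objects exist with the attributes the rest of this topic relies on (UPN, enabled, password never expires, memberships), and that the sync service account has not ended up in a privileged group, since it only needs to bind to LDAP and read. The following verification script is an added example, not part of the Zylinc documentation or product; it assumes the ActiveDirectory module is available on the domain controller and that the objects were created with the names used above. The list of privileged groups it checks is a reasonable default, not something this topic specifies.

```powershell
# Added verification script (not Zylinc's own). Assumes the ActiveDirectory module
# and the group/user names used in this guide.
Import-Module ActiveDirectory

# Group -> members that are expected after the setup script
$expectedMemberships = @{
    'ZylincVisible'       = @('ZylincAgent1')
    'ZylincTestQueue1000' = @('ZylincAgent1')
}
# Built-in high-privilege groups a read-only LDAP sync account has no reason to belong to (assumed list)
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators')

$problems = @()

foreach ($groupName in $expectedMemberships.Keys) {
    $group = Get-ADGroup -Filter "Name -eq '$groupName'"
    if (-not $group) { $problems += "Group $groupName does not exist"; continue }
    if ($group.GroupScope -ne 'Global') { $problems += "Group $groupName has scope $($group.GroupScope), expected Global" }
    $members = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
    foreach ($expected in $expectedMemberships[$groupName]) {
        if ($members -notcontains $expected) { $problems += "$expected is not a member of $groupName" }
    }
}

foreach ($userName in 'ZylincAgent1', 'ZylincSyncSVC') {
    $user = Get-ADUser -Filter "SamAccountName -eq '$userName'" -Properties Enabled, PasswordNeverExpires, UserPrincipalName
    if (-not $user) { $problems += "User $userName does not exist"; continue }
    if (-not $user.Enabled)              { $problems += "User $userName is disabled" }
    if (-not $user.PasswordNeverExpires) { $problems += "User $userName does not have 'Password never expires' set" }
    if (-not $user.UserPrincipalName)    { $problems += "User $userName has no UPN (the sync configuration logs in with the UPN)" }
}

# Least privilege: the sync account should not be in a privileged group, directly or via nesting.
# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) on 'member' returns every group the account
# is transitively a member of. A DN containing ( ) * or \ would need LDAP escaping; the DNs created above do not.
$svc = Get-ADUser -Filter "SamAccountName -eq 'ZylincSyncSVC'"
if ($svc) {
    $allGroups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($svc.DistinguishedName))" |
                   Select-Object -ExpandProperty Name)
    foreach ($g in $privilegedGroups) {
        if ($allGroups -contains $g) { $problems += "ZylincSyncSVC is a member of privileged group $g; a read-only sync account does not need this" }
    }
}

if ($problems.Count -eq 0) { 'All Zylinc AD objects look as expected.' } else { $problems }
```

Run it in the same elevated PowerShell window right after the setup script; an empty problem list means the configuration steps that follow can use the objects as described.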
- In the Administration Portal menu, select INSTALL > Portal Configuration
- Select Directory Sync, and click Save
- In the Administration Portal menu, select NETWORK > Directory Settings
- In Server Address, enter the hostname or IP address of the Zylinc Windows Application Server
- In Port, enter 35035
- Select Enable LDAP Search
- In Picture import, Priority, add AD Jpeg and AD Thumbnail to Selected Sources
- Use the up and down arrow icons to move AD Jpeg to the top of the list, and AD Thumbnail to second position
- Click Save
- In the Deployment Manager menu, select Deployment > Installation
- In Installers, select DirectoryServer
- Click Install Applications
- In the Deployment Manager menu, select Deployment > Windows Services
- Click Refresh Services
- Start Directory Server
- In the Administration Portal menu, select NETWORK > Directory Settings
- Click Add new Domain
- Select Expand members
- In Domain name, enter a name to identify the domain. Example: domain.local
- In Server, enter the hostname or IP address of a domain controller. Example: dc01
- In Port, enter 389
- In User, enter the login name of the sync. service user in User Principal Name (UPN) format. A UPN is the name of a system user written like an e-mail address, where the suffix is the DNS name of the domain. Example: ZylincSyncSVC@domain.local
  To view a list of all users and their UPNs, log in to a domain controller as a domain admin, and copy/paste the following command into PowerShell:

  ```powershell
  Get-ADUser -Filter * | Select-Object DistinguishedName, SamAccountName, UserPrincipalName
  ```
- In Pwd, enter the password for the sync. service user
- Click Save
- In the Administration Portal menu, select NETWORK > Directory Settings
- In LDAP Sync Settings, Configurations, click the Domain Name of the domain that you previously added
- Click Test
You should see a list of all groups in the domain.
If you see the error message Error response received: Padding is invalid and cannot be removed., you can solve the error by clearing the password, saving, and then re-entering the password:
- In the Administration Portal menu, select NETWORK > Directory Settings
- In LDAP Sync Settings, Configurations, click the Domain Name of the domain
- Delete the contents of the Pwd field, and click Save
- In LDAP Sync Settings, Configurations, click the Domain Name of the domain
- In the password field, Pwd, re-enter the password, and click Save
If you see an error message, Error connecting to Directory Server on WinAppServer/35035 - Connection refused (Connection refused), check that the Directory Server service is running, and that the server that hosts the Administration Portal (that's typically the Media Server) can reach port 35035 on the server that hosts the Directory Server (that's typically Zylinc Windows Application Server). Note that you need to restart the service if you change the address or port.
You'll start with a filter that simply imports all users: (CN=*). With this filter you can test that the import works.
- In the Administration Portal menu, select NETWORK > Directory Settings
- Click Add new Sync
- In Config name, enter a name for this configuration, for example all users
- In User Filter, enter CN=*
- Click Save
- In the Administration Portal menu, select NETWORK > Directory Settings
- In LDAP Sync Settings, Configurations, click the Sync. Name of the configuration that you previously created (the one that syncs all users with CN=*)
- In LDAP User Configuration Settings, click Test
You should see a list of all users in the domain.
If you see an error message and no users, refer to If you see an error message and no groups.
- In the Administration Portal menu, select NETWORK > Directory Settings
- Click Add new Sync
- In Config name, enter a name for the configuration, for example: members of ZylincVisible
- Get the DistinguishedName of the group ZylincVisible. Log in to a domain controller as a domain administrator, and copy/paste the following command into PowerShell:

  ```powershell
  Get-ADGroup -Identity "ZylincVisible" | Select-Object DistinguishedName
  ```

  Make a copy of the line that begins with CN=ZylincVisible. Example: CN=ZylincVisible,CN=Users,DC=domain,DC=local
- In User Filter, enter (memberOf:1.2.840.113556.1.4.1941:=<Distinguished Name of the group ZylincVisible>)
  Example: (memberOf:1.2.840.113556.1.4.1941:=CN=ZylincVisible,CN=Users,DC=domain,DC=local)
- Click Save
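The OID in that filter, 1.2.840.113556.1.4.1941, is LDAP_MATCHING_RULE_IN_CHAIN: the filter matches users who are members of ZylincVisible directly or through any group nested inside it. Because every matched user consumes a Zylinc license, it is useful to preview the result with the same filter before saving. The script below is an added example, not Zylinc code; it assumes the ActiveDirectory module and the group name ZylincVisible from this topic. It goes slightly beyond the text by also separating out accounts that only arrive through nested groups and accounts that are disabled, which the filter still matches.

```powershell
# Added example (not from the Zylinc documentation): preview which accounts the
# ZylincVisible user filter will import, using the exact LDAP filter the sync uses.
Import-Module ActiveDirectory

$groupDn = (Get-ADGroup -Identity 'ZylincVisible').DistinguishedName

# The filter entered in User Filter; 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN)
# makes memberOf transitive, so members of groups nested inside ZylincVisible match too.
$transitiveFilter = "(memberOf:1.2.840.113556.1.4.1941:=$groupDn)"
# Plain memberOf only matches direct members; used here for comparison.
$directFilter     = "(memberOf=$groupDn)"

$transitive = @(Get-ADUser -LDAPFilter $transitiveFilter -Properties mail | Sort-Object SamAccountName)
$direct     = @(Get-ADUser -LDAPFilter $directFilter     -Properties mail | Sort-Object SamAccountName)

"Users the sync will import (direct + nested): $($transitive.Count)"
$transitive | Select-Object Name, DistinguishedName, mail | Format-Table -AutoSize

# Accounts that match only via a nested group: each still takes a license, although
# nobody added it to ZylincVisible directly.
$nestedOnly = @($transitive | Where-Object { $direct.DistinguishedName -notcontains $_.DistinguishedName })
if ($nestedOnly.Count -gt 0) {
    "Imported through nested group membership only: $($nestedOnly.Count)"
    $nestedOnly | Select-Object Name, DistinguishedName | Format-Table -AutoSize
}

# Disabled accounts also satisfy memberOf; list them so you can decide whether to remove them from the group.
$disabled = @($transitive | Where-Object { -not $_.Enabled })
if ($disabled.Count -gt 0) {
    "Disabled accounts that still match the filter: $($disabled.Count)"
    $disabled | Select-Object Name, DistinguishedName | Format-Table -AutoSize
}
```

The list printed first should be identical to what the Test button in LDAP User Configuration Settings shows once the sync is saved; if the two differ, the Directory Server is talking to a domain controller that has not yet replicated your change (see the replication delay noted earlier in this topic).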
- In the Administration Portal menu, select NETWORK > Directory Settings
- In LDAP Sync Settings, Configurations, click the Sync. Name of the configuration you previously created that filters members of ZylincVisible
- In LDAP User Configuration Settings, click Test
You should see a list that only contains users who are members of ZylincVisible
To optimize the use of available licenses, you only want the users from AD who are members of ZylincVisible. That's why you'll want to disable the other sync.
Disabling the sync, rather than deleting it, keeps the Test button available if you later want to inspect all users in the domain. With the Test button, you'll be able to view the Name, DN, and E-mail of each user.
To disable the CN=* all users sync:
- In the Administration Portal menu, select NETWORK > Directory Settings
- In LDAP Sync Settings, Configurations, click the Sync. Name of the configuration that you previously created (the one that syncs all users with CN=*)
- Clear Enabled
- Click Save
- In the Administration Portal menu, select NETWORK > Directory Settings
- Click Reinitialize
- Open the following URL in a browser: https://<Zylinc Windows Application Server>:8443/ClientManager/ (example: https://WinAppServer:8443/ClientManager)
- Ignore the security warning about the certificate, and continue to the website
- Click Snapshot
- Log in with user name admin and the password for the Windows Tomcat 8080 user admin
- Click Reload Settings
The cache will also be cleared if you just restart the Windows service ZyTomcat1-8080-8443, but beware that this will disconnect all users.
- In the Administration Portal, click Logout
- Log in to the portal again
This will reload the Administration Portal cache of users and groups.
- In the Administration Portal menu, select USERS > ZyDesk Users
  You should see a list of all users who are members of the groups that were included in your import. It's OK if the users are shown in strikethrough font (that's just because they're not yet ZyDesk users).
- In the Administration Portal menu, select NETWORK > Directory Settings
  In CSV User import, Group Member-of, Available, you should see a list of non-empty groups that were included in your import. Empty groups, or groups that appear empty to the Zylinc solution because the users were excluded by the user filter, will not be visible.
If you're a supporter or system consultant, you can do the following to check that the Directory Server service works as expected:
- In the Administration Portal menu, select NETWORK > Directory Settings, and click Reinitialize.
- Next to the Reinitialize button, you should see the message Directory successfully re-initialized!
- Locate the current version of the Directory Server log file, and open it in a text editor
- A line close to the bottom of the log file should contain a very recent date stamp and the text Directory Search Finished
- Another line close to the bottom of the log file should contain a very recent date stamp and the text AdDirectory. The same line should also contain three counters: Total identites: XX, Total groups: YY, Total Organization groups: ZZ.
- XX must be greater than zero. If you use groups, YY must also be greater than zero.
The following command carries out steps 3-5. To use it, log in to the Zylinc Windows Application Server, press Windows+R on your keyboard, copy and paste the following command, and click OK. (The quadrupled quotes are deliberate: the Run dialog collapses each """" to a single quote character before PowerShell sees the command.)

```powershell
powershell Get-Content(dir C:\ProgramData\Zylinc\DirectoryServer -filter """"*log*.txt"""" -rec|group directory|foreach{@($_.group|sort {[datetime]$_.lastwritetime} -desc)[0].fullname}) -wait|where {$_ -match """"AdDirectory|Search Finished""""}
```

The command locates and opens the current version of the Directory Server log file, and sets up a filter so that you only see the lines mentioned in steps 4 and 5.
The window remains open and continues to update. If you click Reinitialize again (step 1), two new lines are added to the bottom of the log if the service works as expected.
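Reading the counters by eye works for a one-off check; for a repeatable health check (for example after each Reinitialize, or from a monitoring job) it helps to parse the two lines and flag a zero identity count automatically. The script below is an added example, not part of the Zylinc product or documentation. It uses the log directory named in this topic, but the sample log lines are constructed for the example, because the exact layout of the real lines around the quoted text is not documented here; the regular expression matches on the exact phrases this topic quotes, including the spelling "identites" as the log writes it.

```powershell
# Added example (not Zylinc's own code): parse the Directory Server log lines from steps 4-6.
# Log directory as named in this topic; the sample lines below are constructed.

function Get-LatestDirectoryServerLog {
    # Newest *log*.txt under the Directory Server data folder (same selection as the one-liner above)
    param([string]$Root = 'C:\ProgramData\Zylinc\DirectoryServer')
    Get-ChildItem -Path $Root -Filter '*log*.txt' -Recurse |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1 -ExpandProperty FullName
}

function Test-DirectoryServerLogLines {
    param([string[]]$Lines)
    # Only the most recent occurrence of each line matters
    $finished = $Lines | Where-Object { $_ -match 'Directory Search Finished' } | Select-Object -Last 1
    $counters = $Lines | Where-Object { $_ -match 'AdDirectory' -and $_ -match 'Total identites' } | Select-Object -Last 1

    $result = [ordered]@{
        SearchFinished     = [bool]$finished
        Identities         = $null
        Groups             = $null
        OrganizationGroups = $null
        Problems           = @()
    }
    if (-not $finished) { $result.Problems += 'No "Directory Search Finished" line found' }

    # "identites" is the spelling this topic quotes from the log, so match it as written
    if ($counters -match 'Total identites:\s*(\d+),\s*Total groups:\s*(\d+),\s*Total Organization groups:\s*(\d+)') {
        $result.Identities         = [int]$Matches[1]
        $result.Groups             = [int]$Matches[2]
        $result.OrganizationGroups = [int]$Matches[3]
        if ($result.Identities -eq 0) { $result.Problems += 'Total identities is 0: no users were imported (check the user filter and the sync. service user)' }
        if ($result.Groups -eq 0)     { $result.Problems += 'Total groups is 0: no groups were imported (only a problem if you use groups)' }
    } else {
        $result.Problems += 'No AdDirectory line with the three counters found'
    }
    [pscustomobject]$result
}

# Constructed sample standing in for the tail of a real log file
$sample = @(
    '2021-01-22 13:20:01 INFO  Directory Search Finished',
    '2021-01-22 13:20:01 INFO  AdDirectory Total identites: 42, Total groups: 3, Total Organization groups: 0'
)
Test-DirectoryServerLogLines -Lines $sample

# Against the real log on the Zylinc Windows Application Server:
# Test-DirectoryServerLogLines -Lines (Get-Content (Get-LatestDirectoryServerLog))
```

A result with SearchFinished true, Identities greater than zero and an empty Problems list corresponds to the "works as expected" outcome of step 6; run it once before and once after clicking Reinitialize to confirm that the counters were refreshed.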
This is help for Zylinc version 6.0. To view Zylinc unified help for other versions, go here.
© 2021 Zylinc A/S • Disclaimer
Help version: 22 January 2021 13:21:22