Deployment Guide for Directory Connector

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Deployment Guide for Directory Connector

Chapter Title

Appendix

Results

Updated:
May 11, 2023

Chapter: Appendix

Appendix

Manage New and Departing Employees and Their Webex App Accounts

Scenario

A medium-sized company, with more than 8,000 employees across various departments is in a phase of rapid development and are opening multiple locations. The company purchased a few Webex services such as Messaging, Meetings, and Hybrid Services. The customer IT administrator needs to provision the users to the Webex cloud, after which the users can use assigned Webex services.

With the rapid development of the company, there are employees joining and leaving. The IT team want to manage these changes, so they need to add new users into their enterprise directory and also delete the user accounts for people who left.

Problem

The IT team produced a report that shows that former employees and contractors can still access services. The IT team didn’t immediately remove the user from the cloud after they finished the update in the HR service system. IT teams generally don’t have sufficient availability to support frequent changes. As a result, there is a discrepancy in the financial report and the service usage summary report. This poses a risk of leaked confidential information because users who already left the company can still access services.

The issues in this scenario require an automated solution.

Organizational Goals

The organization expects a low maintenance effort to:

  • Automatically provision new users to the cloud and automatically remove the deleted users from cloud. The new users are automatically assigned services and the former employees are denied to access to the services.

  • Synchronize the user changes from on-premises to the cloud.

  • Strictly make the cloud user account information consistent with on-premises directory.

Solution

Directory Connector solves this problem and facilitate the customers to provision users to the identity service in the Webex cloud.

Directory Connector is an on-premises application that you can set up on the AD DS devices. Then, the Directory Connector can talk with the on-Premises Active Directory and monitor the changes to sync the changes to the cloud.

The Directory Connector is easy to set up and maintain. After you set up Directory Connector, you never have to worry about the security and consistency between the cloud and on-premises Active Directory. Here are examples of benefits that the software provides:

  • The user is completely deleted from the cloud once the user is removed from on-premises Active Directory. This ensures that the departed user is denied permission to access services.

  • The software can be a distributed deployment for High Availability. The other Connector can be automatically activated when the previous active one is disconnected. So, High Availability can serve your business without you worrying about missing changes in the on-premises AD.

  • The software prevents accidental changes to user data. Directory Connector maintains the integrity of the user data. Once the Directory Connector is enabled, the only data source is the on-premises Active Directory.

  • The software can synchronize data to the cloud at a frequency of your choosing. You can choose either a full or incremental synchronization of the changes.

Conclusion

Directory Connector simplifies provisioning users to Webex for big enterprise customers with hundreds of users. With this tool, you can keep your user data in sync and prevent the issues that are covered in the scenario.

AD LDS and Cisco directory connector

AD LDS with Cisco directory connector


Note

While still supported, AD LDS is not required for a multiple domain, single forest Active Directory deployment. You can use Cisco directory connector itself for multiple domains with either single forest or multiple forests.

A data model restriction (a single LDAP partition view or a single organizational unit (OU) view) may be imposed on an enterprise directory-enabled application. This application must access data that is associated with AD DS-authenticated users, applications, or network resources that are located in multiple forests, domains, or OUs in the enterprise.

In this situation, AD LDS is used to synchronize its user database with different AD Domain Controllers or other LDAP sources. In such a case, choose Domain Account for AD LDS item when you install Cisco directory connector.

If your environment has multiple domains in a single forest, set up AD LDS and bind the Cisco directory connector to the parent domain. AD LDS provides Cisco directory connector with a consolidated view of multiple domains.

About AD LDS

You can use Microsoft Active Directory Lightweight Directory Service (AD LDS), to provide directory services for directory-enabled applications. Rather than use your organization's Active Directory Domain Service (AD DS) database to store the directory-enabled application data, AD LDS can be used to store the data.

You can use AD LDS with AD DS so that you can have a central location for security accounts (AD DS) and a separate location to support the application configuration and directory data (AD LDS).

With AD LDS you can:

  • Reduce the overhead associated with AD replication

  • Avoid the need to extend the AD schema in order to support the application

  • Partition the directory structure so that the AD LDS service is only deployed to the servers that need to support the directory-enabled application

See When Should I Use AD LDS Role? to understand seven scenarios that require using AD LDS.

You can set up your AD LDS environment by following the AD LDS Getting Started Step-by-Step Guide.

Use AD LDS with Cisco directory connector

A limited set of server roles is available for the Server Core installation option of Windows Server 2008 and for Windows Server 2008 for Itanium-Based systems.

Before you begin

Review the Using AD LDS documentation.

Procedure

Step 1

To install the AD LDS server role on a computer running Windows Server 2008, see Install the AD LDS Server Role.

Step 2

To begin working with AD LDS instances, see Practice Working with AD LDS Instances.

Step 3

To import data from a file into an AD LDS instance, see:Import data into an AD LDS instance.

Step 4

To import from AD DS, see:Synchronize with AD DS.

Step 5

If you set up multiple partitions in AD LDS, choose the one you need, and then click Confirm in the Cisco directory connector Confirm Organization window.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco