Active Directory synchronization installation FAQ
Find answers to common questions about installing and setting up Active Directory (AD) synchronization in Sophos Central Admin.
AD synchronization allows you to implement a service that maps users, devices and groups from AD to Sophos Central Admin and keeps them synchronized. You can set it up with Active Directory Synchronization Setup.
The FAQ is in two parts.
-
This page contains information about Active Directory Synchronization Setup, installation, supported platforms, synchronization errors, changing directory services, and removing AD synchronization.
-
For general information about AD synchronization in Sophos Central Admin, see Active Directory synchronization FAQ.
What is Active Directory Synchronization Setup?
Active Directory Synchronization Setup imports the following objects from AD:
- Username
- Login
- Email address
- Groups and the members of each group
Active Directory Synchronization Setup works as follows:
-
It synchronizes active users and user groups.
It doesn't duplicate existing users or groups when they match an existing Sophos Central user or group. For example, it can add an email address from AD to an existing user in Sophos Central.
-
It only creates groups with more than one member.
- It synchronizes devices and device groups. You can find information on how it matches devices and groups and other useful information in Device group discovery FAQ.
You can find more information on how synchronization works in Active Directory synchronization FAQ.
What does Active Directory Synchronization Setup expect from AD?
To synchronize an entire AD forest, you need to provide Active Directory credentials for a user with permissions across the entire forest.
In the root of the directory tree of the host server, you need the following:
- An attribute called
rootDomainNamingContext
that contains the Domain Name (DN) of the root for the AD forest. - An attribute called
defaultNamingContext
that contains the DN of the host server.
You also need a collection of entries under CN=Partitions
, CN=Configuration
, and <rootDomainNamingContext>
, with one or more entries containing all of the following:
- a
netBiosName
attribute - a
dnsRoot
attribute - a
nCName
attribute
For each of these entries, we include the value of its nCName
attribute (it's a DN) in areas to search (but only if that DN isn’t an ancestor DN of the host server specified in Active Directory Synchronization Setup).
What is the maximum number of objects I can synchronize at once?
The maximum number of AD objects we've tested is 30,000.
If you've more objects than this, it'll take longer to synchronize with Sophos Central.
The user interface will respond more slowly if you've more than 40,000 user entries in your environment.
What platforms are supported?
You can install and run Active Directory Synchronization Setup on the following platforms:
- Windows 7
- Windows 8.1
- Windows 10
- Windows 11
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Restriction
We only support 64-bit versions.
You can install the Domain Controller (DC) on the following platforms:
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
Can I synchronize multiple AD forests?
You can select and synchronize multiple forests with a Sophos Central Admin account.
We recommend that you synchronize a forest with one Sophos Central Admin account. If you synchronize a forest with multiple accounts it can result in unpredictable behavior in Sophos Central Admin. You must not include a user or email address in more than one forest. If you have duplicate objects, we'll update them with information from each forest during synchronization. Synchronization doesn't merge data. This means the owner of the objects (directory source) can change in Sophos Central Admin after every synchronization.
Where can I download Active Directory Synchronization Setup?
See Set up synchronization with Active Directory.
Subsequent upgrades are done automatically in Active Directory Synchronization Setup. Each time you synchronize, it checks if there’s a later version.
How do I install Active Directory Synchronization Setup?
How do I move Active Directory synchronization servers?
How do I remove Active Directory synchronization?
Why can I see '???' in place of UTF16 or double-byte characters?
The preview in Active Directory Synchronization Setup can't show double-byte characters.
All data is sent and shown in Sophos Central. This issue affects the preview or pending changes window in Active Directory Synchronization Setup.
We plan to address this in a future version of Active Directory Synchronization Setup.
Error: The object does not exist.
If you've got a custom filter defined in Active Directory Synchronization Setup and you remove that Organizational Unit (OU) from AD, you'll see the following errors:
Failed
active directory synchronization. Reason: SophosCloudADSyncLib.DisplayableException: Error
making a request over LDAP. Please review the connection settings you specified. The LDAP
server returned the following error: 0000208D: NameErr: DSID-03100213, problem 2001
(NO_OBJECT), data 0, best match of:
System.DirectoryServices.Protocols.DirectoryOperationException: The object does not exist.
The error doesn't reference the name of the removed OU. To resolve this error, you need to review any filters you have set up under AD Filters. To do this, do as follows:
- Click Define Filters.
- Remove any filters referencing objects removed from your AD.
Error: Failed active directory synchronization
The error message is Error: Failed active directory synchronization. Characters with hexadecimal values 0xFFFE and 0xFFFF are not valid
.
You may see this error at the Preview & Sync step when you run Active Directory Synchronization Setup manually.
AD may contain invalid characters. When Active Directory Synchronization Setup previews the data that needs to be synchronized, it fails with this error.
To bypass this error, use Sync on Schedule - automatic (within next 2-3 minutes). This bypasses the preview step. The synchronization should be successful.
Error: Error syncing record
The error message is Error: Error syncing record: Error deleting login...Reason: foreign key endpoint_user_sessions.user_match_id
.
You can get this error if there's an issue removing a login associated with a user who was removed or disabled in Active Directory. Synchronization continues and finishes even if you see this error.
You can't remove this error until this is resolved with Sophos Central Admin.
Error: Failed to validate configuration settings
The error message is Error: Failed to validate configuration settings. Reason: Unable to access Active Directory
.
This failure indicates Active Directory Synchronization Setup can't connect to your Active Directory using the credentials or connection provided. Try the following:
- Verify that your settings are correct (under AD Configuration in Active Directory Synchronization Setup) and that you provided credentials that have access to the entire forest (Enterprise Admin users typically have such access).
- If your LDAP environment doesn't support SSL, you need to turn off Use Secure LDAP and change the port number accordingly. We don't recommend this.
- Try connecting to your AD with a separate AD synchronization tool, such as Microsoft's
LDP.EXE
, with the same credentials.