Active Directory synchronization installation FAQ

Find answers to common questions about installing and setting up Active Directory synchronization in Sophos Central Admin.

Active Directory synchronization allows administrators to implement a service that maps users and groups from Active Directory to Sophos Central Admin and keeps them synced. You can set it up with Active Directory Synchronization Setup.

The Active Directory FAQ is in two parts.

  • This page contains information about Active Directory Synchronization Setup, installation, supported platforms, synchronization errors, changing directory services, and removing Active Directory Synchronization.
  • For general information about Active Directory synchronization in Sophos Central Admin, see Active Directory synchronization FAQ.

What is Active Directory Synchronization Setup?

Active Directory Synchronization Setup imports the following objects from Active Directory:

  • Username
  • Login
  • Email address
  • Groups and the members of each group

Active Directory Synchronization Setup works as follows:

  • It synchronizes active users and user groups.

    It doesn't duplicate existing users or groups when they match an existing Sophos Central user or group. For example, it can add an email address from Active Directory to an existing user in Sophos Central.

  • It only creates groups with more than one member.
  • It synchronizes devices and device groups. You can find information on how it matches devices and groups, and other useful information in Device group discovery FAQ.

You can find more information on how synchronization works in Active Directory synchronization FAQ.

What does Active Directory Synchronization Setup expect from Active Directory?

To synchronize an entire Active Directory forest, you need to provide Active Directory credentials for a user with permissions across the entire forest.

In the root of the directory tree of the host server, you need the following:

  • An attribute called rootDomainNamingContext that contains the Distinguished Name (DN) of the root of the Active Directory forest.
  • An attribute called defaultNamingContext that contains the DN of the host server.

You also need a collection of entries under CN=Partitions,CN=Configuration,<rootDomainNamingContext>, with one or more entries containing all of the following:

  • a netBiosName attribute
  • a dnsRoot attribute
  • a nCName attribute

For each of these entries, we include the value of its nCName attribute (which is a DN) in the areas to search, but only if that DN isn't an ancestor DN of the host server specified in Active Directory Synchronization Setup.
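As an added example (not Sophos code), the following Python applies that rule to constructed partition entries. The simple DN parsing and the treatment of the host server's own naming context as already covered are assumptions made here.

```python
# Added example, not Sophos code: apply the rule described above to work out
# which partition nCName values become search areas. All values are constructed.

def parse_dn(dn: str) -> list:
    """Split a DN into RDN components, most specific first, normalised for case
    and surrounding whitespace (sufficient for DC=/CN= style DNs without
    escaped commas)."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]

def is_ancestor_dn(candidate: str, dn: str) -> bool:
    """True when candidate is dn itself or one of its ancestors, comparing RDN by
    RDN. A plain string-suffix test would wrongly treat DC=subcorp,DC=example,DC=com
    as an ancestor of DC=corp,DC=example,DC=com."""
    c, d = parse_dn(candidate), parse_dn(dn)
    return len(c) <= len(d) and d[len(d) - len(c):] == c

def search_areas(default_naming_context: str, partitions: list) -> list:
    """Return the nCName DNs added to the search areas: one per partition entry
    that has netBiosName, dnsRoot and nCName and whose nCName is not an ancestor
    of the host server's defaultNamingContext. Treating the host's own naming
    context as already covered (so excluded here) is an assumption."""
    required = ("netBiosName", "dnsRoot", "nCName")
    areas = []
    for entry in partitions:
        if not all(entry.get(attr) for attr in required):
            continue  # entries missing any of the three attributes are ignored
        nc = entry["nCName"]
        if is_ancestor_dn(nc, default_naming_context) or nc in areas:
            continue
        areas.append(nc)
    return areas

# Constructed forest: root example.com, host server in child domain corp.example.com,
# a sibling child domain, and an application partition with no netBiosName.
DEFAULT_NAMING_CONTEXT = "DC=corp,DC=example,DC=com"
PARTITIONS = [
    {"netBiosName": "EXAMPLE", "dnsRoot": "example.com", "nCName": "DC=example,DC=com"},
    {"netBiosName": "CORP", "dnsRoot": "corp.example.com", "nCName": "DC=corp,DC=example,DC=com"},
    {"netBiosName": "SUBCORP", "dnsRoot": "subcorp.example.com", "nCName": "DC=subcorp,DC=example,DC=com"},
    {"dnsRoot": "DomainDnsZones.example.com", "nCName": "DC=DomainDnsZones,DC=example,DC=com"},
]

if __name__ == "__main__":
    for area in search_areas(DEFAULT_NAMING_CONTEXT, PARTITIONS):
        print(area)  # prints DC=subcorp,DC=example,DC=com
```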

What is the maximum number of objects I can synchronize at once?

The maximum number of AD objects we've tested is 30,000.

If you have more objects than this, synchronization with Sophos Central takes longer.

If you have more than 40,000 user entries in your environment, the UI responds more slowly.

What platforms are supported?

You can install and run Active Directory Synchronization Setup on the following platforms:

  • Windows 7
  • Windows 8.1
  • Windows 10
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Note: We only support 64-bit versions.

You can install the Domain Controller (DC) on the following platforms:

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2

Can I synchronize multiple Active Directory forests?

You can't synchronize multiple forests with a Sophos Central Admin account. You can only use one copy of Active Directory Synchronization Setup for a Sophos Central Admin account. You can select multiple child domains within a single forest. You can't select multiple forests.

Active Directory Synchronization Setup calculates synchronization deltas at the tenant level. If you want to synchronize multiple forests, you need to segregate the forests into separate Sophos Central Enterprise sub-estates. This gives each forest a separate Sophos Central Admin account. You can then use a separate Active Directory Synchronization Setup account to synchronize each forest. Each forest synchronizes with its own Sophos Central Admin account. You can manage these accounts in Sophos Central Enterprise.

You also need to make sure the users and email addresses are unique in each Sophos Central Enterprise sub-estate.

Where can I download Active Directory Synchronization Setup?

See Set up synchronization with Active Directory.

Subsequent upgrades are done automatically in Active Directory Synchronization Setup. Each time you synchronize, it checks if there’s a later version.

How do I install Active Directory Synchronization Setup?

See Set up synchronization with Active Directory.

Can I replace Active Directory Synchronization Setup with the Azure AD sync?

You can do this. See Change directory service.

Can I use a different directory service?

You can use Microsoft Azure. See Set up synchronization with Azure AD.

How do I move Active Directory synchronization servers?

See Move Active Directory synchronization servers in Set up synchronization with Active Directory.

How do I remove Active Directory synchronization?

You can choose not to use a directory service. See Change directory service.

For help on removing synchronized data, see Delete synchronized Active Directory data.

Why can I see '???' in place of UTF16 or double-byte characters?

The preview in Active Directory Synchronization Setup can't show double-byte characters.

Example of character display issue

All data is sent and shown in Sophos Central. This issue affects the preview or pending changes window in Active Directory Synchronization Setup.

We plan to address this in a future version of Active Directory Synchronization Setup.

Error: The object does not exist.

If you have a custom filter defined in Active Directory Synchronization Setup and you remove that Organizational Unit (OU) from Active Directory, you'll see the following errors:

  • Failed active directory synchronization. Reason: SophosCloudADSyncLib.DisplayableException: Error making a request over LDAP. Please review the connection settings you specified. The LDAP server returned the following error: 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
  • System.DirectoryServices.Protocols.DirectoryOperationException: The object does not exist.

The error doesn't reference the name of the removed OU. To resolve it, review any filters you have set up under AD Filters, as follows:

  1. Click Define Filters.
  2. Remove any filters referencing objects removed from your Active Directory.

Error: Failed active directory synchronization

The full error message is Error: Failed active directory synchronization. Characters with hexadecimal values 0xFFFE and 0xFFFF are not valid.

You may see this error at the Preview & Sync step when you run Active Directory Synchronization Setup manually.

Active Directory may contain invalid characters. When Active Directory Synchronization Setup previews the data that needs to be synchronized, it fails with this error.

To bypass this error, use Sync on Schedule - automatic (within next 2-3 minutes). This bypasses the preview step. The synchronization should be successful.
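Bypassing the preview hides the error but leaves the bad data in place. As an added example (not Sophos code), this Python scans exported attribute values for the two offending characters so you can find and correct the object in Active Directory; the record layout and sample records are constructed.

```python
# Added example, not Sophos code: locate the noncharacters U+FFFE and U+FFFF that
# make the Preview & Sync step fail. Records are constructed; in practice export
# the attributes the tool synchronizes (name, login, mail, group membership) in
# this dict shape and pass them to scan_records().
INVALID_CHARS = {"\ufffe", "\uffff"}

def find_invalid_chars(value: str) -> list:
    """Return (index, codepoint) pairs for every invalid character in value."""
    return [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(value) if ch in INVALID_CHARS]

def scan_records(records: list) -> list:
    """records: dicts keyed by attribute name; values are str or list of str.
    Returns one finding per offending value as
    (distinguishedName, attribute, index, codepoint)."""
    findings = []
    for rec in records:
        dn = rec.get("distinguishedName", "<no DN>")
        for attr, value in rec.items():
            if attr == "distinguishedName":
                continue
            values = value if isinstance(value, list) else [value]
            for v in values:
                if isinstance(v, str):
                    for idx, cp in find_invalid_chars(v):
                        findings.append((dn, attr, idx, cp))
    return findings

# Constructed sample: one clean user, one user with a bad description value,
# and a group whose member list contains a DN with a bad character.
SAMPLE_RECORDS = [
    {"distinguishedName": "CN=Alice Example,OU=Staff,DC=example,DC=com",
     "sAMAccountName": "alice", "mail": "alice@example.com"},
    {"distinguishedName": "CN=Bob Example,OU=Staff,DC=example,DC=com",
     "sAMAccountName": "bob", "mail": "bob@example.com",
     "description": "Imported\ufffe from legacy HR feed"},
    {"distinguishedName": "CN=Finance,OU=Groups,DC=example,DC=com",
     "member": ["CN=Alice Example,OU=Staff,DC=example,DC=com",
                "CN=Bob\uffff Example,OU=Staff,DC=example,DC=com"]},
]

if __name__ == "__main__":
    for dn, attr, idx, cp in scan_records(SAMPLE_RECORDS):
        print(f"{dn}: attribute {attr} has {cp} at position {idx}")
```

Each finding names the object, attribute and position, which is what you need to correct the value in Active Directory before re-running the preview.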

Error: Error syncing record

The full error message is Error: Error syncing record: Error deleting login...Reason: foreign key endpoint_user_sessions.user_match_id.

You can get this error if there's an issue removing a login associated with a user who was removed or disabled in Active Directory. Synchronization continues and finishes even if you see this error.

You can't remove this error until this is resolved with Sophos Central Admin.

Error: Failed to validate configuration settings

The full error message is Error: Failed to validate configuration settings. Reason: Unable to access Active Directory.

This failure indicates Active Directory Synchronization Setup can't connect to your Active Directory using the credentials or connection provided. Try the following:

  • Verify that your settings are correct (under AD Configuration in Active Directory Synchronization Setup) and that you provided credentials that have access to the entire forest (Enterprise Admin users typically have such access).
  • If your LDAP environment doesn't support SSL, you need to turn off Use Secure LDAP and change the port number accordingly. We don't recommend this.
  • Try connecting to your Active Directory with a separate LDAP tool, such as Microsoft's LDP.EXE, using the same credentials.