This knowledge base article provides a number of frequently asked questions regarding the Sophos Central Admin AD Sync Utility.
The following sections are covered:
Applies to the following Sophos products and versions Sophos Central AdminSophos Cloud AD Sync Utility
Active Directory synchronization allows administrators to implement a service that maps users and groups from Active Directory to Sophos Central.
Sophos Central AD Sync utility will import the following objects from the Active Directory:
Note: Only groups with more than one member will be created
You can synchronize multiple Active Directory forests using separate installations of the ADsync utility. To do this, you need to install the utility on multiple machines and configure each utility to synchronize a different AD forest. We strongly recommend to synchronize different AD forests at different times of day, so that the synchronizations do not overlap.
Note: There is an unexpected behavior that can be seen when syncing between two separate AD forests.
The AD Sync Utility tool can be downloaded from the following:
Note: Subsequent upgrades are done automatically within the utility itself. Each time a sync is triggered, the utility will check if there is a newer version.
A step-by-step review of the process and interface can be reviewed in Sophos Central: How to set up Active Directory Sync.
The utility can be installed on Windows computers only at this time. It is advisable to install it on a server operating system especially if you have configured the utility to sync on a schedule.
AD Sync logs in three locations. Information about these locations can be found in Active Directory Sync Utility logging locations.
Note: If the customer needs to raise a case with support, please provide all logging information possible.
Please see Sophos AD Sync Utility fails to create a group or fails to reflect the correct number of users.
Users are filtered with the LDAP query:
The group LDAP filter for groups is simply:
These filters can be extended on a per domain basis. For more information about Filtering and LDAP queries, please see Sophos Central Admin AD Sync Utility filters.
The AD Sync tool uses the Display name attribute when importing user information
The AD Sync tool uses the attribute proxyAddresses for the alias.
The AD Sync tool matches AD users by Domain Login (Domain/user) and/or by email address.
Note: You can see which accounts will be matched prior to committing to a sync by choosing the Preview and Sync... option. If there is a match, you will see this listed under the Users to Modify tab. If there is no match, you will see the user under the Users to Add tab. You can choose to reject changes if you do not want to commit to the modifications.
Sophos AD Sync utility imports login names in the format of [NetBIOSDomainName]\[User]. A Mac, although joined to a domain reports the username as [MacComputerName]\[User]. As a result, the Mac computer does not associate with the existing Sophos Central AD Synced user and a new user is created based on the [MacComputerName]\[User] login name.
To map the Mac to the Central user the customer can delete the auto-generated Central user ([MacComputerName]\[User]) and then map the login, for example, [MacComputerName]\[User] to the AD Sync created user.
See Sophos Central for OS X - How to enable domain overrides for reported users for information on how to override this information locally on a client.
The AD Sync utility obtains a number of attributes that are common to a number of directory services such as OpenLDAP but only Active Directory is supported at this time.
By default, the AD Sync utility is configured to connect to the AD using port 636 (secure). If the customer does not have a certificate setup on their domain controller they can use 389 (non-secure). For more information see Active Directory Sync Utility re-prompts for the LDAP credentials.
Sophos strongly suggests the LDAP queries take place over port 636, especially for queries across the network. In addition to connecting to AD, the utility also makes a request of Sophos Central. These queries are made over port 443/HTTPS.
To sync an entire AD forest, it is necessary to provide Active Directory credentials for a user with permissions across the entire forest.
In the root of the directory tree of the host server, an attribute called rootDomainNamingContext which contains the DN of the root of this Active Directory forest.
In the root of the directory tree of the host server, an attribute called defaultNamingContext which contains the DN of this host server.
A collection of entries under CN=Partitions, CN=Configuration, <rootDomainNamingContext>, with at least one or more entries containing all of the following:
For each of these entries, we include the value of its nCName attribute (it's a DN) in areas to search (but only if that DN is not an ancestor DN of the host server specified in the AD Sync setup wizard).
This error can be encountered if the Sophos Account used to link your ADsync utility does not have Admin rights (eg. help desk or read-only roles).
The Central account you use to connect our ADsync utility with must not have MFA enabled for it. If all of your accounts have MFA enabled in Central Administrator - configure one of them, or a new account to have this disabled. Also, see KBA 128142
If you have a custom filter defined in AD Sync tool, and that OU is removed from Active Directory afterward, you will see the following errors:
Failed active directory synchronization. Reason: SophosCloudADSyncLib.DisplayableException: Error making a request over LDAP. Please review the connection settings you specified. The LDAP server returned the following error: 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
System.DirectoryServices.Protocols.DirectoryOperationException: The object does not exist.
The error does not reference the name of the removed OU. To resolve this error, you will need to review any filters you have set up under the AD Filters tab and Define Filters button. Remove any filters referencing objects removed from your Active Directory.
Any user that is configured with a role within Central Admin for example Read-only, Help Desk, Admin and Super Admin and is also an AD sync account, will not be removed automatically by the AD Sync utility, regardless of its state in the Active Directory.
In order to remove an AD Sync user with a Role assigned (after it has been removed in Active Directory), you can either manually delete this user from Central Admin, or demote that account (in Central Admin) to a regular user, which will first remove the role and ability for them to login. After the next Central AD sync scan, that account will be removed.
This can be seen if there is a back end issue removing a login that was associated with a user who was removed or disabled in Active Directory. The AD sync will continue and finish even if this error is seen.
There is nothing that can be done to remove this particular error from showing until this is resolved with Sophos Central. In the interim of this being resolved, these errors can be ignored.
This behavior has be seen if there are duplicate ad sync users. Please follow the instructions provided below:
Currently, proxy details cannot be configured with the AD sync utility. The service runs using a local service account which by default will not have access to authenticate through any proxies. We commonly see the following error when dealing with a Proxy connection issue:
If you need to create an account that does have access, this account that will be used to log in should have the following rights (minimum for AD sync utility portion)
C:\ProgramData\Sophos\Sophos Cloud AD Sync
Note: Every time you change the service account used for the Sophos AD sync service - the Active Directory Sync tool will need to be reconfigured.
There is also an additional AD sync Proxy workaround described in the following community post
On the local server or system you installed the AD sync utility on, go to the Programs and Features and choose to remove the Sophos Central AD Sync Utility.
It is not currently possible to change from using the on premise AD sync utility over to the Azure AD sync function (used by Central Email only licenses. also see help file for Azure AD sync set up for more information.)
The Sophos Central help page can be found here.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable for us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.