Summary
This document outlines the best practices to maintain the Virtru Active Directory (AD) Sync Tool to ensure seamless synchronization and operational efficiency. Please review the prerequisites document to ensure all necessary steps are completed correctly.
Update Steps
-
Update Configuration File:
- If your Virtru AD on-premise sync tool is failing, update the URL in the current
ad.config.json
file. - Steps:
- Log into the server running the sync tool.
- Navigate to
C:\ProgramData\Virtru\ActiveDirectorySync\Config
. - Open
ad.config.json
in a text editor (e.g., Notepad++). - Replace the "URL" variable with the updated endpoint:
"https://api.virtru.com/accounts/api/org/domain-map-upload-v2"
- Save and close the file.
- If your Virtru AD on-premise sync tool is failing, update the URL in the current
-
Verify Service Account Settings:
- To ensure the sync tool runs continuously, a dedicated service account with administrative privileges is required.
- Steps:
- Open Windows Services (
services.msc
). - Locate "Virtru Domain Sync" service.
- Right-click, open properties, and click on the "Log On" tab.
- Verify or update the service account settings (default: Network Service).
- Apply and save the changes
- Open Windows Services (
-
Download and Install the Latest Version:
- Always ensure the latest version of the tool is installed.
- Steps:
- Download the latest installer from the provided link.
- Run the MSI installer as a local administrator.
- Follow the installation prompts.
- Click Install
- To reinstall - Click Yes, when asked if you want to allow the app to make changes to your device.
- Select "Automatically close and attempt to restart applications."
- Click Install
- Ensure previous HMAC token and secret are verified.
- You should see your previous HMAC token and secret, click "Verify"
- Click OK and Save.
- You should see your HMAC signature and validated token.
- You should see your previous HMAC token and secret, click "Verify"
Troubleshooting and Maintenance
-
Confirm Sync Status:
- Regularly check if the AD Sync tool is running successfully.
- Verify the last successful sync date in logs.
-
HMAC Credential Verification:
- Ensure the HMAC credentials are correctly set in the following location:
C:\Program Files (x86)\Virtru Corporation\Virtru Domain Sync Service\Virtru.DomainMapGenerator.Setup.Custom
- Ensure the HMAC credentials are correctly set in the following location:
-
Reinitializing the Sync Process:
- If sync issues persist, consider reinitializing the sync:
- Delete the
domainMapObject.json
file located at:C:\ProgramData\Virtru\ActiveDirectorySync\Data\domainMapObject.json
- Manually stop and start the Virtru Domain Sync service.
- Delete the
- If sync issues persist, consider reinitializing the sync:
-
Verify a Successful Sync:
-
You can verify if the sync was successful by going to the data folder on the server and see if the domain map is being built.
C:\ProgramData\Virtru\ActiveDirectorySync\Data\domainMapObject.json
-
-
Send Logs to Virtru for Troubleshooting:
-
To further troubleshoot, send the following files from the sync directory:
-
Active Directory Sync log files
-
domainMap.json
-
ldapqueries.json
-
-
These files are located in:
C:\ProgramData\Virtru\ActiveDirectorySyncectorySync
-
-
Sync Time Configuration:
Default Sync Time: The default synchronization interval for the Virtru Active Directory Sync Tool is set to 1440 minutes, which means the tool runs once daily.
Updating Sync Time: If you need to modify the default sync time to better fit your organization's requirements, follow these steps:
-
Locate the Configuration File:
- Navigate to the following directory on the server running the sync tool:
C:\ProgramData\Virtru\ActiveDirectorySync\Config
- Navigate to the following directory on the server running the sync tool:
-
Edit the Schedule Setting:
- Open the
schecdule.txt
file using a text editor such as Notepad++. - Update the value to the desired interval in minutes (e.g., setting it to
720
for a sync every 12 hours).
- Open the
-
Save and Apply Changes:
- Save the file after making the changes.
- Restart the "Virtru Domain Sync" service to apply the updated schedule.
Example:
720
Verification: After updating the schedule, verify that the sync runs at the expected interval by checking the sync logs or monitoring the last sync timestamp.
-
To optimize performance and minimize system load, the synchronization schedule should be set to run no more than four times per day, which equates to a sync interval of every 6 hours at most. Adjusting the schedule beyond this recommendation may impact system efficiency and increase resource consumption.
-
Verifying the LDAP Query in Active Directory Users and Computers (ADUC)
To verify the LDAP query in Active Directory Users and Computers (ADUC), follow these steps to ensure that the distinguished names and group memberships are correctly configured.
Steps to Verify LDAP Query in ADUC:
-
Access Active Directory Users and Computers (ADUC):
- Open the ADUC console on your Active Directory server.
- Navigate to
Start > Administrative Tools > Active Directory Users and Computers
.
-
Locate the Group Distinguished Name:
-
In the left pane, find and select the group you want to verify (e.g.,
Virtru-Users
). -
Right-click on the group and select Properties.
-
Go to the Attribute Editor tab.
-
Locate and copy the distinguishedName attribute.
Example:
CN=Virtru-Users,OU=EnterpriseGroups,DC=company,DC=org
-
-
Construct the LDAP Query: Use the copied distinguished name to create an LDAP query in the required JSON format.
Example LDAP Queries:
[ { "Name": "AllUsers", "Command": "(&(objectclass=user)(memberOf=CN=Virtru-Users,OU=EnterpriseGroups,DC=company,DC=org))", "Type": "user" }, { "Name": "Admin Groups", "Command": "(&(objectCategory=group)(Name=Virtru-Admins))", "Type": "admingroup" } ]
- The Users group (for encryption policies) includes both users and admins.
- The Admins group (for administrative purposes) should contain only admin accounts.
-
Verifying the Query in ADUC:
- Open ADUC and select Find Users, Contacts, and Groups.
- In the search field, paste the distinguished name or enter the LDAP filter manually.
- Click Find Now to confirm if the expected users and admins appear in the results.
-
Troubleshooting:
- If users or groups do not appear as expected:
- Verify that the distinguished name is correct.
- Ensure that group memberships are accurately set in Active Directory.
- Test variations of the LDAP filter for accuracy.
- If users or groups do not appear as expected:
By following these steps, you can confirm that your LDAP query is correctly pulling the required users and admins from your Active Directory environment.
-
Important Notes:
- If your service account settings were changed from "Network Service" before updating, restore them after the update and restart the service.
- Ensure firewall rules allow access to the endpoint:
virtru-com-us-east-2-domain-maps-production.s3.us-east-2.amazonaws.com
. - Contact Virtru Support for any assistance or if issues persist.
By following these best practices, you can maintain a reliable and secure integration between your Active Directory and Virtru services.