
Microsoft Active Directory and G Suite Sync Using GCDS on GCP Platform

GCDS bridges an LDAP server, e.g. Microsoft Active Directory, and a G Suite domain, so that users and groups can be synchronised with some user intervention. This tutorial gives step-by-step guidance for configuring GCDS on a Microsoft AD server.


Google Cloud Directory Sync (GCDS) is a very useful tool that automatically synchronises information from Active Directory (AD) to Google, so that account information does not have to be duplicated manually in Google. GCDS synchronises data between a Google Account and a Microsoft AD or LDAP server, with the exception of email messages, calendar events and files.

1. Prerequisites

a. The Windows Server must have Active Directory Domain Services enabled and a domain controller must be set up.

b. A G Suite domain.

2. Configure Active Directory Certificate Services and install an SSL certificate for connections over port 636

a. Log in to the Windows Server with a user that has administrator privileges (e.g. Administrator).

b. Select “Add Roles and Features” from Server Manager.

c. In the “Add Roles and Features Wizard”, click Next on the Before You Begin section.

d. Select “Role-based or feature-based installation” as the Installation Type and click Next.

e. Select your server from the server pool in the Server Selection section and click Next.

f. On Server Roles, check Active Directory Certificate Services and click Add Features.

g. Click Next on Features.

h. Click Next on AD CS.

i. Check Certification Authority under Role Services.

j. At Confirmation, check “Restart the destination server automatically if required” and click Install.

k. After the installation completes, click the flag icon in the top-right corner and click “Configure Active Directory Certificate Services on Destination Server”.

l. In the AD CS Configuration window, at Credentials, click Change and log in with the Administrator user credentials.

After a successful login, click Next.

m. At Role Services, check Certification Authority and click Next.

n. As the Setup Type, select Enterprise CA and click Next.

o. As the CA Type, select Root CA and click Next.

p. For the Private Key, select “Create a new private key”. One may also select “Use existing private key” if an existing certificate or key is available; in this guide “Create a new private key” is used. Click Next.

q. Keep the default values in the Cryptography section (screenshot given below for reference). Click Next.

r. In the CA Name section, one may change the Common name for this CA, but it is suggested to keep the Distinguished name suffix unchanged. Click Next.

s. Enter a Validity Period of your choice and click Next.

t. Click Next on Certificate Database.

u. On the Confirmation page, click Configure.

v. If everything goes well, the result will be “Configuration succeeded”. Click Close.

w. Restart the Microsoft AD server and log in again with the administrative user.

x. Open a Command Prompt (CMD), type ldp and press Enter.

y. In the Ldp window, click Connection and then Connect.

z. In the Connect window, enter “localhost” as Server, “636” as Port and check SSL. Click OK. A successful connection shows that the domain controller is already serving LDAPS with the new certificate; if it fails, the domain controller has not yet picked up the certificate, which is why the restart in step w matters.

aa. Open CMD again and execute:

certutil -store My DomainController dccert.cer

On success the command writes dccert.cer to the current directory (C:\Users\Administrator in this guide) and ends with “CertUtil: -store command completed successfully”.

bb. Download GCDS (Google Cloud Directory Sync) from this link and install it on the Microsoft Active Directory server.

cc. After the installation completes, open CMD and execute:

cd "c:\Program Files\Google Cloud Directory Sync\jre"

bin\keytool -keystore lib\security\cacerts -storepass changeit -import -file C:\Users\Administrator\dccert.cer -alias mydccert

At the confirmation prompt, type “yes”.

On success, the result will be “Certificate was added to keystore”.

dd. Next, using Windows Explorer, go to “C:\Program Files\Google Cloud Directory Sync”.

Open “config-manager.vmoptions” in a text editor (Notepad), delete the following two lines and save the file:

-Djavax.net.ssl.trustStoreProvider=SunMSCAPI
-Djavax.net.ssl.trustStoreType=Windows-ROOT

Open “sync-cmd.vmoptions” in a text editor (Notepad), delete the same two lines and save the file:

-Djavax.net.ssl.trustStoreProvider=SunMSCAPI
-Djavax.net.ssl.trustStoreType=Windows-ROOT

These two options point the GCDS Java runtime at the Windows certificate store; removing them makes it use the JRE's own lib\security\cacerts file, which is where the certificate was imported in step cc.
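Steps x to cc (the ldp connection test, the certutil export and the keytool import) done in one script, as an added PowerShell example that is not part of the original tutorial. It assumes it runs as an administrator on the domain controller, that GCDS is in its default folder, and that $DcHost, $CerPath and $Alias are placeholders you may change.

```powershell
# Added example, not part of the original tutorial: check that the DC answers LDAPS on
# port 636, export the certificate it presents, and import it into the GCDS JRE trust
# store (the ldp / certutil / keytool steps x to cc, done in one script).
# Assumptions: run as an administrator on the DC; GCDS is in its default folder;
# $DcHost, $CerPath and $Alias are placeholders you may change.
$DcHost  = 'localhost'
$Port    = 636
$CerPath = "$env:USERPROFILE\dccert.cer"
$Alias   = 'mydccert'
$GcdsJre = 'C:\Program Files\Google Cloud Directory Sync\jre'
$Keytool = Join-Path $GcdsJre 'bin\keytool.exe'
$Cacerts = Join-Path $GcdsJre 'lib\security\cacerts'

# 1. Open a TLS session to port 636 and capture the certificate the DC presents.
#    The callback accepts any certificate only so we can inspect it here; which
#    certificate GCDS trusts is decided by the keystore import below.
$tcp = New-Object System.Net.Sockets.TcpClient($DcHost, $Port)
$cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($DcHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

Write-Host "LDAPS is listening on ${DcHost}:${Port}"
Write-Host "  Subject   : $($cert.Subject)"
Write-Host "  Issuer    : $($cert.Issuer)"
Write-Host "  NotAfter  : $($cert.NotAfter)"
Write-Host "  Thumbprint: $($cert.Thumbprint)"

# Windows only uses a certificate for LDAPS if it carries the Server Authentication
# EKU, so warn if it is missing or the certificate has already expired.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if (-not $eku -or ($eku.EnhancedKeyUsages.FriendlyName -notcontains 'Server Authentication')) {
    Write-Warning 'Certificate lacks the Server Authentication EKU.'
}
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning 'Certificate has already expired.' }

# 2. Export the certificate as DER, the same form certutil -store writes to dccert.cer.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($CerPath, $der)

# 3. Import it into the GCDS JRE keystore; -noprompt replaces the interactive "yes".
#    "changeit" is the default cacerts password used in the tutorial.
& $Keytool -keystore $Cacerts -storepass changeit -importcert -noprompt -file $CerPath -alias $Alias
if ($LASTEXITCODE -ne 0) { throw "keytool import failed (exit code $LASTEXITCODE)" }

# 4. Confirm the alias is now in the trust store.
& $Keytool -keystore $Cacerts -storepass changeit -list -alias $Alias
```

Because the Enterprise CA renews domain controller certificates automatically, importing the CA's root certificate (exported with certutil -ca.cert) instead of the DC's own certificate avoids repeating this import after each renewal.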

3. Configure GCDS to sync Microsoft AD with the G Suite domain

a. Open GCDS Configuration Manager from the server's Start menu.

b. When configuring the Google Domain, enter the primary G Suite domain name and click Authorize Now.

c. Log in with the G Suite domain admin user and on the next page click Allow.

On successful authorisation, the web browser will show “Received verification code. You may now close this window.” and a green tick mark will appear in the GCDS Configuration Manager.

d. Refer to the screenshot for the LDAP configuration. Here port 636 has been used for the LDAP+SSL connection.

Enter the administrative user name followed by “@<ldap dc name>” as the Authorized User; in this example administrator@test.com has been used. The Base DN follows the domain controller's forest name (e.g. for test.com it is DC=test,DC=com).

Click Test Connection. On a successful connection the result will be as below.

e. Select General Settings as you prefer.

f. At User Accounts settings, set the following User Attributes:

Email Address Attribute: mail

(NOTE: every AD user must have the Email address field populated for the sync to work properly.)

Unique Identifier Attribute: Active Directory objectGUID

(For objectGUID, refer to this link.)

Select the Google Domain User Deletion/Suspension Policy as you prefer.

Click Use defaults for Additional User Attributes.

For Search Rules, click Use default.

g. For Notifications, use smtp.gmail.com as the SMTP relay host, supply a user credential (preferably the G Suite domain admin user) and add the sender and recipient email addresses.

h. For Logging, select the file name, file size and log level as you prefer.

i. Finally, run Simulate sync first, then click Sync and apply changes.

j. If the sync works properly, save this configuration to an .xml file using the File menu.

Conclusion

Google created Google Cloud Directory Sync (GCDS) to bridge an LDAP server and G Suite. GCDS can be used to sync users and groups between a G Suite domain and an LDAP server such as a Microsoft Active Directory (AD) server. This synchronisation needs user intervention; one may use Task Scheduler to schedule it. This tutorial has given step-by-step guidance for configuring GCDS on a Microsoft AD server.
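The Task Scheduler setup the conclusion mentions, as an added PowerShell example that is not part of the original tutorial. sync-cmd.exe in the GCDS folder, the C:\GCDS paths, the task name and the TEST\svc-gcds account are assumptions; the -a and -c flags are the GCDS sync-cmd options for applying changes and naming the configuration file.

```powershell
# Added example, not part of the original tutorial: run the saved GCDS configuration
# unattended from Task Scheduler instead of clicking Sync by hand.
# Assumptions: GCDS is in its default folder, the configuration from step j was saved
# as C:\GCDS\gcds-config.xml, and TEST\svc-gcds is a placeholder for a dedicated AD
# account (not the Domain Administrator) that can read the config file and the synced OUs.
$SyncCmd = 'C:\Program Files\Google Cloud Directory Sync\sync-cmd.exe'
$Config  = 'C:\GCDS\gcds-config.xml'
$RunAs   = 'TEST\svc-gcds'
$Task    = 'GCDS nightly sync'

if (-not (Test-Path $Config)) { throw "Configuration file not found: $Config" }

# sync-cmd flags: -a applies the changes (without it only a simulation runs),
# -c names the configuration file saved from the Configuration Manager.
$action = New-ScheduledTaskAction -Execute $SyncCmd -Argument "-a -c `"$Config`"" `
    -WorkingDirectory (Split-Path $SyncCmd)

$trigger  = New-ScheduledTaskTrigger -Daily -At 02:00
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 2) `
    -MultipleInstances IgnoreNew -StartWhenAvailable

# The password is prompted once and stored by Task Scheduler, so the task runs
# whether or not the account is logged on. -RunLevel Limited: no elevation is needed.
$cred = Get-Credential -UserName $RunAs -Message 'Password for the GCDS service account'
Register-ScheduledTask -TaskName $Task -Action $action -Trigger $trigger `
    -Settings $settings -User $cred.UserName `
    -Password $cred.GetNetworkCredential().Password -RunLevel Limited | Out-Null

# Trigger a first run now; check the outcome later with Get-ScheduledTaskInfo
# and the GCDS log file configured in step h.
Start-ScheduledTask -TaskName $Task
```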
