Google Apps Directory Sync (GADS)
Google Apps Directory Sync (GADS) synchronizes your LDAP or Active Directory infrastructure with your Google Apps domain. The software is able to transfer across information about your AD organizational units, user accounts, groups, user profile attributes, shared contacts, and calendar resources.
It’s important to remember that GADS doesn’t sync changes live, so if you add a new user to your AD domain you either have to run GADS manually or wait until the tool runs on a schedule.
All syncing is one-way (AD > Google Apps), so changes made in the Google Apps domain control panel are not transferred back to Active Directory. Because of this, in some instances changing account information in Google Apps can cause Google accounts to become disassociated with AD accounts, or at worse deleted when GADS syncs. Be careful!
Once you’ve perfected your GADS configuration you can schedule regular synchronizations to update Google Apps with any changes made in Active Directory.
It’s important to note that GADS does not synchronize Active Directory passwords. The reason for this is that Active Directory passwords are not accessible via LDAP, and as such the GADS tool cannot access this data. To synchronize AD passwords to Google Apps another tool, Google Apps Password Sync (GAPS) is used.
In this example I am assuming you are using Google Apps Directory Sync version 3.1.3 to synchronize a Microsoft Active Directory environment.
One of the main issues I came across when using GADS is that documentation, even from Google, is patchy, and the terminology can be confusing as Google and Microsoft use different terms for similar features. What I wanted was a detailed overview of each of the options in GADS. This is what this is!
Enabling The Provisioning API
The provisioning API is the bit of Google Apps which allows external applications to plugin and manage Google Apps data. Before you can use GADS you need to enable the provisioning API in your Google Apps control panel:
- Log in to your Google Apps administrator control panel.
- Click Domain Settings from the top menu, and then click the User Settings tab.
- Check the box labelled Enable Provisioning API.
- Click Save Changes.
Installing Google Apps Directory Sync
Now to GADS itself. Download and install Google Apps Directory Sync. You can install it on any Windows or Linux machine. I’m using Windows, but the instructions are the very similar for Linux.
Installation is simple, and once installed you can access the software from the Windows Start Menu — you want the Configuration Manager application. If you’re on Windows Server 2012?
The first thing you will see is the General Settings tab. From here you can select which portions of your Active Directory are synchronized to Google.
To keep things simple we’re going to sync the three most common attributes — organizational units, user accounts, and groups.
Organizational Units (OU) refer directly to Active Directory organizational units. By synchronizing OUs you can retain the hierarchical structure of your Active Directory when synchronizing accounts with Google Apps.
Tip: AD Organisational Units are referred to as “Suborganizations” in Google Apps.
You don’t have to transfer your OUs one-to-one either, you can choose which OUs to sync, and even transfer one OU to a differently named Google Apps Suborganisation.
Which AD users GADS should sync?
It’s important to remember that GADS does not synchronize passwords, it doesn’t even transfer them across at all. So, even if you’ve successfully synchronised all of your AD accounts, your users won’t be able to login to them. This is because passwords in AD are stored outside of the LDAP AD user object in a place GADs is unable to access. To synchronize passwords you require Google Apps Password Sync (GAPS) — I’ll be posting an article on GAPS later.
Groups refers to your Active Directory groups. Group sync allows you to pass over objects such as mailing list groups from AD.
GADS also allows you to synchronize the following:
- User Profiles: Additional information from the AD user object, such as phone numbers, title, department etc.
- Shared Contacts: A synchronized list of all users pulled from AD’s Global Address List.
- Calendar Resources: Synchronize LDAP calendar resources.