How to manage the AD Sync Tool in Zoom App
Contents
- 1 Managing the AD Sync Tool
- 2 Prerequisites for the AD Sync Tool
- 3 Quick start of the AD Sync Tool
- 4 What is the AD Sync Tool and how to configure it
- 5 Sync commands
- 6 Setup
- 7 Examples of command executions for the AD Sync Tool
- 8 How to run the tool as a service (Windows)
- 9 How to start automatically after system startup (Windows)
- 10 AD Sync Tool log files
- 11 Abnormal data files
- 12 AD Sync Tool security
- 12.1 Enabling SSL/TLS connection for ADFS
- 12.2 Installation and retrieval of the SSL certificate
- 12.3 Frequently Asked Questions
- 12.4 What is the SSO button for Zoom?
- 12.5 What is managed domain in Zoom?
- 12.6 Where is the SSO button on Zoom?
- 12.7 Does Zoom support SAML?
- 12.8 How do I enable SSO in Azure?
- 12.9 Related Articles
Managing the AD Sync Tool
Syncing users between your Active Directory (AD) or LDAP server and your Zoom account is made easy with the AD Sync Tool, which runs from a command line on a Windows, Linux, or macOS system. The tool notifies Zoom whenever a change to those users occurs in your LDAP/AD, so you can manage your Zoom users from your directory.
It runs on the console, without a GUI or web interface, and can be run on any computer that has a console. Whenever you make a change or troubleshoot an error, you can examine the log files for the details of the change or of the error that occurred.
When you use the AD Sync Tool, you can create, update, and deactivate/delete users according to the changes in your LDAP/AD server. You can also update the Zoom user’s email address (the domain of the new email address must be in the associated domain), and sign users out once they have changed their password or been disabled.
There are a number of attributes that the AD Sync Tool can support:
- First Name
- Last Name
- Department
- Job Title
- Phone Number
- Company
- Cost Center
- Employee Unique ID
Prerequisites for the AD Sync Tool
- If you are using Zoom, make sure that the following features are enabled:
  - Vanity URL
  - REST API
  - Active Directory integration, set up in Zoom and configured for single sign-on
  - AD Sync Tool (contact Zoom Support to have it enabled)
- An LDAP service, such as Active Directory Federation Services (ADFS), is installed on your server.
- The username and password of an LDAP (or Microsoft Active Directory) administrator account that can read the user information you need to sync.
Quick start of the AD Sync Tool
- Once you have installed the JDK 8 version, you will need to run the following command to ensure that Java is correctly installed:
java -version
- Please download the zoomadsynctool.zip file from the following location: http://cdn.zoom.us/prod/tools/zoomadsynctool.zip
- Unzip the ad-tool-${version}.zip file.
- In the Configuration section, you’ll find instructions for updating the config.properties file. If the config.properties file is not located in the same folder where the adtool-$[version].jar file is, then copy the file into that folder.
- The tool's configuration files are protected with a secret code so that unauthorized users cannot read them. You must enter this secret code every time you run the tool.
- Run the following command in order to start the tool:
bin/adtool.cmd start
Caution: If users from your Zoom account do not exist in Active Directory, running the start command can deactivate or remove them from Zoom. Whether this happens is controlled by the following setting:
zoom.allow.delete.missing.user
Note: Run the AD Sync Tool as a daemon so that it keeps checking for missing users. The first run performs a full synchronization; after that, an incremental synchronization runs every 40 minutes. Password changes are also tracked by the incremental synchronization.
- The following command will allow you to view synchronization results before any changes are applied to your Zoom account:
preview
- In the event you fail to run any of the commands, please check the log file.
What is the AD Sync Tool and how to configure it
The config.properties file contains a number of parameters that determine how the tool carries out synchronization. There are two types of synchronization:
- Full sync: All Zoom users are compared with all AD users, and every AD user whose attributes differ in Zoom is synchronized.
- Incremental sync: Only the AD users whose information has changed since the last sync are synchronized to Zoom.
In the following sections of the file, you will need to update the values.
Note: There is no need to include credentials in this file.
Zoom setting (updated values required)
- zoom.vanity.url: Your Zoom vanity URL.
Sync options (updated values required)
- zoom.default.user.type: The user type assigned when a new Zoom user is created. The user types are 1: Basic, 2: Licensed, and 3: On-Prem. The default value is 2.
- zoom.allow.create.user: Whether to create Zoom users for users that exist in your Active Directory but not yet in Zoom. The value is true or false.
- zoom.allow.update.user: Whether to update Zoom users whose attributes differ from your Active Directory. The value is true or false.
- zoom.allow.delete.user: Whether to delete Zoom users when they are removed from your Active Directory. If the value is true, such Zoom users are deleted; if false, they are left unchanged.
- zoom.default.user.delete.behavior: What a "delete" action does to a user: 1 deactivates the Zoom user, 2 deletes them. The default value is 1. This applies to deletions triggered by zoom.allow.delete.user or zoom.allow.delete.missing.user.
- zoom.allow.delete.missing.user: Whether a full synchronization removes Zoom users that do not exist in AD. If true, missing users are removed from Zoom (deactivated or deleted according to zoom.default.user.delete.behavior); if false, they are left unchanged. The default value is false, so existing Zoom users are not affected when you first start the tool.
- zoom.monitor.job.interval.minutes: The interval, in minutes, between runs of the monitor job. The default is 15 minutes.
- zoom.incremental.sync.job.interval.minutes: The interval, in minutes, between runs of the incremental sync job. The default is 40 minutes.
LDAP/AD settings (updated values required)
This tool supports connections to multiple LDAP/AD servers. The value "n" is the index of the LDAP server, starting from 0.
- ldap.servers[n].url: The URL of your LDAP or Active Directory server.
- ldap.servers[n].base: The base DN under which the tool searches for users.
- (Optional) ldap.servers[n].groups[m]: The full DN of a user group. If this value is empty (the default), users from all groups are synced. If you specify a group DN, only users in that group are synchronized with Zoom; leave it empty if you do not want to filter users by group. More than one group can be set for one server; "m" is the index of the group.
- (Optional) ldap.servers[n].deletedBase: The container where deleted objects are stored. The default is CN=Deleted Objects,{Your LDAP Base Name}; update it to match your environment.
- ldap.default.query.pageSize: The page size for LDAP queries, i.e. the maximum number of users the LDAP server returns in a single query.
Attribute mapping (update of values is optional)
- ldap.user.email: The AD field that holds the user's email address. The default is userPrincipalName.
- ldap.user.firstname: The AD field that holds the first name. The default is givenName.
- ldap.user.lastname: The AD field that holds the last name.
- ldap.user.department: The AD field that holds the user's department. The default is department.
- ldap.user.phoneNumber (disabled by default): The AD field that holds the telephone number. The default is telephoneNumber.
- ldap.user.jobTitle (disabled by default): The AD field that holds the job title. The default is title.
- ldap.user.company (disabled by default): The AD field that holds the company. The default is company.
- ldap.user.employeeId (disabled by default): The AD field that holds the employee ID. The default is employeeID.
- ldap.user.costCenter (disabled by default): The AD field that holds the cost center. There is no default; you must choose a value for this field.
- After commenting or uncommenting mappings, run a full sync for the change to take effect.
- The three mandatory fields ldap.user.email, ldap.user.firstname, and ldap.user.lastname must always be mapped and must never be disabled.
- Mapping values are case-sensitive. To find the correct field name in ADFS, go to Server Manager > Tools > Active Directory Users and Computers, right-click the user you want to map and select Properties, then open the Attribute Editor tab and read the Attribute column.
Logging setting
- log.dir: The base directory for log files. You can give a relative path such as .., resolved against the location of the adtool-$[version].jar file, or an absolute path such as c: or d:. The default is . (the directory containing adtool-$[version].jar).
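As an added example (not part of the Zoom tool or of this article), the following Python script reads a config.properties file using the keys described above and flags the settings this page warns about: a commented-out mandatory mapping, zoom.allow.delete.missing.user set to true before a preview has been run, an out-of-range user type or delete behavior, an ldap:// server URL where the security section expects ldaps://, and any credential-looking key (the file should hold none). The sample file, the parse_properties and check_config helpers, and the credential-key heuristic are assumptions of this example.

```python
"""Added example, not part of the Zoom AD Sync Tool: lint config.properties."""
import re
from typing import Dict, List

# Constructed sample: one server still on plain ldap://, the destructive
# "delete missing users" switch turned on, and a mandatory mapping commented out.
SAMPLE = """
zoom.vanity.url=https://example.zoom.us
zoom.default.user.type=2
zoom.allow.delete.user=false
zoom.default.user.delete.behavior=2
zoom.allow.delete.missing.user=true
ldap.servers[0].url=ldaps://dc1.example.local:636
ldap.servers[0].base=DC=example,DC=local
ldap.servers[1].url=ldap://dc2.example.local:389
ldap.servers[1].base=DC=corp,DC=example,DC=local
ldap.user.email=userPrincipalName
ldap.user.firstname=givenName
#ldap.user.lastname=sn
log.dir=.
"""

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators.
    Assumption: the file uses no continuation lines or escape sequences."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank or comment line (a commented-out mapping is "disabled")
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

MANDATORY = ("ldap.user.email", "ldap.user.firstname", "ldap.user.lastname")

def check_config(props: Dict[str, str]) -> List[str]:
    """Return findings as text; an empty list means nothing to fix."""
    findings: List[str] = []
    for key in MANDATORY:  # these three mappings must never be disabled
        if not props.get(key):
            findings.append(f"{key} is missing or commented out; it is mandatory")
    if props.get("zoom.default.user.type", "2") not in ("1", "2", "3"):
        findings.append("zoom.default.user.type must be 1 (Basic), 2 (Licensed) or 3 (On-Prem)")
    behavior = props.get("zoom.default.user.delete.behavior", "1")
    if behavior not in ("1", "2"):
        findings.append("zoom.default.user.delete.behavior must be 1 (deactivate) or 2 (delete)")
    if props.get("zoom.allow.delete.missing.user", "false").lower() == "true":
        what = "deleted" if behavior == "2" else "deactivated"  # per delete.behavior
        findings.append("zoom.allow.delete.missing.user=true: Zoom users absent from AD "
                        f"will be {what} on the first full sync; run preview first")
    for key, value in props.items():
        if re.fullmatch(r"ldap\.servers\[\d+\]\.url", key) and not value.lower().startswith("ldaps://"):
            findings.append(f"{key}={value} is not ldaps://; the bind and user data travel unencrypted")
        if re.search("password|secret", key, re.I):  # heuristic: credentials belong in setup, not here
            findings.append(f"{key} looks like a credential stored in the config file")
    return findings

if __name__ == "__main__":
    for finding in check_config(parse_properties(SAMPLE)):
        print("WARN:", finding)
```

Run it against your real file by replacing SAMPLE with the file's contents; it reports three findings on the constructed sample and nothing on a file that maps the three mandatory fields and keeps the defaults.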
Sync commands
- General options:
  - -h, --help: Display usage and help information for the tool.
  - -v, --version: Display the tool's version.
- Command options:
  - -h, --help: Display help information for the command.
  - --service: Run in service mode, without prompting for the secret code.
Setup
Configures the Zoom authentication credentials and the LDAP authentication credentials. If any of them change, for example your password, run the setup command again to update them. The command asks a number of questions about your credentials:
you must enter the Zoom API key, Zoom API secret, Active Directory username, and password.
Setup flow:
- Enter the secret code.
- Confirm the secret code.
- Enter the Zoom API key.
- Enter the Zoom API secret.
- Enter the user DN (distinguishedName) of the LDAP server.
- Enter the user password of the LDAP server.
Note: The API secret, the secret code, and the LDAP password are not displayed while you type them.
Start
Starts the tool as a long-running process. When you start the tool for the first time, it carries out a full synchronization and then schedules an incremental synchronization every 40 minutes until you close the tool. It also monitors password change events. You do not need to create a Task Scheduler task or cron entry to run this command.
Preview
Shows the synchronization result without applying any change to your Zoom account. Use it to make sure the tool's options work as expected.
Reset
Resets the tool to its default settings: all local configuration files and cached data are removed. If something prevents the tool from running, run the reset command to make it work again.
Sync
- Option to run a full sync:
--all
Performs one full synchronization from LDAP to Zoom, or one incremental synchronization. We recommend running preview before a full sync to ensure the result is what you expect. If no full synchronization has been run before, the sync command performs a full synchronization instead of an incremental one. Add "--all" to the sync command to force a full sync.
Monitor
Monitors LDAP/AD password change events. When a user's password is changed in LDAP/AD, Zoom forces that user to log out of all devices. The tool only observes that the password has changed; it cannot retrieve the user's LDAP/AD password.
Migrate
Migrates legacy configuration files (under version 1.0) to the latest file format. If the migration fails, use the setup command to configure the settings manually.
Test
Tests the configuration: using the stored credentials, it checks the connection to the LDAP/AD server and to Zoom, and that authentication succeeds.
Examples of command executions for the AD Sync Tool
There is a common pattern for executing a script: bin/{script file} {command}.
- On Windows, the script file is adtool.cmd.
- On Linux or macOS, use the adtool.sh script.
Examples for help/version information of the tool
This tool displays the following help information:
bin/{script file} -h
bin/{script file} --help
Information about the current version of the tool is displayed:
bin/{script file} -v
bin/{script file} --version
The setup command provides help information in the form of the following:
bin/{script file} setup -h
bin/{script file} setup --help
Examples for setting up the tool
In order to set up the tool in its default mode, follow these steps:
bin/{script file} setup
Using the service mode, you can set up the tool as follows:
bin/{script file} setup --service
Reset the tool:
bin/{script file} reset
Migrate a legacy configuration:
bin/{script file} migrate
Examples for running the tool
In the default mode, you should run the tool as follows:
bin/{script file} start
bin/{script file} sync
bin/{script file} preview
bin/{script file} monitor
bin/{script file} test
Using the service mode, run the tool:
bin/{script file} {command} --service
How to run the tool as a service (Windows)
Prerequisite:
To enable service mode, run the following command (note: running "bin/adtool.cmd setup" without --service removes service mode again):
bin/adtool.cmd setup --service
- Start: Upon double-clicking the start.bat file in the bin directory, you will be able to launch the tool as a background process. A log file will record the tool’s running status.
- Stop: By double-clicking the stop.bat file in the bin directory, you will be able to stop the process that is running the tool.
How to start automatically after system startup (Windows)
- Open Task Scheduler from the Start menu under Windows Administrative Tools.
- In the Actions pane, click Create Task.
- On the General tab:
  - Enter a name for the task, for instance "ADSyncToolTask".
  - Under Security options, choose Run whether user is logged on or not and select Run with highest privileges.
- On the Triggers tab:
  - Click New.
  - Next to Begin the task, choose At startup from the drop-down list.
  - Click OK.
- On the Actions tab:
  - Click New.
  - From the Action drop-down list, select Start a program.
  - Browse to the bin directory, select the start.bat file, and click Open.
  - Click OK.
- On the Conditions tab:
  - In the Power section, clear the check box Start the task only if the computer is on AC power.
  - Click OK.
- On the Settings tab:
  - Leave Allow task to be run on demand selected and clear all other check boxes.
  - Click OK.
After the next restart of the system, the tool will automatically start.
AD Sync Tool log files
To debug sync failures, use the log files to see how records were synchronized and the details of each record. At most one file of each log type is generated per day; if the tool runs several times in one day, the output of each run is appended to that day's file.
- zoomadtool-sync.yyyy-MM-dd.{num}.log: The common log the tool uses to diagnose any errors.
Abnormal data files
During a full synchronization, the abnormal data file records details of any anomalous data found for specific users.
- abnormal-data-yyyyMMdd-HHmmss.txt: Records the abnormal data described above.
AD Sync Tool security
Enabling SSL/TLS connection for ADFS
To connect to an Active Directory server via LDAPS on port 636, you must retrieve and install the server's SSL certificate. Otherwise you will receive one of the following errors:
“The server requires bind to enable integrity checking if SSL/TLS is not already active on the connection.”
or
“sun.security.provider.certpath.SunCertPathBuilderException: Cannot find a path to the requested target for validation.”
Installation and retrieval of the SSL certificate
To connect the AD Sync Tool via TLS, export the CA certificate and import it into the Java trust store as follows:
- Click the Windows icon and launch Server Manager.
- From the Tools menu, select Certification Authority.
- Under Issued Certificates, right-click the certificate you want to export and open its properties.
- Select the Details tab.
- Click Copy to File and choose the Base-64 encoded X.509 (.CER) export format.
- Click Next until the certificate has been exported.
- Copy the exported certificate to local storage on the device (example: D:\ca.cer).
- Open a command console and change to the Java JDK bin directory:
cd C:\Program Files\Java\Jdk1.8.0_201\bin
- If your JDK is not installed at exactly this path, adjust the command to point to the correct folder.
- Import the certificate into the JDK trust store with the following command:
keytool.exe -importcert -keystore ..\jre\lib\security\cacerts -storepass changeit -file D:\ca.cer -alias myca
Note:
In this command the following options are used:
- **-keystore**: The keystore the certificate is imported into (the JDK's default trust store). No need to change this.
- **-storepass**: The keystore password; changeit is the JDK default.
- **-file**: The certificate file you just exported.
- **-alias**: The alias under which the new certificate is stored.
- Once the certificate is imported, update the LDAP/AD URL in the configuration to ldaps://[address]:636.
Frequently Asked Questions
What is managed domain in Zoom?
Domain management is made easier with the help of
With this feature, you can use your organization's email address domain (for example @zoom.us) to add users to your account automatically. Once the domain has been verified, all users with email addresses in the specified domains, including those with free accounts, are added to the account.
Does Zoom support SAML?
How do I enable SSO in Azure?
- Sign in to the Azure Active Directory admin center with one of the roles listed in the prerequisites.
- Select Enterprise applications from the menu on the left side of the screen. …
- In the Manage section of the left menu, click Single sign-on; there you can edit the settings that appear under the Single sign-on section.