The Google Workspace Directory Sync or Google Cloud Directory Sync (GCDS) is a technology that helps to synchronize your Google account data with the LDAP (Lightweight directory access Protocol) server or Microsoft Active Directory. The GCDS adjusts the data from your Google users, shared contacts, and groups with the LDAP server. You need a Super Admin account to authorize your GCDS.
What’s new on GCDS?
It gives better performance when you sync the users’ profiles.
Now it supports the User Search Query to filter out the retrieved users from your Google account. It helps to find out the users you don’t want to delete or suspend. You can use the Google exclusion rule if this query doesn't work.
The current version of GCDS supports the user display name attribute. Thus you can manage your users’ information, such as – user name, ID, primary email, password, phone number, address, IP whitelisting, and more. Also, you can manage your users' aliases and Google profile photos.
Overview of Directory API
The Directory API creates and manages the Administrative resources of a Google Workspace account. It does these tasks with a programming aspect. It’s a part of the Admin SDK Directory API. The common terminologies for the Directory API are –
- User: It’s a Google Workspace user account. An end user regulates this account to access Google products and services. The User resource represents this account.
- Organizational Unit (OU): It’s a subunit of the Google Workspace organizational tree. It helps to sort and group the users for particular policies, services, and authorizations.
- Privilege: The privilege gives the capability to act as the Google workspace. The Google Admins are responsible for setting the privileges for the users.
- Role: It’s a predefined set of privileges for the users or a group of users.
- Customer: The owner of the Google Workspace account is known as the customer.
The other terminologies are – Domain, Role assignment, and Schema.
Basic Structure of Active Directory
The main architecture of an active directory is based on a forest. The forest contains one or multiple domains. These domains inherit their names from the root domain name of the forest. The domain contains user groups and resources. These domains manage administrative privileges and resources. Users can access resources from the same or different domains within a forest. Accessing resources from a different domain is possible because the domains of a forest trust each other and permit the users to access resources from another domain. But there is no trust or security between different forests. Thus the users from one forest can’t access the resources from other forests.
Components of active directory and Google Cloud integration
1. Provisioning your users: The provisioning confirms the selected users and groups from the active directory become synchronized with the Google Workspace or Google Cloud. This process happens periodically. When you create a new user in the active directory, the provision ensures the user’s existence in the Google Cloud. Also, it ensures the user’s deletion process. But the provisioning process is unidirectional. That indicates the changes in the active directory will be stored in the Google Cloud. But the opposite action is impossible.
2. Single sign-on: It is an authentication process for the provisioned users in the active directory. The Google Cloud applies the SAML (Security Assertion Markup Language) protocol to establish this process. This protocol ensures that only the active directory can manage the users’ credentials and policies.
Setting up your Google active directory sync
To set up your Active Directory sync, you should perform the following actions –
- Establish proper connectivity between the Active Directory and Google Cloud
First, you should ensure the proper network connection between the LDAP server and Google Cloud. You can establish your network connection through two types of servers- LDAP servers within Google Cloud and outside the Google Cloud. You must have Google Cloud Project access to set up these communications.
For the internal LDAP servers, you have to create a VPC (Virtual Private Cloud) access connector. It enables the directory sync for your LDAP server. For the external LDAP servers, you can either use Google Cloud Virtual Private Network (VPN) or Google Interconnect to set up the network connection.
- VPC access connector for the Google Cloud
You need to create a VPC access connector in your Google Cloud project to enable the directory sync. But make sure you’re creating the VPC within the same project and region hosting the VPN or Cloud Interconnect.
- Enabling data connectors API
You need to enable the Data connectors API for the same Google Cloud project with VPC access. You can manage this configuration from the API & Services of your Google Cloud.
- Enabling directory sync for the LDAP server
Now enable directory sync for your LDAP server through the Admin Console. Again, you can set up multiple directory settings in this regard. But you should point to one directory for one active directory server. You can’t set multiple directories for one active directory server.
- Configuration for the group sync and users
Set up the synchronization for your groups by entering your group names from the active directory. It will sync the individual users of your group to your Google Cloud. Select the users from the directory, map their attributes (first name, last name, primary email, recovery email, and recovery phone) and enable safeguards. Following these steps, a directory synchronization is simulated.
- Run your synchronization
Finally, check the simulation result from the simulation log. Accordingly, you should activate or deactivate a sync. Syncing may take a few minutes to several hours.
System requirement
- Your Google Cloud and LDAP server should connect properly. Already you learned this process in the previous section.
- If you have a Google Cloud account, you need super administrative privileges and data connectors to perform the sync. If you want to manage directory sync, then you need a Manage Directory Sync Settings privilege.
- Also, you need an LDAP server with an active directory (with LDAPv3 support), a valid username, and a password.
- Again you need to manage information of your active directory server – host, port number, TLS client certificate, and DNS server.
Types of synchronization
You can perform two types of synchronization on the Google Workspace active directory sync -
- Manual sync
The Configuration Manager will help you to perform this synchronization. You can perform it at any time. But before performing the manual sync, you must check your sync is simulated.
- Automated sync
The automated synchronization runs based on the user’s number and the frequency of your update. Generally, the time interval between two automated syncs is 1 to 6 hours. But you have to perform this syncing process using third-party tools, such as – the Task Scheduler tool. Otherwise, you can prefer Synchronize using the command line.
Configuration Manager
The Configuration Manager is a user interface within GCDS that helps you to create, test, and run your synchronization. That means –
- You can test the network connection between the LDAP server and your Google account.
- Select the items for synchronizing the data. You can sync OUs, user profiles, licenses, groups, and more from your LDAP server.
- Check up your settings with a simulated sync run.
- You can perform manual synchronization and more.
Syncing your GCDS with Configuration Manager (CM)
A good example of synchronization with the configuration manager is synchronizing the mailing lists with the Google groups.
You can perform the synchronization activity from the Groups page of the CM. Then you need to enter your search rules and exclusion rules information to sync the mailing lists for your LDAP server. But remember, you have to do everything without changing the group’s default permission.
Benefits and best practices of GCDS for data syncing
Benefits
- Synchronization with The GCDS enhances your data security. GCDS offers advanced features to protect your data. Nobody can access your LDAP server data from outside.
- It helps to sync your users, groups, aliases, OUs, contacts, and other data with your Google account to the active directory.
- It supports custom mapping between users, aliases, groups, calendars, resources, and more. The active directory and Google Cloud integration take place with forest mapping, DNS mapping, user mapping, etc.
- GCDS uses Configuration Manager for running a manual synchronization. The CM notifies you about your mail server, emails, and logging information for a file, and generates reports after synchronization.
- Moreover, it helps to remove unnecessary data from the users, groups, aliases, or OUs from syncing with the exclusion rules.
Best practices
- Check the system requirements and ensure you fulfill them. Also, you require enough RAM to perform the sync and the latest version of GCDS.
- Use a computer with a secured setup to install the GCDS.
- Update the LDAP data and run a simulated sync to verify the settings of GCDS.
- Review and ask the unmanaged users to transfer their Google accounts to your OU’s managed account.
Learn more from here.
Troubleshoot common GCDS issues and their solutions
- Synchronization doesn’t work for some users of a group. So, the sync doesn’t show them as group members.
Solutions:
- Try to solve the issue with user search rules. You have to execute this rule even if you have turned your user account sync off from the general settings.
- Use the sync as group members for the users you add for sync.
2. Sometimes you can see duplicate contacts in your domain directory after synchronization with GCDS. It happens if you build your search results and shared contacts synchronization incorrectly.
Solution:
You have to exclude some users by correcting the search rules in your domain. Also, you may need to manage the limitation for deleting the shared contacts for the first sync.
Foresight and its problem-solving capacity with no-code automation
Foresight helps to automate the complex business workflows within the Google Workspace for the Administrators and users. The most important point is you don’t need to deploy any code to perform the automation with Foresight. Different organizations use different IT policies, processes, or even in-house automation scripts to manage their employees’ information, groups, departments, and other resources. So, it results in time-wasting, lengthy, repetitive, and daunting tasks. Thus Foresight streamlines your business workflows with no-code automation to manage your expensive time and improve productivity, and communication. Also, it solves the loopholes and missing features of the Google Admin Console. Learn the use cases of Foresight, such as - Bulk Show Or Hide Users In Google Workspace, etc.
Conclusion
Google Workspace directory sync protects your users, OUs, and other resources by applying synchronization on your Google account. The GCDS tool helps you perform the sync and provides end-to-end security to your account. Learn this blog from Foresight and know the benefits of using Foresight. It’s an excellent no-code automation platform to improve your business productivity. Try a 14-day free trial of Foresight and know its amazing features!