AD Sync to Zoom is a command line tool that you download and run on a Windows or Linux computer in your own system to sync users between your Active Directory server and your Zoom account. When you run this tool, you can add, update, and deactivate/delete users in your Zoom account if there is a change in your AD system for those users. For example, if a user's email address is changed in AD, this change is propagated to the Zoom account.
The tool runs in the background, and does not include a GUI or web interface. You configure the settings in this tool using a properties file, and then check the log files to see details about what was changed, or to troubleshoot any errors.
The AD Sync to Zoom tool supports only the following set of attributes:
- First Name
- Last Name
After the initial full synchronization between your AD server and Zoom, you can set up a Windows/Linux CRON job to launch the tool on at scheduled intervals or you can launch the tool manually. This saves time by updating your Zoom account only with the AD changes that occurred since the previous synchronization.
This article covers:
- Sync Commands
- Sync Result
- Sync Log
- Enabling TLS for the AD Sync tool
- Retrieving the SSL certificate
- A Zoom account with the following features enabled:
- Vanity URL
- REST API
- Active Directory
- Single Sign On has been enabled and configured in Zoom
- AD Sync Tool is enabled (contact Zoom support)
- Active Directory Federation Services (ADFS)
- A Microsoft AD admin account for which you have access to the username and password
To use the AD Sync to Zoom tool:
- Install Oracle JDK version 8, then run the following command to make sure that java is installed correctly:
- Obtain the zoomadsynctool.zip file from the following location: http://cdn.zoom.us/prod/tools/zoomadsynctool.zip
- Unzip the file.
- Update the override.properties file, as described in the Configuration section.
- Test your configuration by running the following command:
java -jar adtool-[version].jar test
If the test was successful, you will see a Success message on your console. You can also check the syncresult.yyyy-mm-dd.log file for the messages Zoom account setting is OK and AD account setting is OK.
This command does not make changes to your Zoom account.
- Start a full sync by running the following command:
java -jar adtool-[version].jar full
Caution: Running this command can delete or deactivate existing users from your Zoom account if those users do not exist on Active Directory. Refer to the Zoom account configuration: zoom.full.delete.missing.users
- Check the syncresult.yyyy-mm-dd.log file to verify that the job was successful and to see the changes that were made to the Zoom account. Check the sync.yyyy-mm-dd.log file to see the debug information if any errors occur.
- Periodically run the following command to sync any changes that occurred since the last time the tool was run:
java -jar adtool-[version].jar diff
Zoom recommends that you automate the execution of this task using a task automation tool such as Task Scheduler or CRON.
The override.properties file includes a set of parameters and values that determine how the tool will access Active Directory, which Zoom Account will be used, and the sync behavior. You must update the values in the following sections of the file. Do not update the values in the bottom portion of the file.
Zoom Account Settings (updated values required)
Update the following values in the ZOOM account section of the file.
- zoom.vanity.url: Your Zoom Vanity URL.
- zoom.api.key: The REST API key available on the Zoom Marketplace.
- zoom.api.secret: The REST API secret available on the Zoom Marketplace.
- zoom.default.user.type: The default Zoom account type that new Zoom users are assigned. The account types are 1: Basic, 2: Licensed, 3: On-Prem. The default is 2.
- zoom.default.user.deleted: Specifies whether users are deleted or deactivated from Zoom if they do not exist in AD. The default is deactivated.
Note: If you specify deleted, existing Zoom users that are not in AD are deleted from their Zoom accounts. Zoom recommends setting this value to zoom.default.user.deleted=deactivated.
- zoom.full.delete.missing.users: Specifies whether to delete users from Zoom if they do not exist in AD. Specify yes to delete or deactivate users from Zoom if they are missing from AD. Specify no to retain users as active in Zoom if they are missing from AD. The default is no.
Note: This option is used only for the initial sync activated with the full command. Set this value to zoom.full.delete.missing.users=no if existing users in Zoom are not in AD.
AD Account Datasource (updated values required)
Update the following values in the DataSource for LDAP section of the file.
- spring.ldap.urls: The LDAP URL for the Active Directory server.
- spring.ldap.base: The base folder location for locating users.
- spring.ldap.username: The username the tool uses when accessing Active Directory.
- spring.ldap.password: The password the tool uses when accessing Active Directory.
- spring.ldap.user.group: The full DN for a user group. If this value is empty, users from all groups will be synced to Zoom. If you specify a DN for a user group, only members in the specified group will be synced to Zoom. Set it to empty if you do not want to filter users by group. This value is empty by default.
- ldap.user.deleted.base: The base folder location to search for deleted items.The default is: CN=Deleted Objects,DC=devdc,DC=com. Update the DC values to reflect the environment.
- ldap.test.dn: A value that you can use to test a single DN. Specify CN=<value> with the short dn for the test user. This test user must be a known good user in your Active Directory system because it tests that Active Directory can be successfully accessed. This user is included (in addition to users specified in spring.ldap.base) when you run the full command.
- ldap.query.pagesize: The maximum number of results returned from Active Directory at one time.
Attribute Mapping (updated values optional)
Update the following values, if needed, in the Attribute settings section of the file.
- ldap.user.guid: The unique UUID in AD. The default is objectGUID.
- ldap.user.dn: The DN field name in AD. The default is distinguishedName
- ldap.user.email: The email field name in AD. The default is userPrincipalName
- ldap.user.firstname: The first name field name in AD. The default is givenName
- ldap.user.lastname: The last name field name in AD. The default is sn
- ldap.user.department: The department field name in AD. The default is department
- ldap.user.lastupdatedtime: The last modified time field name in AD. The default is whenChanged
- ldap.user.lastKnownParent: The deleted parent field name in AD. The default is lastKnownParent
Advanced AD Configuration (updated values optional)
Update the following values, if needed, in the Advanced configuration for LDAP filter section of the file.
- ldap.user.deleted.base: The filter string used to get deleted users from AD. Default is: CN=Deleted Objects, DC=devdc, DC=com
- ldap.user.enabled.filter: The filter string used to get enabled users from AD. Default is: (objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113518.104.22.1683:=2))
- ldap.user.disabled.filter: The filter string used to get disabled users from AD. Default is: (objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113522.214.171.1243:=2)
- ldap.user.deleted.filter: The filter string used to get deleted users from AD. Default is: (objectClass=user)(isDeleted=TRUE)
- ldap.user.deleted.dn.separator: The separator used to get the short DN name from a deleted DN name. Default is: \
Run the following command to test whether the configuration file is configured correctly to access the Zoom account and the AD account for synchronization.
java -jar adtool-[version].jar test
If the test is successful, you will see a Success message on your console and the syncresult.yyyy-mm-dd.log file will include the messages Zoom account setting is OK and AD account setting is OK.
Run the following command to compare users from AD with users in your Zoom account, and then automatically add new users to Zoom. If configured, the tool will also deactivate or remove existing users from Zoom if they are not in AD. Additionally, this command updates the first name, last name, and department for Zoom users to match AD.
java -jar adtool-[version].jar full
Note: You must run the full command at least one time before you can run the diff or time command.
Run the following command to determine (from the sync result log) the last time the tool was run, and then sync any changes from AD to Zoom that were made after that time.
java -jar adtool-[version].jar diff
This is a default command.
Run a command similar to the following to sync changes from AD to Zoom that occurred after the specified time. In the following example, 20170427095902.0Z indicates the starting time to use for the sync. Copy this string from one of the log files. The time format used in this command is YYYYMMDDHHMMSS.0Z
java -jar adtool-[version].jar time 20170427095902.0Z
You can use this command in case the previous diff command did not work correctly. See the the sync result log to find the times and results of previous sync commands that were run.
Use the log files to see the details of the records that were synchronized and to help with debugging any sync failures. A maximum of one of each type of log file is generated each day. If you run the Zoom AD Sync tool multiple times in the same day, the information from that run is appended to the file that was previously generated for that day.
The following log file provides a detailed sync record: syncresult.yyyy-mm-dd.log
- If you run the test command, the file includes only information about whether the AD system and Zoom system are okay, indicating that they are ready for the full command. If any issues are detected with accessing the data in either system, this gives you the opportunity to fix them prior to running the full sync.
- If you run the full command, the file includes information about all AD users in the system who were added to Zoom, as well as Zoom users who were not found in the AD system.
If you run the diff or time command, the file includes information about how many users have been changed in your AD system since the last time or the specified time that the Zoom AD Sync tool was run. The log includes the list of changes made in Zoom based on changes detected in AD.
The following file provides the debug log: sync.yyyy-mm-dd.log
This file provides additional debug messages that are not included in the syncresult log file. These messages can be useful when investigating the cause of a sync failure.
Enabling TLS for the AD Sync tool
If you are using LDAPS via port 636 to connect to an Active Directory server using SSL, the SSL certificate must be retrieved and installed, or you may receive the following errors:
"The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection..."
"sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target."
Retrieving and installing the SSL certificate
To import the SSL certificate and connect the AD Sync tool via TLS:
- Open the Windows Management Server Manager.
- Under Tools, open the Certification Authority.
- Under Issued Certifications, right-click on the desired certificate.
- Click Properties.
- Click the Details tab.
- Click Copy to File, and choose the Base-64 encoded x.509 (.cer) for exporting.
- Click Next to export the certificate.
- Copy the exported certification to your local device storage (ex. D:\ca.cert).
- Open the Command Console, and run the following change directory command to access the Java JDK bin location:
cd C:\Program Files\Java\Jdk1.8.0_201\binNote: This folder may not be in the exact path as above, and the command will need to be altered if the actual folder path is different.
- Run the following command to copy the certificate to the new location:
keytool.exe -importcert -keystore ..\jre\lib\security\cacerts -storepass changeit -file D:\ca.cer -alias mycaNote: The command structure is based on the following:
-keystore: Where the new certification stored. No need to change this.
-storepass: The certification's password.
-file: The certification location you just exported.
-alias: The alias of the new certification.
- Once complete, the certificate will be imported and installed.