Home » Troubleshooting AD sync issues
Applicable For Endpoint Central MSP 
 
 

Optimizing Active Directory Sync for Endpoint Central

Integrating Endpoint Central with Active Directory (AD) offers significant benefits for managing your endpoints. This guide outlines best practices and key configurations to ensure seamless synchronization and maximize the potential of your environment.

Service Account Permissions

For optimal functionality, the Endpoint Central service account requires specific permissions within Active Directory:

  • View Access: Grant read access to all AD objects, including computers, users, containers, groups, and organizational units (OUs). Ensure visibility to crucial attributes like `whenChanged`, `whenCreated`, `objectGUID`, `Name`, `distinguishedName`, etc.
  • Deleted Objects Retrieval: Provide credentials with access to the AD recycle bin to facilitate retrieval of deleted objects. Refer to Microsoft's guide for detailed permission requirements. 

After the credential has been setup, we can confirm whether all the objects, OU can be retrieved by using the Basic LDP tool analysis.

Automatic Computer Removal

Endpoint Central can automatically remove computers from its inventory when they're deleted from AD. Here's how to ensure this process functions effectively:

  • SoM Policy: In the Admin console, navigate to Agent > Active Directory Sync and verify if 'Delete Inactive Computers' is enabled and select 'Delete the computers from SoM and notify me' option. You may also configure email notifications for these events.
  • AD Recycle Bin: Make sure your AD recycle bin is enabled. Refer here for activation instructions.
  • Sync Status and Credentials: Navigate to Agent -> Domains and ensure that the last sync timestamp supersedes the computer's deletion time in AD. Additionally, ensure that the AD recycle bin can be accessed using the configured credentials.
  • Network Configuration: In environments with multiple Domain Controllers, verify synchronization between them is working correctly. Use the hostname (not FQDN or IP address) of the Domain Controller on the Domain page.
  • Domain Controller Configuration: Confirm if the deleted computers are no longer present under the concerned Domain Controller.

To check if the credential has access to fetch deleted objects from AD recycle bin, refer here.

By following these best practices, you can establish a reliable and efficient Active Directory synchronization with Endpoint Central, improving your endpoint management experience.

Please note that this guide provides general recommendations. For specific instructions, contact our dedicated support here.