The Dropbox Active Directory Connector

The Active Directory Connector (AD Connector) allows syncing between an Active Directory (AD) and a Dropbox Business team. The AD Connector automatically syncs changes made in Active Directory to Dropbox. This syncing simplifies the provisioning and deprovisioning of Dropbox Business users.

The AD Connector can also (optionally) sync Active Directory groups and group members to your Dropbox Business team.

Follow the steps below to install and configure the AD Connector, and to ensure that it is running correctly. Be sure to read each subsection linked to from the main instructions.

How do I install, configure, and run the AD Connector?

  1. Review the AD Connector best practices.
  2. Download the AD Connector Microsoft Installer (MSI).
  3. Install the AD Connector.
  4. Set up the Configure AD Connector tool.
  5. Perform a test run with Run AD Connector, and verify that it's working successfully.
  6. Locate the scheduled task, and enable it to run.
  7. Answers to some important FAQs about groups and groups sync.
  8. Troubleshooting, FAQs, and more info.
  9. The AD Connector sync failed: How can I determine the cause?

AD Connector best practices

Required:

  • All users you'd like to sync from Active Directory must be active users in a single AD domain
  • PowerShell 4.0 or higher
  • Windows Server 2008 (or later)
  • Remote Server Administration Tools

Recommended:

  • Create a single group called "Dropbox" that contains all the members you’d like to provision. You can place both users and groups within the Dropbox group.
  • Install the AD Connector on a server with read-only access (the AD Connector only syncs changes that originate from AD).
  • Upgrading from previous versions of the AD Connector: A simple installation usually updates correctly when upgrading from version 2.0.1 to version 2.0.2. However, when upgrading between major versions (from 1.0 to 2.0), uninstall the current version before updating to the new one.
  • For the current release of the AD Connector, we recommend syncing no more than 10,000 users from Active Directory. Check with your Dropbox Customer Success team if you’d like to use the AD Connector with more than 10,000 users.

Download the AD Connector

Install the AD Connector

  1. Locate and run the Dropbox-AD-Connector.msi installer.
  2. Click Next to continue through the install wizard.
  3. Check the box to accept the terms, and click Next.
  4. Click Next to install to the default path.
  5. Click Install, and then choose Yes if User Account Control (UAC) prompts you.
  6. Getting Started is checked by default—if you already have this guide open, uncheck it.
  7. Select Finish to complete the installation.

Complete the Configure AD Connector step

There are five steps in the process of completing the AD Connector configuration:

  1. Setup.
  2. Active Directory users sync.
  3. Active Directory groups sync.
  4. Log.
  5. Email notifications.

To complete configuration, carefully follow each step:

Setup

  1. Locate and open the Configure AD Connector shortcut on your desktop.
  2. Click Get OAuth2 Token to connect to the team admin of your Dropbox Business team.
    • If needed, sign in to Dropbox as an Admin of the Dropbox Business team
    • If needed, approve the AD Connector app permissions
  3. Copy the token.
  4. Paste the copied token into the OAuth 2 DfB Token field.
  5. If you'd like to run setup tests, select the Simulation Mode checkbox.
    • Note: In Simulation Mode, no changes are made to your Dropbox Business team

AD Connector configuration

Active Directory sync users

  1. Select the Active Directory group you'd like to sync with your Dropbox Business team.
    • It's easiest to create an Active Directory group called "Dropbox"
  2. Check that Email Attribute is set to Email Address.
  3. Check Manage existing users to sync changes to users that were manually created through the Dropbox Business admin console.

Active Directory sync groups

  1. Choose whether you'd like to sync groups to your Dropbox Business team (syncing groups is optional).
  2. To sync groups, select whether you'd like to use the same group you chose to sync individual users.
  3. If you chose to use a different group to sync groups, select the name of the group.

Log

  1. If you wish to provide a different path for the log file, click Change.
    • Note: If you don't provide a different file path, the log is saved to the default location: C:\ProgramData\Dropbox\AD Connector\db_ad_connector.log

Email notifications

  1. If you’d like to receive email notifications, click Settings.
    • Note: Use port 587 or port 25 (unencrypted); port 465 is not currently supported
  2. After finishing each section, use Test Connection to verify that the configuration is correct.
  3. Click OK when finished configuring the email options.

Email notification settings

Finish

  1. Click Save to save all configuration settings.

Locate the "Run AD Connector" file and verify that it's working successfully

  1. Locate the Run AD Connector shortcut on the desktop.
  2. Right-click the Run AD Connector tool and Run as Administrator.
  3. Review the results to ensure that the expected users are listed.
  4. If yes, reopen the Configure AD Connector tool and uncheck Simulation Mode.
  5. Use the Run AD Connector tool to sync new members to your Dropbox Business team.

Create the scheduled task to run the Dropbox Business AD Connector sync script

  1. Browse to Program Files \ Dropbox \ AD Connector \ Helpers.
  2. Right-click on the file AD-Connector-CreateTask.bat and Run as Administrator.
  3. Open the Task Scheduler application for Windows Server.
  4. Open the Dropbox Tasks folder.
  5. Right-click on the Dropbox AD Connector task, and choose Enable.
    • Note: If you can't find this task, right-click the Task Scheduler Library and choose Refresh.
  6. Right-click on the task, and choose Run.
  7. Ensure that the test ran successfully: locate and review the AD Connector sync log.
  8. Verify that invites were sent to team members: Review the Members page of the Dropbox Business Admin Console.

Notes on creating scheduled tasks:

  • By default, this task is set to run once a day at 2:00 am (local time)
  • You can increase the frequency of this task, but we recommend running it no more than once every three hours
  • Ensure that scheduled tasks don't interrupt each other: select Do not start a new instance in the Settings tab:

Scheduled tasks settings

What's the behavior of groups sync?

Group mirroring is only synced to Dropbox Business. Changes from Dropbox Business do not sync back to Active Directory. Once created, deleting a group from Active Directory does not delete the group from Dropbox Business. Instead, all users are removed from the group if either:

  • All members are removed from the sync group in Active Directory
  • The sync group is removed from the configuration step

What happens when you select a single group to sync both your users and groups?

For groups with users that aren't in the sync group, the group fails to sync to Dropbox Business.

What if I have multiple groups with the same name between Active Directory and Dropbox Business?

Group sync fails when there's a naming conflict between groups in Active Directory and Dropbox Business. An error is also logged.

Can I nest groups inside other groups?

Groups cannot have multiple layers in Dropbox Business. Each group is flat and does not contain other groups.

How do groups sync when you select a different group to sync groups as opposed to users?

All users in the user sync group are synced. Any groups in the user sync group are ignored. Users placed in the group sync group are ignored unless also in the user group. Groups placed in the user sync group are ignored unless also in the group sync group.

How does the AD Connector work with account transfer?

The AD Connector does not support the automatic transfer of an account to a different team member. However, deleted accounts (and any associated files) are held in the Admin Console. These accounts can then be transferred or permanently deleted. Team admins can transfer an account via the Dropbox Admin Console.

What rules does the AD Connector follow when updating users in my Dropbox Business account?

The AD Connector is a one-way mirror: that is, it reflects user state from the configured Active Directory to your Dropbox Business account. The AD Connector does not change AD. The AD Connector overrides changes made to a managed user in the Admin Console.

How can I enable the remote wipe function when deprovisioning users with the AD Connector?

When suspending or deleting users with the AD Connector, all devices are automatically remotely wiped. Use the Admin Console to remove a user or device without remotely wiping all content.

Can I use the AD Connector in a language other than English?

No, the AD Connector is only available in English.

The AD Connector sync failed: How can I determine the cause?

Each time the AD Connector runs, an exit code is added to the end of the log file. This code indicates the reason for the failure and/or which part of the process failed. This table provides examples of reasons a failure could occur.

  • Note: The AD Connector logs a 0 when the run completes successfully

Code: -1
Reason for failure: PowerShell version not supported
How to correct this error:

  • Upgrade to PowerShell versions 4, 5, or higher

Code: -10
Reason for failure: Unable to read configuration file
How to correct this error:

  • If you manually edited the config file, there may be a file error that our script cannot read. Rerun the config script to overwrite manual edits
  • Check config file permission—the run script should have permission to run this file
  • Re-run the config file to save new file

Code: -11
Reason for failure: Script must be run with admin privileges
How to correct this error:

  • When selecting the script, right-click and choose run with admin privileges

Code: -12
Reason for failure: Could not initialize Active Directory module
How to correct this error:

  • Ensure AD is up, and on the same machine as AD Connector
  • Ensure the script has privileges to AD
  • Ensure you have no more than 5000 members in your sync group, including sub groups (v2.0 doesn't support more users)

Code: -13
Reason for failure: Failed to initialize Dropbox Business API

Code: -14
Reason for failure: Failed to fetch team info from Dropbox Business API
How to correct this error:

  • Check the error code
  • Verify OAuth token is valid (rerun the config script to get a new OAuth token)
  • Ensure that the admin was successfully authenticated, and that the team still exists
  • Verify dropbox.com is accessible at status.dropbox.com

Code: -15
Reason for failure: No users found in configured Active Directory group
How to correct this error:

  • Verify that the chosen group contains the users you wanted to sync (only users in this group sync to your Dropbox Business team)

Code: -16
Reason for failure: Failed to get team members from Dropbox Business API
How to correct this error:

  • Try again—you may have encountered a temporary network issue
  • Verify dropbox.com is accessible at status.dropbox.com

Code: -17
Reason for failure: Failed while syncing
How to correct this error:

  • Try again—you may have encountered a temporary network issue
  • Check to see if the machine was interrupted by another process or error
  • Ensure you have no more than 5000 members in your sync group, including sub groups (v2.0 doesn't support more users)
  • We suggest limiting synced group size to 2000 users with current version (v2.0)—try to limit your group size to 2000 or fewer users
  • Contact Dropbox support

What are the stages of the AD Connector running process?

  1. Identify managed users.
    • The AD Connector only updates managed users. Managed users are identified in this first step; they are considered managed when the following criteria are met:
      • The AD Connector first completes the provisioning. Provisioning happens when:
        • A user email address is added to the configured Active Directory group
        • This email address is not found in Dropbox Business
      • They are existing users on your Dropbox Business team. "Existing users" means that the email addresses match between the team and the configured Active Directory group.
        • Note: This check only happens if Manage existing users is checked in the AD Connector configuration.

    If either of these two conditions aren't met, the user is considered unmanaged. The AD Connector doesn't update unmanaged users. For most administrators, Manage existing users is the best option.

  2. Update user information for managed users only.
    • For managed users from step one, the AD Connector ensures that the following match between Dropbox Business and AD:
      • User first name
      • User last name
      • User email address

    Exception: The AD Connector does not update information for users who are in the “Invited” state in Dropbox Business. The AD Connector reattempts the update on subsequent runs.

  3. Update user state for managed users only.
    • For managed users identified in the first step: The AD Connector updates user state (active, disabled, or deleted) in Dropbox Business to match the user state in AD.
    • Disabling managed users doesn't delete them from your Dropbox Business team. Neither does removing users from the Active Directory sync group. Instead, these users are suspended in your Dropbox Business team.
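
The stages above, modeled as a dry-run planner that lists which accounts a run would invite, update, suspend or delete, and therefore which devices would be remotely wiped. This is an added example, not Dropbox's connector code. The `provisioned` flag, the action strings and the sample accounts are constructed assumptions, and an account absent from the AD input is treated as deleted from AD.

```python
from dataclasses import dataclass

@dataclass
class AdUser:  # constructed model of an AD account
    email: str
    enabled: bool
    in_sync_group: bool

@dataclass
class Member:  # constructed model of a Dropbox Business member
    email: str
    status: str        # "active", "invited" or "suspended"
    provisioned: bool  # assumption: created by an earlier connector run

def plan_sync(ad_users, members, manage_existing):
    """Map each email to the action the documented rules imply."""
    ad = {u.email: u for u in ad_users}
    team = {m.email: m for m in members}
    # Identify: provisioning = address in the sync group, not found in Dropbox.
    plan = {e: "invite" for e, u in ad.items()
            if u.in_sync_group and e not in team}
    for email, m in team.items():
        u = ad.get(email)  # None models an account deleted from AD
        # Existing users are managed only if the box is checked and emails match.
        if not (m.provisioned or (manage_existing and u and u.in_sync_group)):
            plan[email] = "skip (unmanaged)"
        # User state: suspending or deleting also wipes all devices.
        elif u is None:
            plan[email] = "delete + remote wipe"
        elif not u.enabled or not u.in_sync_group:
            plan[email] = "suspend + remote wipe"
        # User information: not updated while the member is "Invited".
        elif m.status == "invited":
            plan[email] = "retry profile update next run"
        else:
            plan[email] = "update name/email, keep active"
    return plan

def wipe_targets(plan):
    """Accounts whose devices would be wiped; review before a live run."""
    return sorted(e for e, a in plan.items() if "remote wipe" in a)

AD = [AdUser(f"{n}@example.com", en, grp) for n, en, grp in [  # constructed sample
    ("alice", True, True), ("bob", True, True), ("carol", False, True),
    ("dave", True, False), ("frank", True, True)]]
TEAM = [Member(f"{n}@example.com", st, prov) for n, st, prov in [  # constructed sample
    ("bob", "active", False), ("carol", "active", True), ("dave", "active", True),
    ("erin", "active", True), ("frank", "invited", True), ("grace", "active", False)]]

print(wipe_targets(plan_sync(AD, TEAM, manage_existing=True)))
```

Comparing the plan with Manage existing users on and off shows which manually created members the connector would start overriding.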
