The Dropbox Active Directory Connector
Starting April 13, 2022, the Active Directory Connector requires calls to use TLS 1.2 or higher. After that date, calls using TLS 1.0 and 1.1 will no longer be accepted.
To avoid service interruptions, update your TLS configurations as soon as possible.
Note: Active Directory is the source of truth for managed users. Changes made to managed users in the Dropbox admin console are overridden by the AD Connector on its next run. Changes and additions made to non-managed users in the Dropbox admin console aren't reflected in AD.
Step 1: Review the AD Connector best practices
Required
- All users you'd like to sync from Active Directory must be active users in a single AD domain
- PowerShell 4.0 or later
- Windows Server 2008 (or later)
- Remote Server Administration Tools
Recommended
- Create a single group called "Dropbox" that contains all the members you’d like to provision. You can place both users and groups within the Dropbox group.
- Install the AD Connector on a server, and run it under an account, that has read-only access to Active Directory. The AD Connector never writes to AD: it only syncs changes that originate in AD, so write permissions are unnecessary privilege.
- Upgrading from previous versions of the AD Connector: A simple installation usually updates correctly when upgrading from version 2.0.1 to version 2.0.2. However, when upgrading between major versions (from 1.0 to 2.0), uninstall the current version before updating to the newer one.
- For the current release of the AD Connector, we recommend syncing no more than 10,000 users from Active Directory. Check with your Dropbox Customer Success team if you’d like to use the AD Connector with more than 10,000 users.
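As an added example (not from Dropbox or this page), the following PowerShell checks the Step 1 requirements and the TLS 1.2 requirement from the notice at the top of this page on the server that will host the connector. The SChannel and .NET Framework registry locations are the standard Microsoft ones; the connector is a PowerShell script, so it inherits the .NET Framework TLS defaults that those keys control. The host name passed to the handshake test is yours to supply, because this page doesn't name the API endpoint.

```powershell
# Added example, not part of the Dropbox installer: pre-flight check for the
# Step 1 prerequisites and the TLS 1.2 requirement. Run in an elevated
# PowerShell session on the server that will host the AD Connector.
# Absent registry values mean the OS/.NET default applies, which is why the
# live handshake test (Test-Tls12Handshake) is the authoritative answer.

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns the DWORD value, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-ADConnectorPrereqs {
    $r = [ordered]@{}

    # Step 1: PowerShell 4.0+, Windows Server 2008+ (NT 6.0), RSAT AD module.
    $r['PowerShell 4.0 or later']      = $PSVersionTable.PSVersion.Major -ge 4
    $os = Get-CimInstance Win32_OperatingSystem
    $r['Windows Server 2008 or later'] = ([version]$os.Version).Major -ge 6 -and $os.ProductType -ne 1
    $r['RSAT ActiveDirectory module']  = [bool](Get-Module -ListAvailable -Name ActiveDirectory)

    # SChannel client side: TLS 1.2 must not be explicitly disabled.
    $sch = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $enabled           = Get-RegDword $sch 'Enabled'
    $disabledByDefault = Get-RegDword $sch 'DisabledByDefault'
    $r['SChannel TLS 1.2 client not disabled'] = ($enabled -ne 0) -and ($disabledByDefault -ne 1)

    # .NET side: Windows PowerShell (and so the connector script) follows the
    # .NET Framework TLS defaults. Microsoft's recommended values for .NET 4.x
    # are SystemDefaultTlsVersions=1 and SchUseStrongCrypto=1 in both views.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $view = if ($key -like '*Wow6432Node*') { '32-bit' } else { '64-bit' }
        $r[".NET $view SystemDefaultTlsVersions=1"] = (Get-RegDword $key 'SystemDefaultTlsVersions') -eq 1
        $r[".NET $view SchUseStrongCrypto=1"]        = (Get-RegDword $key 'SchUseStrongCrypto') -eq 1
    }

    # What this process would offer: 0 means "SystemDefault" (.NET 4.7+), otherwise the Tls12 bit must be set.
    $sp = [int][Net.ServicePointManager]::SecurityProtocol
    $r['Process offers TLS 1.2'] = ($sp -eq 0) -or (($sp -band [int][Net.SecurityProtocolType]::Tls12) -ne 0)

    return $r
}

function Test-Tls12Handshake {
    # Live test: open a TLS connection offering only TLS 1.2 and return the
    # negotiated protocol. It throws if the local stack can't complete the
    # handshake. The host name is a parameter because this page does not name
    # the Dropbox API endpoint.
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        return $ssl.SslProtocol
    } finally {
        $tcp.Close()
    }
}

(Test-ADConnectorPrereqs).GetEnumerator() | Format-Table Name, Value -AutoSize
```

Every row should read True before you install; a False on the SChannel or .NET rows is the usual cause of the "Couldn't create SSL/TLS secure channel" failure listed in the troubleshooting table below, and the registry fix must be applied in both the 64-bit and the Wow6432Node view because Windows PowerShell can run as either.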
Step 2: Download the AD Connector Microsoft Installer (MSI)
Step 3: Install the AD Connector
- Locate and run the Dropbox-AD-Connector.msi installer.
- Click Next to continue through the install wizard.
- Check the box to accept the terms, and click Next.
- Click Next to install to the default path.
- Click Install, and then choose Yes if User Account Control (UAC) prompts you.
- Getting Started is checked by default—if you already have this guide open, uncheck it.
- Select Finish to complete the installation.
Step 4: Complete the AD Connector configuration
Setup
- Locate and open the Configure AD Connector shortcut on your desktop.
- Click Get OAuth2 Token to connect to your Dropbox account.
- If needed, log in to Dropbox with your admin credentials
- If needed, approve the AD Connector app permissions
- Copy the token.
- Paste the copied token into the OAuth 2 DfB Token field.
- Note: The token is a bearer credential issued under your admin login. Anyone who obtains it can act on your team through the API, so treat it like an admin password: don't send it by email or chat, and don't leave copies in scripts or notes.
- If you'd like to run setup tests, select the Simulation Mode checkbox.
- Note: In Simulation Mode, no changes are made to your Dropbox team.
Active Directory sync users
- Select the Active Directory group you'd like to sync with your Dropbox team.
- It's easiest to create an Active Directory group called "Dropbox"
- Check that Email Attribute is set to Email Address.
- Check Manage existing users to sync changes to users that were manually created through the admin console.
Active Directory sync groups
- Choose whether you'd like to sync groups to your Dropbox team (syncing groups is optional).
- To sync groups, select whether you'd like to use the same group you chose to sync individual users.
- If you chose to use a different group to sync groups, select the name of the group.
Log
- If you wish to provide a different path for the log file, click Change.
- Note: If you don't provide a different file path, the log is saved to the default location: C:\ProgramData\Dropbox\AD Connector\db_ad_connector.log
Email notifications
- If you’d like to receive email notifications about any errors with sync, click Settings.
- Note: Use port 587 or port 25 (plain, unencrypted SMTP); port 465 (implicit TLS) isn't currently supported.
- After finishing each section, use Test Connection to verify that the configuration is correct.
- Click OK when finished configuring the email options.
Finish
- Click Save to save all configuration settings.
Step 5: Perform a test run with Run AD Connector, and verify that it's working successfully
- Locate the Run AD Connector shortcut on the desktop.
- Right-click the Run AD Connector tool and Run as Administrator.
- Review the results to ensure that the expected users are listed.
- If yes, reopen the Configure AD Connector tool and uncheck Simulation Mode.
- Use the Run AD Connector tool to sync new members to your Dropbox team.
Step 6: Locate the scheduled task, and enable it to run
- Browse to Program Files\Dropbox\AD Connector\Helpers.
- Right-click on the file AD-Connector-CreateTask.bat and Run as Administrator.
- Open the Task Scheduler application for Windows Server.
- Open the Dropbox Tasks folder.
- Right-click on the Dropbox AD Connector task, and choose Enable.
- Note: If you can't find this task, right-click the Task Scheduler Library and choose Refresh.
- Right-click on the task, and choose Run.
- Locate and review the AD Connector sync log to ensure that the test ran successfully.
- Review the Members page of the admin console to verify that invites were sent to team members.
Notes on creating scheduled tasks:
- By default, this task is set to run once a day at 2:00 am (local time).
- You can increase the frequency of this task, but we recommend running it no more than once every three hours.
Advanced setup and troubleshooting (Optional)
Groups and the Dropbox Active Directory Connector
Groups in Active Directory sync to Dropbox, but Dropbox groups don't sync back to AD. Changes made in Dropbox never flow to Active Directory, and deleting a group in Dropbox doesn't delete the group in Active Directory.
To delete a group in both Dropbox and the Active Directory, you’ll need to:
- Remove all members from the sync group in the Active Directory
- Remove the sync group from the configuration step
Important:
- If you have multiple groups with the same name between the Active Directory and Dropbox, group sync fails. An error is also logged.
- You can't nest groups inside other groups in Dropbox. Each Dropbox group is flat: it contains users only, never other groups.
What happens when you select a single group to sync both your users and groups?
If a group contains users who aren't in the sync group, that group fails to sync to Dropbox.
How do groups sync to Dropbox if I use a different Active Directory group to sync user accounts?
- All users in the user sync group are synced. Groups inside the user sync group aren't expanded for user provisioning; they sync as groups only if they're also in the group sync group.
- Users placed in the group sync group are ignored unless they're also in the user sync group.
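The rules in Step 4 and in this groups section can be checked against AD before the first sync runs. The following PowerShell audit is an added example, not Dropbox's code. It assumes the sync group is named "Dropbox" as recommended in Step 1, that "Email Address" maps to the AD mail attribute, and that only direct members of the user sync group count as synced users (groups inside it aren't expanded, as described above). It needs the RSAT ActiveDirectory module and read-only access to the domain.

```powershell
# Added example (not Dropbox code): audit an AD sync group before pointing the
# AD Connector at it. Group names, the "mail" attribute and the direct-membership
# rule are assumptions stated in the text above.
Import-Module ActiveDirectory

function Get-DomainDn([string]$DistinguishedName) {
    # Reduce "CN=Jane,OU=Staff,DC=corp,DC=example" to "DC=corp,DC=example".
    (($DistinguishedName -split ',') | Where-Object { $_ -like 'DC=*' }) -join ','
}

function Test-DropboxSyncGroup {
    param(
        [string]$UserSyncGroup  = 'Dropbox',   # group whose user members are provisioned
        [string]$GroupSyncGroup = 'Dropbox',   # group whose group members are mirrored (same by default)
        [int]$MaxUsers = 10000                 # sizing recommendation from Step 1
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Read the member attribute directly: Get-ADGroupMember stops at 5,000 members by default.
    $userMemberDns  = (Get-ADGroup -Identity $UserSyncGroup  -Properties member).member
    $groupMemberDns = (Get-ADGroup -Identity $GroupSyncGroup -Properties member).member

    $syncedUsers = @{}   # DN -> ADUser; only direct user members are provisioned
    $domains     = @{}
    foreach ($dn in $userMemberDns) {
        if ((Get-ADObject -Identity $dn).ObjectClass -ne 'user') { continue }   # nested groups aren't expanded
        $u = Get-ADUser -Identity $dn -Properties mail
        $syncedUsers[$dn] = $u
        $domains[(Get-DomainDn $dn)] = $true
        if (-not $u.Enabled) { $findings.Add("DISABLED user $($u.SamAccountName): will be suspended in Dropbox") }
        if ([string]::IsNullOrWhiteSpace($u.mail)) { $findings.Add("NO MAIL on $($u.SamAccountName): can't be matched to a Dropbox member") }
    }
    if ($domains.Count -gt 1) { $findings.Add("Users span $($domains.Count) domains; the connector supports a single domain") }
    if ($syncedUsers.Count -gt $MaxUsers) { $findings.Add("$($syncedUsers.Count) users exceed the recommended $MaxUsers") }

    # Two AD users with the same address would collapse onto one Dropbox member.
    $syncedUsers.Values | Where-Object { $_.mail } | Group-Object -Property { $_.mail.ToLower() } |
        Where-Object { $_.Count -gt 1 } | ForEach-Object { $findings.Add("DUPLICATE mail $($_.Name) on $($_.Count) users") }

    foreach ($dn in $groupMemberDns) {
        if ((Get-ADObject -Identity $dn).ObjectClass -ne 'group') { continue }   # users here are ignored
        $g = Get-ADGroup -Identity $dn -Properties member
        # Dropbox groups are flat, and every user in a synced group must be a synced user.
        foreach ($mdn in $g.member) {
            $m = Get-ADObject -Identity $mdn
            if ($m.ObjectClass -eq 'group') {
                $findings.Add("NESTED group '$($m.Name)' inside '$($g.Name)': Dropbox groups can't contain groups")
            } elseif ($m.ObjectClass -eq 'user' -and -not $syncedUsers.ContainsKey($mdn)) {
                $findings.Add("Group '$($g.Name)' contains $($m.Name), who is not in $UserSyncGroup; the group will fail to sync")
            }
        }
        # Two AD groups with the same name (possible across OUs) make group sync fail.
        $escaped  = $g.Name -replace "'", "''"
        $sameName = @(Get-ADGroup -Filter "Name -eq '$escaped'")
        if ($sameName.Count -gt 1) { $findings.Add("DUPLICATE group name '$($g.Name)' found $($sameName.Count) times in AD") }
    }
    return $findings
}

$issues = @(Test-DropboxSyncGroup)
if ($issues.Count -eq 0) { Write-Host 'Sync group looks consistent.' } else { $issues | ForEach-Object { Write-Warning $_ } }
```

Pass -UserSyncGroup and -GroupSyncGroup separately when you chose a different group for group sync in Step 4. The audit can only see the AD side: a Dropbox group that already carries the same name as an AD group (the other half of the duplicate-name failure above) still has to be checked in the admin console.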
Account transfers and the Dropbox Active Directory Connector
The AD Connector doesn't support the automatic transfer of an account to a different team member. However, deleted accounts (and any associated files) are held in the admin console. These accounts can then be transferred or permanently deleted.
Learn how to transfer a deleted user’s files.
Remote wipe and the Dropbox Active Directory Connector
When the AD Connector suspends or deletes a user, all of that user's linked devices are remotely wiped automatically. If you need to remove a user or unlink a device without wiping its content, do it from the admin console rather than through AD.
What should I do if the Active Directory Connector sync failed?
Each time the AD Connector runs, it writes an exit code at the end of the log file. The code indicates which part of the process failed and why. The AD Connector logs 0 when the run completes successfully. The first row below has no numeric code: the log carries the error message instead. The right-hand column is filled in where this page covers the fix.
Code | Reason for failure | How to correct this error
Couldn't create SSL/TLS secure channel | The server or the client doesn't support TLS 1.2 | Enable TLS 1.2 on the server (see the TLS notice at the top of this page)
-1 | PowerShell version not supported | Install PowerShell 4.0 or later (Step 1)
-10 | Unable to read configuration file |
-11 | Script must be run with admin privileges | Run the tool, or the scheduled task, as Administrator (Steps 5 and 6)
-12 | Couldn't initialize Active Directory module | Install Remote Server Administration Tools, which provide the ActiveDirectory PowerShell module (Step 1)
-13 | Failed to initialize Dropbox API |
-14 | Failed to fetch team info from Dropbox API |
-15 | No users found in configured Active Directory group | Check the group selected in the configuration and that it contains active users (Steps 1 and 4)
-16 | Failed to get team members from Dropbox API |
-17 | Failed while syncing | Review the sync log for the user or group that failed
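Added example, not Dropbox's code: a PowerShell health check that ties the Step 6 scheduled task to the exit-code table above. The task folder and name, the default log path and the exit-code meanings come from this page. Two things are assumptions: the ScheduledTasks cmdlets exist only on Windows Server 2012 and later (use schtasks.exe on 2008 R2), and the exit code is taken as the last integer on the final non-blank line of the log, which you should confirm against a real log before relying on it.

```powershell
# Added example (not Dropbox code): check the "Dropbox AD Connector" task and
# decode the connector's last exit code. Task location, log path and the code
# table are from this page; the log-line parsing rule is an assumption.

$ExitCodeMeaning = @{
    0     = 'Run completed successfully'
    (-1)  = 'PowerShell version not supported'
    (-10) = 'Unable to read configuration file'
    (-11) = 'Script must be run with admin privileges'
    (-12) = "Couldn't initialize Active Directory module"
    (-13) = 'Failed to initialize Dropbox API'
    (-14) = 'Failed to fetch team info from Dropbox API'
    (-15) = 'No users found in configured Active Directory group'
    (-16) = 'Failed to get team members from Dropbox API'
    (-17) = 'Failed while syncing'
}

function Get-ADConnectorLastExitCode {
    param([string]$LogPath = 'C:\ProgramData\Dropbox\AD Connector\db_ad_connector.log')
    # Assumption: the exit code is the trailing integer on the last non-blank line.
    $last = Get-Content -Path $LogPath -Tail 50 | Where-Object { $_.Trim() } | Select-Object -Last 1
    if ($last -match '(-?\d+)\s*$') { return [int]$Matches[1] }
    return $null
}

function Test-ADConnectorTask {
    param(
        [string]$TaskPath = '\Dropbox Tasks\',
        [string]$TaskName = 'Dropbox AD Connector',
        [timespan]$MinInterval = [timespan]::FromHours(3)   # page recommends no more than once every three hours
    )
    $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction Stop
    $info = $task | Get-ScheduledTaskInfo
    $findings = New-Object System.Collections.Generic.List[string]

    if ($task.State -eq 'Disabled') { $findings.Add('Task is disabled: enable it (Step 6)') }
    # The connector must run elevated, otherwise it exits with -11.
    if ($task.Principal.RunLevel -ne 'Highest') { $findings.Add('Task does not run with highest privileges; the connector needs admin rights') }
    # Least privilege: the task should run as a dedicated account with read-only AD access, not as a domain admin.
    $findings.Add("Task runs as '$($task.Principal.UserId)': confirm this is a dedicated account with read-only AD access")

    foreach ($trigger in $task.Triggers) {
        $rep = $trigger.Repetition.Interval      # ISO 8601 duration such as PT3H; empty when the trigger doesn't repeat
        if ($rep) {
            $interval = [System.Xml.XmlConvert]::ToTimeSpan($rep)
            if ($interval -lt $MinInterval) { $findings.Add("Trigger repeats every $interval; keep it at $MinInterval or more") }
        }
    }

    if ($info.LastTaskResult -ne 0) { $findings.Add(("Last task result 0x{0:X} (not 0)" -f $info.LastTaskResult)) }
    $code = Get-ADConnectorLastExitCode
    if ($null -ne $code -and $code -ne 0) {
        $meaning = if ($ExitCodeMeaning.ContainsKey($code)) { $ExitCodeMeaning[$code] } else { 'unknown code' }
        $findings.Add("Connector exit code $code : $meaning")
    }
    return $findings
}

Test-ADConnectorTask | ForEach-Object { Write-Warning $_ }
```

The account line is always reported because a task that runs as a domain admin is the commonest over-privilege in this setup; the connector only needs to read AD and hold the Dropbox token.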
What are the stages of the AD Connector running process?
Stage 1: Identify managed users
The AD Connector only updates managed users. A user is managed when either of the following is true:
- The AD Connector provisioned the user. Provisioning happens when a user's email address is added to the configured Active Directory group and that email address isn't already found in Dropbox.
- The user already exists on your Dropbox team, and their email address matches a user in the configured Active Directory group.
Notes:
- The second check only happens if Manage existing users is checked in the AD Connector configuration.
- If neither condition is met, the user is considered unmanaged, and the AD Connector doesn't update unmanaged users. For most administrators, Manage existing users is the best option.
Stage 2: Update user information for managed users only
- User first name
- User last name
- User email address
The AD Connector ensures that the external ID for the user matches between Dropbox and the AD for managed users from Stage 1.
Exception: The AD Connector doesn't update information for users who are in the “Invited” state in Dropbox. The AD Connector reattempts the update on subsequent runs.
Stage 3: Update user state for managed users only
For the managed users identified in Stage 1, the AD Connector updates the user state in Dropbox (active, disabled, or deleted) to match the user state in AD.
Note: Disabling a managed user in AD, or removing them from the Active Directory sync group, doesn't delete them from your Dropbox team. These users are suspended in your Dropbox team instead.