Last Updated: Oct 6th, 2011

I plan to extend this article with more tips and tricks as I have time and discover more, so feel free to bookmark this page (permalink) and visit from time to time to see if there is new information. I am putting a "last updated" mark at the top of this page for easy tracking.

Like anyone who constantly deploys Google Apps Business for customers in Israel and abroad, I use Google Apps Directory Sync (GADS) on a daily basis.

While GADS is not a particularly complex tool, it has hidden gems that are worth discovering for any Google Apps admin.

Before we start, I'll mention that GADS only works with Google Apps Business Edition, Education Edition and Non-Profit Edition. Standard Edition (the free version, now limited to 10 users) isn't supported, because it lacks the API access that GADS requires.

Tip 1 - How to use both GADS and GADS for Email Security

Well, maybe not really a tip, but a good thing to know. As you probably know, GADS comes in two versions: one for Google Apps (Google Apps Directory Sync) and another one, Google Apps Directory Sync for Email Security (a pretty long name, right?).

The first product is well known and doesn't require further introduction (hey, if you're reading GADS tips and tricks, you already know what it does, right?). GADS for Email Security is used to sync users and mailing lists from LDAP servers (like Microsoft Active Directory) to Postini products, such as Google Message Security or Google Message Discovery.

Both tools are based on the same technology but are not interchangeable, i.e. each one can only be used for its own purpose. What do you do if you have both Google Apps and Postini (a stand-alone Postini, to be specific, since the integrated version has its own syncing mechanism)?

Well, you need to use both tools. Luckily for us, both can be installed on the same machine. However, there is a catch: you cannot have both tools running simultaneously. Each tool requires you to configure a scheduled task (using Windows Task Scheduler or a similar tool) that runs its "sync-cmd.exe" with certain parameters.

So you'll need to configure the two tasks to run at different times, because running both at the same time causes a Java error and both tasks fail to complete. I usually set the first task to start at 12:00 and repeat every 30 minutes, and the second task to start at 12:10 and also repeat every 30 minutes. Keep in mind that a fixed 10-minute offset only works as long as each run finishes well inside that gap; a slow LDAP server or a large initial sync can push one run into the other's slot, so check the task history and the GADS logs for overlapping runs before trusting the schedule.
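As an added example (my code, not the original post's and not Google's), here is one way to make the two staggered tasks safe even when a run overshoots its slot: a small PowerShell wrapper that serialises the two sync-cmd.exe invocations behind a machine-wide mutex, plus the schtasks commands that register the 12:00 and 12:10 tasks from above. The install paths, the config file names and the "-a -c <config>" arguments of sync-cmd.exe are assumptions; check them against your own installation before using this.

```powershell
# Invoke-GadsSync.ps1 -- added example, not code from the original post or from Google.
# Serialises the two GADS flavours behind one machine-wide mutex, so that if a run
# overshoots its 10-minute slot the other sync waits instead of both failing.
# Assumptions: install paths, config file names and the "-a -c <config>" arguments
# of sync-cmd.exe; verify them against your installation before use.
param(
    [Parameter(Mandatory=$true)]
    [ValidateSet('Apps', 'EmailSecurity')]
    [string]$Flavour,

    # How long to wait for the other flavour to finish before giving up.
    [int]$WaitSeconds = 600
)

$tools = @{
    Apps = @{
        Exe    = 'C:\Program Files\Google Apps Directory Sync\sync-cmd.exe'
        Config = 'C:\GADS\apps-config.xml'
    }
    EmailSecurity = @{
        Exe    = 'C:\Program Files\Google Apps Directory Sync for Email Security\sync-cmd.exe'
        Config = 'C:\GADS\postini-config.xml'
    }
}
$tool = $tools[$Flavour]

# "Global\" scopes the mutex across sessions, which matters because the two
# scheduled tasks may run under different accounts.
$mutex    = New-Object System.Threading.Mutex($false, 'Global\GadsSyncCmd')
$acquired = $false
$rc       = 1
try {
    try {
        $acquired = $mutex.WaitOne([TimeSpan]::FromSeconds($WaitSeconds))
    } catch [System.Threading.AbandonedMutexException] {
        # The previous holder exited without releasing; the mutex is now ours.
        $acquired = $true
    }

    if ($acquired) {
        & $tool.Exe -a -c $tool.Config
        $rc = $LASTEXITCODE          # hand the tool's own result to Task Scheduler
    } else {
        Write-Warning "$Flavour sync skipped: the other sync was still running after $WaitSeconds s"
        $rc = 2
    }
} finally {
    if ($acquired) { $mutex.ReleaseMutex() }
    $mutex.Dispose()
}
exit $rc

<#
Register the two staggered tasks once, from an elevated prompt. They keep the
12:00 / 12:10 offsets from the post; the mutex only matters when a run is slow.
Replace SYSTEM with a dedicated low-privilege account that can read the configs.

schtasks /Create /F /TN "GADS Apps Sync" /SC MINUTE /MO 30 /ST 12:00 /RU SYSTEM `
  /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\GADS\Invoke-GadsSync.ps1 -Flavour Apps"
schtasks /Create /F /TN "GADS Email Security Sync" /SC MINUTE /MO 30 /ST 12:10 /RU SYSTEM `
  /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\GADS\Invoke-GadsSync.ps1 -Flavour EmailSecurity"
#>
```

The wrapper returns sync-cmd.exe's own exit code, so Task Scheduler's "last run result" still tells you whether the sync itself succeeded; a return code of 2 means the run was skipped because the other flavour never released the mutex within the wait time, which is the case you want to notice and investigate rather than silently retry.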

Tip 2 - The Magic of (memberof=)

Everyone who has learned to use GADS knows how to set up the LDAP queries (also known as "Rules") that look at certain OUs in the LDAP server and select certain accounts for syncing.

But working with OUs isn't always very efficient, as sometimes your Active Directory structure doesn't really fit your Google Apps users. Moreover, using OUs to select users for syncing is pretty limiting and makes changing the OU structure risky, since it will break the sync with Google Apps.

Wouldn't it be much easier to use groups? Just create a group in Active Directory (either Security or Distribution, it doesn't matter for our task) and add the users you'd like to sync with Google Apps to it.

Once you're done, use this LDAP rule in GADS to select the user accounts:

(&(objectclass=user)(memberof=CN=AppsUsers,OU=Groups,DC=enterprise-expert,DC=com))

Much more flexible, isn't it? Two things to keep in mind: the whole rule is one AND expression, so the & must enclose both conditions as above (a leading (objectclass=user) outside the parentheses is not a valid filter); and in Active Directory the memberof attribute lists direct membership only, so users who are in AppsUsers only through a nested group, or only via their primary group, will not be selected. Disabled accounts that are still in the group will be selected, so remove them from the group (or filter them out) if you don't want them synced.
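As an added example (my code, not the original post's and not Google's), here is a PowerShell helper that builds the group-based rule above as one correctly nested filter, escapes the group DN per RFC 4515 so that parentheses or wildcards in a DN cannot alter the filter, optionally follows nested groups and drops disabled accounts, and shows how to preview the result set in AD before GADS ever sees it. The group DN is the one from the post; the switches, the objectCategory clause and the Get-ADUser preview are my additions.

```powershell
# New-GadsUserFilter.ps1 -- added example, not code from the original post or from Google.
# Builds the group-based GADS user rule as one correctly nested LDAP filter and lets
# you preview its result set in AD before a sync runs. The group DN is the one from
# the post; the switches, the objectCategory clause and the preview are my additions.

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping. A DN copied from AD may legally contain ( ) * or \,
    # and a DN that came from anywhere untrusted could carry them on purpose;
    # unescaped, they would change the meaning of the filter (LDAP injection).
    param([Parameter(Mandatory=$true)][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]',
        [System.Text.RegularExpressions.MatchEvaluator]{ param($m) '\{0:x2}' -f [int][char]$m.Value })
}

function New-GadsUserFilter {
    param(
        [Parameter(Mandatory=$true)][string]$GroupDN,
        [switch]$IncludeNestedGroups,   # also select members of groups nested in $GroupDN
        [switch]$ExcludeDisabled        # drop accounts that have ACCOUNTDISABLE set
    )
    $dn = ConvertTo-LdapFilterValue $GroupDN

    # memberOf holds direct membership only (and never the primary group).
    # LDAP_MATCHING_RULE_IN_CHAIN makes AD walk nested groups server-side.
    $member = if ($IncludeNestedGroups) {
        "(memberOf:1.2.840.113556.1.4.1941:=$dn)"
    } else {
        "(memberOf=$dn)"
    }

    # objectCategory=person keeps computer accounts out: in AD they also carry
    # objectClass=user, so (objectClass=user) alone would match them.
    $parts = @('(objectCategory=person)', '(objectClass=user)', $member)
    if ($ExcludeDisabled) {
        # LDAP_MATCHING_RULE_BIT_AND on userAccountControl; 2 = ACCOUNTDISABLE
        $parts += '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
    }

    # One AND over every condition; the & has to enclose all of them.
    '(&' + ($parts -join '') + ')'
}

$filter = New-GadsUserFilter -GroupDN 'CN=AppsUsers,OU=Groups,DC=enterprise-expert,DC=com' -IncludeNestedGroups
$filter

# Preview, against the live directory, exactly which accounts the rule hands to GADS
# (needs the RSAT ActiveDirectory module). Run this before pasting the filter into GADS:
# Get-ADUser -LDAPFilter $filter -Properties mail | Select-Object sAMAccountName, mail
```

Be careful with -ExcludeDisabled: an account that disappears from the rule's results looks to GADS like an account that was deleted from LDAP, and GADS will act on the Google side accordingly, so run a simulated sync and read the proposed changes before applying a changed rule.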

Tip 3 - Email Notifications

For some unclear reason, you have to configure Notifications in GADS to receive the sync logs, including errors and warnings (if there are any). If you don't configure Notifications, GADS won't let you continue until you do. Weird.

But ok, let's configure it. If you're using GADS, you're probably a Google Apps customer, right? However, the GADS documentation suggests you set up an SMTP server in your IT environment and have it relay the notifications to your Google Apps email account. Yes, you heard me right.

Since all of us are trying to get rid of as many servers and services as we can (by moving to the cloud, for instance), I don't like setting up new servers or services.

Easy workaround: use Google's own inbound mail host to deliver those messages to your inbox. Use ASPMX.L.GOOGLE.COM as the SMTP host in GADS. You don't need a username or password, as this host (it is the MX host for every Google Apps domain) accepts anonymous, unencrypted connections on port 25, which is exactly what we need. One caveat: the sync log contains your directory's usernames and error details and travels over the public internet, so if your GADS version offers a TLS option for the notification SMTP host, enable it.

The only thing you should know: if your notification destination address isn't hosted on Google Apps (say you want to receive those notifications in your Yahoo mailbox), this trick won't work. ASPMX.L.GOOGLE.COM only accepts mail for domains hosted on Google Apps; it is an inbound MX host, not a relay. Also, because the notification's From address is in your domain but the message arrives from your GADS server's IP rather than from a host in your domain's SPF record, check after the first sync that the notification actually landed in the inbox and not in Spam.
Author: Vadim Solovey