🌐 Beginner’s Guide to Google Cloud Directory Sync (GCDS) for Google Workspace Part 1

If you manage a business that relies on both Google Workspace and Active Directory, you may be looking for an easy way to synchronize user information across these platforms. Google Cloud Directory Sync (GCDS) is designed to keep Google Workspace in sync with your Active Directory or LDAP server. In this article, we’ll learn the basics of setting up GCDS, configuring the essential settings, and performing your first sync. GCDS can sync the following objects from AD to Google; we will discuss the synchronization itself in the second part of this blog.

  1. Organizational units
  2. Groups / Distribution lists (DLs) / Mailing lists
  3. Users
  4. User alias
  5. User profile
  6. Calendar
  7. Rooms
  8. Contacts

At Cloud Sultans, our mission is to help small and large businesses better collaborate and achieve high productivity with their teams by maximizing the power of Google Workspace (formerly GSuite).

Getting Started with GCDS Download & Installation 💾

To start, download the correct version of GCDS from Google’s official page and install it on the Windows server machine. Both 32-bit and 64-bit versions are available for Windows and Linux. Most companies use Active Directory on Windows Server 2019 or 2022, making the 64-bit version a common choice. GCDS offers a straightforward setup if you’re using Windows Server with Desktop Experience. However, if you’re installing on a server without a graphical interface, refer to Google’s support pages for additional command-line steps.

Exploring the Active Directory Setup 🖥️

Before diving into GCDS configuration, let’s take a closer look at the Active Directory setup. In this example, assume that a Windows domain has Organizational Units (OUs) containing users that are already configured in Google Workspace, along with some new accounts to be created in Google Workspace. Additionally, there are a few AD groups to keep things organized. With this setup, you’re ready to configure GCDS to synchronize users, groups, and OUs. The following is an example AD screenshot.

Configuring GCDS for Your Google Workspace 🔧

After completing the download and installation steps above, search for the “Google Cloud Directory Sync” folder in the Windows menu on your AD machine, then launch the option named “Configuration Manager”. It should show a window similar to the one below.

Important note: The following screenshot shows all the configuration options in the left pane (e.g., General settings, user accounts, groups, notifications, etc.). These options may not be visible at the initial stage (for example, when you are running GCDS for the first time), but they become available as soon as you proceed further.

In the Primary Domain section, enter your Google Workspace domain and select “Replace domain names in LDAP email addresses” to keep everything consistent. GCDS needs a Google Workspace administrative account to “Authorize & Access” the Google Workspace Directory API and Domain Shared Contacts API. You can use your Super Admin account, but it is highly recommended to create a dedicated user in Google Workspace, such as “gcds@yourdomain.com”, specifically for this purpose. This way, if something goes wrong one day (GCDS stops syncing or “over syncs”), you will be able to track it easily in the admin logs of the Admin console. Simply go to the “Investigation Tool” in the Google Workspace Admin Console and, under the “Admin Audit Section”, enter the dedicated GCDS Super Admin account (gcds@yourdomain.com) to filter the actions performed by GCDS.
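The same filter-by-actor check can be scripted once the admin audit events are exported. The following is an added example, not part of the original article or of GCDS: it narrows constructed records, shaped like Admin SDK Reports API admin activities, down to the dedicated GCDS account and flags a burst of deletions or suspensions (an “over sync”). The record layout, event names, five-minute window and threshold of three are assumptions for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

GCDS_ACTOR = "gcds@yourdomain.com"  # dedicated sync account named in the article
DESTRUCTIVE = {"DELETE_USER", "SUSPEND_USER", "DELETE_GROUP"}  # assumed alert set

def rec(ts, actor, name, target):  # one constructed Reports-API-style activity
    event = {"name": name, "parameters": [{"name": "USER_EMAIL", "value": target}]}
    return {"id": {"time": ts}, "actor": {"email": actor}, "events": [event]}

SAMPLE = [  # constructed sample data, not real logs: normal run, then mass removal
    rec("2024-05-01T02:00:05Z", GCDS_ACTOR, "CREATE_USER", "new1@yourdomain.com"),
    rec("2024-05-01T02:00:09Z", GCDS_ACTOR, "CREATE_USER", "new2@yourdomain.com"),
    rec("2024-05-01T02:10:00Z", GCDS_ACTOR, "DELETE_USER", "a@yourdomain.com"),
    rec("2024-05-01T02:10:10Z", GCDS_ACTOR, "DELETE_USER", "b@yourdomain.com"),
    rec("2024-05-01T02:10:20Z", GCDS_ACTOR, "SUSPEND_USER", "c@yourdomain.com"),
    rec("2024-05-01T09:00:00Z", "admin@yourdomain.com", "DELETE_USER", "e@yourdomain.com"),
]

def actions_by(activities, actor=GCDS_ACTOR):
    """Return (time, event, target) tuples for one actor, oldest first."""
    out = []
    for act in activities:
        if act["actor"]["email"].lower() == actor.lower():
            when = datetime.fromisoformat(act["id"]["time"].replace("Z", "+00:00"))
            for ev in act["events"]:
                params = {p["name"]: p.get("value") for p in ev.get("parameters", [])}
                out.append((when, ev["name"], params.get("USER_EMAIL")))
    return sorted(out, key=lambda a: a[0])

def summarize(actions):
    return dict(Counter(name for _, name, _ in actions))

def destructive_bursts(actions, window=timedelta(minutes=5), threshold=3):
    """Return (start, end, count) for runs of destructive events inside `window`."""
    times = [t for t, name, _ in actions if name in DESTRUCTIVE]
    bursts, i = [], 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and times[j + 1] - times[i] <= window:
            j += 1
        n = j - i + 1
        if n >= threshold:
            bursts.append((times[i], times[j], n))
        i = j + 1 if n >= threshold else i + 1
    return bursts

if __name__ == "__main__":
    print(summarize(actions_by(SAMPLE)), destructive_bursts(actions_by(SAMPLE)))
```

Because GCDS runs under its own account, the human administrator’s deletion at 09:00 in the sample never enters the GCDS burst count.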

Now carefully navigate to the “Exclusion Rules” tab and use exclusion rules to exclude existing super admin users from syncing. This prevents GCDS from making changes to Super Admin accounts.

Warning: With this exclusion in place, the excluded super admin accounts will not receive changes made in AD. For example, gcds@domain.com will not be synced or added to AD groups.

Now you can switch back to the original tab named “Connection Settings” and click the “Authorize Now” button to authenticate GCDS with your Google Workspace tenant. It will redirect you to a browser and ask for multiple admin permissions that you need to allow to complete the setup. After you complete the authentication workflow, GCDS should show the status “Authorized”, as below.

Setting Up the LDAP Configuration ⚙️

Next, configure LDAP. Since this example uses Microsoft Active Directory, select “Server Type” as “MS Active Directory” and select “Connection Type” as “Standard LDAP”. GCDS is running locally, so use 127.0.0.1 (localhost) as the hostname with the default port 389. If you prefer SSL for additional security, change the port to 636. For authentication, provide the AD Admin username and password. You’ll also need the Base Distinguished Name (Base DN), which is the root of your domain: the starting point from which a directory search begins. Think of it as the directory’s home base. For example, in a domain named example.com, the Base DN might look like dc=example,dc=com, which tells the system to start searching from the example.com domain structure.

Tip: You can run the following command in PowerShell to get the Base DN. The DC= components of the DistinguishedName value in the output make up the Base DN.
Get-ADUser administrator -Properties ProxyAddresses

Confirm your settings by clicking “Test Connection” and upon successful connection, it should show the “Connection Succeeded!” result as shown in the following picture.

The basic settings for GCDS are now configured, and it is time to choose the services that we want to sync from AD to Google Workspace. The following services can be synced from AD.

  1. Organizational units
  2. Groups / Distribution lists (DLs) / Mailing lists
    • GCDS doesn’t synchronize security groups. A security group on your LDAP server syncs to Google as a regular group.
  3. Users
    • User alias
    • User profile
  4. Calendar
    • Rooms
  5. Contacts
    • Shared external contacts
    • GCDS doesn’t synchronize personal contacts.

In the next part, we will go through the instructions for syncing the services in the list above. Continue to the next part by clicking here.

Any questions, comments, or reactions about our article? We’re happy to hear them in the comment section below. We always love diving into healthy discussions. If you also feel that you haven’t been using Google Workspace at its best, reach us at (Cloud Sultans: contact@cloudsultans.com).
