Skip to main content
日本語 简体中文 繁體中文

[Access Control] Active Directory Replacement Procedure (Domain Controller Only, Without Password Synced)

Target

  • Customers who are only replacing (migrating/upgrading OS included) the Active Directory domain controller server
  • Customers who do not perform password synchronization from Active Directory

Purpose

This article explains the settings related to HENNGE Directory Sync Tool when replacing (migrating/upgrading OS included) an Active Directory server.

Notes

  1. This article is based on the current environment configuration and work details as confirmed in advance by your HENNGE representative.
    If you are planning a replacement, please refer to the following article:
    Request for customers planning to upgrade, replace, or add Windows Server
  2. Due to our company name change (HDE→HENNGE) on February 1, 2019, the names of services and sync tools have changed.
    However, the file names and installation folder names used in this procedure have not been changed to avoid impact on customers, so please use the names as described in this article.
  3. The content of this article is based on information as of March 2026 and may be changed without notice.

Table of Contents

  1. Work on the new Active Directory domain controller server (Windows Server 2016 or later) [After domain promotion / Common to all servers]
  2. Pre-demotion tasks for the old reference domain controller
  3. Restarting HENNGE Directory Sync Tool [After promotion of the new AD server]

Procedure

1. Work on the new Active Directory domain controller server (Windows Server 2016 or later)
 [After domain promotion / Common to all servers]

Check Active Directory Web Services (ADWS)

*Please perform this task after promoting the domain controller.

Open [Administrative Tools] – [Services] and confirm that the status of Active Directory Web Services is "Running" and the startup type is set to "Automatic".

Active Directory Web Services status confirmation screen
Example: Windows Server 2016

2. Pre-demotion tasks for the old reference domain controller

Check the server running Assign-HDEOnePasswordSyncGroup.bat

If the server running Assign-HDEOnePasswordSyncGroup.bat is the domain controller to be demoted, perform this procedure.
*If the HENNGE Directory Sync Tool is on a sync server separate from the domain controller, backup is not required.

Back up the entire C:\HDEOne\ folder where the bat file is stored.
This is preparation for moving it to the new domain controller server.

Stop HENNGE Directory Sync Tool service

On the sync server, stop the following service from [Administrative Tools] – [Services].

  • HDE One Directory Sync

3. Restarting HENNGE Directory Sync Tool [After promotion of the new AD server]

Re-deploy and configure Assign-HDEOnePasswordSyncGroup.bat

*Perform this procedure only if the bat was running on the old reference domain controller.

  1. Place the HDEOne folder obtained in the above step "Pre-demotion tasks for the old reference domain controller" directly under the C:\ drive on the new domain controller, maintaining the same folder structure as before.
  2. Refer to the "Scheduled Execution Settings" section in the following article and configure the scheduled execution for Assign-HDEOnePasswordSyncGroup.bat.
    *You do not need to check other items.
    [Access Control] Running Assign-HDEOnePasswordSyncGroup.bat

Check HENNGE Directory Sync Tool operation

During normal operation, HENNGE Directory Sync Tool runs periodically as a Windows service, but you can also perform an immediate user sync using a PowerShell command.
You can check the operation of user sync using the following procedure.

*Please perform this task with a User who has [Domain Admins] or [Enterprise Admins] role.

  1. Launch PowerShell as an administrator.

  2. Run a test sync with HENNGE Directory Sync Tool using the following command.
    * If you do not add the /n option, an actual sync will be performed, so please be careful.

    > cd "C:\Program Files\HDE One Directory Sync"
> .\console.exe /n

  3. Confirm that the differences for unsynced users are displayed.

    Example) ------------------------------------------------------------------
##### Sync set [sync01] #####
   Active Directory ---> HDE Access Control
Add: Administrator / iGcrgi8tjUy1NfaLulJ/5Q==
Add: Guest / qWEUYHX3DUOxPrZv6C271Q==
Add: test01 / test01@addc1.example.com / WEt4r/aDlE3wtGz0UbVoqQ==
Delete: aaa / aab@addc1.example.com / hfJV7x6cakym2AIWkThdA==
----------------------------------------------------------------------

    *If there are no users to be synced, the following will be output.

    Example) ------------------------------------------------------------------
##### Sync set [sync01] #####
   Active Directory ---> HDE Access Control
 * No sync data *
----------------------------------------------------------------------

Restart HENNGE Directory Sync Tool service

Start the following two services from [Administrative Tools] – [Services] on the sync server.

  • HDE One Directory Sync