Published Date : 31 Aug 2017
Last Updated : 24 May 2023
Content Ref: TEC5797912
Note: RM Cloud Service Delivery can assist you with your Network Provisioning installation.
For non-CC4 Active Directory networks, Network Provisioning must be installed and configured by RM.
For Community Connect® 4 (CC4) networks, customers can self-install single-site Network Provisioning or purchase an installation service.
For further information, please refer to TEC6284446 in the Other Useful Articles section, or please speak to your Sales representative on 0845 070 0300, or email email@example.com, quoting this article.
Note: Network Provisioning can provision users from one or more RM Unify establishments to a single or shared network. Please contact your Sales representative to find out how we provision multiple RM Unify establishments to a shared network.
Note: For CC4 customers, this is supported on CC4.5 (i.e. where your CC4 First server is 2012R2) and above networks. Matrix networks are not supported.
RM Unify Network Provisioning scenarios and solutions
- Where the MIS will be the source of new RM Unify users:
- Where CSV files will be the source of new RM Unify users:
Important note: Please ensure that you follow one of the flowcharts above (taking special note of the points highlighted below in some of the flowchart boxes) before proceeding with the installation of RM Unify Network Provisioning. If you do not follow this process accurately, there is a risk that you may compromise user accounts and their access to your network. Please contact the Cloud Support team if you would like advice.
The following notes match up with some of the boxes in the above flowcharts. They are not steps to follow in order; please read each relevant section when working through the flowchart.
- When the Network Agent first runs, it will retrieve the user list from RM Unify. It is, therefore, highly likely that you will have users in your AD that correspond to users in RM Unify.
If there is already a user in the AD with the same username as an RM Unify user and a matching user role, the AD user will be linked to and updated with the details from RM Unify:
- RM Unify Students will be matched with AD users located in the OU (or sub-OUs) that is specified for students in the Network Agent configuration.
- RM Unify Teaching Staff and Non-Teaching Staff will be matched with any AD users that are not located in the OU specified for students.
If there is no user in the AD with the same username as an RM Unify user (either because there is no AD account or because the AD username does not match), then a new AD account will be created using the RM Unify username.
To facilitate this cloud-to-network user matching, ensure that the usernames match by renaming RM Unify users and/or renaming AD users, before you install the Network Agent.
- To rename a user in RM Unify, find the user on the Users page and, from the Actions menu, click 'Change username'.
- To generate a CSV file of all RM Unify users, click here.
The above should prevent the Network Agent from creating multiple accounts for the same user in AD when you change to Network Provisioning later in the setup.
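A pre-install check of the matching rules described above, as an added PowerShell example that is not RM's own tooling. The CSV column names (Username, Role), the role value 'Student', the student OU and the use of sAMAccountName as the AD username are assumptions, and the sample rows are constructed.

```powershell
# Added example: forecasts what the Network Agent matching rules above imply
# for each RM Unify user. Column names, role values and the OU are assumptions.
$StudentOU = 'OU=Students,DC=school,DC=example'   # hypothetical student OU

# Constructed sample data. On a real network, replace with for example:
#   $unify = Import-Csv .\rmunify-users.csv
#   $ad    = Get-ADUser -Filter * | Select-Object SamAccountName, DistinguishedName
$unify = @(
    [pscustomobject]@{ Username = 'asmith'; Role = 'Student' }
    [pscustomobject]@{ Username = 'bjones'; Role = 'Teaching Staff' }
    [pscustomobject]@{ Username = 'ckhan';  Role = 'Student' }
    [pscustomobject]@{ Username = 'dlee';   Role = 'Non-Teaching Staff' }
)
$ad = @(
    [pscustomobject]@{ SamAccountName = 'ASmith'; DistinguishedName = 'CN=A Smith,OU=Year7,OU=Students,DC=school,DC=example' }
    [pscustomobject]@{ SamAccountName = 'bjones'; DistinguishedName = 'CN=B Jones,OU=Staff,DC=school,DC=example' }
    [pscustomobject]@{ SamAccountName = 'c.khan'; DistinguishedName = 'CN=C Khan,OU=Students,DC=school,DC=example' }
    [pscustomobject]@{ SamAccountName = 'dlee';   DistinguishedName = 'CN=D Lee,OU=Year9,OU=Students,DC=school,DC=example' }
)

function Get-ProvisioningForecast {
    param([object[]]$UnifyUsers, [object[]]$AdUsers, [string]$StudentOU)

    $byName = @{}   # hashtable literals compare string keys case-insensitively
    foreach ($a in $AdUsers) { $byName[$a.SamAccountName] = $a }

    foreach ($u in $UnifyUsers) {
        $match = $byName[$u.Username]
        if ($null -eq $match) {
            $outcome = 'CREATE: no AD user with this username, a new AD account will be created'
        } else {
            # Students must sit in the student OU or a sub-OU; staff roles must sit outside it.
            $inStudentOU = $match.DistinguishedName.EndsWith(",$StudentOU", [StringComparison]::OrdinalIgnoreCase)
            if (($u.Role -eq 'Student') -eq $inStudentOU) {
                $outcome = 'LINK: username and role match, AD user will be linked and updated'
            } else {
                # The article does not state what happens here, so flag it for a manual decision.
                $outcome = 'REVIEW: username matches but the OU does not fit the role'
            }
        }
        [pscustomobject]@{ Username = $u.Username; Role = $u.Role; Outcome = $outcome }
    }
}

Get-ProvisioningForecast -UnifyUsers $unify -AdUsers $ad -StudentOU $StudentOU | Format-Table -AutoSize
```

Every CREATE row for a person who already has an AD account under a different username (ckhan / c.khan in the sample) is a duplicate account waiting to happen; rename one side before installing the Network Agent.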
- Are there existing MIS users that correspond to RM Unify users?
If so, you must link the MIS user to their RM Unify account using MIS Sync in Link Mode. This prevents RM Unify from creating multiple accounts for the same user in RM Unify when you change to MIS Sync in Create Mode later in the setup. TEC5427652 in the Other Useful Articles section below gives more information on this. In Link Users (and using the 'Display as Table' view), confirm you have the user counts as below.
See TEC7674490 in the Other Useful Articles section below for more detailed help with linking users.
||Number of users
|Users with a likely MIS record match
|Users with a possible MIS record match
|Users not matched to an MIS record
|If an RM Unify user does not have an MIS record, then set it as 'User not in MIS'.|
|MIS records not matched to an RM Unify user
|If an MIS record does not have an RM Unify account, then set it as 'Has no RM Unify account'.|
Note: If you do not have the above user counts and/or intend to not link some of your users, please stop and seek advice from the Cloud Support team, as this can have adverse consequences beyond your AD and affect multiple apps.
- Are there AD users that exist in your MIS but do not exist in RM Unify?
If so, select the same username format as your existing AD users so that when you change to MIS Sync in Create Mode, the user will be provisioned into RM Unify with a username that matches the format of their existing AD account. If it is not possible to match the username format of existing AD users, then you may wish to import the AD users into RM Unify (and then link to the MIS records) so that the usernames are consistent.
- The RM Unify CSV Extraction Tool is available for download from DWN3182515 in the Other Useful Articles section below.
- Use the Download Passwords page to generate passwords for newly provisioned RM Unify users. This should be done after installation of the Network Agent so that the new passwords will be immediately synced to the AD. Following installation of the Network Agent, a user's password will be synced when their password is changed/generated or when the user next signs in to RM Unify via a browser.
This article covers the software prerequisites and other tasks we recommend before installing the RM Unify Network Provisioning components. There are two components for this feature:
- RM Unify Network Agent installed on one domain controller. We strongly recommend the primary domain controller (with PDC FSMO role) or CC4 First server.
- RM Unify Password Filter installed on all domain controllers that process password changes.
Note: If RM Unify Password Filter v18.104.22.168 or later is already installed and working on a DC from previous RM Unify AD Sync use, there is no need to reinstall.
Requirements: RM Unify Network Agent
- CC4: CC4 version
- CC4.5*, or
- Connect On Prem (CoP)*
*where Windows Server (WS) is 2012R2 or later
- Non-CC4: Operating system
- Domain controller running Windows® Server® (WS) 2012R2, WS 2016, WS 2019 or WS 2022. Core editions have not been validated and are, therefore, unsupported.
- .NET Framework 4.8 or later
- If your server is a CC4 server, then .NET Framework 4.8 should be installed by default via WSUS (Windows Server Update Services).
- Check if .NET Framework 4.8 is installed.
- On the Network Agent server, run regedit.
- Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full.
Note: If the Full subkey is missing, then .NET Framework 4.5 or later isn't installed and you should proceed to installing .NET Framework 4.8.
- Select the Full subkey and in the right-hand window, check the Release REG_DWORD value. If the value is less than 528040, please proceed to installing .NET Framework 4.8. If the value is 528040 or greater, .NET Framework 4.8 is already installed.
Install .NET Framework 4.8
- Download .NET Framework 4.8 and follow the installation instructions from this article: Microsoft .NET 4.8.
Note: You may be prompted to reboot your server as part of the installation.
Requirements: RM Unify Password Filter
- Operating system
- Windows Server (WS) 2012, WS 2012R2, WS 2016, WS 2019, or WS 2022 including Core editions.
- .NET Framework v3.51 SP1
- If your server is a CC4 server, then .NET Framework 3.51 SP1 should be installed by default via WSUS (Windows Server Update Services).
- Confirm whether .NET Framework version 3.5 SP1 is installed.
- Run PowerShell by clicking the PowerShell icon on the Taskbar. Alternatively, on Server Core, type powershell in the Command Prompt window and press enter.
- Type import-module servermanager and press enter.
- Type Get-WindowsFeature -Name NET-Framework-core | fl Installed and press enter. The display will indicate whether or not the component is installed.
- If required, install .NET Framework version 3.5 SP1 as follows.
- You will need the original WS 2012/2016 installation media. For the following example, this is assumed to be in drive E:.
- Type Install-WindowsFeature -Name NET-Framework-core -source E:\sources\sxs and press enter.
- Repeat step 1 above to confirm that the component has installed successfully.
- Microsoft Visual C++ 2010 Redistributable Package (x64)
- Confirm whether 'Microsoft Visual C++ 2010 Redistributable (x64)' is installed:
- Open a Command Prompt window.
- Type C: and press enter.
- Type cd %SYSTEMROOT%\system32 and press enter.
- Type dir /b msvcr100.dll and press enter. If the file is found, this command returns a single line of output with the same filename. This indicates that the 'Microsoft Visual C++ 2010 Redistributable (x64)' package is installed. If the command returns "File Not Found", the 'Microsoft Visual C++ 2010 Redistributable (x64)' package is not installed.
- If required, install 'Microsoft Visual C++ 2010 Redistributable (x64)':
- Download the latest version of Microsoft Visual C++ 2010 SP1 Redistributable (x64).
- Follow the instructions in this URL: https://support.microsoft.com/en-us/topic/the-latest-supported-visual-c-downloads-2647da03-1eea-4433-9aff-95f26a218cc0
- Run vcredist_x64.exe to perform the installation.
- Repeat step 1 above to confirm that the component has installed successfully.
- On a CC4 network, CC4UPD206 is required so that passwords with special characters set through RM Unify will be correctly set on the network.
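The manual checks above (the Release registry value, the NET-Framework-Core feature and msvcr100.dll) gathered into one script, as an added PowerShell example that is not part of RM's installer. The function name Test-UnifyPrerequisite and its -Component values are hypothetical; the registry path, threshold, feature name and file name are those given in this article.

```powershell
# Added example: checks the prerequisites listed above on the local server.
# Run in 64-bit PowerShell so that System32 is not redirected to SysWOW64.
function Test-UnifyPrerequisite {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('NetworkAgent', 'PasswordFilter')]
        [string]$Component
    )

    if ($Component -eq 'NetworkAgent') {
        # A missing Full subkey means .NET Framework 4.5 or later is not installed at all;
        # a Release value below 528040 means a version older than 4.8.
        $key     = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
        $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
        [pscustomobject]@{
            Check  = '.NET Framework 4.8 or later'
            Detail = if ($null -eq $release) { 'Full subkey or Release value missing' } else { "Release = $release" }
            Pass   = ($null -ne $release) -and ($release -ge 528040)
        }
    } else {
        Import-Module ServerManager
        $feature = Get-WindowsFeature -Name NET-Framework-Core
        [pscustomobject]@{
            Check  = '.NET Framework 3.5 SP1 (NET-Framework-Core feature)'
            Detail = "Installed = $($feature.Installed)"
            Pass   = [bool]$feature.Installed
        }

        $dll = Join-Path $env:SystemRoot 'System32\msvcr100.dll'
        [pscustomobject]@{
            Check  = 'Microsoft Visual C++ 2010 Redistributable (x64)'
            Detail = $dll
            Pass   = (Test-Path -LiteralPath $dll)
        }
    }
}

# On the server that will host the Network Agent:
Test-UnifyPrerequisite -Component NetworkAgent | Format-Table -AutoSize
# On every domain controller that processes password changes:
Test-UnifyPrerequisite -Component PasswordFilter | Format-Table -AutoSize
```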
- Uninstall RM Unify AD Sync
- If RM Unify AD Sync is installed on your network, remove it as follows:
- Log on as administrator to the server running the RM Unify AD Sync service.
- Navigate to Control Panel, Programs (or 'Programs and Features').
- Search for RM Unify AD Sync and select Uninstall. There is no need for a server reboot.
- Once uninstallation is completed, you may delete the C:\Program Files (x86)\RM\RM Unify AD Sync folder.
Remove RM Unify Linked User Provisioning or LGfL USO Linked RM User Provisioning components (RM Managed Service sites only)
- RM Managed Service sites that presently use RM Unify Linked User Provisioning or LGfL USO Linked RM User Provisioning should remove the relevant components prior to introducing RM Unify Network Provisioning. RM Unify Linked User Provisioning sites should follow TEC4502298 in the Other Useful Articles section below.
Set password policies in AD
- If a password set for a user in AD is not complex enough to meet the default RM Unify password policy, or your RM Unify establishment's password policies, if configured, then it will be rejected by RM Unify and the password will be out of sync between the network and the cloud. This rejection will be listed as an error in the User Audit page of the RM Unify Management Console. We suggest that you periodically check the User Audit page for password sync failures and assist affected users in setting a password which meets the required complexity.
- The current RM Unify password policies are detailed in TEC5943089 (in the Other Useful Articles section below) and use heuristics rather than composition rules to determine how strong a user's password is. Therefore, the RM Unify password policies cannot be represented with AD password policy rules, but we do suggest that you set password policies in your AD for Students and Staff to increase the chance of passwords being accepted by the RM Unify policy, e.g. a minimum of four characters for Students and a minimum of six characters for Staff. You can get a feel for the RM Unify password policy by signing into RM Unify, visiting the Change Password page (https://sts.platform.rmunify.com/Account/ChangePassword) and entering a 'New password'. We accept 'weak' passwords for Students but require 'acceptable' passwords for other roles.
- You may also wish to encourage users to change their passwords in RM Unify rather than on the local school network.
Add firewall or proxy server rules
- If your network uses a firewall or proxy server that requires users to authenticate*, you need to add the following URLs to the whitelist:
*This applies to any firewall or proxy server that requires authentication - whether running locally or provided by a third party or LA, and even if authentication is transparent.
Document Keywords: RM Unify Network Provisioning: prerequisites and preparation, rmunp, TEC5797912