Services
Directory Manager services are long-running, non-UI software applications that operate in the background and run in their own Windows sessions. They usually start when the machine that hosts them boots and run in the background to carry out their tasks. You can also start, pause, and stop them manually.
Directory Manager relies on a few of its own services and third-party services for different functions.
Directory Manager Services
The following table discusses Directory Manager services.
Service | Description |
---|---|
Data service | Directory Manager uses it to perform core operations and to communicate with Microsoft SQL Server for storing and fetching data in the database. |
Security service | - Authenticates and authorizes users on different Directory Manager functions in accordance with their roles. - Encrypts and decrypts data that Directory Manager Data service stores and fetches from the SQL database. |
Replication service | Replicates attributes of the group, user, contact, computer, and organizational unit object from the provider (such as Active Directory) to the Elasticsearch repository. In case of multiple Elasticsearch clusters, this service is also responsible for syncing data between clusters. |
Email service | Maintains a queue of all notification requests generated by identity stores, and sends them one by one. |
Scheduler service | Initiates schedule runs for scheduled jobs defined in Directory Manager. |
These services run in the context of specific accounts that are different from the logged-on user or the default computer account. See the Accounts to Run the Services topic for details.
Where are these Services Hosted?
Directory Manager services are hosted on a web server, which can be native IIS, remote IIS, or Docker.
You can create multiple Data services and Security services while hosting them on different web servers. For example, you can host one Data service in native IIS and another in Docker.
- To launch IIS on a machine, see Opening IIS Manager.
- To open Docker Desktop on Windows, search for Docker and select Docker Desktop in the search results.
Third-party Services
Directory Manager requires the following third-party services:
Service | Description |
---|---|
SQL Server Browser service | This service fetches the SQL servers present in the environment and displays them on the Database Settings page of the Directory Manager Configuration Tool, where you configure a database for Directory Manager. Moreover, Directory Manager stops when this service stops. |
Key Distribution Service (KDS) | You must enable the Key Distribution Service (KDS) on the Directory Manager server if you want to use Group Managed Service Accounts (gMSA) in Directory Manager. Directory Manager supports a gMSA in various contexts, such as for the Directory Manager app pool and as service account for an identity store. |
Elasticsearch service | This service is responsible for searching the Elasticsearch repository to display object listings and search results in Directory Manager. If this service stops, Directory Manager will not work. |
Where are these Services Hosted?
Third-party services are created as Windows services in Windows Services Manager:
To launch the Services Manager, type 'services.msc' in the Run dialog box and click OK. In Windows Services Manager you can start, stop, disable, and delay a service.
Accounts to Run the Services
The Directory Manager Configuration Tool enables you to specify the service accounts to use for the Directory Manager app pool and Windows services.
Services | Service Account Description |
---|---|
Directory Manager App Pool in IIS | Use a domain account or a Group Managed Service Account (gMSA). The account must be a member of the Administrators group or both the Backup Operators and IIS_IUSRS groups. The account is used to manage the Directory Manager app pool in IIS. Data service, Security service, and the portals run under the app pool. For a Microsoft Entra ID identity store, you can specify a local account (with local administrator rights) in the app pool for a machine that is not joined to any domain. |
Windows services | Use a domain account, system user account, or gMSA. The account must be a member of the Backup Operators group. The account is used to run the Windows services for Directory Manager, as discussed in the Third-party Services topic. |
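The following PowerShell pre-flight check is an added example, not part of Directory Manager or its documentation. It covers both the Third-party Services table (are SQL Server Browser, KDS, and Elasticsearch running?) and the service-account table above (does each account hold the required group memberships, and no more?). The service names SQLBrowser and KdsSvc are the standard Windows names; the Elasticsearch service name varies by installer, so it is a parameter, and the two account names are constructed examples.

```powershell
# Added example: pre-flight check for Directory Manager service prerequisites.
# Run on the Directory Manager server in an elevated PowerShell session.
param(
    [string]$AppPoolAccount     = 'CONTOSO\svc-dm-apppool$',   # constructed example (gMSA)
    [string]$WindowsSvcAccount  = 'CONTOSO\svc-dm-services',   # constructed example
    [string]$ElasticServiceName = 'elasticsearch-service-x64'  # assumption: installer default
)

# Reports whether a required Windows service exists and is running.
function Test-RequiredService {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc)                  { return "MISSING  $Name" }
    if ($svc.Status -ne 'Running')  { return "STOPPED  $Name (StartType: $($svc.StartType))" }
    return "OK       $Name"
}

# Returns $true/$false for membership, or $null when the group cannot be read
# (e.g. IIS_IUSRS before IIS is installed, or an orphaned SID in the group).
function Test-GroupMember {
    param([string]$Group, [string]$Account)
    try   { $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop }
    catch { return $null }
    return [bool]($members | Where-Object { $_.Name -ieq $Account })
}

'--- Third-party services (SQL Server Browser, KDS, Elasticsearch) ---'
'SQLBrowser', 'KdsSvc', $ElasticServiceName | ForEach-Object { Test-RequiredService $_ }

'--- App pool account: Administrators, or Backup Operators + IIS_IUSRS ---'
$isAdmin  = Test-GroupMember 'Administrators'   $AppPoolAccount
$isBackup = Test-GroupMember 'Backup Operators' $AppPoolAccount
$isIisUsr = Test-GroupMember 'IIS_IUSRS'        $AppPoolAccount
if ($isAdmin) {
    "$AppPoolAccount is a local Administrator: requirement met, but Backup Operators + IIS_IUSRS grants less"
} elseif ($isBackup -and $isIisUsr) {
    "$AppPoolAccount is in Backup Operators and IIS_IUSRS (lower-privilege option)"
} else {
    "$AppPoolAccount does not meet the requirement (Backup Operators: $isBackup, IIS_IUSRS: $isIisUsr)"
}

'--- Windows services account: Backup Operators ---'
if (Test-GroupMember 'Backup Operators' $WindowsSvcAccount) { "$WindowsSvcAccount is in Backup Operators" }
else                                                        { "$WindowsSvcAccount is NOT in Backup Operators" }
if (Test-GroupMember 'Administrators' $WindowsSvcAccount) {
    "$WindowsSvcAccount is also a local Administrator, which the Windows services do not require"
}
```

A built-in system account for the Windows services will report as not in Backup Operators, since the membership check applies to domain accounts and gMSAs.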
Elasticsearch Clusters, Nodes, and Directory Manager
When you have multiple Elasticsearch clusters in your environment and each cluster has multiple nodes, the following are created for each node in a cluster:
- An Admin Center
- A Data service
- A Security service
- A Replication service
- A Scheduler service
- An Email service
Cluster syncing
To sync data between clusters, Directory Manager uses the Replication service. You have to enable data sync for at least one Replication service within a cluster to sync the cluster's data to other clusters. See the Enable Elastic Cluster Syncing topic for additional information.