Global Address List Synchronization Walkthrough: Implementation Steps

Applies To: Windows Server 2003 with SP1

Previous Steps in This Walkthrough

  1. Overview

  2. Scenario Design

  3. Lab Setup

To implement this walkthrough, set up a server by using the procedures outlined in Lab Setup.

Note

This walkthrough assumes the design and planning process has been completed based on the information presented earlier and the worksheets are complete. The walkthrough is designed to step the reader through the implementation of the proposed design. For complete information about designing and planning an MIIS 2003 deployment, see the MIIS 2003 Design and Planning Collection.

Creating the Management Agents

To run this GAL synchronization walkthrough and synchronize data between the two forests, you need to create two management agents for Active Directory GAL. These management agents are named Contoso GALMA and Fabrikam GALMA.

The rules required for GAL synchronization are built into the management agents and do not require that you configure each page in Management Agent Designer. The following options are preconfigured:

  • Select object types

  • Select attributes

  • Configure connector filters

  • Configure join and projection rules

  • Configure attribute flow

  • Configure deprovisioning

  • Configure extensions

Creating the Contoso GALMA

Create the Contoso GALMA first and then create the Fabrikam GALMA.

To create the Contoso GALMA

  1. On the domain controller for the connoa Active Directory domain, open Identity Manager.

  2. From the Tools menu, click Management Agents.

  3. From the Actions menu, click Create.

  4. In Management Agent Designer, in the Management agent for drop-down list, click Active Directory global address list (GAL).

  5. In Name, type Contoso GALMA and click Next.

  6. When configuring the management agent for Active Directory global address lists, the first step is to provide the name of the forest that the management agent connects to during import and export operations. If you use the example provided in this walkthrough, this management agent connects to the Contoso forest.

  7. On the Connect to an Active Directory Forest page, type the values for forest name (connoa.concorp.contoso.com), user name, password, and domain.

  8. Note   If you used different domain names than those suggested for this walkthrough, enter that information on this page.

  9. Click Next.

  10. Next, specify the directory partition and organizational units (OUs) the management agent uses for GAL synchronization. If you used the scripts accompanying this walkthrough to configure your test environment, then the necessary OU structure has been created in the Contoso forest inside the CONNOA-DC-01 OU.

  11. On the Configure Directory Partitions page, in Select directory partitions, select the only partition listed (DC=connoa,DC=concorp,DC=contoso,DC=com).

  12. Clear the Sign and encrypt LDAP traffic check box.

  13. Click Containers.

  14. Clear the check box next to the directory partition to clear all organizational units under it.

  15. Expand the directory partition if necessary, and then expand the domain controller name.

  16. Select the GALSynchronization organizational unit. The organizational units beneath it, Fabrikam and Contoso, will also be selected.

  17. Click OK, and then click Next.

    The next step is to identify the container that will be used to store the contacts from other forests. Based on the sample data provided with this walkthrough, GAL synchronization will take place between the Contoso and Fabrikam forests. If the scripts accompanying this walkthrough are used, a Fabrikam container is created in the OU structure. Inside the Fabrikam container, an additional container named Contacts is created to act as the storage location for contacts imported from the Fabrikam forest.

  18. On the Configure GAL page, under GAL container information, click Target.

  19. In Target Container, in Select a partition, select the DC=connoa,DC=concorp,DC=contoso,DC=com target organizational unit.

  20. Click Container.

  21. In Select Containers, expand CONNOA-DC-01, expand the GAL Synchronization container, expand the Fabrikam container, and then select only the Contacts container beneath it.

  22. Click OK to close Select Containers, and then click OK again to close Target Container.

    Next, you need to identify the container used to store the contacts from the local forest, in this case Contoso, which contains the contact information that is to be sent to the other forest.

  23. Click Source….

  24. Make sure DC=connoa,DC=concorp,DC=contoso,DC=com is selected in the Select a partition drop-down list.

  25. Click Add Containers….

  26. Expand CONNOA-DC-01, expand the GAL Synchronization container, expand the Contoso container, and then select only the Contacts container beneath the Contoso container.

  27. Click OK to close Select Containers, and then click OK again to close Source Container.

  28. On the same Configure GAL page, under Exchange configuration, click Edit….

  29. Enter the e-mail suffix @Contoso.com and click Add. Click OK.

    Note

    On the Configure GAL page, do not select the check boxes for routing mail to contacts or specifying an administrative group.

  30. Click Next.

    The management agent for Active Directory GAL is preconfigured to select specific objects and specific attributes of those objects so MIIS 2003 can synchronize the information necessary to create valid contact objects in the other forest.

  31. On the Select Object Types page, verify that the object types required for GAL synchronization are selected. Any object types that are already selected should remain selected. If they are not selected by default, ensure the following object types are selected: contact, container, domainDNS, group, organizationalUnit, and user.

  32. Click Next.

  33. On the Select Attributes page, select Show All. Any attributes that are already selected can remain selected. In addition, verify that the following attributes required for GAL synchronization are selected:

    • cn

    • company

    • displayName

    • employeeID

    • givenName

    • hideDLMembership

    • l

    • legacyExchangeDN

    • mail

    • mailNickname

    • Name

    • proxyAddresses

    • sn

    • targetAddress

    • userAccountControl

  34. Click Next.

  35. The management agent for Active Directory GAL is preconfigured to use rules extensions. On the Configure Connector Filter page, ensure that contact, group, and user are configured to use a rules extension as their filter type. Click Next.

    Join and Projection, Attribute Flow, and Deprovisioning rules are all preconfigured and require no changes.

  36. On the Configure Join and Projection Rules page, you can see that four join and one projection rules for GAL synchronization are specified.

    Note

    You can expand the join and projection rules to see data source attribute, mapping type, and metaverse attribute for each rule.

  37. Click Next.

  38. In Configure Attribute Flow, you can see that five preconfigured attribute flow mappings for GAL synchronization are specified.

    Note

    You can expand the attribute flows to see data source attribute, flow type, and metaverse attribute for each attribute flow mapping.

  39. Click Next.

  40. On the Configure Deprovisioning page, in Deprovisioning Options, verify that the Determine with a rules extension option is selected.

  41. Click Next.

  42. On the Configure Extensions page, in Rules extension name, verify that the GALSync.dll file is specified.

    Note

    The Contoso GALMA looks for this file in the following location: C:\Program Files\Microsoft Identity Integration Server\Extensions.

  43. Click Finish.

Creating the Fabrikam GALMA

The Fabrikam GALMA is similar to the Contoso GALMA, except for the management agent name and forest information.

To create the Fabrikam GALMA

  1. On the domain controller for the connoa Active Directory domain, open Identity Manager.

  2. From the Tools menu, click Management Agents.

  3. From the Actions menu, click Create.

  4. In Management Agent Designer, in Management agent for, click Active Directory global address list (GAL).

  5. In Name, type Fabrikam GALMA, and then click Next.

  6. Identify the forest and partition that the management agent needs to connect to.

  7. On the Connect to an Active Directory forest page, type the values for forest name (fabnoa.fabcorp.fabrikam.com), user name, password and domain.

  8. Note   If you used different domain names than those suggested for this walkthrough, enter that information on this page.

  9. Click Next.

  10. On the Configure Directory Partitions page, in Select directory partitions, select the only partition listed (DC=fabnoa,DC=fabcorp,DC=fabrikam,DC=com).

  11. Clear the Sign and encrypt LDAP traffic check box.

  12. Identify the containers that are to be used for synchronizing the GALs.

  13. Click Containers….

  14. Clear the check box next to the directory partition to clear all organizational units under the directory partition.

  15. Expand the directory partition if necessary, and then expand the domain controller name, FABNOA-DC-01.

  16. Select the GALSynchronization organizational unit. Note that this also selects the Fabrikam and Contoso organizational units.

  17. Click OK, and then click Next.

  18. Identify the target container for contact information received from the other forest and the container from this forest that will be used to send contact information to the other forest.

  19. On the Configure GAL page, under GAL container configuration, click Target.

  20. In Target Container, in Select a partition, select the DC=fabnoa,DC=fabcorp,DC=fabrikam,DC=com target organizational unit.

  21. Click Container….

  22. In Select Containers, expand the directory partition (DC=fabnoa,DC=fabcorp,DC=fabrikam,DC=com), expand the node with name of the fabnoa domain controller (FABNOA-DC-01), expand GALSynchronization, expand Contoso, and then check Contacts.

  23. Click OK to close Select Containers, and then click OK again to close Target Container.

  24. Click Source….

  25. Click Add Containers….

  26. Expand the FABNOA-DC-01 branch of the tree until you see the Contacts container under Fabrikam. Make sure that Contacts container is selected.

  27. Click OK to close Select Containers, and then click OK again to close Source Container.

  28. On the Configure GAL page, configure the settings under Exchange configuration. Click Edit….

  29. Enter @Fabrikam.com and click Add. Click OK.

  30. Note   On the Configure GAL page, do not select the check boxes for routing mail to contacts or specifying an administrative group.

  31. Click Next.

  32. On the Select Object Types page, verify that the object types required for GAL synchronization are selected. Any object types that are already selected should remain selected. If they are not selected by default, ensure the following object types are selected: contact, container, domainDNS, group, organizationalUnit, and user.

  33. Click Next.

  34. On the Select Attributes page, select Show All. Any attributes that are already selected should remain selected. In addition, verify that the attributes required for GAL synchronization are selected (use the same list provided for the Contoso GALMA earlier).

  35. Click Next.

  36. Connector Filters, Join and Projection Rules, Attribute Flow, and Deprovisioning are all preconfigured for the management agent and require no changes. Click Next to proceed through each screen until you see the Configure Extensions screen.

  37. On the Configure Extensions page, in Assembly name, verify that the GALSync.dll file is specified.

  38. Note   The Fabrikam GALMA looks for this file in the following location: C:\Program Files\Microsoft Identity Integration Server\Extensions.

  39. Click Finish.

Running the Management Agents

By running the Contoso GALMA and Fabrikam GALMA, you populate the MIIS 2003 metaverse and create contacts in both Active Directory forests.

Using Management Agent Run Profiles

Run profiles are created when you create the Contoso GALMA and Fabrikam GALMA. The following table lists and describes the eight run profiles that are created automatically.

| Run Profile | Description |
| --- | --- |
| Delta Import | All changed data flows from the Active Directory data source to the MIIS 2003 connector space and metaverse. |
| Delta Import (Stage Only) | All changed data flows from the Active Directory data source to the MIIS 2003 connector space and is staged for inbound synchronization with the metaverse. |
| Delta Synchronization | After changed data source data is staged, changed data flows from the MIIS 2003 connector space to the metaverse during inbound synchronization and from the metaverse to the connector space during outbound synchronization. |
| Export | All data staged for export flows from the MIIS 2003 connector space to the Active Directory data source. |
| Full Import | All specified data flows from the Active Directory data source to the MIIS 2003 connector space and metaverse. |
| Full Import (Stage Only) | All specified data flows from the Active Directory data source to the MIIS 2003 connector space and is staged for inbound synchronization with the metaverse. |
| Full Import and Full Synchronization | All specified data flows from the Active Directory data source to the MIIS 2003 connector space. Then, all specified data flows from the MIIS 2003 connector space to the metaverse during inbound synchronization and from the metaverse to the connector space during outbound synchronization. |
| Full Synchronization | Any staged data flows from the MIIS 2003 connector space to the metaverse during inbound synchronization and from the metaverse to the connector space during outbound synchronization. |

Enable provisioning, and then run both management agents by using the run profiles in the following order:

  1. Full Import (Staging Only) to the connector space. This step imports all specified Active Directory data into the connector space.

  2. Full Synchronization. This synchronizes connector space data with the metaverse.

  3. Export. This exports connector space data to the Active Directory forests.

  4. Delta Import. This confirms that the export was successful.

Run each management agent by using the listed run profile before you run the next run profile in the list. In other words, run the Contoso GALMA by using Full Import (Staging Only) and then run the Fabrikam GALMA by using Full Import (Staging Only) before you run the Full Synchronization run profile for either management agent.

Important

Use this run profile sequence the first time you run the management agents after creating them. Running the profiles in the order specified is necessary to properly populate the metaverse and connector space. After you complete these run profile steps for both management agents once, you need to complete the run profile steps in a different order for all subsequent management agent operations.

For all subsequent management agent operations, use the run profiles in the following order:

  1. Delta Import (Staging Only) to the connector space. This step imports all updated Active Directory data into the connector space.

  2. Delta Synchronization. This synchronizes updated connector space data with the metaverse.

  3. Export. This exports connector space data to the Active Directory forests.

  4. Delta Import. This confirms that the export was successful.
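The two run sequences above can also be driven from a script, which keeps the ordering rule (each run profile on both management agents before the next profile starts) from depending on manual clicks. This is an added example, not part of the original walkthrough; it assumes the MIIS 2003 WMI provider (`MIIS_ManagementAgent` in the `root\MicrosoftIdentityIntegrationServer` namespace), that the run profile names match the table above, and that provisioning has already been enabled in Identity Manager.

```powershell
# Added example (not from the walkthrough): run the GAL sync run profiles in
# the documented order through the MIIS WMI provider.
# Assumptions: executed on the MIIS 2003 server by an account that is allowed
# to run management agents; agent names are the ones created in this
# walkthrough; run profile names match the run profile table on this page.
param(
    [switch]$FirstRun   # use the first-run sequence instead of the delta sequence
)

$ErrorActionPreference = 'Stop'
$namespace = 'root\MicrosoftIdentityIntegrationServer'
$agents    = 'Contoso GALMA', 'Fabrikam GALMA'

if ($FirstRun) {
    # Sequence for the first run after the management agents are created.
    $sequence = 'Full Import (Stage Only)', 'Full Synchronization', 'Export', 'Delta Import'
} else {
    # Sequence for all subsequent operations.
    $sequence = 'Delta Import (Stage Only)', 'Delta Synchronization', 'Export', 'Delta Import'
}

function Invoke-RunProfile([string]$AgentName, [string]$ProfileName) {
    # Look up the management agent by name and execute one run profile.
    # Execute() blocks until the run finishes and returns a status string.
    $ma = Get-WmiObject -Namespace $namespace -Class MIIS_ManagementAgent `
                        -Filter "Name='$AgentName'"
    if (-not $ma) { throw "Management agent '$AgentName' was not found." }
    $result = $ma.Execute($ProfileName)
    return $result.ReturnValue
}

# Outer loop is the run profile, inner loop is the agent: every agent finishes
# a profile before any agent starts the next one.
foreach ($runProfile in $sequence) {
    foreach ($agent in $agents) {
        $status = Invoke-RunProfile $agent $runProfile
        Write-Host ("{0,-16} {1,-28} {2}" -f $agent, $runProfile, $status)

        # Stop on anything other than a clean run so that a failed import or
        # synchronization is reviewed before data is exported to either forest.
        if ($status -ne 'success') {
            throw "Run profile '$runProfile' on '$agent' returned '$status'; sequence halted."
        }
    }
}
```

Statuses other than `success` (for example a run that completes with warnings or with no objects to process) also halt the sequence here, so review the run in Identity Manager before continuing.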

If your environment has existing contact objects that have been created by previous synchronization solutions, the first time the management agents are run, the following order for the run profiles is recommended instead of the order listed above. Running the profiles in this order ensures that all objects are joined and that duplicate mail recipient objects are not provisioned during the initial setup of GAL synchronization. The recommended order is:

  1. Full Import with staging to the connector space on all management agents

  2. Delta Synchronization on all management agents

  3. Repeat Delta Synchronization on all management agents

  4. Export on all management agents

Running the Run Profiles and Enabling Provisioning

In order for the GAL Synchronization management agent to function properly, provisioning must be enabled. Verify that provisioning is enabled before you begin to stage data.

To verify that provisioning is enabled

  1. On the domain controller for the connoa Active Directory domain, open Identity Manager.

  2. From the Tools menu, click Options.

  3. In Metaverse Rules Extensions, ensure that the Enable metaverse rules extensions check box is selected.

  4. Ensure that the Enable Provisioning Rules Extension check box is selected.

  5. Click OK.

After you verify that provisioning is enabled, stage the Contoso data by using the Contoso GALMA. This step creates all the Contoso objects in the connector space.

To run the Full Import (Staging Only) run profile for the Contoso GALMA

  1. In Identity Manager, in Management Agents view, click the Contoso GALMA.

  2. From the Actions menu, click Run.

  3. In Run Management Agent, in Run Profiles, click Full Import (Stage Only), and then click OK.

The Synchronization Statistics should show 34 Adds. This represents the nine OUs (forest, DC, GALSynchronization, Contoso, Contoso Contacts, Fabrikam, Fabrikam Contacts, Users and Groups) and the 25 user, group, and contact objects.

Next, you stage the data for the Fabrikam GALMA. This step creates all the Fabrikam objects in the connector space.

To run the Full Import (Staging Only) run profile for the Fabrikam GALMA

  1. In Identity Manager, in Management Agents view, click the Fabrikam GALMA.

  2. From the Actions menu, click Run.

  3. In Run Management Agent, in Run Profiles, click Full Import (Stage Only), and then click OK.

Again you should see 34 Adds listed in the Synchronization Statistics.

Next, you perform a full synchronization for each of the management agents. This causes the join and projection rules to be processed. All objects will be created in the metaverse and linked to their corresponding connector space objects. Export attribute flow rules will also prepare any objects that are to be exported. The contact information from the Contoso GAL will be flagged for export to the Fabrikam GAL. The Fabrikam contact information will be flagged for export to the Contoso GAL.

To run full synchronization for the Contoso GALMA

  1. In Identity Manager, in Management Agents view, click the Contoso GALMA.

  2. From the Actions menu, click Run.

  3. In Run Management Agent, in Run Profiles, click Full Synchronization, and then click OK.

The Synchronization Statistics should show a total of 25 projections. These are the new objects created in the metaverse for storing the user, group, and contact information for the objects in the Contoso forest.

To run full synchronization for the Fabrikam GALMA

  1. In Identity Manager, in Management Agents view, click the Fabrikam GALMA.

  2. From the Actions menu, click Run.

  3. In Run Management Agent, in Run Profiles, click Full Synchronization, and then click OK.

Again you should see 25 projections. These are the new metaverse objects used to store the Fabrikam object data.

Next, you export the data to each Active Directory forest. During this step, any objects staged for export will be exported from the connector space to the connected data source. The Contoso contact objects, staged during the previous synchronization, will be exported to the Fabrikam directory. The staged Fabrikam contact objects will be exported to the Contoso directory.

To run the export run profile for the Contoso GALMA

  1. In Identity Manager, in Management Agents view, click the Contoso GALMA.

  2. From the Actions menu, click Run.

  3. In Run Management Agent, in Run Profiles, click Export, and then click OK.

In the Synchronization Statistics, you should see 25 Adds, indicating that the 25 objects from the Fabrikam forest have been exported to the Contoso forest.

To run the export run profile for the Fabrikam GALMA

  1. In Identity Manager, in Management Agents view, click the Fabrikam GALMA.

  2. From the Actions menu, click Run.

  3. In Run Management Agent, in Run Profiles, click Export, and then click OK.

Again you will see 25 Adds, indicating that the 25 objects from the Contoso forest have been exported to the Fabrikam forest.

Note

When you perform an export, MIIS 2003 cannot be certain that the export completed successfully. To confirm the export, MIIS 2003 stores the exported changes for an object in the connector space. During the next import, MIIS 2003 compares the imported data with the exported changes.

Now you must perform an import so that MIIS 2003 can confirm that the export was successful.

To run a delta import for the Contoso GALMA

  1. In Identity Manager, in Management Agents view, click the Contoso GALMA.

  2. From the Actions menu, click Run.

  3. In Run Management Agent, in Run Profiles, click Delta Import, and then click OK.

Verify that 25 Adds and 25 Updates are reported back from Active Directory to MIIS 2003 as a result of the Delta Import run profile.

To run a delta import for the Fabrikam GALMA

  1. In Identity Manager, in Management Agents view, click the Fabrikam GALMA.

  2. From the Actions menu, click Run.

  3. In Run Management Agent, in Run Profiles, click Delta Import, and then click OK.

Verify that 25 Adds and 25 Updates are reported back from Active Directory to MIIS 2003 as a result of the Delta Import run profile.

The GAL Synchronization management agent synchronizes the mail-enabled contacts from one forest to another. All the users, groups, and contacts created by the scripts for this walkthrough are mail-enabled. You can test the behavior of the management agent for Active Directory GAL by creating a user who does not have a mailbox and witnessing what happens to the account during synchronization.

To verify synchronization behavior for accounts that are not mail-enabled

  1. On the domain controller for Connoa, use Active Directory Users and Computers to create a new user account. Create the new user in the Users OU located in the Contoso OU under the CONNOA-DC-01 OU. Use the following options when you create the account:

    • First Name: Contoso

    • Last Name: NoMailUser

    • User Logon Name: NoMailUser

    • Make sure you clear the Create an Exchange mailbox check box when given the choice.

    • Accept the defaults for all other settings.

  2. Once the user account is created, synchronize the contact data between the two forests. Use the Contoso GALMA and perform a Delta Import.

Upon completion of the Delta Import, you can see one filtered disconnector object listed in the Synchronization Statistics. If you open the object details for the disconnector object, you can see that it is the new user account you created with no e-mail. Because the account is not mail-enabled, it is filtered during synchronization and is not added to the metaverse.

Verifying the Results

You can examine the results of the GAL synchronization process by using the Active Directory Users and Computers console on each of the domain controllers to view the Contacts imported from the other forest.

To verify the synchronized contacts in the Connoa domain

  1. On the domain controller for the connoa Active Directory domain, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  2. Expand the organizational unit named after the domain controller, and then expand GALSynchronization.

  3. Expand Fabrikam, and then click Contacts.

Verify that 25 new contacts now exist in this organizational unit.

To verify the synchronized contacts in the Fabnoa domain

  1. On the domain controller for the fabnoa Active Directory domain, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  2. Expand the organizational unit named after the domain controller, and then expand GALSynchronization.

  3. Expand Contoso, and then click Contacts.

Verify that 25 new contacts now exist in this organizational unit.
