Global Address List Synchronization Walkthrough: Scenario Design

Applies To: Windows Server 2003 with SP1


Walkthrough Scenario Description

In this walkthrough, you implement an MIIS 2003 solution to synchronize global address lists between two organizations so they each have contact objects in their respective global address lists to represent the users, groups, and contacts from the other organization. The two organizations, Fabrikam and Contoso, each maintain their own e-mail environments by using Microsoft Exchange Server 2003. Each organization maintains its own Active Directory forest, which is used to host the GAL for that organization’s e-mail. To synchronize their global address lists, the users, groups, and contacts in the Contoso forest need to have corresponding contact objects added to the GAL in the Fabrikam forest. The users, groups, and contacts in the Fabrikam forest need to be added to the Contoso GAL. In this walkthrough, you use the management agent for Active Directory global address list (GAL) to implement this solution.

The Testing Environment

This walkthrough uses two servers. Each server hosts one Active Directory forest and acts as an Exchange server for that forest. One of the servers also hosts MIIS 2003 and acts as the DNS server for both forests. The servers are connected to a network and DNS is configured so the servers can locate each other.

Note

To avoid the possibility of interfering with your identity management environment, the procedures in this walkthrough should not be performed on an MIIS 2003 server that is currently acting as part of the identity management infrastructure in your production environment.

For complete instructions about how to build and configure the test environment for this walkthrough, see Lab Setup.

The lab environment for this walkthrough requires the following hardware and software:

Hardware

To complete this walkthrough, you must configure two server computers. Use hardware that meets or exceeds the following specifications:

  • Pentium II 500

  • 256 MB of RAM

  • 8-GB hard disk

  • 512-KB L2 cache

  • Network adapter

  • 4-MB video adapter

  • SVGA monitor (17 inch)

  • Microsoft Mouse or compatible pointing device

All hardware must be on the Microsoft Windows Server 2003, Enterprise Edition, Windows Catalog, available on the Microsoft web site (https://www.microsoft.com/windows/catalog/server/).

Software

Ensure that you have the installation media for the following software available before you begin this scenario:

  • Microsoft Windows Server 2003, Enterprise Edition.

  • Microsoft Exchange Server 2003, Standard Edition; or Microsoft Exchange Server 2003, Enterprise Edition.

  • Microsoft Identity Integration Server 2003, Enterprise Edition with Service Pack 1.

    Note

    The Identity Integration Feature Pack (IIFP) 1a for Microsoft Windows Server Active Directory can also be used for this walkthrough if Microsoft Identity Integration Server 2003, Enterprise Edition is not available.

  • Microsoft SQL Server 2000, Enterprise Edition with Service Pack 3a.

    If you are building a new server, Microsoft SQL Server 2000 Standard Edition (with Service Pack 3a) can be used instead, but only with a fresh installation of MIIS 2003 with Service Pack 1 or of IIFP 1a. You cannot install a pre-SP1 build of MIIS 2003 on SQL Server 2000 Standard Edition and then apply the MIIS 2003 SP1 update, because versions of MIIS 2003 earlier than Service Pack 1 require SQL Server 2000 Enterprise Edition.

  • Optionally, if you intend to complete the Live Communications Server procedures at the end of this walkthrough, you also need Live Communications Server 2005 SP1 Standard or Enterprise Edition.

Setup Files

In addition to the installation media mentioned above, this walkthrough also uses a number of support files to help streamline the setup of the lab environment. The Windows Installer package that contains this walkthrough also includes the required support files. The Windows Installer package can be downloaded from the Microsoft Download Center. Copy these support files into a folder named C:\MIIS\GALSynchronization on the server running MIIS 2003, as described in the following section.

Sample Data

To support this MIIS 2003 GAL synchronization walkthrough, command-line scripts are provided to create the organizational units and user accounts in each of the Active Directory forests. Instructions for the use of these scripts are included in Lab Setup.

Before using these scripts to create these organizational units, understand the organizational unit structure common to all MIIS 2003 GAL synchronization implementations and the specific implementation for this scenario. In addition, become familiar with metaverse schema extensions that are used to support this MIIS 2003 GAL synchronization scenario.

Active Directory Organizational Unit Structure

GAL synchronization between Active Directory forests involves a source forest and a target forest. In this walkthrough each forest plays both roles: it is the source for its own users, groups, and contacts, and the target for the other forest's. Each forest uses organizational units created specifically for GAL synchronization. In the source forest are organizational units for Users, Groups, and Contacts whose objects MIIS 2003 uses to populate a specific Contacts organizational unit in the target forest. All Active Directory objects used to support GAL synchronization are stored in these organizational units.

The following table lists the organizational units required by each Active Directory forest used in this walkthrough.

Description                               Contoso organizational units   Fabrikam organizational units
Domain controller name                    CONNOA-DC-01                   FABNOA-DC-01
Synchronization organizational unit       GALSynchronization             GALSynchronization
Local (source) domain                     Contoso                        Fabrikam
User                                      Users                          Users
Group                                     Groups                         Groups
Contacts                                  Contacts                       Contacts
Remote (target) domain                    Fabrikam                       Contoso
Organizational unit for remote contacts   Contacts                       Contacts

Important

If you build this scenario by using a different organizational unit structure, the example will vary; however, the label of the lowest OU in the OU structure (Contacts) for each forest must be named Contacts when you deploy the Microsoft Identity Integration Server 2003 GAL synchronization solution.

The following figure shows the correct organizational unit structure for the Connoa forest as viewed in the Active Directory Users and Computers snap-in.

[Figure: organizational unit structure for the Connoa forest, as shown in the Active Directory Users and Computers snap-in]

The connoa and fabnoa forests each have an organizational unit named after the local domain controller (CONNOA-DC-01 or FABNOA-DC-01), under which a GAL synchronization organizational unit (GALSynchronization) exists. The GALSynchronization OU contains two organizational units, one named after each forest. The one named after the local forest (Contoso in connoa, Fabrikam in fabnoa) contains the Users, Groups, and Contacts organizational units that hold the source objects for the other forest. The one named after the remote forest (Fabrikam in connoa, Contoso in fabnoa) contains an organizational unit named Contacts in which the synchronized contact objects are stored. In the connoa domain, the OU that accommodates the Fabrikam contacts is therefore named Fabrikam; in the fabnoa domain, the corresponding OU is named Contoso.

Note

If the scripts included with the support files for this walkthrough are used to setup the lab environment, the proper organizational unit structure will be created on each lab server. Instructions for the use of these scripts are included in Lab Setup.

Using the computer name of the Active Directory domain controller in the OU structure is uncommon in an Active Directory forest; however, by including the computer name, variations on the scenario within this document can use the same Active Directory forests.

You can use any hierarchical OU structure you want when implementing GAL synchronization. To use the scripts included with this walkthrough, however, you must use the structure described here. To use a different OU structure, create your own users, groups, and contacts for testing because the scripts cannot populate the customized OU structure.

Also remember that if you build this scenario by using a different OU structure, the label of the lowest OU in the OU structure (Contacts) for each forest must be named Contacts when you deploy the Microsoft Identity Integration Server 2003 GAL synchronization solution.

For example, the Lightweight Directory Access Protocol (LDAP) distinguished name of the organizational unit that receives Fabrikam contacts in the Connoa forest is:

ou=Contacts,ou=Fabrikam,ou=GALSynchronization,ou=CONNOA-DC-01,DC=connoa,DC=concorp,DC=contoso,DC=com

If your domain controller has a different name, the ou=CONNOA-DC-01 component is replaced by the computer name of that domain controller.

The LDAP distinguished names of the organizational units in the Connoa forest are:

ou=Contacts,ou=Contoso,ou=GALSynchronization,ou=CONNOA-DC-01,DC=connoa,DC=concorp,DC=contoso,DC=com
ou=Users,ou=Contoso,ou=GALSynchronization,ou=CONNOA-DC-01,DC=connoa,DC=concorp,DC=contoso,DC=com
ou=Groups,ou=Contoso,ou=GALSynchronization,ou=CONNOA-DC-01,DC=connoa,DC=concorp,DC=contoso,DC=com
ou=Contacts,ou=Fabrikam,ou=GALSynchronization,ou=CONNOA-DC-01,DC=connoa,DC=concorp,DC=contoso,DC=com

As stated earlier, the parent of the last of these organizational units is named Fabrikam to indicate that the contacts in its Contacts organizational unit represent users, groups, and contacts from the remote Fabrikam forest.

The LDAP distinguished names of the organizational units in the Fabrikam forest are:

ou=Contacts,ou=Fabrikam,ou=GALSynchronization,ou=FABNOA-DC-01,DC=fabnoa,DC=fabcorp,DC=fabrikam,DC=com
ou=Users,ou=Fabrikam,ou=GALSynchronization,ou=FABNOA-DC-01,DC=fabnoa,DC=fabcorp,DC=fabrikam,DC=com
ou=Groups,ou=Fabrikam,ou=GALSynchronization,ou=FABNOA-DC-01,DC=fabnoa,DC=fabcorp,DC=fabrikam,DC=com
ou=Contacts,ou=Contoso,ou=GALSynchronization,ou=FABNOA-DC-01,DC=fabnoa,DC=fabcorp,DC=fabrikam,DC=com

Following the convention used for the Contoso organizational units, the parent of the last of the Fabrikam organizational units is named Contoso to indicate that the contacts in its Contacts organizational unit represent objects from the remote Contoso forest.
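The following script derives the OU distinguished names listed above for either forest, checks the rule that the lowest OU receiving synchronized contacts must be named Contacts, and emits the dsadd commands that would create the OUs parent-first. It is an added example, not one of the walkthrough's support scripts; the forest parameters are copied from the OU table and DN lists on this page, and the RDN escaping is a general precaution that the lab names themselves do not need.

```python
"""Derive and validate the GAL synchronization OU hierarchy used in this walkthrough.

Added example, not one of the walkthrough's support scripts. From four inputs
(domain-controller name, local forest name, remote forest name, domain DN) it
produces the OU distinguished names parents-first, checks that the lowest OU
under the remote-forest container is named Contacts, and emits the dsadd
commands that would create the OUs in that order.
"""
from typing import List

# The two lab forests, taken from the walkthrough's OU table and DN lists.
CONNOA = dict(dc_name="CONNOA-DC-01", local="Contoso", remote="Fabrikam",
              domain_dn="DC=connoa,DC=concorp,DC=contoso,DC=com")
FABNOA = dict(dc_name="FABNOA-DC-01", local="Fabrikam", remote="Contoso",
              domain_dn="DC=fabnoa,DC=fabcorp,DC=fabrikam,DC=com")

SYNC_OU = "GALSynchronization"
LOCAL_CHILDREN = ("Users", "Groups", "Contacts")  # source objects for the other forest
REMOTE_CHILD = "Contacts"                         # synchronized contacts land here


def escape_rdn_value(value: str) -> str:
    """Escape an RDN value per RFC 4514 so a name containing ',', '+', '"',
    '\\', '<', '>' or ';' (or a leading '#'/space or trailing space) cannot
    splice extra RDNs into the DN. The lab names need no escaping; this
    matters when OU names come from untrusted input."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def first_rdn(dn: str) -> str:
    """Return the leftmost RDN of a DN, honouring backslash escapes so an
    escaped comma inside a value is not mistaken for an RDN separator."""
    out, i = [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            out.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            break
        out.append(dn[i])
        i += 1
    return "".join(out)


def gal_sync_ous(dc_name: str, local: str, remote: str, domain_dn: str) -> List[str]:
    """Return every OU DN for one forest, each parent before its children."""
    def dn(*rdns: str) -> str:
        # rdns are listed leaf-first, the way the walkthrough writes its DNs
        return ",".join(f"ou={escape_rdn_value(r)}" for r in rdns) + "," + domain_dn

    ous = [dn(dc_name), dn(SYNC_OU, dc_name), dn(local, SYNC_OU, dc_name)]
    ous += [dn(child, local, SYNC_OU, dc_name) for child in LOCAL_CHILDREN]
    ous += [dn(remote, SYNC_OU, dc_name), dn(REMOTE_CHILD, remote, SYNC_OU, dc_name)]
    return ous


def leaf_is_contacts(dn: str) -> bool:
    """The walkthrough's rule: the lowest OU that receives synchronized
    contacts must be named Contacts. OU names are case-insensitive in AD."""
    attr, _, value = first_rdn(dn).partition("=")
    return attr.strip().lower() == "ou" and value.strip().lower() == "contacts"


def dsadd_commands(ous: List[str]) -> List[str]:
    """dsadd ou <DN> lines in creation order; dsadd.exe ships with
    Windows Server 2003 and needs each parent OU to exist first."""
    return [f'dsadd ou "{ou}"' for ou in ous]


if __name__ == "__main__":
    for forest in (CONNOA, FABNOA):
        ous = gal_sync_ous(**forest)
        assert leaf_is_contacts(ous[-1]), ous[-1]
        print("\n".join(dsadd_commands(ous)))
```

Running the script prints the eight dsadd lines for each forest in an order that can be pasted into a command prompt on the respective domain controller; the Contacts check fails loudly if someone renames the leaf OU when adapting the structure.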

The Active Directory users in this scenario use Exchange mailboxes, and the groups use Exchange e-mail addresses. Both of these are created from the Active Directory Users and Computers snap-in. Contacts are already mail-enabled.

Metaverse Schema Extensions

When you create the first management agent for Active Directory GAL, the metaverse schema is extended to include additional attributes that are required for contact objects stored in the GAL. Attributes are added for the following metaverse object types:

  • Person

  • Group

  • contact_Contoso_galma

  • contact_Fabrikam_galma

The extensions enable the metaverse to represent user objects from each forest as metaverse person objects, Active Directory group objects as metaverse group objects, and Active Directory contact objects as separate per-forest metaverse contact objects (contact_Contoso_galma and contact_Fabrikam_galma).

The management agent generates the attributes listed in the following table for the Person metaverse object.

Attribute                                 Type
hideFromAddressLists (hideDLMembership)   Boolean
legacyExchangeDN                          Indexable String
Name                                      Indexable String
proxyAddresses                            Indexable String
targetAddress                             Indexable String
userAccountControl                        Number

The management agent generates the attributes listed in the following table for the Group metaverse object.

Attribute              Type               Multi-valued
hideFromAddressLists   Boolean            No
legacyExchangeDN       Indexable String   No
proxyAddresses         Indexable String   Yes
targetAddress          Indexable String   No

The management agent also adds two new object types, contact_Contoso_galma and contact_Fabrikam_galma, to the metaverse schema and generates the attributes listed in the following table for those objects.

Attribute              Type               Multi-valued
cn                     Indexable String   No
company                Indexable String   No
displayName            Indexable String   No
employeeID             Indexable String   No
givenName              Indexable String   No
hideFromAddressLists   Boolean            No
l                      Indexable String   No
legacyExchangeDN       Indexable String   No
mail                   Indexable String   No
mailNickname           Indexable String   No
sn                     Indexable String   No
proxyAddresses         Indexable String   Yes
targetAddress          Indexable String   No
