Поділитися через


Synchronizing a Global Address List in an Exchange 2007 Environment

Applies To: Windows Server 2003 with SP2

Microsoft® Identity Lifecycle Manager 2007 (ILM 2007) FP1 provides a solution to synchronize the global address list (GAL) between two Active Directory forests through a Microsoft® Exchange Server 2007 Service Pack 1(SP1) infrastructure. The goal of a GAL synchronization solution is to synchronize users, groups, and contacts from one forest with contact objects to another forest.

What This Document Covers

This document outlines the necessary steps to implement a simple GAL synchronization solution between two forests in an Exchange 2007 environment. This document guides you to:

  • Populate the initial Active Directory and Exchange 2007 SP1 infrastructures for both forests using scripts provided in the Appendix.

  • Assign the necessary permissions to the accounts used in the management agents for GAL synchronization,

  • Configure ILM 2007 FP1 to perform GAL synchronization between the two forests.

  • Verify that the contacts have successfully synchronized between the two forests.

Prerequisite Knowledge

This document assumes that you have a basic understanding of the following information technology (IT) concepts and tasks:

For an introduction to essential concepts, see the following documents:

For a design overview of GAL synchronization, see Microsoft Identity Integration Server 2003 Global Address List (GAL) Synchronization (https://go.microsoft.com/fwlink/?LinkId=41449).

For a description of all MIIS 2003 documentation, see Microsoft Identity Integration Server 2003 Documentation Roadmap (https://go.microsoft.com/fwlink/?LinkID=82465).

Note

A description of how to set up, Active Directory, and Exchange Server 2007 is out of the scope of this document.

Audience

This guide is intended for IT planners, systems architects, technology-decision makers, consultants, infrastructure planners, and IT personnel who plan and develop solutions to synchronize global address lists between two forests in an Exchange 2007 environment.

Time Requirements

The procedures in this document require 60 to 90 minutes for a new user to complete. An experienced user can complete them in 30 to 40 minutes.

Scenario Description

Fabrikam and Contoso are two fictitious organizations who have an Exchange 2007 infrastructure, and would like to use the GAL synchronization feature in to synchronize their global address lists between their two Active Directory forests.

96397a3b-b586-4a33-9aa3-d805af9339f3

Testing environment

The testing environment for this document consists of two forests, Contoso (contoso.com) and Fabrikam (Fabrikam.com).

The following infrastructure is required for the Contoso forest:

  • One Active Directory domain controller (DC1)

    To simplify the testing environment for this guide, this server also hosts the DNS server role for this forest as well as the DNS zone for the Fabrikam (fabrikam.com) forest.

  • One server hosting Exchange Server 2007 SP1 (ConExch)

  • One server hosting FP1 (ILMSrv1)

Important

This server requires ILM 2007 FP1 for GAL synchronization to occur in an Exchange 2007 environment. Versions of Exchange Server prior to the release of Exchange 2007 FP1 will not work for implementing the scenario outlined in this document.

This server requires the following software:

  • Microsoft Windows Server 2003, Enterprise Edition

  • Microsoft SQL Server 2000 or Microsoft SQL Server 2005

  • Windows Powershell 1.0

  • Exchange Server 2007 SP1 Management tools

Important

The ILM 2007 FP1 server needs to be a domain member server. This is required because the installation of Exchange Server 2007 SP1 Management tools requires this as a prerequisite. It does not have to be member of either forest, but it must reside in a domain with DNS connectivity to both forests. To simplify the testing environment for this guide, the ILM 2007 FP1 server has been placed in the Contoso forest.

The following infrastructure is required for the Fabrikam forest:

  • One Active Directory domain controller (DC2)

  • One server hosting Exchange Server 2007 SP1 (FabExch)

714a3629-deae-4cbe-8d09-91d3f444e90d

Before You Begin

Before you begin the procedures required for GAL synchronization, you will need to create three accounts. These accounts will run the MIISServer service, GAL synchronization management agent, and the Identity Manager user interface.

In addition, to simplify administrative tasks such as populating your Active Directory and Exchange Server 2007 SP1 environment, you can use the scripts provided in the Appendix.

Accounts

To implement a GAL synchronization environment between the Contoso and Fabrikam forests, you have to create the following accounts.

  • A domain service account for the MIIServer service (miisrvc) - This service account has to be a domain account because the Exchange Management tools, which are a requirement on the ILM 2007 FP1 server, must run under a domain account. The Exchange management tools also run under the ILM 2007 FP1 service account credentials.

  • GAL synchronization domain user accounts (ilmgalsync) - You need to create these accounts in both forests. They are used to run the management agents for the Contoso and Fabrikam forests.

  • A domain or local user account to be given MIIS administrative privileges (testact1) - This account must reside in the MIISAdmins group. This account allows you to launch and perform the functions required to configure ILM 2007 FP1 to perform GAL synchronization using the user interface.

Scripts in this document

The following table shows the scripts that are included in the Appendix of this document.

Appendix Description

Appendix A: Script to populate Active Directory and Exchange Server 2007 SP1 objects

This script populates the Contoso forest with the required Active Directory and Exchange Server 2007 SP1 objects.

Appendix B: Script to populate Active Directory and Exchange Server 2007 SP1 objects

This script populates the Fabrikam forest with the required Active Directory and Exchange Server 2007 SP1 objects.

Running the Scripts

The scripts in this document are designed to run locally on the computer that is hosting Exchange Server 2007 SP1. These scripts have to run under the credentials with a user who has rights to create objects in Active Directory as well as Exchange Server 2007 SP1.

To run a script

  1. From the Appendix, copy the script, and then paste it into a new Notepad file.

  2. Save the Notepad file on the local drive of the computer hosting Exchange Server 2007 FP1 as a .ps1 file, for example c:\Appendix.ps1.

    Although the name of the file is irrelevant, it must have the .ps1 file name extension.

  3. Open the Exchange Management Shell, by clicking on Start, All Programs, Microsoft Exchange Server 2007 and choosing Exchange Management Shell from the list of options.

  4. At the command prompt, change the directory to the location of the saved .ps1 file.

  5. At the command prompt type in the name of the .ps1 file in the following format, ./filename.

  6. Open the Active Directory User and Computers and Exchange Management Console snap-ins to verify the results.

Implementing the Procedures in this Document

To implement the procedures in this document, you must complete the following steps in the following order:

  1. Configure the Active Directory and Exchange Server 2007 environments in the Contoso forest

  2. Configure the Active Directory and Exchange Server 2007 environments in the Fabrikam forest

  3. Assign the appropriate permissions to the domain user account used for the GAL synchronization management agent in the Contoso forest

  4. Assign the appropriate permissions to the domain user account used for the GAL synchronization management agent in the Contoso forest

  5. Configure the GAL synchronization management agent for the Contoso forest

  6. Configure the GAL synchronization management agent for the Fabrikam forest

  7. Enable provisioning

  8. Test the Configuration

Configure the Active Directory and Exchange Server 2007 environments in the Contoso forest

GAL synchronization between Active Directory forests involves a source forest and a target forest. Each forest uses organizational units (OUs) created specifically for GAL synchronization. In the source forest are organizational units for Users, Groups, and Contacts that ILM 2007 FP1 uses to populate a specific Contacts organizational unit in the target forest. All Active Directory objects used to support GAL synchronization are stored in these organizational units.

The following table lists the organizational units required by the Contoso Forest.

Description Contoso Forest

Synchronization organizational unit

GALSynchronization

Source Domain

Contoso

Contacts

Contacts

Groups

Groups

This OU will contain two universal mail enabled distribution groups, ConGroup1 and ConGroup2.

Members of ConGroup1 are ConUser1 and ConUser2.

Members of Congroup2 are ConUser3 and ConUser4.

Users

Users

This OU will contain four mail enabled test users, ConUser1, ConUser2, ConUser3, and ConUser4. Each user will have a password of p@ssword1.

Target Domain

Fabrikam

Organizational unit for target contacts

Contacts

This organizational unit will receive the mail-enabled contacts from the Fabrikam forest.

The following illustration shows the Contoso Active Directory Objects for this document.

22324f7d-a01b-4648-8172-415d0740793f

For this document, if you choose to build your scenario using a different organizational structure, the lowest OU in the OU structure for each forest must be named Contacts when you deploy the ILM 2007 FP1 GAL synchronization solution.

You can use the tools provided by Active Directory to create the Contoso Active Directory environment for this document or you can use the script in Appendix A to create the environment.

For more information about using the supplied scripts, see Running the Scripts.

To create the required objects using Active Directory tools

To create the required objects using the script

  1. In Appendix A, copy and paste the script into a new Notepad file.

  2. Save the Notepad file on the local drive of the machine hosting Exchange Server 2007 SP1 as a .ps1 file, for example, C:\AppendixA.ps1.

  3. Open the Exchange Management Shell, by clicking on Start, All Programs, Microsoft Exchange Server 2007 and choosing Exchange Management Shell from the list of options.

  4. At the command prompt, change the directory to the location of the saved .ps1 file.

  5. At the command prompt type in the name of the .ps1 file in the following format, ./filename.

  6. Open the Active Directory User and Computers and Exchange Management Console snap-ins to verify the results.

Configure the Active Directory and Exchange Server 2007 environments in the Fabrikam forest.

In this step, you create the Active Directory and Exchange Server 2007 environments in the Fabrikam forest. As stated in the '"Configure the Active Directory and Exchange Server 2007 environments in the Contoso forest" step, GAL synchronization requires a source forest and a target forest. In this procedure, you will configure the required Active Directory and Exchange Server 2007 environment for the Fabrikam forest.

The following table lists the organizational units required by the Contoso Forest.

Description Fabrikam Forest

Synchronization organizational unit

GALSynchronization

Source Domain

Fabrikam

Contacts

Contacts

This OU will contain four contacts, FabContact1, FabContact2, FabContact3, and FabContact4.

Groups

Groups

This OU will contain two universal mail enabled distribution groups, FabGroup1 and FabGroup2.

Members of FabGroup1 are FabUser1 and FabUser2.

Members of FabGroup2 are FabUser3 and FabUser4.

Users

Users

This OU will contain four mail enabled test users, FabUser1, FabUser2, FabUser3, and FabUser4. Each user will have a password of p@ssword1.

Target Domain

Contoso

Organizational unit for target contacts

Contacts

This organizational unit will receive the mail-enabled contacts from the Contoso forest.

The following illustration shows the Fabrikam Active Directory Objects for this document.

6cdef8e8-4701-4e56-aacc-7d16c3b00379

If you choose to build your scenario using a different organizational structure, the lowest OU in the OU structure for each forest must be named Contacts when you deploy the ILM 2007 FP1 GAL synchronization solution.

You can use the tools provided by Active Directory to create the Contoso Active Directory environment for this document of you can use the script in Appendix A to create the environment.

For more information about using the supplied scripts, see Running the Scripts.

To create the required objects using Active Directory tools

To create the required objects using the script

  1. In Appendix B, copy and paste the script into a new Notepad file.

  2. Save the Notepad file on the local drive of the machine hosting Exchange Server 2007 SP1 as a .ps1 file, for example, C:\AppendixB.ps1.

  3. Open the Exchange Management Shell, by clicking on Start, All Programs, Microsoft Exchange Server 2007 and choosing Exchange Management Shell from the list of options.

  4. At the command prompt, change the directory to the location of the saved .ps1 file.

  5. At the command prompt type in the name of the .ps1 file in the following format ./filename.

  6. Open the Active Directory User and Computers and Exchange Management Console snap-ins to verify the results.

Assign the appropriate permissions to the domain user account

The domain user account used by the GAL synchronization management agent in the Contoso forest needs several permissions granted to it in order for successful GAL synchronization to occur between the source forest (Contoso) and the target forest (Fabrikam).

The permissions this account must have are:

  • Replicate Directory Changes - When discovering objects in Active Directory using the Active Directory GAL synchronization management agent, the account that is specified for connecting to Active Directory must have this permission granted to it on the domain level, for example Contoso.com.

    You can assign this permission by using the ACL editor in Windows Server 2003.

    To grant Replicate Directory Changes permissions by using the ACL editor

    1. Open Active Directory Users and Computers snap-in.

    2. On the View menu, click Advanced Features.

    3. Right-click the domain object, contoso.com, and then click Properties.

    4. Click the Security tab, if the desired user account is not listed, click Add; if the desired user account is listed, proceed to step seven.

    5. In the Select User, Computers, or Groups dialog box, select the desired account, and then click Add.

    6. Click OK to return to the Properties dialog box.

    7. Click the desired user account.

    8. Click to select the Replicate Directory Changes check box from the list.

      Ensure there is a check mark in the box under the Allow field in the box next to Replicate Directory Changes.

    9. Click Apply, and then click OK.

    10. Close the snap-in.

  • Write Permissions to the ProxyAddresses attribute in the source container - This permission is required for the account used by GAL synchronization to copy all legacyExchangeDN values for an object from its various corresponding connector space objects and write them to the proxyAddresses attribute.

    To assign this permission you must use the Adsiedit support tool in Windows Server 2003.

    To assign write permissions to the ProxyAddresses attribute in the source container

    1. Install the Windows Server 2003 support tools. For more information about how install the Windows Server 2003 support tools, see (https://go.microsoft.com/fwlink/?LinkID=100114).

    2. Run Adsiedit.msc as an administrator of the domain.

    3. Expand the domain naming context node. This is the uppermost node that contains an object with a name of DC=contoso,DC=com.

    4. Expand the object DC=contoso,DC=com.

    5. Under the object, DC=contoso,DC=com expand the OU=GalSynchronization object.

    6. Right click the OU=Contoso object and then select Properties.

    7. Click the Security tab.

    8. Click the Advanced button.

    9. Click the Add button and enter the name of the domain service account used for the GAL synchronization management agent.

    10. Click OK.

    11. Click the Properties tab.

    12. From the Apply onto dropdown box, select Child objects only.

    13. Scroll down the Permissions window, and click the box under Allow, next to Write proxyAddresses.

    14. Click OK.

    15. Click Apply.

    16. Click OK and then click OK again to close the OU=Contoso Properties dialog box.

  • Full Control permission for all child objects of the target container -This permission is required on the target container because the service account used by the GAL synchronization management agent needs the ability to create, modify, and delete contacts in this container. Since this OU only contains the GAL information, it does not pose a significant security risk to allow the GAL synchronization service account Full Control to all the child objects in this container.

    You can assign this permission by using the ACL editor in Windows Server 2003.

    To assign Full Control permissions for all child objects of the target container to the GAL synchronization service account

    1. Open Active Directory Users and Computers snap-in.

    2. On the View menu, click Advanced Features.

    3. Expand contoso.com.

    4. Expand GalSynchronization, and right click the target container, Fabrikam.

    5. Click Properties, click the Security tab, and then click Advanced.

    6. Click Add and type in the name of the domain service account used for the GAL synchronization management agent.

    7. Click OK.

    8. In the Apply onto dropdown box, choose Child objects only.

    9. Click the box located next to Full Control and under Allow.

    10. Click OK and then click Apply.

    11. Click OK and then click OK again.

    12. Close the snap-in.

  • Add the domain service account used by the GAL synchronization management agent to the Exchange Recipient Administrator group - This allows the domain service account to modify the Exchange property on an Active Directory service user, contact, group, dynamic distribution group or public folder object.

    You can add the account by using Active Directory Users and Computers snap-in.

    To add the domain service account used by the GAL synchronization management agent to the Exchange Recipient Administrators group

    1. Open Active Directory Users and Computers snap-in.

    2. On the View menu, click Advanced Features.

    3. Expand contoso.com.

    4. Expand Microsoft Exchange Security Groups.

    5. Right click the Exchange Recipient Administrators group.

    6. Click Properties.

    7. Click the Members tab.

    8. Click Add and type in the name of the domain service account used for the GAL synchronization management agent.

    9. Click OK and then click Apply.

    10. Click OK.

    11. Close the snap-in.

Assign appropriate permissions to the domain user account

The domain user account used by the GAL synchronization management agent in the Fabrikam forest needs several permissions granted to it in order for successful GAL synchronization to occur between the source forest (Fabrikam) and the target forest (Contoso).

The permissions this account must have are:

  • Replicate Directory Changes - When discovering objects in Active Directory using the Active Directory GAL synchronization management agent, the account that is specified for connecting to Active Directory must have this permission granted to it on the domain level, for example Contoso.com.

    You can assign this permission by using the ACL editor in Windows Server 2003.

    To grant Replicate Directory Changes permissions by using the ACL editor

    1. Open Active Directory Users and Computers snap-in.

    2. On the View menu, click Advanced Features.

    3. Right-click the domain object, fabrikam.com, and then click Properties.

    4. Click the Security tab, if the desired user account is not listed, click Add; if the desired user account is listed, proceed to step seven.

    5. In the Select User, Computers, or Groups dialog box, select the desired account, and then click Add.

    6. Click OK to return to the Properties dialog box.

    7. Click the desired user account.

    8. Click to select the Replicate Directory Changes check box from the list.

      Ensure there is a check mark in the box under the Allow field in the box next to Replicate Directory Changes.

    9. Click Apply, and then click OK.

    10. Close the snap-in.

  • Write Permissions to the ProxyAddresses attribute in the source container - This permission is required for the account used by GAL synchronization to copy all legacyExchangeDN values for an object from its various corresponding connector space objects and write them to the proxyAddresses attribute.

    To assign this permission you must use the Adsiedit support tool in Windows Server 2003.

    To assign write permissions to the ProxyAddresses attribute in the source container

    1. Install the Windows Server 2003 support tools. For more information about how install the Windows Server 2003 support tools, see (https://go.microsoft.com/fwlink/?LinkID=100114)

    2. Run Adsiedit.msc as an administrator of the domain.

    3. Expand the domain naming context node. This is the uppermost node that contains an object with a name of DC=fabrikam,DC=com.

    4. Expand the object DC=fabrikam,DC=com.

    5. Under the object, DC=fabrikam,DC=com expand the OU=GalSynchronization object.

    6. Right click the OU=Contoso object and then select Properties.

    7. Click the Security tab.

    8. Click the Advanced button.

    9. Click the Add button and enter the name of the domain service account used for the GAL synchronization management agent.

    10. Click OK.

    11. Click the Properties tab.

    12. From the Apply onto dropdown box, select Child objects only.

    13. Scroll down the Permissions window, and click the box under Allow, next to Write proxyAddresses.

    14. Click OK.

    15. Click Apply.

    16. Click OK and then click OK again to close the OU=fabrikam Properties dialog box.

  • Full Control permission for all child objects of the target container -This permission is required on the target container because the service account used by the GAL synchronization management agent need to the ability to create, modify, and delete contacts in this container. Since this OU only contains the GAL information, it does not pose a significant security risk to allow the GAL synchronization service account Full Control to all the child objects in this container.

    You can assign this permission by using the ACL editor in Windows Server 2003.

    To assign Full Control permissions for all child objects of the target container to the GAL synchronization service account using the ACL editor in Windows Server 2003.

    1. Open Active Directory Users and Computers snap-in.

    2. On the View menu, click Advanced Features.

    3. Expand contoso.com.

    4. Expand GalSynchronization, and right click the target container, Contoso.

    5. Click Properties, click the Security tab, and then click Advanced.

    6. Click Add and type in the name of the domain service account used for the GAL synchronization management agent.

    7. Click OK.

    8. In the Apply onto dropdown box, choose Child objects only.

    9. Click the box located next to Full Control and under Allow.

    10. Click OK and then click Apply.

    11. Click OK and then click OK again.

    12. Close the snap-in

  • Add the domain service account used by the GAL synchronization management agent to the Exchange Recipient Administrator group - This allows the domain service account to modify the Exchange property on an Active Directory service user, contact, group, dynamic distribution group or public folder object.

    You can add the account by using Active Directory Users and Computers snap-in.

    To add the domain service account used by the GAL synchronization management agent to the Exchange Recipient Administrators group

    1. Open the Active Directory Users and Computers snap-in.

    2. On the View menu, click Advanced Features.

    3. Expand fabrikam.com.

    4. Expand Microsoft Exchange Security Groups.

    5. Right click the Exchange Recipient Administrators group.

    6. Click Properties.

    7. Click the Members tab.

    8. Click Add and type in the name of the domain service account used for the GAL synchronization management agent.

    9. Click OK and then click Apply.

    10. Click OK.

    11. Close the snap-in.

Configure the GAL synchronization management agent for the Contoso forest.

In the procedures below, you will create the management agent for GAL synchronization to occur between the Contoso and Fabrikam forests.

You will first create the management agent for the Contoso forest.

To create the management agent for the Contoso forest

  1. Open Identity Manager.

  2. Switch to the Management Agents view.

  3. On the Actions menu, click Create to start the Create Management Agent wizard.

  4. Specify the required parameters for each page, and then click Next.

    The instructions for each page are provided as separate procedures below.

  5. Click Finish to create the management agent.

Create Management page

On this page, you select the management agent for GAL synchronization you want to create, and then name it accordingly.

To complete the Create Management Agent page

  1. In the Management agents for list, select Active Directory global address list (GAL).

  2. In the Name box, type ConstosoGALMA, and then click Next.

Connect to Active Directory Forest page

On this page, you enter the name of your Active Directory forest and provide the data for the domain GAL synchronization service account that this management agent uses to connect to that forest.

To complete the Connect to Active Directory Forest page

  1. In the Forest name box, type contoso.com.

  2. In the User name box, type ilmgalsync.

    This is the domain service account you created and granted the necessary permissions to enable the GAL synchronization management agent to perform the task of synchronizing contacts between forests. If you named the account another name, enter it in the input box.

  3. In the Password box, type the password you assigned to this account

  4. Next to Configure Connection Options click the Options button.

  5. Click the check box next to Sign and Encrypt LDAP traffic to deselect this option.

  6. In the Domain box, type contoso, and then click Next.

Configure Directory Partitions page

On this page, you select your directory partitions and the container (organizational unit) that contains the Active Directory objects that the management agent uses for GAL synchronization.

To complete the Configure Directory Partitions page

  1. In the Select directory partitions box, select the check box next to DC=contoso,DC=com.

  2. Click Containers to open the Select Containers dialog box.

  3. In the Select Containers dialog box, verify that only GalSynchronization is selected.

    This also selects the Fabrikam and Contoso organizational units used for GAL synchronization.

  4. To close the Select Containers dialog box, click OK.

  5. Click Next.

Configure GAL

On this page, you will configure the containers and Exchange 2007 settings for the GAL synchronization management agent.

The configuration consists of:

  • Specifying the Target container

  • Specifying the Source container

  • Specifying the SMTP mail suffix(s)

  • Enabling support for Exchange 2007

Target Container

Based on the testing environment in this walkthrough, GAL synchronization will take place between the Contoso and Fabrikam forest. Inside the Fabrikam container is another container named Contacts. This container, which is the Target container will store the contacts imported from the Fabrikam forest.

Source Container

The Source container contains the contacts that will be synchronized to the Fabrikam forest. The source container for contacts in this scenario is the Contacts container located under the Contoso container.

SMTP mail suffix(s)

The SMTP mail suffix(s) for mail enabled objects in the Contoso forest needs to be provided for the GAL synchronization management agent.

Support for Exchange 2007

You will configure the GAL synchronization management agent to support synchronizing contacts between Active Directory forests with Exchange 2007 environments. Selecting this option is critical for the scenario outlined in this document because this scenario uses an Exchange 2007 environment. If this option is not selected, GAL synchronization between the two forests will fail.

To complete the Configure GAL page

  1. Under GAL container configuration, click Target….

  2. In the drop down box next to Select a partition ensure DC=contoso,DC=com is selected.

  3. Click Containers.

  4. In the Select Containers dialog box, expand the GalSynchronization container, expand the Fabrikam container, and then select the Contacts container.

  5. Click OK, and then click OK again to exit the Target Container dialog box.

  6. Click Source….

  7. In the drop down box next to Select a partition ensure DC=contoso,DC=com is selected.

  8. Click Add Containers.

  9. Expand the GALSynchronization container, expand the Contoso container and then select the Contacts container.

  10. Click OK.

  11. Click OK to exit the Source Containers dialog box.

  12. Under Exchange configuration, next to Specify the SMTP mail suffix(s) for mailbox and mail enabled user, group and contact objects in this forest:, click Edit.

  13. In the Edit SMTP Mail Suffix dialog box under Mail Suffix, type in @contoso.com.

  14. Click Add, and then click OK to exit this dialog box.

  15. Under Exchange configuration, click the check box located next to Support cross forest delegation (Exchange 2007 only).

  16. Click Next.

Select Object Types page

On this page, you verify that the object types required for GAL synchronization are selected. By default, the correct object types are pre-selected.

To complete the Select Object Types page

  • Click Next.

Select Attributes page

On this page, you verify that the correct attributes required for GAL synchronization are selected. By default, the correct attributes are pre-selected.

To complete the Select Attributes page

  • Click Next.

Configure Connecter Filter page

On this page, rules extensions are specified to be used by the GAL Synchronization management agent to manage the connector filter properties on several objects in Active Directory. By default, the correct objects are configured to use these rules extensions.

To complete the Configure Connector Filter page

  1. Under Data Source Object Type, ensure that contact, group, msExchDynamicDistributionList, and user are configured to use Rules extension under Filter Type.

  2. Click Next.

Configure Join and Projection Rules page

On this page, join and projection rules are specified for several objects in Active Directory. By default, the correct objects are preconfigured for join and projection rules.

To complete the Configure Join and Projection Rules page

  • Click Next.

Configure Attribute Flow page

On this page, five attribute flow mappings are defined for use by GAL synchronization. By default, the attribute flows required for GAL synchronization are preconfigured.

To complete the Configure Attribute Flow page

  • Click Next.

Configure Deprovisioning page

On this page, deprovisioning is defined by using a rules extension. By default, this option is preconfigured.

To complete the Configure Deprovisioning page

  1. Under Deprovisioning Options, ensure Determine with a rules extension is selected.

  2. Click Next.

Configure Extensions page

On this page, a rules extension is defined to regulate the behavior of the GAL synchronization management agent.

To complete the Configure Extensions page

  1. Under Configure rules extension for this management agent, ensure GALSync.dll is specified.

  2. Under Configure partition display name(s), ensure Enable Exchange 2007 provisioning is selected.

  3. Click Finish.

Configure the GAL synchronization management agent for the Fabrikam forest.

In the procedures below, you will create the management agent for GAL synchronization to occur between the Contoso and Fabrikam forests.

The procedures below will you through creating the management agent for the Fabrikam forest.

To create the management agent for the Fabrikam forest

  1. Open Identity Manager.

  2. Switch to the Management Agents view.

  3. On the Actions menu, click Create to start the Create Management Agent wizard.

  4. Specify the required parameters for each page, and then click Next.

    The instructions for each page are provided as separate procedures below.

  5. Click Finish to create the management agent.

Create Management page

On this page, you select the management agent for GAL synchronization you want to create, and then name it accordingly.

To complete the Create Management Agent page

  1. In the Management agents for list, select Active Directory global address list (GAL).

  2. In the Name box, type FabrikamGALMA, and then click Next.

Connect to Active Directory Forest page

On this page, you enter the name of your Active Directory forest and provide the data for the domain GAL synchronization service account that this management agent uses to connect to that forest.

To complete the Connect to Active Directory Forest page

  1. In the Forest name box, type fabrikam.com.

  2. In the User name box, type ilmgalsync.

    This is the domain service account you created and granted the necessary permissions to enable the GAL synchronization management agent to perform the task of synchronizing contacts between forests. If you named the account another name, enter it in the input box.

  3. In the Password box, type the password you assigned to this account

  4. Next to Configure Connection Options click the Options button.

  5. Click the check box next to Sign and Encrypt LDAP traffic to deselect this option.

  6. In the Domain box, type contoso, and then click Next.

Configure Directory Partitions page

On this page, you select your directory partitions and the container (organizational unit) that contains the Active Directory objects that the management agent uses for GAL synchronization.

To complete the Configure Directory Partitions page

  1. In the Select directory partitions box, select the check box next to DC=fabrikam,DC=com.

  2. Click Containers to open the Select Containers dialog box.

  3. In the Select Containers dialog box, verify that only GalSynchronization is selected.

    This also selects the Fabrikam and Contoso organizational units used for GAL synchronization.

  4. To close the Select Containers dialog box, click OK.

  5. Click Next.

Configure GAL

On this page, you will configure the containers and Exchange 2007 settings for the GAL synchronization management agent.

The configuration consists of:

  • Specifying the Target container

  • Specifying the Source container

  • Specifying the SMTP mail suffix(s)

  • Enabling support for Exchange 2007

Target Container

Based on the testing environment in this walkthrough, GAL synchronization will take place between the Contoso and Fabrikam forest. Inside the Contoso container is another container named Contacts. This container, which is the Target container will store the contacts imported from the Contoso forest.

Source Container

The Source container contains the contacts that will be synchronized to the Contoso forest. The source container for contacts in this scenario is the Contacts container located under the Fabrikam container.

SMTP mail suffix(s)

The SMTP mail suffix(s) for mail enabled objects in the Fabrikam forest needs to be provided for the GAL synchronization management agent.

Support for Exchange 2007

You will configure the GAL synchronization management agent to support synchronizing contacts between Active Directory forests with Exchange 2007 environments. Selecting this option is critical for the scenario outlined in this document because this scenario uses an Exchange 2007 environment. If this option is not selected, GAL synchronization between the two forests will fail.

To complete the Configure GAL page

  1. Under GAL container configuration, click Target….

  2. In the drop down box next to Select a partition ensure DC=fabrikam,DC=com is selected.

  3. Click Containers.

  4. In the Select Containers dialog box, expand the GalSynchronization container, expand the Contoso container, and then select the Contacts container.

  5. Click OK, and then click OK again to exit the Target Container dialog box.

  6. Click Source….

  7. In the drop down box next to Select a partition ensure DC=fabrikam,DC=com is selected.

  8. Click Add Containers.

  9. Expand the GALSynchronization container, expand the Fabrikam container and then select the Contacts container.

  10. Click OK.

  11. Click OK to exit the Source Containers dialog box.

  12. Under Exchange configuration, next to Specify the SMTP mail suffix(s) for mailbox and mail enabled user, group and contact objects in this forest:, click Edit.

  13. In the Edit SMTP Mail Suffix dialog box under Mail Suffix, type in @fabrikam.com.

  14. Click Add, and then click OK to exit this dialog box.

  15. Under Exchange configuration, click the check box located next to Support cross forest delegation (Exchange 2007 only).

  16. Click Next.

Select Object Types page

On this page, you verify that the object types required for GAL synchronization are selected. By default, the correct object types are pre-selected.

To complete the Select Object Types page

  • Click Next.

Select Attributes page

On this page, you verify that the correct attributes required for GAL synchronization are selected. By default, the correct attributes are pre-selected.

To complete the Select Attributes page

  • Click Next.

Configure Connecter Filter page

On this page, rules extensions are specified to be used by the GAL Synchronization management agent to manage the connector filter properties on several objects in Active Directory. By default, the correct objects are configured to use these rules extensions.

To complete the Configure Connector Filter page

  • Click Next.

Configure Join and Projection Rules page

On this page, join and projection rules are specified for several objects in Active Directory. By default, the correct objects are preconfigured for join and projection rules.

To complete the Configure Join and Projection Rules page

  • Click Next.

Configure Attribute Flow page

On this page, five attribute flow mappings are defined for use by GAL synchronization. By default, the attribute flows required for GAL synchronization are preconfigured.

To complete the Configure Attribute Flow page

  • Click Next.

Configure Deprovisioning page

On this page, deprovisioning is defined by using a rules extension. By default, this option is preconfigured.

To complete the Configure Deprovisioning page

  1. Under Deprovisioning Options, ensure Determine with a rules extension is selected.

  2. Click Next.

Configure Extensions page

On this page, a rules extension is defined to regulate the behavior of the GAL synchronization management agent.

To complete the Configure Extensions page

  1. Under Configure rules extension for this management agent, ensure GALSync.dll is specified.

  2. Under Configure partition display name(s), ensure Enable Exchange 2007 provisioning is selected.

  3. Click Finish.

Enable Provisioning

For the GAL synchronization management agent to function properly, you must enable provisioning.

To enable provisioning

  1. Open Identity Manager

  2. From the Tools menu, click Options.

  3. Under Metaverse Rules Extensions, ensure that the Enable metaverse rules extensions check box is selected.

  4. In the box located next to Rules extension name, ensure GALSync.dll is present.

  5. Select the check box next to Enable Provisioning Rules Extensions to enable provisioning rules extension to be used with the GAL synchronization management agent.

  6. Click OK.

Test the Configuration

After enabling provision on the ILM 2007 server, you are now ready to the GAL synchronization configuration. To test the configuration, you will:

  1. Execute several preconfigured management agent run profiles

  2. Verify that the contacts from the Contoso and Fabrikam forests were imported into the other's forest

Management Agent Run Profiles

Run profiles are created when you create the ConstosoGALMA and the FabrikamGALMA. The following table lists and describes the eight run profiles that are created automatically.

Run Profile Description

Delta Import

All changed data flows from the Active Directory data source to the connector space and metaverse.

Delta Import (Stage Only)

All changed data flows from the Active Directory data source to the ILM 2007 connector space and is staged for inbound synchronization with the metaverse.

Delta Synchronization

After changed data source data is staged, changed data flows from the ILM 2007 connector space to the metaverse during inbound synchronization and from the metaverse to the connector space during outbound synchronization.

Export

All data staged for export flows from the ILM 2007 connector space tot eh active Directory data source.

Full Import

All specified data flows from the Active Directory data source to the ILM 2007 connector space and metaverse.

Full Import (Stage Only)

All specified data flows from the Active Directory data source to the ILM 2007 connector space and is staged for inbound synchronization with the metaverse.

Full Import and Full Synchronization

All specified data flows form the Active Directory data source to the ILM 2007 connector space and then to the metaverse during inbound synchronization. During outbound synchronization the data flows from the metaverse to the connector space.

Full Synchronization

Any staged data flows from the ILM 2007 connector space during outbound synchronization.

Execute the Run Profiles

In the procedures below, you will execute the run profiles for the ContosoGALMA management agent and the FabrikamGALMA management agent in the following order:

  1. Full Import (Staging Only)

  2. Full Synchronization

  3. Export

  4. Delta Import

Full Import (Staging Only)

In this procedure, you will run the full import (staging only) run profile for the ContosoGALMA and FabrikamGALMA management agents. These procedures create the objects necessary for GAL synchronization in the connector space for both management agents.

To run the Full Import (Staging Only) run profile for the ContosoGALMA

  1. Open Identity Manager.

  2. Switch to the Management Agents view, and then click ConstosoGALMA.

  3. From the Actions menu, click Run.

  4. In Run Management Agent, in Run Profiles, click Full Import (Stage Only).

  5. Click OK.

    In the Synchronization Statistics box, you should see 18 Adds. This represents the eight OUs (forest, GalSynchronization, Contoso, Contoso Contacts, Fabrikam, Fabrikam Contacts and Contoso Contacts, Users, and Groups) and the 10 user, group and contact objects.

To run the Full Import (Staging Only) run profile for the FabrikamGALMA

  1. Open Identity Manager.

  2. Switch to the Management Agents view and then click FabrikamGALMA.

  3. From the Actions menu, click Run.

  4. In Run Management Agent, in Run Profiles, click Full Import (Stage Only).

  5. Click OK.

    In the Synchronization Statistics box, you should see 18 Adds. This represents the eight OUs (forest, GalSynchronization, Fabrikam, Fabrikam Contacts, Contoso Contacts, and Fabrikam Contacts, Users, and Groups) and the 10 user, group and contact objects.

Full Synchronization

In this procedure, you will run the Full Synchronization run profile for the ContosoGALMA and FabrikmaGALMA management agents. This processes the join and projection rules. All objected will be created in the metaverse and linked do their corresponding connector space objects. Export attribute flow rules will also prepare any objects that are to be exported. The contact information for the Contoso forest will be flagged for export to the Fabrikam forest and the Fabrikam forest contact information will be flagged for export to the Contoso forest.

To run the Full Synchronization run profile for the ContosoGALMA

  1. Open Identity Manager.

  2. Switch to the Management Agents view and then click ContosoGALMA.

  3. From the Actions menu, click Run.

  4. In Run Management Agent, in Run Profiles, click Full Synchronization.

  5. Click OK.

    In the Synchronization Statistics box, you should see 10 Projections and 10 Connectors with Flow Updates. These are the new metaverse objects used to store the Contoso data.

To run the Full Synchronization run profile for the FabrikamGALMA

  1. Open Identity Manager.

  2. Switch to the Management Agents view and then click FabrikamGALMA.

  3. From the Actions menu, click Run.

  4. In Run Management Agent, in Run Profiles, click Full Synchronization.

  5. Click OK.

    In the Synchronization Statistics box, you should see 10 Projections and 10 Connectors with Flow Updates. These are the new metaverse objects used to store the Contoso data.

Export

In this procedure, you will execute the Export run profile for the ContosoGALMA and FabrikamGALMA management agents. Performing these procedures causes the Contoso contact objects staged during the Full Synchronization run to be exported to the Fabrikam forest and the staged Fabrikam contact objects will be exported to the Contoso forest.

To run the Export run profile for the ContosoGALMA

  1. Open Identity Manager.

  2. Switch to the Management Agents view and then click ContosoGALMA.

  3. From the Actions menu, click Run.

  4. In Run Management Agent, in Run Profiles, click Export.

  5. Click OK.

    In the Synchronization Statistics box, you should see 10 Adds. This indicates the 10 objects from Fabrikam forest have been exported to the to the Contoso forest.

To run the Export run profile for the FabrikamGALMA

  1. Open Identity Manager.

  2. Switch to the Management Agents view and then click FabrikamGALMA.

  3. From the Actions menu, click Run.

  4. In Run Management Agent, in Run Profiles, click Export.

  5. Click OK.

    In the Synchronization Statistics box, you should see 10 Adds. This indicates the 10 objects from Contoso forest have been exported to the to the Fabrikam forest.

Delta Import

In this procedure, you will run the Delta Import run profile for the ContosoGALMA and FabrikamGALMA management agents. Executing this run profile on both of the forests reports to ILM 2007 that the objects were successfully exported to the connected directories.

To run the Delta Import run profile for the ContosoGALMA

  1. Open Identity Manager.

  2. Switch to the Management Agents view and then click ContosoGALMA.

  3. From the Actions menu, click Run.

  4. In Run Management Agent, in Run Profiles, click Delta Import.

  5. Click OK.

    In the Synchronization Statistics box, you should see 10 Adds. This verifies to ILM 2007 that the export of the 10 objects to Active Directory were successful.

To run the Delta Import run profile for the FabrikamGALMA

  1. Open Identity Manager.

  2. Switch to the Management Agents view and then click FabrikamGALMA.

  3. From the Actions menu, click Run.

  4. In Run Management Agent, in Run Profiles, click Delta Import.

  5. Click OK.

    In the Synchronization Statistics box, you should see 10 Adds. This verifies to ILM 2007 that the export of the 10 objects to Active Directory were successful.

Subsequent Management Agent Operations

Use the run profile sequence as stated above the first time you run the management agents after creating them. Running the run profiles as specified above is necessary to properly populate the metaverse and connector space, after you complete these run profile steps for both management agents once; you need to complete the urn profile steps in a different order for all subsequent management agent operations.

For all subsequent management agent operation, use the run profiles in the following order:

  1. Delta Import (Staging Only)

  2. Delta Synchronization

  3. Export

  4. Delta Import

Verify that the contacts from both the Contoso and Fabrikam forests were imported into the other's forest.

In this procedure, you will verify that the synchronized contacts from the Contoso forest were imported into the Fabrikam forest and the contacts from the Fabrikam forest were successfully imported into the Contoso forest.

To verify synchronized contacts in the Contoso forest

  1. Open Active Directory Users and Computers.

  2. Expand the GALSynchronization organizational unit, and then expand the Fabrikam organizational unit.

  3. Click Contacts.

    Verify that the 10 new contacts now exist in this organizational unit.

To verify synchronized contacts in the Fabrikam forest

  1. Open Active Directory Users and Computers.

  2. Expand the GALSynchronization organizational unit, and then expand the Contoso organizational unit.

  3. Click Contacts.

    Verify that the 10 new contacts now exist in this organizational unit

Summary

In this document, you performed the necessary steps to implement a GAL synchronization solution between two forests. This document outlined the necessary permissions for the accounts used for GAL synchronization, the proper organizational units that you need to construct, configuration of the management agents to ensure synchronization occurs, as well the necessary order to execute the run profiles to ensure that the data is synchronized across the forests. As a next step, expand this concept by adding additional forests to this scenario and having the contacts synchronized between all the participating forests.

Appendices

Appendix A: Script to Populate the Contoso Forest

#Create OU Structure
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objOU = $objDomain.Create("organizationalUnit", "ou=GalSynchronization")
$objOU.SetInfo()
$objOU1 = $objOU.Create("organizationalUnit", "ou=Contoso")
$objOU1.SetInfo()
$objOU2 = $objOU1.Create("organizationalUnit", "ou=Users")
$objOU2.SetInfo()
$objOU3 = $objOU1.Create("OrganizationalUnit", "ou=Contacts")
$objOU3.SetInfo()
$objOU4 = $objOU1.Create("organizationalUnit", "ou=Groups")
$objOU4.SetInfo()
$objOU5 = $objOU.Create("organizationalUnit", "ou=Fabrikam")
$objOU5.SetInfo()
$objOU6 = $objOU5.Create("organizationalUnit", "ou=Contacts")
$objOU6.SetInfo()

#Create users
$password = ConvertTo-SecureString "p@ssword1" -asPlainText -force
1..4| 
ForEach { 
New-mailbox -Database "First Storage Group\Mailbox Database" `
 -Name "ConUser$_" `
 -Alias "ConUser$_" `
 -org "OU=Users,OU=Contoso,OU=GalSynchronization,DC=Contoso,DC=com" `
 -Password $password `
 -UserPrincipalName "ConUsers$_@contoso.com" `
 -DisplayName "ConUser$_" `
 -SamAccountName "ConUser$_"; `


#Create contacts
new-mailcontact `
 -org "OU=Contacts,OU=Contoso,OU=GalSynchronization,DC=Contoso,DC=com" `
 -alias "ConContact$_" `
 -name "ConContact$_" `
 -externalemailaddress "ConContact$_@company.com" `
 }

# Create mail enabled universal distribution group
1..2|
ForEach {
new-distributiongroup `
-alias "ConGroup$_" `
-samaccountname "ConGroup$_" `
-name "ConGroup$_" `
-type distribution `
-org "ou=Groups,ou=Contoso,ou=GalSynchronization,dc=contoso,dc=com"
} `

#add members to distribution groups
"ConUser1","ConUser2"| `
add-distributiongroupmember -id "ConGroup1"; `
"Conuser3","ConUser4"| `
add-distributiongroupmember -id "ConGroup2"

#echo results
echo "The proper Active Directory and Exchange environment has been created."

Appendix B: Script to Populate the Fabrikam Forest

#Create OU Structure
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objOU = $objDomain.Create("organizationalUnit", "ou=GalSynchronization")
$objOU.SetInfo()
$objOU1 = $objOU.Create("organizationalUnit", "ou=Fabrikam")
$objOU1.SetInfo()
$objOU2 = $objOU1.Create("organizationalUnit", "ou=Users")
$objOU2.SetInfo()
$objOU3 = $objOU1.Create("OrganizationalUnit", "ou=Contacts")
$objOU3.SetInfo()
$objOU4 = $objOU1.Create("organizationalUnit", "ou=Groups")
$objOU4.SetInfo()
$objOU5 = $objOU.Create("organizationalUnit", "ou=Contoso")
$objOU5.SetInfo()
$objOU6 = $objOU5.Create("organizationalUnit", "ou=Contacts")
$objOU6.SetInfo()

#Create users
$password = ConvertTo-SecureString "p@ssword1" -asPlainText -force
1..4| 
ForEach { 
New-mailbox -Database "First Storage Group\Mailbox Database" `
 -Name "FabUser$_" `
 -Alias "FabUser$_" `
 -org "OU=Users,OU=Fabrikam,OU=GalSynchronization,DC=Fabrikam,DC=com" `
 -Password $password `
 -UserPrincipalName "FabUsers$_@fabrikam.com" `
 -DisplayName "FabUser$_" `
 -SamAccountName "FabUser$_"; `


#Create contacts
new-mailcontact `
 -org "OU=Contacts,OU=Fabrikam,OU=GalSynchronization,DC=Fabrikam,DC=com" `
 -alias "FabContact$_" `
 -name "FabContact$_" `
 -externalemailaddress "FabContact$_@company.com" `
 }

# Create mail enabled universal distribution group
1..2|
ForEach {
new-distributiongroup `
-alias "FabGroup$_" `
-samaccountname "FabGroup$_" `
-name "FabGroup$_" `
-type distribution `
-org "ou=Groups,ou=Fabrikam,ou=GalSynchronization,dc=Fabrikam,dc=com"
} `

#add members to distribution groups
"FabUser1","FabUser2"| `
add-distributiongroupmember -id "FabGroup1"; `
"FabUser3","FabUser4"| `
add-distributiongroupmember -id "FabGroup2"

#echo results
echo "The proper Active Directory and Exchange environment has been created."