NHSmail Address Book Synchronisation Deployment Guide
November 2018
Version 1
Copyright © 2018 NHS Digital
Contents
1 Overview
1.1 Document Conventions
1.2 Intended audience
2 Introduction
3 Pre-requisites for the TANSync Server
3.1 Hardware specification
3.2 Account Permissions
3.3 Ports and traffic flows
3.4 Pre-requisite software installation
4 TANSync installation
4.1 Installation of MIM Synchronization Service
4.2 Configuration of TANSync components
5 Post Installation of TANSync
5.1 Initial Synchronisation Cycle
5.2 Enable Provisioning
5.3 Configure Provisioning for Address Book Sync
6 Address Book Sync Operations
6.1 Running a Profile
6.2 Synchronisation of Data from NHSmail to Active Directory
6.3 Synchronisation of Data from Active Directory to NHSmail
6.4 Cleaning Old Run History
7 Schedule Automated Synchronisation
8 Appendix
8.1 Pre-deployment Consideration Items
8.2 Pre-Configuration Questionnaire
8.3 Advanced Rule Extensions
8.4 Configuration of File Connector
8.5 Proxy Configuration
8.6 Common Issues
1 Overview
1.1 Document Conventions
The following methods are used below to highlight important information within the document:
! Design Decision
This box highlights where we have made a decision on the design. The text above the box will explain the decision.
* Note
This box indicates information not directly related to the design.
! Important note
This box highlights critical information.
1.2 Intended audience
This document is intended for partner organisations who will be federated with the NHSmail platform and describes the configuration process for the TANSync solution, an Identity Manager solution which enables organisations to synchronise local data with the NHSmail Application Programming Interface (API). This solution has been created based on Microsoft Identity Manager (MIM) 2016.
This document has been produced for a technical audience who have an understanding of the installation of Microsoft products and have experience working with identity products such as Identity Lifecycle Manager (ILM), Forefront Identity Manager (FIM) or MIM.
This document serves as a guide on how to build and configure MIM, which will be independent of all other servers.
2 Introduction
The TANSync Address Book Sync solution is available for organisations wishing to synchronise contact information with the NHSmail platform. TANSync pulls information from the NHSmail Portal into the local Active Directory as well as pushes information from the local Active Directory into the Portal which then synchronises the information into the NHSmail Exchange and Active Directory infrastructure.
The diagrams below show the high-level architecture and synchronisation flows for address book synchronisation.
Figure 1 – Address Book Synchronisation with separate SQL instance
[Figure: the federated organisation's Active Directory, Exchange and TANSync v2 server, with SQL Server on a separate host, connected over the Service Bus to the NHSmail 2 Portal API Service (Accenture) and its Active Directory. Arrows show the direction of synchronisation for User, Contact and Shared Mailbox objects.]
Figure 2 – Address Book Synchronisation with SQL instance on the same server
* Note
Resource mailboxes are treated as shared mailboxes by TANSync.
! Important note
TANSync only communicates with an organisation's on-premises Active Directory, so enabling the contact objects created by TANSync for Exchange or Skype for Business (or Lync) must be handled by the organisation's infrastructure administrator.
The table below describes the data fields provided to the federated organisations.
Object Type | Data Fields
User | Id, Title, JobTitle, FirstName, LastName, DisplayName, OfficePhone, Fax, MobilePhone, Pager, EmailAddress, SipAddress, OrganisationName, OrganisationUnitName, SiteName, Country
Shared mailboxes (including resource mailboxes) | Id, DisplayName, EmailAddress, OrganisationName, OrganisationUnitName, Country
3 Pre-requisites for the TANSync Server
This section describes the pre-requisites and installation of the additional software ready for the deployment of TANSync.
* Note
It is not recommended to deploy TANSync on a Domain Controller.
It is recommended to install SQL Server on the same server as TANSync. However, if the organisation has a SQL cluster, that can be used for TANSync instead.
3.1 Hardware specification
If the SQL instance is installed on the same server:
Site | Requirement | Operating System | Minimum system specification | Quantity
Partner Organisation Premises | TANSync MIM Synchronisation Server | Microsoft Windows 2012 R2 | 2 Core, 16GB RAM, 150GB disk, 1Gbps network | 1
If the SQL instance is installed on a separate server:
Site | Requirement | Operating System | Minimum system specification | Quantity
Partner Organisation Premises | TANSync MIM Synchronisation Server | Microsoft Windows 2012 R2 | 2 Core, 16GB RAM, 100GB disk, 1Gbps network | 1
3.2 Account Permissions
There are different permission levels for accounts used to install the TANSync Server.
Partner Organisation to provide:
• An account which has Local Administrator privilege (for log-on and installation purposes). If an external SQL instance is used, the account requires the Server Administrator (SA) role on the SQL instance to create the Synchronization Service database during installation.
• A service account which has the following permissions on Active Directory:
a. Full Control on the target container in Active Directory (This object and all descendant objects)
b. Replicating Directory Changes on the Domain (https://support.microsoft.com/en-gb/help/303972/)
NHSmail to provide:
• A service account which has the following roles in the NHSmail Portal (this account will be provided by a Portal administrator):
a. EXTERNAL_CONNECTOR_USER_READ on address book sync partner organisations within the Portal.
b. EXTERNAL_CONNECTOR_CONTACTS_READ_DEL_UPDATE on the organisation created for writing back contacts to the Portal.
3.3 Ports and traffic flows
TANSync communicates with the NHSmail API over TCP port 443 (HTTPS) and uses outbound connections only. Because no inbound connection is needed, the organisation does not have to expose its internal network to the NHSmail service.
Source | Destination | Protocol | Port | Direction
TANSync Server | NHSmail API (https://portal.nhs.net/api) | TCP and UDP | 443 | Outbound Initiated
TANSync Server | Active Directory | TCP and UDP | 389 | Outbound Initiated
! Important note
If the organisation requires a proxy for accessing the Internet, refer to Appendix Section 8.5 for proxy configuration on the TANSync server. The following endpoints should be added to the proxy whitelist:
• http://portal.nhs.net – portal endpoint
• https://fs.nhs.net – authentication endpoint
3.4 Pre-requisite software installation
! Important note
If SQL Express is not required and a separate SQL instance is to be used, install SQL Native Client (Microsoft® SQL Server® 2012 Native Client) on the TANSync server for connectivity with that SQL instance.
Microsoft .NET 3.5, an installable Windows feature, must be installed before the TANSync server can be installed.
This section describes the TANSync package and how to install the product.
Steps:
1) Launch Server Manager and navigate to Dashboard.
2) Select Add roles and Features.
3) Select Next on each of the next four pages.
4) Select .Net Framework 3.5 Features.
5) Select Install to start the installation.
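The checks in sections 3, 3.3 and 3.4 can be scripted rather than verified by hand. The following PowerShell is an added example, not part of the NHS Digital guide or the TANSync package: it confirms the server is not a domain controller, installs the .NET Framework 3.5 feature if it is missing, tests the outbound ports from the table above, and reports whether the SQL Server 2012 Native Client is present. The domain controller name is an assumed placeholder; the endpoints and ports are the ones the guide lists.

```powershell
# Added example (not from the NHS Digital guide): pre-deployment checks for the
# TANSync server. $DomainController is a placeholder the reader must replace.
param(
    [string]$DomainController = 'dc01.partner-org.local'   # placeholder, replace with a real DC
)

$results = [ordered]@{}

# 1) TANSync should not be deployed on a domain controller (DomainRole 4 or 5 = DC).
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$results['NotDomainController'] = ($role -lt 4)

# 2) .NET Framework 3.5 (feature name NET-Framework-Core) must be installed before MIM setup.
$net35 = Get-WindowsFeature -Name NET-Framework-Core
$results['DotNet35Installed'] = $net35.Installed
if (-not $net35.Installed) {
    # Offline servers need the OS media: add -Source D:\sources\sxs (example path).
    $null = Install-WindowsFeature -Name NET-Framework-Core
}

# 3) Outbound TCP 443 to the Portal API and TCP 389 to Active Directory (section 3.3).
#    Test-NetConnection only exercises TCP, so UDP 389 and any proxy are not covered here.
$api  = Test-NetConnection -ComputerName 'portal.nhs.net' -Port 443 -WarningAction SilentlyContinue
$ldap = Test-NetConnection -ComputerName $DomainController -Port 389 -WarningAction SilentlyContinue
$results['PortalApiTcp443']       = $api.TcpTestSucceeded
$results['ActiveDirectoryTcp389'] = $ldap.TcpTestSucceeded

# 4) Only needed when a separate SQL instance is used: SQL Server 2012 Native Client
#    registers the ODBC driver "SQL Server Native Client 11.0".
$nativeClient = Get-OdbcDriver -Name 'SQL Server Native Client 11.0' -ErrorAction SilentlyContinue
$results['SqlNativeClient2012'] = ($null -ne $nativeClient)

# Print one line per check; anything marked CHECK needs attention before installing MIM.
$results.GetEnumerator() | ForEach-Object {
    '{0,-24} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

Run it in an elevated PowerShell session on the prospective TANSync server; the .NET Framework 3.5 installation needs administrator rights, and the Test-NetConnection results tell you whether firewall or proxy changes are required before the management agents are configured.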
4 TANSync installation
The TANSync package can be obtained at the following location:
https://s3-eu-west-1.amazonaws.com/comms-mat/TANSync/TANSyncPackage_AddressBookSync.zip
TANSync is based on Microsoft Identity Manager 2016, which is included as a part of the standard Windows Server 2012 R2 licence.
! Important note
It is highly recommended to use SQL Server 2014 Standard or above instead of the SQL Express 2014 included in the package.
SQL Express 2014 should only be used if the number of objects in the synchronisation scope is smaller than 20000, or for testing purposes.
The package contains the following sources:
Component | Description
SQLExpress | SQL Express 2014
Synchronisation Service | Microsoft Identity Manager 2016 Synchronization Service
TANSync Configurations | A set of preconfigured Management Agents to be imported into the synchronization service
TANSync Extensions | A set of management agent extensions required for TANSync
RunScripts | The scripts that run the synchronisation profiles in a specific order
Refer to Appendix Section 8.1 for the summary of the configuration items required for Address Book Synchronisation.
! Important note
Before unzipping the TANSync package, it is highly recommended to unblock it, to avoid complications during deployment caused by Windows blocking the execution of the components:
1) Right click on the zip file
2) Select Properties
3) Click on the Unblock button at the bottom
4.1 Installation of MIM Synchronization Service
4.1.1 Install SQL Instance
This section describes the installation process for SQL Express 2014.
! Important note
If SQL Express is not required, install the organisation approved full version of SQL Server.
Install SQL Native Client on the TANSync server and skip to the next section.
Steps:
1) Launch Setup.exe to start the installation process.
2) Select New installation or add features to an existing installation.
3) Accept the license terms and select Next.
4) Select Next.
5) Select Default Instance and select Next.
6) Select Next.
7) Add users who require Server Administrator access to the SQL instance and select Next.
8) Select Next.
9) Select Close to complete the installation.
4.1.2 Install Microsoft Identity Manager Synchronization Service
This section describes the installation process for Microsoft Identity Manager 2016 Synchronization Service.
Steps:
1) Launch Setup.exe to start the installation process.
2) Accept the terms in the License Agreement and select Next.
3) Select Next.
4) If SQL Server is not installed on the current server, select a remote machine and specify the machine's DNS name. If the SQL instance name is different from the default MSSQLServer, select a named instance and specify the name. Otherwise leave everything as default. Select Next.
5) Enter the service account details and select Next. Note: enter the NETBIOS name instead of the domain name.
6) Enter the security groups' details and select Next. Note: the security groups will be created locally on the machine.
7) Select Enable firewall rules for inbound RPC communications and select Next.
8) Select Install. When asked, select OK.
9) After installation, select OK when asked to back up the SQL database key. Select a location and back up the key.
10) Select Finish.
4.2 Configuration of TANSync components
This section describes the configuration of the management agents required for the TANSync solution. The order of configuration is vital for maintaining the required precedence for attribute flow. This means that the TANSync Management Agent should be configured last.
Step: Copy all files from the TANSync Extensions folder to C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions
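The unblock step in section 4 and the copy step above can be done together from PowerShell, which also lets you verify that the "mark of the web" has really been removed before the extension DLLs are loaded by the Synchronization Service. This is an added example, not a script from the TANSync package: it assumes the zip was downloaded to the path in $PackageZip, that the package extracts to a folder containing "TANSync Extensions", and that Windows Management Framework 5.1 is installed (for Expand-Archive).

```powershell
# Added example (not from the TANSync package): unblock, extract and deploy the
# extension binaries. Paths under C:\Install are assumed; adjust to your download location.
$PackageZip    = 'C:\Install\TANSyncPackage_AddressBookSync.zip'
$ExtractTo     = 'C:\Install\TANSyncPackage'
$MimExtensions = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions'

# Same effect as the Unblock button in the Properties dialog: removes the
# Zone.Identifier stream that marks the file as downloaded from the Internet.
Unblock-File -Path $PackageZip

# Extracted files inherit the block from the zip, so confirm it is gone first.
if (Get-Item -Path $PackageZip -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
    throw "Package is still blocked: $PackageZip"
}

Expand-Archive -Path $PackageZip -DestinationPath $ExtractTo -Force

# Copy the management agent extensions (DLLs and TANSyncMA.cfg) into the MIM Extensions folder.
$source = Join-Path $ExtractTo 'TANSync Extensions'   # assumed folder name inside the package
if (-not (Test-Path $source)) { throw "Extensions folder not found: $source" }
Copy-Item -Path (Join-Path $source '*') -Destination $MimExtensions -Recurse -Force

# A DLL that is still blocked will not load into the Synchronization Service, so unblock
# each one and record its SHA-256 so the deployed binaries can be checked later.
Get-ChildItem -Path $MimExtensions -Filter *.dll | ForEach-Object {
    Unblock-File -Path $_.FullName
    '{0,-40} {1}' -f $_.Name, (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
}
```

Keep the printed hash list with the deployment record: if a management agent later fails to load an extension, comparing the hashes against a fresh copy of the package is the quickest way to rule out a modified or partially copied binary.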
4.2.1 Default Data Fields Mapping
The following table describes the default pre-configured attribute mapping between NHSmail and Active Directory:
NHSmail Object Type | NHSmail Data Field | Active Directory Object | Active Directory Attribute | Synchronisation Flow Direction
User | Id | Contact | extensionName | From NHSmail to Organisation AD
User | Title | Contact | personalTitle | From NHSmail to Organisation AD
User | JobTitle | Contact | title | From NHSmail to Organisation AD
User | FirstName | Contact | givenName | From NHSmail to Organisation AD
User | LastName | Contact | sn | From NHSmail to Organisation AD
User | DisplayName | Contact | displayName | From NHSmail to Organisation AD
User | OfficePhone | Contact | telephoneNumber | From NHSmail to Organisation AD
User | Fax | Contact | facsimileTelephoneNumber | From NHSmail to Organisation AD
User | MobilePhone | Contact | mobile | From NHSmail to Organisation AD
User | Pager | Contact | pager | From NHSmail to Organisation AD
User | EmailAddress | Contact | otherMailbox | From NHSmail to Organisation AD
User | SipAddress | Contact | otherIpPhone | From NHSmail to Organisation AD
User | OrganisationName | Contact | company | From NHSmail to Organisation AD
User | OrganisationUnitName | Contact | department | From NHSmail to Organisation AD
User | SiteName | Contact | l | From NHSmail to Organisation AD
User | Country | Contact | co | From NHSmail to Organisation AD
Shared Mailbox (including resource mailbox) | Id | Contact | extensionName | From NHSmail to Organisation AD
Shared Mailbox (including resource mailbox) | DisplayName | Contact | displayName | From NHSmail to Organisation AD
Shared Mailbox (including resource mailbox) | EmailAddress | Contact | otherMailbox | From NHSmail to Organisation AD
Shared Mailbox (including resource mailbox) | OrganisationName | Contact | company | From NHSmail to Organisation AD
Shared Mailbox (including resource mailbox) | OrganisationUnitName | Contact | department | From NHSmail to Organisation AD
Shared Mailbox (including resource mailbox) | Country | Contact | co | From NHSmail to Organisation AD
Contact | Id | User | extensionName | From NHSmail to Organisation AD
Contact | Title | User | personalTitle | From Organisation AD to NHSmail
Contact | FirstName | User | givenName | From Organisation AD to NHSmail
Contact | LastName | User | sn | From Organisation AD to NHSmail
Contact | OfficePhone | User | telephoneNumber | From Organisation AD to NHSmail
Contact | Fax | User | facsimileTelephoneNumber | From Organisation AD to NHSmail
Contact | MobilePhone | User | mobile | From Organisation AD to NHSmail
Contact | Pager | User | pager | From Organisation AD to NHSmail
Contact | EmailAddress | User | mail | From Organisation AD to NHSmail
Contact | SipAddress | User | otherIpPhone | From Organisation AD to NHSmail
Contact | Organisation | User | <constant organisation code> | From Organisation AD to NHSmail
4.2.2 Metaverse Schema Configuration
The steps below describe how to remove the default Metaverse schema in order to configure the correct one required for TANSync.
Steps:
1) Launch Synchronization Service Manager.
2) Select Tools and select Options.
3) Select Enable metaverse rules extension.
4) Select Browse to select the Metaverse rule extension, select MVExtension.dll and select OK.
5) Create an empty object type; this will allow deleting all default object types from the Metaverse schema. On the Metaverse Design tab, select Create Object Type from the Actions list, enter "a" and click OK.
6) On the Metaverse Design tab, delete all default object types: select an object type and select Delete Object Type on the right-hand side. When asked, select Yes to confirm. Repeat this for all object types.
7) On the Metaverse Design tab, select Action from the top and choose Import Metaverse Schema. Find and select the file MVSchema.xml from 'TANSyncPackage/ TANSync Configurations', select Open, then select OK.
8) Delete the empty object type ("a") created above.
9) Select each object type, select Configure Object Deletion Rule and select Rule Extension.
10) Select Finish.
4.2.3 Active Directory Management Agent Configuration
This section describes the steps to deploy Active Directory Management Agent to MIM Synchronization Service and is only applicable to organisations with Active Directory as the data source.
A service account with the security permissions detailed below (see section 3.2) needs to be created in Active Directory to run the Management Agent.
• Full Control to the Organisational Unit containing the target users (This object and all descendant objects)
• Replicating Directory Changes to the Domain
* Note
TANSync will be configured to access 2 Active Directory containers in this section as an example. These will need to be configured to match the organisation’s Active Directory container structure.
• SyncContacts – the container where Portal contacts will be written to.
• OrganisationUsers – the container containing users whose details will be written to the NHSmail Portal.
! Important note
If Contact write back to Portal is not required, then do not configure the OrganisationUsers equivalent container.
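The two permissions listed above are easy to over-grant when they are set through the delegation wizard. The PowerShell below is an added example, not part of the guide: it reads the ACLs on the contacts container and the domain head and reports whether the ADMA service account holds exactly Full Control (this object and all descendants) and Replicating Directory Changes, and whether it also holds Replicating Directory Changes All, which TANSync does not need. The account name and container DN are placeholders in the guide's example layout; the extended-right GUIDs are the schema-defined values, not page-specific.

```powershell
# Added example (not from the NHS Digital guide): audit the ADMA service account's
# Active Directory permissions against what section 4.2.3 requires.
Import-Module ActiveDirectory

$ServiceAccount = 'PARTNER-ORG\svc-tansync'                     # placeholder
$ContactsOU     = 'OU=SyncContacts,DC=partner-org,DC=local'     # guide's example container
$DomainDN       = (Get-ADDomain).DistinguishedName

# Well-known extended-right GUIDs defined by the AD schema.
$GetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes
$GetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes All

function Get-AccountAces([string]$Dn, [string]$Identity) {
    # Access entries on the object that name this account directly.
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity }
}

# 1) Full Control on the contacts container, inherited by all descendant objects.
$fullControl = Get-AccountAces -Dn $ContactsOU -Identity $ServiceAccount | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -and
    $_.InheritanceType -eq 'All'
}

# 2) Replicating Directory Changes on the domain head.
$domainAces   = Get-AccountAces -Dn $DomainDN -Identity $ServiceAccount
$replicate    = $domainAces | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $GetChanges }
# Not required by TANSync: report it so it can be removed under least privilege.
$replicateAll = $domainAces | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $GetChangesAll }

[pscustomobject]@{
    Account                     = $ServiceAccount
    FullControlOnContactsOU     = [bool]$fullControl
    ReplicatingDirectoryChanges = [bool]$replicate
    UnneededReplicateAll        = [bool]$replicateAll
}
```

Group-based grants are not resolved by this check (it matches the account name directly), so if the permissions were delegated through a group, substitute the group's name in $ServiceAccount and run it again.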
Steps:
1) Launch MIM Synchronization Service Manager.
2) On the Management Agents tab, select Actions and select Import Management Agent.
3) Find and select the ADMA.xml file from 'TANSyncPackage/ TANSync Configurations' and select Open. Select Next.
4) Enter the Forest name (FQDN), the service account name and password, and the Domain name (NETBIOS). Select Next.
5) In the Existing Partitions section, select your domain's distinguished name to replace DC=partner-org,DC=local and click Match. Select the remaining entries and click Deselect. Select OK.
6) Click Containers to configure the target containers. Expand and select each target container and select OK.
Note: The illustration is an example and this might be different depending on the Active Directory architecture of the organisation. OrganisationUsers is the container where user details will be read from; do not configure this if the user data is not to be shared with NHS. SyncContacts is the container where NHSmail contacts will be written to.
7) Select Next on each of the next three pages.
8) Select the required attributes (tick "show all" to show more) and select Next.
9) Configure a filter for user objects if required and select Next.
10) Select Next.
Note: Your rule configuration may look different to the image; this is not an issue and you can continue with your installation.
11) Configure the attribute mapping for your organisation. Verify the attributes of the connector space and check that the metaverse objects are mapped correctly, to make sure that the values are written to the right attributes in Active Directory.
Note: change the Organisation code constant to the correct one for your organisation.
You can also set up "advanced mapping" by checking "Advanced" under "Mapping Type" and clicking "Edit"; here you can set up a constant value for an attribute.
12) Select Next.
13) Select OK or Finish to complete.
4.2.4 TANSync Management Agent Configuration
This section details the configuration of the management agent for TANSync. TANSync Management Agent reads users and shared mailboxes in the Portal using the API service.
Steps:
1) Launch Synchronization Service Manager.
2) Select Management Agents, select Action and choose Import Management Agent.
3) Find and select the file TANSyncMA.xml and select Open. Select Next.
4) Select Refresh interfaces and select Next.
5) Specify the Service Account (which will be provided to you) for connecting to the Portal API service, https://portal.nhs.net/api. Make sure Address Book Synchronisation is selected.
Specify the full path of a log file location, for example C:\TANSyncLog\tansynclog.txt. Make sure the MIM Synchronization Service account has full permission to the directory of the file. The Verbose option gives more detailed logging; if it is not selected, only errors will be recorded. Select Next.
6) Leave the configuration blank and select Next.
7) Select Next on each of the remaining pages.
8) Select Finish.
4.2.5 TANSyncWriteBack Management Agent Configuration
This section details the configuration of the management agent for TANSyncWriteback. TANSyncWriteback Management Agent creates contacts in the Portal using the API service.
Steps:
1) Launch Synchronization Service Manager.
2) Select Management Agents, select Action and choose Import Management Agent.
3) Find and select the file TANSyncMAWriteBack.xml and select Open. Select Next.
4) Select Refresh interfaces and select Next.
5) Specify the Service Account (which will be provided to you) for connecting to the Portal API service, https://portal.nhs.net/api. Make sure Address Book Synchronisation is selected.
Specify the full path of a log file location, for example C:\TANSyncLog\tansyncwritebacklog.txt. Make sure the MIM Synchronization Service account has full permission to the directory of the file. The Verbose option gives more detailed logging; if it is not selected, only errors will be recorded. Select Next.
6) Leave the configuration blank and select Next.
7) Select Next on each of the remaining pages.
8) Select Finish.
5 Post Installation of TANSync
5.1 Initial Synchronisation Cycle
Run the profiles listed below in the following order, ensuring there are no errors:
Order | Management Agent | Run Profile
1 | TANSyncMA | Full Import
2 | ADMA | Full Import
3 | TANSyncMAWriteBack (if applicable) | Full Import
4 | TANSyncMA | Full Sync
5 | ADMA | Full Sync
6 | TANSyncMAWriteBack (if applicable) | Full Sync
5.2 Enable Provisioning
* Note
To start provisioning objects to Active Directory and the NHSmail Portal it is necessary to enable Provisioning Rule Extension in MIM.
This section describes the steps to enable provisioning in the MIM Synchronization Service.
Steps:
1) Launch MIM Synchronization Service Manager.
2) Select Tools and select Options.
3) Select Enable metaverse rules extension.
4) Select Browse to select the Metaverse rule extension, select MVExtension.dll and select OK.
5) Select Enable Provisioning Rules Extension.
6) Select OK.
5.3 Configure Provisioning for Address Book Sync
To configure provisioning, find and edit the file:
C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions\TANSyncMA.cfg
The following table describes the configuration items in the file:
Item | Description | Default Value
LogFile: | The file where the provisioning logs will be written to. Make sure the MIM Synchronization Service account has full permission to the directory of the file. | C:\TANSyncLog\TANSyncExtensionLog.txt
OperationMode: | Specifies the mode in which TANSync operates. | AddressBookSync
ProvisionTo: | Specifies the names of the Management Agents that objects will be provisioned to. | TANSyncMAWriteBack,ADMA
OUPath: | The Distinguished Name of the container where contact objects will be created. | OU=SyncContacts,DC=partner-org,DC=local
* Note
To comment out a configuration item, put '#' at the beginning of its line in the file.
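The items in TANSyncMA.cfg, and the log file paths entered for the two management agents in sections 4.2.4 and 4.2.5, share two failure modes: the log directory does not exist or is not writable by the MIM Synchronization Service account, and OUPath names a container that is not in Active Directory. The PowerShell below is an added example, not from the guide or the package: it parses the file, creates the log directory with the permission the guide asks for (scoped to that directory only), checks ProvisionTo against the two management agent names the guide defines, and confirms OUPath resolves. It assumes the file uses "Key: value" lines with '#' comments (inferred from the table above) and that the MIM service account name below is a placeholder.

```powershell
# Added example (not from the NHS Digital guide): validate TANSyncMA.cfg and prepare
# the log directory. The file format and the service account name are assumptions.
Import-Module ActiveDirectory

$CfgPath        = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions\TANSyncMA.cfg'
$MimServiceAcct = 'PARTNER-ORG\svc-mimsync'   # placeholder: the account entered during MIM setup

function Read-TanSyncConfig([string]$Path) {
    # Assumed format: "Key: value" per line; a leading '#' comments the item out.
    $cfg = @{}
    foreach ($line in Get-Content -Path $Path) {
        $trimmed = $line.Trim()
        if ($trimmed -eq '' -or $trimmed.StartsWith('#')) { continue }
        $key, $value = $trimmed -split ':\s*', 2     # split on the first colon only (paths contain "C:")
        if ($key) { $cfg[$key] = $value }
    }
    return $cfg
}

$cfg = Read-TanSyncConfig -Path $CfgPath

# LogFile: create the directory and grant the service account full control on it
# (the guide's requirement), but only on this directory and its children.
$logDir = Split-Path -Parent $cfg['LogFile']
if (-not (Test-Path $logDir)) { $null = New-Item -ItemType Directory -Path $logDir }
$acl  = Get-Acl -Path $logDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $MimServiceAcct, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $logDir -AclObject $acl

# ProvisionTo: comma-separated management agent names; anything else is a typo.
$targets = $cfg['ProvisionTo'] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$unknown = $targets | Where-Object { $_ -notin 'TANSyncMAWriteBack', 'ADMA' }

# OUPath: the container must exist, or provisioning to ADMA fails at the first export.
try   { $null = Get-ADObject -Identity $cfg['OUPath']; $ouExists = $true }
catch { $ouExists = $false }

[pscustomobject]@{
    OperationMode  = $cfg['OperationMode']
    LogDirectory   = $logDir
    ProvisionTo    = ($targets -join ',')
    UnknownTargets = ($unknown -join ',')
    OUPathExists   = $ouExists
}
```

If UnknownTargets is non-empty or OUPathExists is False, correct the file before running the Full Sync profiles in section 6; the same log-directory grant can be repeated for the tansynclog.txt and tansyncwritebacklog.txt directories chosen in sections 4.2.4 and 4.2.5.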
6 Address Book Sync Operations
6.1 Running a Profile
To run a profile on a Management Agent, perform the following steps:
1) Launch MIM Synchronization Service Manager.
2) On the Management Agents tab, right click a Management Agent and select Run.
3) Select the run profile and press OK to run it.
This section describes the steps to be performed for successful synchronisation of address book data between the federated organisation and NHSmail.
! Important note
TANSync downloads and writes the data to Active Directory. However, enabling contacts in Exchange or Skype For Business will be performed by the organisation's infrastructure administrator.
6.2 Synchronisation of Data from NHSmail to Active Directory
This section describes the steps to synchronise data from NHSmail to the organisation's Active Directory.
Run the profiles listed below in the following order, ensuring there are no errors:
Order | Management Agent | Run Profile
1 | TANSyncMA | Full Import
2 | ADMA | Delta Import
3 | TANSyncMA | Full Sync
4 | ADMA | Full Sync
5 | TANSyncMA | Export
6 | ADMA | Export
6.3 Synchronisation of Data from Active Directory to NHSmail
This section describes the steps to synchronise data from the organisation's Active Directory to NHSmail.
Run the profiles listed below in the following order, ensuring there are no errors:
Order | Management Agent | Run Profile
1 | ADMA | Delta Import
2 | TANSyncMAWriteBack | Full Import
3 | ADMA | Full Sync
4 | TANSyncMAWriteBack | Full Sync
5 | ADMA | Export
6 | TANSyncMAWriteBack | Export
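The sequences in sections 5.1, 6.2 and 6.3 can be driven from the Synchronization Service's WMI provider instead of the Run dialog in section 6.1, which also enforces "ensuring there are no errors": each profile's return value is checked before the next one starts. The PowerShell below is an added example, not the package's runSyncCycle.cmd. It assumes it runs on the TANSync server under an account in MIMSyncAdmins, and that the run profile names match those imported with the management agent configurations (the names shown in the tables above).

```powershell
# Added example (not the TANSync package's script): run the section 6.2 and 6.3
# profile sequences in order via the MIIS_ManagementAgent WMI class, stopping at
# the first profile that does not return "success".
$Namespace = 'root\MicrosoftIdentityIntegrationServer'

function Get-SyncAgent([string]$AgentName) {
    Get-WmiObject -Namespace $Namespace -Class MIIS_ManagementAgent -Filter "Name='$AgentName'"
}

function Invoke-RunProfile([string]$AgentName, [string]$ProfileName) {
    $ma = Get-SyncAgent -AgentName $AgentName
    if (-not $ma) { throw "Management agent '$AgentName' not found" }
    $result = $ma.Execute($ProfileName).ReturnValue
    '{0:u}  {1,-20} {2,-12} {3}' -f (Get-Date), $AgentName, $ProfileName, $result
    # Any value other than "success" (e.g. completed-export-errors) stops the cycle so a
    # partial import is never followed by a sync and export built on it.
    if ($result -ne 'success') { throw "$AgentName / $ProfileName returned '$result'" }
}

# Section 6.2: NHSmail -> Active Directory.
$NhsmailToAd = @(
    @('TANSyncMA', 'Full Import'), @('ADMA', 'Delta Import'),
    @('TANSyncMA', 'Full Sync'),   @('ADMA', 'Full Sync'),
    @('TANSyncMA', 'Export'),      @('ADMA', 'Export')
)
# Section 6.3: Active Directory -> NHSmail (contact write-back), only if that agent exists.
$AdToNhsmail = @(
    @('ADMA', 'Delta Import'),     @('TANSyncMAWriteBack', 'Full Import'),
    @('ADMA', 'Full Sync'),        @('TANSyncMAWriteBack', 'Full Sync'),
    @('ADMA', 'Export'),           @('TANSyncMAWriteBack', 'Export')
)

foreach ($step in $NhsmailToAd) { Invoke-RunProfile -AgentName $step[0] -ProfileName $step[1] }
if (Get-SyncAgent -AgentName 'TANSyncMAWriteBack') {
    foreach ($step in $AdToNhsmail) { Invoke-RunProfile -AgentName $step[0] -ProfileName $step[1] }
}
```

For the first-run cycle in section 5.1, replace the two arrays with that table's Full Import / Full Sync sequence; the Invoke-RunProfile function is unchanged.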
6.4 Cleaning Old Run History
The MIM Synchronization Service stores the logs of previous synchronisation profile runs in the database, so the space they use grows over time. It is good practice to clear these logs on a regular basis to reduce the storage footprint.
Also, if no longer required, remove the old synchronisation and extension log files created by TANSync. (These are configured in sections 4.2.4, 4.2.5 and 5.3.)
The following steps clear the profile run history:
1) Navigate to Operations in Synchronization Service Manager.
2) Select Action and select Clear Runs.
3) Select Clear runs before and specify the date and time.
4) Deselect Save runs before clearing them if not required.
5) Select OK to start clearing the runs.
7 Schedule Automated Synchronisation
This section describes the steps to configure an automated synchronisation schedule in Windows Task Scheduler. The scheduled task executes a script that starts the synchronisation run profiles on the management agents in a specific order.
For successful execution of the schedule, a scheduled task service account will be required.
Scheduled task service account permissions:
• A member of the MIMSyncAdmins group
• Permission to log on to the TANSync server
The scheduled task will be configured to run the script runSyncCycle.cmd provided in the TANSync package.
Steps:
1) Launch Windows Task Scheduler.
2) Select Create Task in the Actions section.
3) In the General tab: enter the Name "Synchronisation Schedule" and the Description "TANSync Synchronisation schedule"; select the schedule service account; select Run whether user is logged on or not; select Run with highest privileges.
4) In the Triggers tab, select New to create a new trigger. Select the trigger settings, for example Weekly on Saturday at 12:00:00 AM. Select Enabled and click OK to complete the trigger creation.
5) In the Actions tab, select New to create a new action. Make sure the Action is Start a program. Click Browse… to select the script runSyncCycle.cmd and click OK to complete.
6) Click OK to complete the schedule creation.
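The same task can be registered with the ScheduledTasks cmdlets, which makes the configuration repeatable and lets you check the MIMSyncAdmins membership before the task is created. The PowerShell below is an added example, not from the guide; the task name, description and trigger are the values given in the steps above, while the account name and the location of runSyncCycle.cmd are placeholders to be replaced. The six-hour execution limit is an assumed value.

```powershell
# Added example (not from the NHS Digital guide): create the section 7 scheduled task.
$ScriptPath      = 'C:\Install\TANSyncPackage\RunScripts\runSyncCycle.cmd'   # where the package was extracted
$ScheduleAccount = 'PARTNER-ORG\svc-tansync-sched'                          # placeholder

# The account must be a member of the local MIMSyncAdmins group; fail early if it is not.
$members = net localgroup MIMSyncAdmins
if (-not ($members -match [regex]::Escape($ScheduleAccount))) {
    throw "$ScheduleAccount is not a member of MIMSyncAdmins"
}
if (-not (Test-Path -Path $ScriptPath)) { throw "Script not found: $ScriptPath" }

$cred = Get-Credential -UserName $ScheduleAccount -Message 'Password for the schedule task account'

$action  = New-ScheduledTaskAction -Execute $ScriptPath -WorkingDirectory (Split-Path -Parent $ScriptPath)
# Weekly on Saturday at 12:00:00 AM, the guide's example trigger.
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Saturday -At '00:00'
# Stop a hung cycle after 6 hours (assumed limit) and never start a second cycle while one
# is running: two run profiles cannot execute on the same management agent at once.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 6) -MultipleInstances IgnoreNew

# Supplying -Password registers the task to run whether the user is logged on or not;
# -RunLevel Highest corresponds to "Run with highest privileges".
$null = Register-ScheduledTask -TaskName 'Synchronisation Schedule' `
    -Description 'TANSync Synchronisation schedule' `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Highest -Force

Get-ScheduledTask -TaskName 'Synchronisation Schedule' |
    Select-Object TaskName, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } }
```

Running the task once by hand (Start-ScheduledTask -TaskName 'Synchronisation Schedule') and then checking the Operations tab in Synchronization Service Manager confirms the account's log-on right and group membership before the first unattended Saturday run.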
8 Appendix
8.1 Pre-deployment Consideration Items
The table below lists the configuration items that must be agreed before the deployment. For each item it gives a description and who provides it:

Item: Implementation Actor Account
Description: An account which has Local Administrator privilege (for log-on and installation purposes). If an external SQL instance is used, the account also requires the SA role on that SQL instance so that the Synchronization Service database can be created during installation.
Note: Provided by the Organisation

Item: Portal Service Account
Description: A service account which has the following roles in the NHSmail Portal (this account will be provided by a Portal administrator):
• EXTERNAL_CONNECTOR_USER_READ on the address book sync partner organisations within the Portal.
• EXTERNAL_CONNECTOR_CONTACTS_READ_DEL_UPDATE on the organisation created for writing back contacts to the Portal.
This is a configuration item in the TANSyncMA and TANSyncMAWriteBack Management Agents.
Note: Provided by NHS

Item: AD Forest Name
Description: Active Directory forest FQDN. This is a configuration item in the Active Directory Management Agent (ADMA).
Note: Provided by the Organisation

Item: Domain NETBIOS name
Description: Domain name. This is a configuration item in the Active Directory Management Agent (ADMA).
Note: Provided by the Organisation

Item: AD Service Account
Description: A service account which has the following permissions on Active Directory:
• Full Control on the target container in Active Directory (this object and all descendant objects)
• Replicating Directory Changes on the Domain
This is a configuration item during installation of Microsoft Identity Manager.
Note: Provided by the Organisation

Item: AD Container for NHSmail contacts
Description: A container in Active Directory to store the NHSmail contacts read from the Portal. This is a configuration item in the Active Directory Management Agent (ADMA).
Note: Provided by the Organisation

Item: AD Container for reading organisation user details from
Description: A container from which data will be read to write into the NHS Portal. This is a configuration item in the Active Directory Management Agent (ADMA).
Note: Provided by the Organisation

Item: Configuration xml files
Description: The configuration XML files provided for importing the configuration into Microsoft Identity Manager to set up TANSync for Address Book Synchronisation.
Note: Provided by NHS

Item: Extension Binaries
Description: The binaries provided to extend Microsoft Identity Manager with the Address Book Sync functionality.
Note: Provided by NHS

Item: Portal API Endpoint
Description: The Portal API service connection point: https://portal.nhs.net/api. This is a configuration item in the TANSyncMA and TANSyncMAWriteBack Management Agents.
Note: Provided by NHS

Item: TANSyncMA log file
Description: The log file path and file name for storing logs from TANSyncMA. By default the log only contains error messages; if the verbose option is selected, the log also contains details of each operation performed by the management agent code.
Make sure that the MIM service account has full permissions on the directory and on the files within it.
This is a configuration item in the TANSyncMA Management Agent.
Note: Provided by the Organisation

Item: TANSyncMAWriteBack log file
Description: The log file path and file name for storing logs from TANSyncMAWriteBack. By default the log only contains error messages; if the verbose option is selected, the log also contains details of each operation performed by the management agent code.
Make sure that the MIM service account has full permissions on the directory and on the files within it.
This is a configuration item in the TANSyncMAWriteBack Management Agent.
Note: Provided by the Organisation

Item: TANSyncMA.cfg configuration
Description: This configuration file controls the provisioning of objects to data sources. It contains the following configuration items: LogFile, OperationMode, ProvisionTo, OUPath. More detail is in section 5.3.
Note: Provided by the Organisation

Item: Schedule Task service account
Description: An account used to run the automated synchronisation schedule (see Section 7).
Note: Provided by the Organisation

Item: RunScripts
Description: The set of command line (cmd) and Visual Basic (vbs) scripts that run the synchronisation profiles in a specific order. The scripts also delete run histories older than 2 weeks. This is a configuration item in Task Scheduler (see Section 7).
Note: Provided by NHS
8.2 Pre-Configuration Questionnaire
The following questions gather the information required for the TANSync deployment:
1. Who is/are performing the deployment?
2. What is the Active Directory Forest Name?
3. What is the Active Directory Domain Name (Fully Qualified Domain Name and NETBIOS)?
4. What is the TANSync server IP address?
5. What is the TANSync server Fully Qualified Domain Name (FQDN)?
6. What is the Remote Desktop Protocol (RDP) port to the TANSync server?
7. What is the SQL server IP address?
8. What is the SQL server FQDN?
9. What are the Deployment Actor account details (login and password)?
10. What are the MIM service account details (login and password)?
11. What is the Distinguished Name of the container to store NHSmail contacts in AD?
12. What is the Distinguished Name of the container(s) to read organisation user data from to upload to NHSmail?
13. What are the TANSyncMA log file details (path and file name)? (if applicable)
14. What are the TANSyncMAWriteBack log file details (path and file name)? (if applicable)
15. What are the TANSync extension log file details (path and file name)? (if applicable)
16. What are the changes to the default data field mappings between NHSmail and AD? (if applicable)
8.3 Advanced Rule Extensions
Rule extensions modify the attribute values of a data source as they flow into the metaverse. This section describes the rule extensions that have been developed and their uses.
* Note
To define the rule in the attribute flow, use the following format:
<Rule Extension Name>:<Datasource Attribute Name>-<Metaverse Attribute Name>

Rule Extension: nameFormat
Description: This rule extension changes the data to the correct Name format, i.e. the first letter in uppercase and the following letters in lowercase.
Note: Configurable in Attribute Inbound Flows

Rule Extension: ToLowerCase
Description: This rule extension transforms the data to lowercase.
Note: Configurable in Attribute Inbound Flows

Rule Extension: trimSip
Description: This rule extension removes the sip: suffix so that the NHS Portal API can process the value.
Note: Configurable in Attribute Inbound Flows

Rule Extension: trimWhiteSpace
Description: This rule extension removes white space from the data.
Note: Configurable in Attribute Inbound Flows

Rule Extension: reduceLengthTo64
Description: This rule extension truncates the data to 64 characters.
Note: Configurable in Attribute Inbound Flows
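The following is an added worked model of these five rule extensions and of the flow-rule syntax above; it is illustration code, not the NHS-supplied extension binaries, and the exact behaviour of each transform is an assumption drawn from the one-line descriptions. It also shows the caveat that AD attribute names can themselves contain a hyphen, which the rule syntax uses as its separator.

```python
# Added illustration of the section 8.3 rule extensions (not the NHS binaries);
# each transform's behaviour is inferred from the guide's one-line description.

def name_format(value):
    """nameFormat: first letter upper-case, the rest lower-case."""
    return value[:1].upper() + value[1:].lower()

def trim_sip(value):
    """trimSip: strip the 'sip:' scheme so the Portal API accepts the address."""
    return value[4:] if value.lower().startswith("sip:") else value

RULE_EXTENSIONS = {  # name as written in the flow rule -> transform
    "nameFormat": name_format,
    "ToLowerCase": str.lower,
    "trimSip": trim_sip,
    "trimWhiteSpace": lambda v: "".join(v.split()),  # drops all white space
    "reduceLengthTo64": lambda v: v[:64],
}

def parse_flow_rule(rule):
    """Split '<Rule Extension Name>:<Datasource Attribute>-<Metaverse Attribute>'.
    AD attribute names may contain '-' (e.g. msRTCSIP-PrimaryUserAddress), so the
    split is on the LAST hyphen; assumes metaverse attribute names contain none."""
    ext, colon, rest = rule.partition(":")
    src, dash, mv = rest.rpartition("-")
    if not (colon and dash and ext and src and mv) or ext not in RULE_EXTENSIONS:
        raise ValueError(f"malformed or unknown flow rule: {rule!r}")
    return ext, src, mv

def apply_inbound_flows(rules, source):
    """Build metaverse attributes from a connector-space record; attributes that
    are missing or empty in the source are skipped rather than flowed as ''."""
    metaverse = {}
    for rule in rules:
        ext, src, mv = parse_flow_rule(rule)
        if source.get(src):
            metaverse[mv] = RULE_EXTENSIONS[ext](source[src])
    return metaverse

# Constructed sample record and flow rules (not taken from the guide).
SAMPLE_SOURCE = {
    "givenName": "jOHN", "sn": "SMITH", "mail": "John.Smith@Example.nhs.uk",
    "msRTCSIP-PrimaryUserAddress": "sip:john.smith@example.nhs.uk",
    "telephoneNumber": "0113 123 4567", "description": "x" * 70,
}
SAMPLE_FLOWS = [
    "nameFormat:givenName-firstName", "nameFormat:sn-lastName",
    "ToLowerCase:mail-mail", "trimSip:msRTCSIP-PrimaryUserAddress-sipAddress",
    "trimWhiteSpace:telephoneNumber-telephoneNumber",
    "reduceLengthTo64:description-description",
]
```

Calling apply_inbound_flows(SAMPLE_FLOWS, SAMPLE_SOURCE) yields the metaverse record with every flow applied once; an unknown rule extension name is rejected rather than silently passing the value through unchanged.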
NHSmail Address Book Synchronisation Deployment Guide
Copyright © 2018 NHS Digital 66
8.4 Configuration of File Connector
Where writing directly to Active Directory is not possible, a FileConnector management agent is provided that writes the data downloaded from NHSmail into a file for further processing.
This section describes how to set up the FileConnector management agent.
* Note
This management agent produces the file “C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Data\Export.csv” on every Export. The file contains the NHSmail contact data.
The management agent cannot be used to provide TANSync with the organisation’s user data for writing back to NHSmail.
Steps:
1. Launch Synchronization Service Manager.
2. Select Management Agents.
3. Select Action.
4. Choose Import Management Agent.
5. Find and select the file TANSyncMA.xml and select Open.
6. Select Next.
7. Select Next.
8. Select Next.
9. Select Next.
10. Select Next.
11. Select Next.
12. Select Next.
13. Select Finish to complete.
14. Configure FileConnector for provisioning:
• Open the file C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions\TANSyncMA.cfg
• Add FileConnector to the ProvisionTo configuration item.
• Remove ADMA from the ProvisionTo configuration item (if provisioning to Active Directory is no longer required).
For example:
ProvisionTo: TANSyncMAWriteBack,FileConnector
8.5 Proxy Configuration
If you are using an outbound proxy for connecting to the Internet, add the following configuration to the file:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config
This text must be entered at the bottom of the file, immediately before the closing </configuration> element. If the file already contains a <system.net> section, add the <defaultProxy> element inside that existing section rather than adding a second <system.net> element, as duplicate sections make the .NET configuration invalid. Replace <PROXYADDRESS> and <PROXYPORT> with the organisation's proxy host and port.
  <system.net>
    <defaultProxy>
      <proxy
        usesystemdefault="true"
        proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>"
        bypassonlocal="true"
      />
    </defaultProxy>
  </system.net>
8.6 Common Issues
This section details the common issues which may occur when installing, configuring and running the TANSync solution.

Account permission issues
Description: Installation with an account that does not have sufficient permission.
Fix: The account needs local administrator privilege on the local machine to install TANSync, and the installation process needs to be run as Local Administrator.
Description: Unable to install TANSync when using an external SQL instance.
Fix: To use an existing SQL instance, the account needs the SA privilege on that SQL instance, and the existing SQL details must be entered during installation of the MIM Synchronization Service.

Schedule task account issues
Description: The scheduled task cannot run the synchronisation.
Fix: The scheduled task account needs the correct permissions and must be a member of the MIMSyncAdmins group to run the synchronisation.

Installation issues
Description: Installation of the MIM Synchronisation Service failed due to the missing .NET 3.5 framework.
Fix: Ensure you have installed the prerequisite .NET 3.5 framework.

Synchronisation issues
Description: Connection failures during synchronisation.
Fix: Ensure the service account password is correct; if it has expired, refresh the password and reconfigure the management agent that failed.
Description: Unable to run any synchronisation run profile on TANSyncMA or TANSyncMAWriteBack.
Fix: Ensure all files in C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions are unblocked.
Description: Exception when running synchronisation profiles on TANSyncMA or TANSyncMAWriteBack.
Fix: Ensure the MIM synchronisation service account has full permission to the log folders (specified during the configuration stages) and to all the files in them.