Synchronizing a Global Address List in an Exchange 2007 Environment
Microsoft Corporation
Published: February 2008
Author: Davanand Bahall
Editor: Femila Anilkumar
Abstract
Microsoft® Identity Lifecycle Manager 2007 (ILM 2007) FP1 provides a solution to synchronize the global address list (GAL) between two Active Directory forests in a Microsoft® Exchange Server 2007 Service Pack 1 (SP1) infrastructure. The goal of a GAL synchronization solution is to synchronize users, groups, and contacts from one forest with contact objects in another forest.
This document supports a preliminary release of a software
product that may be changed substantially prior to final commercial
release, and is the confidential and proprietary information of
Microsoft Corporation. It is disclosed pursuant to a non-disclosure
agreement between the recipient and Microsoft. This document is
provided for informational purposes only and Microsoft makes no
warranties, either express or implied, in this document.
Information in this document, including URL and other Internet Web
site references, is subject to change without notice. The entire
risk of the use or the results from the use of this document
remains with the user. Unless otherwise noted, the companies,
organizations, products, domain names, e-mail addresses, logos,
people, places, and events depicted in examples herein are
fictitious. No association with any real company, organization,
product, domain name, e-mail address, logo, person, place, or event
is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting
the rights under copyright, no part of this document may be
reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without
the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks,
copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents,
trademarks, copyrights, or other intellectual property.
© 2007 Microsoft Corporation. All rights reserved.
Active Directory, Microsoft, MS-DOS, Visual Studio, Windows, and
Windows NT are trademarks of the Microsoft group of
companies.
All other trademarks are property of their respective
owners.
Contents
Synchronizing a Global Address List in an Exchange 2007 Environment
What This Document Covers
Prerequisite Knowledge
Audience
Time Requirements
Scenario Description
Testing environment
Before You Begin
Accounts
Scripts in this document
Running the Scripts
Implementing the Procedures in this Document
Configure the Active Directory and Exchange Server 2007 environments in the Contoso forest
Configure the Active Directory and Exchange Server 2007 environments in the Fabrikam forest
Assign the appropriate permissions to the domain user account
Assign appropriate permissions to the domain user account
Configure the GAL synchronization management agent for the Contoso forest
Create Management page
Connect to Active Directory Forest page
Configure Directory Partitions page
Configure GAL
Target Container
Source Container
SMTP mail suffix(s)
Support for Exchange 2007
Select Object Types page
Select Attributes page
Configure Connector Filter page
Configure Join and Projection Rules page
Configure Attribute Flow page
Configure Deprovisioning page
Configure Extensions page
Configure the GAL synchronization management agent for the Fabrikam forest
Create Management page
Connect to Active Directory Forest page
Configure Directory Partitions page
Configure GAL
Target Container
Source Container
SMTP mail suffix(s)
Support for Exchange 2007
Select Object Types page
Select Attributes page
Configure Connector Filter page
Configure Join and Projection Rules page
Configure Attribute Flow page
Configure Deprovisioning page
Configure Extensions page
Enable Provisioning
Test the Configuration
Management Agent Run Profiles
Execute the Run Profiles
Full Import (Staging Only)
Full Synchronization
Export
Delta Import
Verify that the contacts from both the Contoso and Fabrikam forests were imported into the other's forest
Summary
Appendices
Appendix A: Script to Populate the Contoso Forest
Appendix B: Script to Populate the Fabrikam Forest
Synchronizing a Global Address List in an Exchange 2007
Environment
Microsoft® Identity Lifecycle Manager 2007 (ILM 2007) FP1 provides a solution to synchronize the global address list (GAL) between two Active Directory forests through a Microsoft® Exchange Server 2007 Service Pack 1 (SP1) infrastructure. The goal of a GAL synchronization solution is to synchronize users, groups, and contacts from one forest with contact objects in another forest.
What This Document Covers
This document outlines the necessary steps to implement a simple
GAL synchronization solution between two forests in an
Exchange 2007 environment. This document guides you to:
Populate the initial Active Directory and Exchange 2007 SP1 infrastructures for both forests using the scripts provided in the Appendix.
Assign the necessary permissions to the accounts used by the management agents for GAL synchronization.
Configure ILM 2007 FP1 to perform GAL synchronization between the two forests.
Verify that the contacts have successfully synchronized between the two forests.
Prerequisite Knowledge
This document assumes that you have a basic understanding of the
following information technology (IT) concepts and tasks:
Managing Active Directory
Managing Exchange Server 2007 SP1
Administering ILM 2007 FP1, including the concepts described in the Getting Started with MIIS 2003 Walkthrough (http://go.microsoft.com/fwlink/?LinkId=83357).
For an introduction to essential concepts, see the following
documents:
MIIS 2003 Overview
(http://go.microsoft.com/fwlink/?LinkId=30737).
Getting Started with MIIS 2003 Walkthrough (http://go.microsoft.com/fwlink/?LinkID=83357).
For a design overview of GAL synchronization, see Microsoft
Identity Integration Server 2003 Global Address List (GAL)
Synchronization (http://go.microsoft.com/fwlink/?LinkId=41449).
For a description of all MIIS 2003 documentation, see Microsoft
Identity Integration Server 2003 Documentation Roadmap
(http://go.microsoft.com/fwlink/?LinkID=82465).
Note
A description of how to set up ILM 2007 FP1, Active Directory, and Exchange Server 2007 is out of the scope of this document.
Audience
This guide is intended for IT planners, systems architects,
technology-decision makers, consultants, infrastructure planners,
and IT personnel who plan and develop solutions to synchronize
global address lists between two forests in an Exchange 2007
environment.
Time Requirements
The procedures in this document require 60 to 90 minutes for a
new user to complete. An experienced user can complete them in 30
to 40 minutes.
Scenario Description
Fabrikam and Contoso are two fictitious organizations that each have an Exchange 2007 infrastructure and would like to use the GAL synchronization feature in ILM 2007 FP1 to synchronize the global address lists between their two Active Directory forests.
Testing environment
The testing environment for this document consists of two
forests, Contoso (contoso.com) and Fabrikam (Fabrikam.com).
The following infrastructure is required for the Contoso
forest:
One Active Directory domain controller (DC1)
To simplify the testing environment for this guide, this server
also hosts the DNS server role for this forest as well as the DNS
zone for the Fabrikam (fabrikam.com) forest.
One server hosting Exchange Server 2007 SP1 (ConExch)
One server hosting ILM 2007 FP1 (ILMSrv1)
Important
ILM 2007 FP1 is required on this server for GAL synchronization to occur in an Exchange 2007 environment. Releases earlier than FP1 will not work for implementing the scenario outlined in this document.
This server requires the following software:
The following infrastructure is required for the Fabrikam
forest:
One Active Directory domain controller (DC2)
One server hosting Exchange Server 2007 SP1 (FabExch)
Before You Begin
Before you begin the procedures required for GAL
synchronization, you will need to create three accounts. These
accounts will run the MIISServer service, GAL synchronization
management agent, and the Identity Manager user interface.
In addition, to simplify administrative tasks such as populating
your Active Directory and Exchange Server 2007 SP1 environment, you
can use the scripts provided in the Appendix.
Accounts
To implement a GAL synchronization environment between the
Contoso and Fabrikam forests, you have to create the following
accounts.
A domain service account for the MIISServer service (miisrvc) - This service account has to be a domain account because the Exchange Management Tools, which are a requirement on the ILM 2007 FP1 server, must run under a domain account. The Exchange Management Tools run under the ILM 2007 FP1 service account credentials.
GAL synchronization domain user accounts (ilmgalsync) - You need
to create these accounts in both forests. They are used to run the
management agents for the Contoso and Fabrikam forests.
A domain or local user account to be given MIIS administrative
privileges (testact1) - This account must reside in the MIISAdmins
group. This account allows you to launch and perform the functions
required to configure ILM 2007 FP1 to perform GAL
synchronization using the user interface.
Scripts in this document
The following table shows the scripts that are included in the Appendix of this document.
Appendix                                                                    Description
Appendix A: Script to populate Active Directory and Exchange Server 2007 SP1 objects   This script populates the Contoso forest with the required Active Directory and Exchange Server 2007 SP1 objects.
Appendix B: Script to populate Active Directory and Exchange Server 2007 SP1 objects   This script populates the Fabrikam forest with the required Active Directory and Exchange Server 2007 SP1 objects.
Running the Scripts
The scripts in this document are designed to run locally on the computer that is hosting Exchange Server 2007 SP1. These scripts have to run under the credentials of a user who has rights to create objects in Active Directory as well as in Exchange Server 2007 SP1.
To run a script
1. From the Appendix, copy the script, and then paste it into a new Notepad file.
2. Save the Notepad file on the local drive of the computer hosting Exchange Server 2007 SP1 as a .ps1 file, for example c:\Appendix.ps1.
   Although the name of the file is irrelevant, it must have the .ps1 file name extension.
3. Open the Exchange Management Shell by clicking Start, All Programs, Microsoft Exchange Server 2007, and then choosing Exchange Management Shell from the list of options.
4. At the command prompt, change the directory to the location of the saved .ps1 file.
5. At the command prompt, type the name of the .ps1 file in the following format: ./filename.
6. Open the Active Directory Users and Computers and Exchange Management Console snap-ins to verify the results.
Implementing the Procedures in this Document
To implement the procedures in this document, you must complete the following steps in the following order:
1. Configure the Active Directory and Exchange Server 2007 environments in the Contoso forest
2. Configure the Active Directory and Exchange Server 2007 environments in the Fabrikam forest
3. Assign the appropriate permissions to the domain user account used for the GAL synchronization management agent in the Contoso forest
4. Assign the appropriate permissions to the domain user account used for the GAL synchronization management agent in the Fabrikam forest
5. Configure the GAL synchronization management agent for the Contoso forest
6. Configure the GAL synchronization management agent for the Fabrikam forest
7. Enable provisioning
8. Test the configuration
Configure the Active Directory and Exchange Server 2007
environments in the Contoso forest
GAL synchronization between Active Directory forests involves a
source forest and a target forest. Each forest uses organizational
units (OUs) created specifically for GAL synchronization. In the
source forest are organizational units for Users, Groups, and
Contacts that ILM 2007 FP1 uses to populate a specific
Contacts organizational unit in the target forest. All Active
Directory objects used to support GAL synchronization are stored in
these organizational units.
The following table lists the organizational units required by the Contoso forest.
Description                                Contoso Forest
Synchronization organizational unit        GALSynchronization
Source domain                              Contoso
  Contacts                                 Contacts
  Groups                                   Groups
    This OU will contain two universal mail-enabled distribution groups, ConGroup1 and ConGroup2.
    Members of ConGroup1 are ConUser1 and ConUser2.
    Members of ConGroup2 are ConUser3 and ConUser4.
  Users                                    Users
    This OU will contain four mail-enabled test users, ConUser1, ConUser2, ConUser3, and ConUser4. Each user will have a password of p@ssword1.
Target domain                              Fabrikam
  Organizational unit for target contacts  Contacts
    This organizational unit will receive the mail-enabled contacts from the Fabrikam forest.
The following illustration shows the Contoso Active Directory
Objects for this document.
If you choose to build your scenario using a different organizational structure, the lowest OU in the OU structure for each forest must still be named Contacts when you deploy the ILM 2007 FP1 GAL synchronization solution.
You can use the tools provided by Active Directory to create the
Contoso Active Directory environment for this document or you can
use the script in Appendix A to create the environment.
For more information about using the supplied scripts, see
Running the Scripts.
To create the required objects using Active Directory tools
For more information about using Active Directory tools, see
Active Directory Help
(http://go.microsoft.com/fwlink/?LinkID=49764).
To create the required objects using the script
1. In Appendix A, copy the script and paste it into a new Notepad file.
2. Save the Notepad file on the local drive of the machine hosting Exchange Server 2007 SP1 as a .ps1 file, for example, C:\AppendixA.ps1.
3. Open the Exchange Management Shell by clicking Start, All Programs, Microsoft Exchange Server 2007, and then choosing Exchange Management Shell from the list of options.
4. At the command prompt, change the directory to the location of the saved .ps1 file.
5. At the command prompt, type the name of the .ps1 file in the following format: ./filename.
6. Open the Active Directory Users and Computers and Exchange Management Console snap-ins to verify the results.
Configure the Active Directory and Exchange Server 2007
environments in the Fabrikam forest.
In this step, you create the Active Directory and Exchange Server 2007 environments in the Fabrikam forest. As stated in the "Configure the Active Directory and Exchange Server 2007 environments in the Contoso forest" step, GAL synchronization requires a source forest and a target forest. In this procedure, you configure the required Active Directory and Exchange Server 2007 environment for the Fabrikam forest.
The following table lists the organizational units required by the Fabrikam forest.
Description                                Fabrikam Forest
Synchronization organizational unit        GALSynchronization
Source domain                              Fabrikam
  Contacts                                 Contacts
    This OU will contain four contacts, FabContact1, FabContact2, FabContact3, and FabContact4.
  Groups                                   Groups
    This OU will contain two universal mail-enabled distribution groups, FabGroup1 and FabGroup2.
    Members of FabGroup1 are FabUser1 and FabUser2.
    Members of FabGroup2 are FabUser3 and FabUser4.
  Users                                    Users
    This OU will contain four mail-enabled test users, FabUser1, FabUser2, FabUser3, and FabUser4. Each user will have a password of p@ssword1.
Target domain                              Contoso
  Organizational unit for target contacts  Contacts
    This organizational unit will receive the mail-enabled contacts from the Contoso forest.
The following illustration shows the Fabrikam Active Directory
Objects for this document.
If you choose to build your scenario using a different
organizational structure, the lowest OU in the OU structure for
each forest must be named Contacts when you deploy the
ILM 2007 FP1 GAL synchronization solution.
You can use the tools provided by Active Directory to create the Fabrikam Active Directory environment for this document, or you can use the script in Appendix B to create the environment.
For more information about using the supplied scripts, see
Running the Scripts.
To create the required objects using Active Directory tools
For more information about using Active Directory tools, see
Active Directory Help
(http://go.microsoft.com/fwlink/?LinkID=49764).
To create the required objects using the script
1. In Appendix B, copy the script and paste it into a new Notepad file.
2. Save the Notepad file on the local drive of the machine hosting Exchange Server 2007 SP1 as a .ps1 file, for example, C:\AppendixB.ps1.
3. Open the Exchange Management Shell by clicking Start, All Programs, Microsoft Exchange Server 2007, and then choosing Exchange Management Shell from the list of options.
4. At the command prompt, change the directory to the location of the saved .ps1 file.
5. At the command prompt, type the name of the .ps1 file in the following format: ./filename.
6. Open the Active Directory Users and Computers and Exchange Management Console snap-ins to verify the results.
Assign the appropriate permissions to the domain user
account
The domain user account used by the GAL synchronization
management agent in the Contoso forest needs several permissions
granted to it in order for successful GAL synchronization to occur
between the source forest (Contoso) and the target forest
(Fabrikam).
The permissions this account must have are:
Replicate Directory Changes - When discovering objects in Active
Directory using the Active Directory GAL synchronization management
agent, the account that is specified for connecting to Active
Directory must have this permission granted to it on the domain
level, for example Contoso.com.
You can assign this permission by using the ACL editor in
Windows Server 2003.
To grant Replicate Directory Changes permissions by using the ACL editor
1. Open the Active Directory Users and Computers snap-in.
2. On the View menu, click Advanced Features.
3. Right-click the domain object, contoso.com, and then click Properties.
4. Click the Security tab. If the desired user account is not listed, click Add; if the desired user account is listed, proceed to step 7.
5. In the Select Users, Computers, or Groups dialog box, select the desired account, and then click Add.
6. Click OK to return to the Properties dialog box.
7. Click the desired user account.
8. Select the Replicate Directory Changes check box in the list.
   Ensure there is a check mark in the Allow column next to Replicate Directory Changes.
9. Click Apply, and then click OK.
10. Close the snap-in.
Write Permissions to the ProxyAddresses attribute in the source
container - This permission is required for the account used by GAL
synchronization to copy all legacyExchangeDN values for an object
from its various corresponding connector space objects and write
them to the proxyAddresses attribute.
To assign this permission you must use the Adsiedit support tool in Windows Server 2003.
To assign write permissions to the ProxyAddresses attribute in the source container
1. Install the Windows Server 2003 Support Tools. For more information about how to install the Windows Server 2003 Support Tools, see http://go.microsoft.com/fwlink/?LinkID=100114.
2. Run Adsiedit.msc as an administrator of the domain.
3. Expand the domain naming context node. This is the uppermost node that contains an object with the name DC=contoso,DC=com.
4. Expand the object DC=contoso,DC=com.
5. Under the object DC=contoso,DC=com, expand the OU=GalSynchronization object.
6. Right-click the OU=Contoso object, and then select Properties.
7. Click the Security tab.
8. Click the Advanced button.
9. Click the Add button and enter the name of the domain service account used for the GAL synchronization management agent.
10. Click OK.
11. Click the Properties tab.
12. From the Apply onto drop-down box, select Child objects only.
13. Scroll down the Permissions window, and select the box under Allow next to Write proxyAddresses.
14. Click OK.
15. Click Apply.
16. Click OK, and then click OK again to close the OU=Contoso Properties dialog box.
Full Control permission for all child objects of the target container - This permission is required on the target container because the service account used by the GAL synchronization management agent needs the ability to create, modify, and delete contacts in this container. Since this OU only contains the GAL information, it does not pose a significant security risk to allow the GAL synchronization service account Full Control of all the child objects in this container.
You can assign this permission by using the ACL editor in
Windows Server 2003.
To assign Full Control permissions for all child objects of the target container to the GAL synchronization service account
1. Open the Active Directory Users and Computers snap-in.
2. On the View menu, click Advanced Features.
3. Expand contoso.com.
4. Expand GalSynchronization, and right-click the target container, Fabrikam.
5. Click Properties, click the Security tab, and then click Advanced.
6. Click Add and type the name of the domain service account used for the GAL synchronization management agent.
7. Click OK.
8. In the Apply onto drop-down box, choose Child objects only.
9. Select the box next to Full Control under Allow.
10. Click OK, and then click Apply.
11. Click OK, and then click OK again.
12. Close the snap-in.
Add the domain service account used by the GAL synchronization management agent to the Exchange Recipient Administrators group - This allows the domain service account to modify the Exchange properties of an Active Directory user, contact, group, dynamic distribution group, or public folder object.
You can add the account by using the Active Directory Users and Computers snap-in.
To add the domain service account used by the GAL synchronization management agent to the Exchange Recipient Administrators group
1. Open the Active Directory Users and Computers snap-in.
2. On the View menu, click Advanced Features.
3. Expand contoso.com.
4. Expand Microsoft Exchange Security Groups.
5. Right-click the Exchange Recipient Administrators group.
6. Click Properties.
7. Click the Members tab.
8. Click Add and type the name of the domain service account used for the GAL synchronization management agent.
9. Click OK, and then click Apply.
10. Click OK.
11. Close the snap-in.
Assign appropriate permissions to the domain user account
The domain user account used by the GAL synchronization
management agent in the Fabrikam forest needs several permissions
granted to it in order for successful GAL synchronization to occur
between the source forest (Fabrikam) and the target forest
(Contoso).
The permissions this account must have are:
Replicate Directory Changes - When discovering objects in Active Directory using the Active Directory GAL synchronization management agent, the account that is specified for connecting to Active Directory must have this permission granted to it at the domain level, for example fabrikam.com.
You can assign this permission by using the ACL editor in
Windows Server 2003.
To grant Replicate Directory Changes permissions by using the ACL editor
1. Open the Active Directory Users and Computers snap-in.
2. On the View menu, click Advanced Features.
3. Right-click the domain object, fabrikam.com, and then click Properties.
4. Click the Security tab. If the desired user account is not listed, click Add; if the desired user account is listed, proceed to step 7.
5. In the Select Users, Computers, or Groups dialog box, select the desired account, and then click Add.
6. Click OK to return to the Properties dialog box.
7. Click the desired user account.
8. Select the Replicate Directory Changes check box in the list.
   Ensure there is a check mark in the Allow column next to Replicate Directory Changes.
9. Click Apply, and then click OK.
10. Close the snap-in.
Write Permissions to the ProxyAddresses attribute in the source
container - This permission is required for the account used by GAL
synchronization to copy all legacyExchangeDN values for an object
from its various corresponding connector space objects and write
them to the proxyAddresses attribute.
To assign this permission you must use the Adsiedit support tool in Windows Server 2003.
To assign write permissions to the ProxyAddresses attribute in the source container
1. Install the Windows Server 2003 Support Tools. For more information about how to install the Windows Server 2003 Support Tools, see http://go.microsoft.com/fwlink/?LinkID=100114.
2. Run Adsiedit.msc as an administrator of the domain.
3. Expand the domain naming context node. This is the uppermost node that contains an object with the name DC=fabrikam,DC=com.
4. Expand the object DC=fabrikam,DC=com.
5. Under the object DC=fabrikam,DC=com, expand the OU=GalSynchronization object.
6. Right-click the OU=Fabrikam object, and then select Properties.
7. Click the Security tab.
8. Click the Advanced button.
9. Click the Add button and enter the name of the domain service account used for the GAL synchronization management agent.
10. Click OK.
11. Click the Properties tab.
12. From the Apply onto drop-down box, select Child objects only.
13. Scroll down the Permissions window, and select the box under Allow next to Write proxyAddresses.
14. Click OK.
15. Click Apply.
16. Click OK, and then click OK again to close the OU=Fabrikam Properties dialog box.
Full Control permission for all child objects of the target container - This permission is required on the target container because the service account used by the GAL synchronization management agent needs the ability to create, modify, and delete contacts in this container. Since this OU only contains the GAL information, it does not pose a significant security risk to allow the GAL synchronization service account Full Control of all the child objects in this container.
You can assign this permission by using the ACL editor in Windows Server 2003.
To assign Full Control permissions for all child objects of the target container to the GAL synchronization service account
1. Open the Active Directory Users and Computers snap-in.
2. On the View menu, click Advanced Features.
3. Expand fabrikam.com.
4. Expand GalSynchronization, and right-click the target container, Contoso.
5. Click Properties, click the Security tab, and then click Advanced.
6. Click Add and type the name of the domain service account used for the GAL synchronization management agent.
7. Click OK.
8. In the Apply onto drop-down box, choose Child objects only.
9. Select the box next to Full Control under Allow.
10. Click OK, and then click Apply.
11. Click OK, and then click OK again.
12. Close the snap-in.
Add the domain service account used by the GAL synchronization management agent to the Exchange Recipient Administrators group - This allows the domain service account to modify the Exchange properties of an Active Directory user, contact, group, dynamic distribution group, or public folder object.
You can add the account by using the Active Directory Users and Computers snap-in.
To add the domain service account used by the GAL synchronization management agent to the Exchange Recipient Administrators group
1. Open the Active Directory Users and Computers snap-in.
2. On the View menu, click Advanced Features.
3. Expand fabrikam.com.
4. Expand Microsoft Exchange Security Groups.
5. Right-click the Exchange Recipient Administrators group.
6. Click Properties.
7. Click the Members tab.
8. Click Add and type the name of the domain service account used for the GAL synchronization management agent.
9. Click OK, and then click Apply.
10. Click OK.
11. Close the snap-in.
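The four grants made by hand in this section and in the Contoso section before it (Replicate Directory Changes on the domain, Write proxyAddresses on the source container's child objects, Full Control on the target container's child objects, and Exchange Recipient Administrators membership) can also be applied from a script, which is easier to review and repeat than a sequence of dialog boxes. The script below is an added example and not part of the document; it assumes the dsacls, dsquery, dsmod and dsget command-line tools are available (they ship with Windows Server 2003 Active Directory tools), and its defaults match the Contoso forest, with the Fabrikam values given in the comments.

```powershell
# Added example: script equivalent of the ACL editor and Adsiedit steps above.
# Defaults are for the Contoso forest. For the Fabrikam forest run it as:
#   ./Grant-GalSyncPermissions.ps1 -Domain fabrikam -DomainDn "DC=fabrikam,DC=com" `
#       -SourceOu Fabrikam -TargetOu Contoso
# Assumes dsacls.exe, dsquery.exe, dsmod.exe and dsget.exe are on the path.
param(
    [string]$Domain   = "contoso",            # NetBIOS domain name of the forest
    [string]$DomainDn = "DC=contoso,DC=com",
    [string]$SourceOu = "Contoso",            # container holding this forest's own objects
    [string]$TargetOu = "Fabrikam",           # container that receives the other forest's contacts
    [string]$Account  = "ilmgalsync"          # GAL synchronization management agent account
)

$user     = "$Domain\$Account"
$sourceDn = "OU=$SourceOu,OU=GALSynchronization,$DomainDn"
$targetDn = "OU=$TargetOu,OU=GALSynchronization,$DomainDn"

# Runs dsacls and stops on failure, so a missing OU or a typo in the account
# name does not silently leave one of the permissions unassigned.
function Invoke-Dsacls([string[]]$Arguments) {
    & dsacls.exe $Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed on: $Arguments" }
}

# 1. Replicate Directory Changes on the domain object. This is a control access
#    right, which dsacls expresses as CA;<right name>.
Invoke-Dsacls @($DomainDn, "/G", "${user}:CA;Replicating Directory Changes")

# 2. Write proxyAddresses on child objects only (/I:S) of the source container.
Invoke-Dsacls @($sourceDn, "/I:S", "/G", "${user}:WP;proxyAddresses")

# 3. Full Control (GA, generic all) on child objects only of the target container,
#    which holds nothing but the synchronized contacts.
Invoke-Dsacls @($targetDn, "/I:S", "/G", "${user}:GA")

# 4. Membership in Exchange Recipient Administrators. It is a universal group,
#    which "net group" cannot manage, so dsmod is used instead.
$userDn = (& dsquery.exe user -samid $Account | Select-Object -First 1)
if (-not $userDn) { throw "Account $Account not found in $DomainDn" }
$userDn  = $userDn.Trim('"')
$groupDn = "CN=Exchange Recipient Administrators,OU=Microsoft Exchange Security Groups,$DomainDn"
& dsmod.exe group $groupDn -addmbr $userDn | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsmod failed adding $userDn to $groupDn" }

# Check: print the ACEs that now name the account on each object and the group
# membership, so the result can be reviewed against the steps above.
foreach ($dn in $DomainDn, $sourceDn, $targetDn) {
    Write-Host "== ACEs for $user on $dn"
    & dsacls.exe $dn | Select-String -SimpleMatch $Account
}
Write-Host "== Members of Exchange Recipient Administrators matching $Account"
& dsget.exe group $groupDn -members | Select-String -SimpleMatch $userDn
```

The /I:S switch limits each ACE to child objects only, matching the "Child objects only" choice in the Adsiedit and ACL editor steps, so the service account gets no rights on the containers themselves.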
Configure the GAL synchronization management agent for the
Contoso forest.
In the procedures below, you will create the management agent
for GAL synchronization to occur between the Contoso and Fabrikam
forests.
You will first create the management agent for the Contoso
forest.
To create the management agent for the Contoso forest
1. Open Identity Manager.
2. Switch to the Management Agents view.
3. On the Actions menu, click Create to start the Create Management Agent wizard.
4. Specify the required parameters for each page, and then click Next.
   The instructions for each page are provided as separate procedures below.
5. Click Finish to create the management agent.
Create Management page
On this page, you select the management agent for GAL
synchronization you want to create, and then name it
accordingly.
To complete the Create Management Agent page
1. In the Management agents for list, select Active Directory global address list (GAL).
2. In the Name box, type ContosoGALMA, and then click Next.
Connect to Active Directory Forest page
On this page, you enter the name of your Active Directory forest
and provide the data for the domain GAL synchronization service
account that this management agent uses to connect to that
forest.
To complete the Connect to Active Directory Forest page
1. In the Forest name box, type contoso.com.
2. In the User name box, type ilmgalsync.
   This is the domain service account you created and granted the necessary permissions to enable the GAL synchronization management agent to synchronize contacts between forests. If you gave the account a different name, enter that name instead.
3. In the Password box, type the password you assigned to this account.
4. Next to Configure Connection Options, click the Options button.
5. Clear the Sign and Encrypt LDAP traffic check box to deselect this option.
6. In the Domain box, type contoso, and then click Next.
Configure Directory Partitions page
On this page, you select your directory partitions and the
container (organizational unit) that contains the Active Directory
objects that the management agent uses for GAL synchronization.
To complete the Configure Directory Partitions page
1. In the Select directory partitions box, select the check box next to DC=contoso,DC=com.
2. Click Containers to open the Select Containers dialog box.
3. In the Select Containers dialog box, verify that only GalSynchronization is selected.
   This also selects the Fabrikam and Contoso organizational units used for GAL synchronization.
4. To close the Select Containers dialog box, click OK.
5. Click Next.
Configure GAL
On this page, you will configure the containers and Exchange
2007 settings for the GAL synchronization management agent.
The configuration consists of:
Specifying the Target container
Specifying the Source container
Specifying the SMTP mail suffix(s)
Enabling support for Exchange 2007
Target Container
Based on the testing environment in this walkthrough, GAL synchronization takes place between the Contoso and Fabrikam forests. Inside the Fabrikam container is another container named Contacts. This container, which is the Target container, will store the contacts imported from the Fabrikam forest.
Source Container
The Source container contains the contacts that will be
synchronized to the Fabrikam forest. The source container for
contacts in this scenario is the Contacts container located under
the Contoso container.
SMTP mail suffix(s)
The SMTP mail suffix(s) for mail-enabled objects in the Contoso forest need to be provided to the GAL synchronization management agent.
Support for Exchange 2007
You will configure the GAL synchronization management agent to
support synchronizing contacts between Active Directory forests
with Exchange 2007 environments. Selecting this option is critical
for the scenario outlined in this document because this scenario
uses an Exchange 2007 environment. If this option is not selected,
GAL synchronization between the two forests will fail.
To complete the Configure GAL page
1.Under GAL container configuration, click Target….
2.In the drop down box next to Select a partition ensure
DC=contoso,DC=com is selected.
3.Click Containers.
4.In the Select Containers dialog box, expand the
GalSynchronization container, expand the Fabrikam container, and
then select the Contacts container.
5.Click OK, and then click OK again to exit the Target Container
dialog box.
6.Click Source….
7.In the drop down box next to Select a partition ensure
DC=contoso,DC=com is selected.
8.Click Add Containers.
9.Expand the GALSynchronization container, expand the Contoso
container and then select the Contacts container.
10.Click OK.
11.Click OK to exit the Source Containers dialog box.
12.Under Exchange configuration, next to Specify the SMTP mail
suffix(s) for mailbox and mail enabled user, group and contact
objects in this forest:, click Edit.
13.In the Edit SMTP Mail Suffix dialog box under Mail Suffix,
type in @contoso.com.
14.Click Add, and then click OK to exit this dialog box.
15.Under Exchange configuration, click the check box located
next to Support cross forest delegation (Exchange 2007 only).
16.Click Next.
Select Object Types page
On this page, you verify that the object types required for GAL
synchronization are selected. By default, the correct object types
are pre-selected.
To complete the Select Object Types page
Click Next.
Select Attributes page
On this page, you verify that the correct attributes required
for GAL synchronization are selected. By default, the correct
attributes are pre-selected.
To complete the Select Attributes page
Click Next.
Configure Connector Filter page
On this page, rules extensions are specified to be used by the
GAL Synchronization management agent to manage the connector filter
properties on several objects in Active Directory. By default, the
correct objects are configured to use these rules extensions.
To complete the Configure Connector Filter page
1.Under Data Source Object Type, ensure that contact, group,
msExchDynamicDistributionList, and user are configured to use Rules
extension under Filter Type.
2.Click Next.
Configure Join and Projection Rules page
On this page, join and projection rules are specified for
several objects in Active Directory. By default, the correct
objects are preconfigured for join and projection rules.
To complete the Configure Join and Projection Rules page
Click Next.
Configure Attribute Flow page
On this page, five attribute flow mappings are defined for use
by GAL synchronization. By default, the attribute flows required
for GAL synchronization are preconfigured.
To complete the Configure Attribute Flow page
Click Next.
Configure Deprovisioning page
On this page, deprovisioning is defined by using a rules
extension. By default, this option is preconfigured.
To complete the Configure Deprovisioning page
1.Under Deprovisioning Options, ensure Determine with a rules
extension is selected.
2.Click Next.
Configure Extensions page
On this page, a rules extension is defined to regulate the
behavior of the GAL synchronization management agent.
To complete the Configure Extensions page
1.Under Configure rules extension for this management agent,
ensure GALSync.dll is specified.
2.Under Configure partition display name(s), ensure Enable
Exchange 2007 provisioning is selected.
3.Click Finish.
Configure the GAL synchronization management agent for the
Fabrikam forest
In the procedures below, you will create the management agent
for GAL synchronization to occur between the Contoso and Fabrikam
forests.
The procedures below will walk you through creating the management
agent for the Fabrikam forest.
To create the management agent for the Fabrikam forest
1.Open Identity Manager.
2.Switch to the Management Agents view.
3.On the Actions menu, click Create to start the Create
Management Agent wizard.
4.Specify the required parameters for each page, and then click
Next.
The instructions for each page are provided as separate
procedures below.
5.Click Finish to create the management agent.
Create Management Agent page
On this page, you select the management agent for GAL
synchronization you want to create, and then name it
accordingly.
To complete the Create Management Agent page
1.In the Management agents for list, select Active Directory
global address list (GAL).
2.In the Name box, type FabrikamGALMA, and then click Next.
Connect to Active Directory Forest page
On this page, you enter the name of your Active Directory forest
and provide the data for the domain GAL synchronization service
account that this management agent uses to connect to that
forest.
To complete the Connect to Active Directory Forest page
1.In the Forest name box, type fabrikam.com.
2.In the User name box, type ilmgalsync.
This is the domain service account you created and granted the
necessary permissions to enable the GAL synchronization management
agent to perform the task of synchronizing contacts between
forests. If you named the account another name, enter it in the
input box.
3.In the Password box, type the password you assigned to this
account.
4.Next to Configure Connection Options, click the Options
button.
5.Click the check box next to Sign and Encrypt LDAP traffic to
deselect this option.
6.In the Domain box, type contoso, and then click Next.
Configure Directory Partitions page
On this page, you select your directory partitions and the
container (organizational unit) that contains the Active Directory
objects that the management agent uses for GAL synchronization.
To complete the Configure Directory Partitions page
1.In the Select directory partitions box, select the check box
next to DC=fabrikam,DC=com.
2.Click Containers to open the Select Containers dialog box.
3.In the Select Containers dialog box, verify that only
GalSynchronization is selected.
This also selects the Fabrikam and Contoso organizational units
used for GAL synchronization.
4.To close the Select Containers dialog box, click OK.
5.Click Next.
Configure GAL
On this page, you will configure the containers and Exchange
2007 settings for the GAL synchronization management agent.
The configuration consists of:
Specifying the Target container
Specifying the Source container
Specifying the SMTP mail suffix(s)
Enabling support for Exchange 2007
Target Container
Based on the testing environment in this walkthrough, GAL
synchronization will take place between the Contoso and Fabrikam
forests. Inside the Contoso container is another container named
Contacts. This container, which is the Target container, will store
the contacts imported from the Contoso forest.
Source Container
The Source container contains the contacts that will be
synchronized to the Contoso forest. The source container for
contacts in this scenario is the Contacts container located under
the Fabrikam container.
SMTP mail suffix(s)
The SMTP mail suffix(s) for mail enabled objects in the Fabrikam
forest needs to be provided for the GAL synchronization management
agent.
Support for Exchange 2007
You will configure the GAL synchronization management agent to
support synchronizing contacts between Active Directory forests
with Exchange 2007 environments. Selecting this option is critical
for the scenario outlined in this document because this scenario
uses an Exchange 2007 environment. If this option is not selected,
GAL synchronization between the two forests will fail.
To complete the Configure GAL page
1.Under GAL container configuration, click Target….
2.In the drop down box next to Select a partition ensure
DC=fabrikam,DC=com is selected.
3.Click Containers.
4.In the Select Containers dialog box, expand the
GalSynchronization container, expand the Contoso container, and
then select the Contacts container.
5.Click OK, and then click OK again to exit the Target Container
dialog box.
6.Click Source….
7.In the drop down box next to Select a partition ensure
DC=fabrikam,DC=com is selected.
8.Click Add Containers.
9.Expand the GALSynchronization container, expand the Fabrikam
container and then select the Contacts container.
10.Click OK.
11.Click OK to exit the Source Containers dialog box.
12.Under Exchange configuration, next to Specify the SMTP mail
suffix(s) for mailbox and mail enabled user, group and contact
objects in this forest:, click Edit.
13.In the Edit SMTP Mail Suffix dialog box under Mail Suffix,
type in @fabrikam.com.
14.Click Add, and then click OK to exit this dialog box.
15.Under Exchange configuration, click the check box located
next to Support cross forest delegation (Exchange 2007 only).
16.Click Next.
Select Object Types page
On this page, you verify that the object types required for GAL
synchronization are selected. By default, the correct object types
are pre-selected.
To complete the Select Object Types page
Click Next.
Select Attributes page
On this page, you verify that the correct attributes required
for GAL synchronization are selected. By default, the correct
attributes are pre-selected.
To complete the Select Attributes page
Click Next.
Configure Connector Filter page
On this page, rules extensions are specified to be used by the
GAL Synchronization management agent to manage the connector filter
properties on several objects in Active Directory. By default, the
correct objects are configured to use these rules extensions.
To complete the Configure Connector Filter page
Click Next.
Configure Join and Projection Rules page
On this page, join and projection rules are specified for
several objects in Active Directory. By default, the correct
objects are preconfigured for join and projection rules.
To complete the Configure Join and Projection Rules page
Click Next.
Configure Attribute Flow page
On this page, five attribute flow mappings are defined for use
by GAL synchronization. By default, the attribute flows required
for GAL synchronization are preconfigured.
To complete the Configure Attribute Flow page
Click Next.
Configure Deprovisioning page
On this page, deprovisioning is defined by using a rules
extension. By default, this option is preconfigured.
To complete the Configure Deprovisioning page
1.Under Deprovisioning Options, ensure Determine with a rules
extension is selected.
2.Click Next.
Configure Extensions page
On this page, a rules extension is defined to regulate the
behavior of the GAL synchronization management agent.
To complete the Configure Extensions page
1.Under Configure rules extension for this management agent,
ensure GALSync.dll is specified.
2.Under Configure partition display name(s), ensure Enable
Exchange 2007 provisioning is selected.
3.Click Finish.
Enable Provisioning
For the GAL synchronization management agent to function
properly, you must enable provisioning.
To enable provisioning
1.Open Identity Manager.
2.From the Tools menu, click Options.
3.Under Metaverse Rules Extensions, ensure that the Enable
metaverse rules extensions check box is selected.
4.In the box located next to Rules extension name, ensure
GALSync.dll is present.
5.Select the check box next to Enable Provisioning Rules
Extensions to enable provisioning rules extension to be used with
the GAL synchronization management agent.
6.Click OK.
Test the Configuration
After enabling provisioning on the ILM 2007 server, you are
now ready to test the GAL synchronization configuration. To test
the configuration, you will:
1.Execute several preconfigured management agent run
profiles
2.Verify that the contacts from the Contoso and Fabrikam forests
were imported into the other's forest
Management Agent Run Profiles
Run profiles are created when you create the ContosoGALMA and
the FabrikamGALMA. The following table lists and describes the
eight run profiles that are created automatically.
Run Profile: Description
Delta Import: All changed data flows from the Active Directory data
source to the connector space and metaverse.
Delta Import (Stage Only): All changed data flows from the Active
Directory data source to the ILM 2007 connector space and is staged
for inbound synchronization with the metaverse.
Delta Synchronization: After changed data source data is staged,
changed data flows from the ILM 2007 connector space to the
metaverse during inbound synchronization and from the metaverse to
the connector space during outbound synchronization.
Export: All data staged for export flows from the ILM 2007 connector
space to the Active Directory data source.
Full Import: All specified data flows from the Active Directory data
source to the ILM 2007 connector space and metaverse.
Full Import (Stage Only): All specified data flows from the Active
Directory data source to the ILM 2007 connector space and is staged
for inbound synchronization with the metaverse.
Full Import and Full Synchronization: All specified data flows from
the Active Directory data source to the ILM 2007 connector space and
then to the metaverse during inbound synchronization. During
outbound synchronization the data flows from the metaverse to the
connector space.
Full Synchronization: Any staged data flows from the ILM 2007
connector space during outbound synchronization.
Execute the Run Profiles
In the procedures below, you will execute the run profiles for
the ContosoGALMA management agent and the FabrikamGALMA management
agent in the following order:
1.Full Import (Staging Only)
2.Full Synchronization
3.Export
4.Delta Import
Full Import (Staging Only)
In this procedure, you will run the full import (staging only)
run profile for the ContosoGALMA and FabrikamGALMA management
agents. These procedures create the objects necessary for GAL
synchronization in the connector space for both management
agents.
To run the Full Import (Staging Only) run profile for the
ContosoGALMA
1.Open Identity Manager.
2.Switch to the Management Agents view, and then click
ContosoGALMA.
3.From the Actions menu, click Run.
4.In Run Management Agent, in Run Profiles, click Full Import
(Stage Only).
5.Click OK.
In the Synchronization Statistics box, you should see 18 Adds.
This represents the eight OUs (forest, GalSynchronization, Contoso,
Contoso Contacts, Fabrikam, Fabrikam Contacts, Users, and Groups)
and the 10 user, group, and contact objects.
To run the Full Import (Staging Only) run profile for the
FabrikamGALMA
1.Open Identity Manager.
2.Switch to the Management Agents view and then click
FabrikamGALMA.
3.From the Actions menu, click Run.
4.In Run Management Agent, in Run Profiles, click Full Import
(Stage Only).
5.Click OK.
In the Synchronization Statistics box, you should see 18 Adds.
This represents the eight OUs (forest, GalSynchronization,
Fabrikam, Fabrikam Contacts, Contoso, Contoso Contacts, Users, and
Groups) and the 10 user, group, and contact objects.
Full Synchronization
In this procedure, you will run the Full Synchronization run
profile for the ContosoGALMA and FabrikamGALMA management agents.
This processes the join and projection rules. All objects will be
created in the metaverse and linked to their corresponding
connector space objects. Export attribute flow rules will also
prepare any objects that are to be exported. The contact
information for the Contoso forest will be flagged for export to
the Fabrikam forest, and the Fabrikam forest contact information
will be flagged for export to the Contoso forest.
To run the Full Synchronization run profile for the
ContosoGALMA
1.Open Identity Manager.
2.Switch to the Management Agents view and then click
ContosoGALMA.
3.From the Actions menu, click Run.
4.In Run Management Agent, in Run Profiles, click Full
Synchronization.
5.Click OK.
In the Synchronization Statistics box, you should see 10
Projections and 10 Connectors with Flow Updates. These are the new
metaverse objects used to store the Contoso data.
To run the Full Synchronization run profile for the
FabrikamGALMA
1.Open Identity Manager.
2.Switch to the Management Agents view and then click
FabrikamGALMA.
3.From the Actions menu, click Run.
4.In Run Management Agent, in Run Profiles, click Full
Synchronization.
5.Click OK.
In the Synchronization Statistics box, you should see 10
Projections and 10 Connectors with Flow Updates. These are the new
metaverse objects used to store the Contoso data.
Export
In this procedure, you will execute the Export run profile for
the ContosoGALMA and FabrikamGALMA management agents. Performing
these procedures causes the Contoso contact objects staged during
the Full Synchronization run to be exported to the Fabrikam forest
and the staged Fabrikam contact objects will be exported to the
Contoso forest.
To run the Export run profile for the ContosoGALMA
1.Open Identity Manager.
2.Switch to the Management Agents view and then click
ContosoGALMA.
3.From the Actions menu, click Run.
4.In Run Management Agent, in Run Profiles, click Export.
5.Click OK.
In the Synchronization Statistics box, you should see 10 Adds.
This indicates that the 10 objects from the Fabrikam forest have
been exported to the Contoso forest.
To run the Export run profile for the FabrikamGALMA
1.Open Identity Manager.
2.Switch to the Management Agents view and then click
FabrikamGALMA.
3.From the Actions menu, click Run.
4.In Run Management Agent, in Run Profiles, click Export.
5.Click OK.
In the Synchronization Statistics box, you should see 10 Adds.
This indicates that the 10 objects from the Contoso forest have
been exported to the Fabrikam forest.
Delta Import
In this procedure, you will run the Delta Import run profile for
the ContosoGALMA and FabrikamGALMA management agents. Executing
this run profile on both of the forests reports to ILM 2007
that the objects were successfully exported to the connected
directories.
To run the Delta Import run profile for the ContosoGALMA
1.Open Identity Manager.
2.Switch to the Management Agents view and then click
ContosoGALMA.
3.From the Actions menu, click Run.
4.In Run Management Agent, in Run Profiles, click Delta
Import.
5.Click OK.
In the Synchronization Statistics box, you should see 10 Adds.
This verifies to ILM 2007 that the export of the 10 objects to
Active Directory were successful.
To run the Delta Import run profile for the FabrikamGALMA
1.Open Identity Manager.
2.Switch to the Management Agents view and then click
FabrikamGALMA.
3.From the Actions menu, click Run.
4.In Run Management Agent, in Run Profiles, click Delta
Import.
5.Click OK.
In the Synchronization Statistics box, you should see 10 Adds.
This verifies to ILM 2007 that the export of the 10 objects to
Active Directory were successful.
Subsequent Management Agent Operations
Use the run profile sequence as stated above the first time you
run the management agents after creating them. Running the run
profiles in that order is necessary to properly populate the
metaverse and connector space. After you have completed these run
profile steps for both management agents once, you need to run the
run profiles in a different order for all subsequent management
agent operations.
For all subsequent management agent operations, use the run
profiles in the following order:
1.Delta Import (Staging Only)
2.Delta Synchronization
3.Export
4.Delta Import
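The two run profile sequences above, driven from a script instead of the Identity Manager console. This is an added example and not part of the original document; it assumes the ILM 2007 WMI provider in the root\MicrosoftIdentityIntegrationServer namespace (the MIIS_ManagementAgent class and its Execute method), that the script runs on the ILM 2007 server as a member of the MIISAdmins group, and that the management agent and run profile names match those created in this walkthrough.

```powershell
# Added example: runs the initial and subsequent run profile sequences
# from this walkthrough on both management agents, profile by profile,
# and stops at the first run that does not report "success".
# Assumed: ILM 2007 WMI provider (root\MicrosoftIdentityIntegrationServer,
# class MIIS_ManagementAgent), run on the ILM server as an MIISAdmins member.

$Namespace = "root\MicrosoftIdentityIntegrationServer"

# First run after creating the management agents. Names must match the
# run profile names ILM created (the wizard names it "Full Import (Stage Only)").
$InitialSequence = @(
    "Full Import (Stage Only)",
    "Full Synchronization",
    "Export",
    "Delta Import"
)

# Order for every later run, as stated in the walkthrough.
$SubsequentSequence = @(
    "Delta Import (Stage Only)",
    "Delta Synchronization",
    "Export",
    "Delta Import"
)

function Invoke-GalSyncRunProfile {
    param(
        [Parameter(Mandatory = $true)][string]$MaName,
        [Parameter(Mandatory = $true)][string]$RunProfile
    )
    $ma = Get-WmiObject -Namespace $Namespace -Class MIIS_ManagementAgent `
        -Filter "Name='$MaName'"
    if ($ma -eq $null) { throw "Management agent '$MaName' not found." }

    Write-Host ("{0}: running '{1}' ..." -f $MaName, $RunProfile)
    # Execute blocks until the run finishes; ReturnValue is the run result
    # string ("success", or a stopped-* / completed-*-errors value).
    $status = $ma.Execute($RunProfile).ReturnValue
    Write-Host ("{0}: '{1}' finished with status '{2}'" -f $MaName, $RunProfile, $status)
    if ($status -ne "success") {
        $msg = "Run profile '{0}' on {1} returned '{2}'; inspect the run history in Identity Manager before continuing." -f $RunProfile, $MaName, $status
        throw $msg
    }
}

function Invoke-GalSyncSequence {
    param(
        [Parameter(Mandatory = $true)][string[]]$Sequence,
        [string[]]$MaNames = @("ContosoGALMA", "FabrikamGALMA")
    )
    # The walkthrough runs each profile on both agents before moving on to
    # the next profile, so the loop is profile-major, agent-minor.
    foreach ($profile in $Sequence) {
        foreach ($maName in $MaNames) {
            Invoke-GalSyncRunProfile -MaName $maName -RunProfile $profile
        }
    }
}

# First run after creating the agents:
Invoke-GalSyncSequence -Sequence $InitialSequence
# Every later run:
# Invoke-GalSyncSequence -Sequence $SubsequentSequence
```

Because Execute returns the run result, a failed Export or a sync run that stops on errors halts the script before the next profile can export partially synchronized data.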
Verify that the contacts from both the Contoso and Fabrikam
forests were imported into the other's forest
In this procedure, you will verify that the synchronized
contacts from the Contoso forest were imported into the Fabrikam
forest and the contacts from the Fabrikam forest were successfully
imported into the Contoso forest.
To verify synchronized contacts in the Contoso forest
1.Open Active Directory Users and Computers.
2.Expand the GALSynchronization organizational unit, and then
expand the Fabrikam organizational unit.
3.Click Contacts.
Verify that the 10 new contacts now exist in this organizational
unit.
To verify synchronized contacts in the Fabrikam forest
1.Open Active Directory Users and Computers.
2.Expand the GALSynchronization organizational unit, and then
expand the Contoso organizational unit.
3.Click Contacts.
Verify that the 10 new contacts now exist in this organizational
unit.
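The same verification performed with an LDAP query rather than by browsing in Active Directory Users and Computers. This is an added example, not part of the original document; it assumes it runs on a domain-joined machine in the forest being checked, that the OU path and count follow this walkthrough (10 contacts), and that the exported contacts are mail-enabled with a mail and targetAddress attribute.

```powershell
# Added example: counts the contact objects GAL synchronization exported
# into a target OU and reports which of them lack mail or targetAddress.
# Assumed: run in the forest being checked; OU path, expected count and
# source suffix are the walkthrough's values and are passed as parameters.

function Get-FirstValue {
    # First value of an LDAP attribute on a SearchResult, or $null if absent
    param($SearchResult, [string]$Attribute)
    $values = $SearchResult.Properties[$Attribute]
    if ($values -ne $null -and $values.Count -gt 0) { return $values[0] }
    return $null
}

function Test-GalSyncContacts {
    param(
        [Parameter(Mandatory = $true)][string]$TargetOuPath,
        [Parameter(Mandatory = $true)][string]$SourceSuffix,
        [int]$ExpectedCount = 10
    )
    $ou = New-Object System.DirectoryServices.DirectoryEntry($TargetOuPath)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($ou)
    $searcher.Filter = "(objectClass=contact)"
    $searcher.SearchScope = "OneLevel"      # only contacts directly in this OU
    [void]$searcher.PropertiesToLoad.AddRange(@("cn", "mail", "targetaddress"))
    $results = $searcher.FindAll()

    $missingMail = @(); $missingTarget = @(); $otherSuffix = @()
    foreach ($r in $results) {
        $cn     = Get-FirstValue $r "cn"
        $mail   = Get-FirstValue $r "mail"
        $target = Get-FirstValue $r "targetaddress"
        if (-not $mail) { $missingMail += $cn }
        elseif (-not $mail.ToLower().EndsWith($SourceSuffix.ToLower())) {
            # Informational only: contacts that represent mail contacts in the
            # source forest carry that contact's external address.
            $otherSuffix += $cn
        }
        if (-not $target) { $missingTarget += $cn }
    }
    $summary = New-Object PSObject -Property @{
        ContactCount         = $results.Count
        ExpectedCount        = $ExpectedCount
        MissingMail          = $missingMail
        MissingTargetAddress = $missingTarget
        OtherSuffix          = $otherSuffix
        Passed               = ($results.Count -eq $ExpectedCount -and
                                $missingMail.Count -eq 0 -and
                                $missingTarget.Count -eq 0)
    }
    $results.Dispose()
    return $summary
}

# Contoso forest: the Fabrikam objects land in OU=Contacts,OU=Fabrikam.
# For the Fabrikam forest, swap the OU and domain components and use "@contoso.com".
$report = Test-GalSyncContacts `
    -TargetOuPath "LDAP://OU=Contacts,OU=Fabrikam,OU=GalSynchronization,DC=contoso,DC=com" `
    -SourceSuffix "@fabrikam.com"
$report | Format-List
if (-not $report.Passed) { Write-Warning "GAL synchronization verification failed." }
```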
Summary
In this document, you performed the necessary steps to implement
a GAL synchronization solution between two forests. This document
outlined the necessary permissions for the accounts used for GAL
synchronization, the proper organizational units that you need to
construct, configuration of the management agents to ensure
synchronization occurs, as well as the necessary order to execute the
run profiles to ensure that the data is synchronized across the
forests. As a next step, expand this concept by adding additional
forests to this scenario and having the contacts synchronized
between all the participating forests.
Appendices
Appendix A: Script to Populate the Contoso Forest
# Create the OU structure directly under the domain root of the Contoso forest
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objOU = $objDomain.Create("organizationalUnit", "ou=GalSynchronization")
$objOU.SetInfo()
$objOU1 = $objOU.Create("organizationalUnit", "ou=Contoso")
$objOU1.SetInfo()
$objOU2 = $objOU1.Create("organizationalUnit", "ou=Users")
$objOU2.SetInfo()
$objOU3 = $objOU1.Create("organizationalUnit", "ou=Contacts")
$objOU3.SetInfo()
$objOU4 = $objOU1.Create("organizationalUnit", "ou=Groups")
$objOU4.SetInfo()
$objOU5 = $objOU.Create("organizationalUnit", "ou=Fabrikam")
$objOU5.SetInfo()
$objOU6 = $objOU5.Create("organizationalUnit", "ou=Contacts")
$objOU6.SetInfo()

# Create four mailbox-enabled users and four mail contacts
# (e-mail addresses appear as "[email protected]" in the source document)
$password = ConvertTo-SecureString "p@ssword1" -AsPlainText -Force
1..4 | ForEach-Object {
    New-Mailbox -Database "First Storage Group\Mailbox Database" `
        -Name "ConUser$_" `
        -Alias "ConUser$_" `
        -OrganizationalUnit "OU=Users,OU=Contoso,OU=GalSynchronization,DC=Contoso,DC=com" `
        -Password $password `
        -UserPrincipalName "[email protected]" `
        -DisplayName "ConUser$_" `
        -SamAccountName "ConUser$_"
    # Create contacts
    New-MailContact `
        -OrganizationalUnit "OU=Contacts,OU=Contoso,OU=GalSynchronization,DC=Contoso,DC=com" `
        -Alias "ConContact$_" `
        -Name "ConContact$_" `
        -ExternalEmailAddress "[email protected]"
}

# Create two mail-enabled universal distribution groups
1..2 | ForEach-Object {
    New-DistributionGroup `
        -Alias "ConGroup$_" `
        -SamAccountName "ConGroup$_" `
        -Name "ConGroup$_" `
        -Type Distribution `
        -OrganizationalUnit "ou=Groups,ou=Contoso,ou=GalSynchronization,dc=contoso,dc=com"
}

# Add members to the distribution groups
"ConUser1", "ConUser2" | ForEach-Object { Add-DistributionGroupMember -Identity "ConGroup1" -Member $_ }
"ConUser3", "ConUser4" | ForEach-Object { Add-DistributionGroupMember -Identity "ConGroup2" -Member $_ }

# Echo results
Write-Output "The proper Active Directory and Exchange environment has been created."
Appendix B: Script to Populate the Fabrikam Forest
# Create the OU structure directly under the domain root of the Fabrikam forest
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objOU = $objDomain.Create("organizationalUnit", "ou=GalSynchronization")
$objOU.SetInfo()
$objOU1 = $objOU.Create("organizationalUnit", "ou=Fabrikam")
$objOU1.SetInfo()
$objOU2 = $objOU1.Create("organizationalUnit", "ou=Users")
$objOU2.SetInfo()
$objOU3 = $objOU1.Create("organizationalUnit", "ou=Contacts")
$objOU3.SetInfo()
$objOU4 = $objOU1.Create("organizationalUnit", "ou=Groups")
$objOU4.SetInfo()
$objOU5 = $objOU.Create("organizationalUnit", "ou=Contoso")
$objOU5.SetInfo()
$objOU6 = $objOU5.Create("organizationalUnit", "ou=Contacts")
$objOU6.SetInfo()

# Create four mailbox-enabled users and four mail contacts
# (e-mail addresses appear as "[email protected]" in the source document)
$password = ConvertTo-SecureString "p@ssword1" -AsPlainText -Force
1..4 | ForEach-Object {
    New-Mailbox -Database "First Storage Group\Mailbox Database" `
        -Name "FabUser$_" `
        -Alias "FabUser$_" `
        -OrganizationalUnit "OU=Users,OU=Fabrikam,OU=GalSynchronization,DC=Fabrikam,DC=com" `
        -Password $password `
        -UserPrincipalName "[email protected]" `
        -DisplayName "FabUser$_" `
        -SamAccountName "FabUser$_"
    # Create contacts
    New-MailContact `
        -OrganizationalUnit "OU=Contacts,OU=Fabrikam,OU=GalSynchronization,DC=Fabrikam,DC=com" `
        -Alias "FabContact$_" `
        -Name "FabContact$_" `
        -ExternalEmailAddress "[email protected]"
}

# Create two mail-enabled universal distribution groups
1..2 | ForEach-Object {
    New-DistributionGroup `
        -Alias "FabGroup$_" `
        -SamAccountName "FabGroup$_" `
        -Name "FabGroup$_" `
        -Type Distribution `
        -OrganizationalUnit "ou=Groups,ou=Fabrikam,ou=GalSynchronization,dc=Fabrikam,dc=com"
}

# Add members to the distribution groups
"FabUser1", "FabUser2" | ForEach-Object { Add-DistributionGroupMember -Identity "FabGroup1" -Member $_ }
"FabUser3", "FabUser4" | ForEach-Object { Add-DistributionGroupMember -Identity "FabGroup2" -Member $_ }

# Echo results
Write-Output "The proper Active Directory and Exchange environment has been created."