Identity Integration Feature Pack (IIFP) - GalSync unleashed
Here is my step-by-step guide to GalSync. The permissions part was the really difficult piece that I could not find documented anywhere. This is loosely based on the scenarios that come with the product.
Special thanks to Robert Gillies from Microsoft Consulting Services for helping dig up the permissions.
Ensure that you have the installation media for the following software available before you begin:
· Microsoft Windows Server 2003, Enterprise Edition, which contains the required Internet Information Services (IIS) service and ASP.NET components
· Microsoft Exchange Server 2003, Standard Edition Server or Enterprise Edition
· Microsoft SQL Server 2000 with Service Pack 3
· Identity Integration Feature Pack
Install the following software on the server computer that you will use to host the FORESTA Active Directory forest:
· Windows Server 2003, Enterprise Edition
· Internet Information Services (IIS) service
· ASP.NET
· Active Directory
· Exchange Server 2003
· Identity Integration Feature Pack
o KB825122
o KB826944
o KB828752
1. From Start, click Administrative Tools, and then click Active Directory Users and Computers.
2. Select View from the top drop down menu and select Advanced Features.
3. Add a user for GAL Sync and name it GalSync (Service Account – restricted account).
4. Set the password; ensure that the password does not expire nor need to be changed on next logon.
5. DO NOT add the user to any groups.
6. Highlight FORESTA.NWTRADERS.MSFT, right-click it, and select Delegate Control….
7. On the Welcome to the Delegation of Control Wizard page click Next.
8. On the Users or Groups page click Add.
9. On the Select Users, Computers, or Groups dialog box type Galsync and click OK.
10. On the Users or Groups page click Next.
11. On the Tasks to Delegate page select Create a custom task to delegate, and click Next.
12. On the Active Directory Object Type page, accept the defaults and click Next.
13. On the Permissions page, select General, Property-specific, and Creation/deletion of specific child objects; under Permissions, select Replicate Directory Changes and Replication Synchronization, and then click Next.
14. On the Completing the Delegation of Control Wizard page, click Finish.
15. Create an OU named FORESTB and nest an OU called Contacts under it. This OU will also hold the distribution lists.
16. Right-click the Contacts OU and select Properties.
17. On the Contacts Properties dialog box click Security.
18. On the Contacts Properties dialog box click Add.
19. On the Select Users, Computers, or Groups dialog box type Galsync and click OK.
20. On the Contacts Properties dialog box, select Read, Write, Create All Child Objects, and Delete All Child Objects, and then click OK. Make sure the permissions are applied to this object and all child objects.
21. Open ADSIEdit and navigate to the container in the domain where the users, contacts, or mail enabled distribution groups are located.
22. Right-click to expose the context menu, and select Properties.
23. Click on the Security tab, and click Advanced.
24. Click Add to add an ACE.
25. Specify Galsync to apply the permissions to. This will display the permissions dialog.
26. Click on Properties.
27. In the Apply onto drop-down list, select Child Objects Only.
28. Scroll down and select Write proxyAddresses – Allow.
29. Save the properties. This permission is applied to every child object whose Allow inheritable permissions from the parent to propagate to this object and all child objects option is selected; this option is on the user's Advanced Security property sheet. Any user that does not have this option selected will not receive the permission.
Install the following software on the FORESTB forest computer:
· Windows Server 2003, Enterprise Edition or Windows 2000
· Active Directory
· Exchange Server 2003
1. From Start, click Administrative Tools, and then click Active Directory Users and Computers.
2. Select View from the top drop down menu and select Advanced Features.
3. Add a user for GAL Sync and name it GalSync (Service Account – restricted account).
4. Set the password; ensure that the password does not expire nor need to be changed on next logon.
5. DO NOT add the user to any groups.
6. Highlight FORESTB.NWTRADERS.MSFT, right-click it, and select Delegate Control….
7. On the Welcome to the Delegation of Control Wizard page click Next.
8. On the Users or Groups page click Add.
9. On the Select Users, Computers, or Groups dialog box type Galsync and click OK.
10. On the Users or Groups page click Next.
11. On the Tasks to Delegate page select Create a custom task to delegate, and click Next.
12. On the Active Directory Object Type page, accept the defaults and click Next.
13. On the Permissions page, select General, Property-specific, and Creation/deletion of specific child objects; under Permissions, select Replicate Directory Changes and Replication Synchronization, and then click Next.
14. On the Completing the Delegation of Control Wizard page, click Finish.
15. Create an OU named FORESTB and nest an OU called Contacts under it. This OU will also hold the distribution lists.
16. Right-click the Contacts OU and select Properties.
17. On the Contacts Properties dialog box click Security.
18. On the Contacts Properties dialog box click Add.
19. On the Select Users, Computers, or Groups dialog box type Galsync and click OK.
20. On the Contacts Properties dialog box, select Read, Write, Create All Child Objects, and Delete All Child Objects, and then click OK. Make sure the permissions are applied to this object and all child objects.
21. Open ADSIEdit and navigate to the container in the domain where the users, contacts, or mail enabled distribution groups are located.
22. Right-click to expose the context menu, and select Properties.
23. Click on the Security tab, and click Advanced.
24. Click Add to add an ACE.
25. Specify Galsync to apply the permissions to. This will display the permissions dialog.
26. Click on Properties.
27. In the Apply onto drop-down list, select Child Objects Only.
28. Scroll down and select Write proxyAddresses – Allow.
29. Save the properties. This permission is applied to every child object whose Allow inheritable permissions from the parent to propagate to this object and all child objects option is selected; this option is on the user's Advanced Security property sheet. Any user that does not have this option selected will not receive the permission.
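The delegation steps above (for FORESTA and, identically, for FORESTB) hand a restricted service account the Replicate Directory Changes and Replication Synchronization rights on the domain, full child-object rights on the Contacts OU and Write proxyAddresses on child objects of the users container. The following audit script is an added example, not part of the original guide: it lists every ACE the GalSync account holds on those three objects, resolves the extended-right and attribute GUIDs from the forest itself, and warns if the account holds anything broader than the guide delegates. The account name, DNs and the CN=Users container are assumptions matching the FORESTA layout; pass the FORESTB values to audit the other forest.

```powershell
# Added audit example (not from the original guide). Assumed values: the account,
# the domain DN, the users container and the Contacts OU DN below.
param(
    [string]$Account    = 'FORESTA\GalSync',
    [string]$DomainDn   = 'DC=FORESTA,DC=nwtraders,DC=msft',
    [string]$UsersDn    = 'CN=Users,DC=FORESTA,DC=nwtraders,DC=msft',
    [string]$ContactsOu = 'OU=Contacts,OU=FORESTB,DC=FORESTA,DC=nwtraders,DC=msft'
)
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$schemaNc = [string]$rootDse.schemaNamingContext

# Resolve a right or attribute GUID from the forest instead of hard-coding it.
function Find-Guid([string]$Base, [string]$Filter, [string]$Prop) {
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Base", $Filter, @($Prop))
    $r = $s.FindOne()
    if ($null -eq $r) { throw "No match for $Filter under $Base" }
    $v = $r.Properties[$Prop][0]
    if ($v -is [byte[]]) { New-Object System.Guid (,$v) } else { [guid][string]$v }
}
$names = @{}
foreach ($right in 'Replicating Directory Changes', 'Replication Synchronization',
                   'Replicating Directory Changes All') {
    $names[(Find-Guid "CN=Extended-Rights,$configNc" "(displayName=$right)" 'rightsGuid')] = $right
}
$names[(Find-Guid $schemaNc '(lDAPDisplayName=proxyAddresses)' 'schemaIDGUID')] = 'proxyAddresses'

# Every ACE on $Dn whose trustee is the service account, with the GUID made readable.
function Get-AccountAces([string]$Dn) {
    $obj   = [ADSI]"LDAP://$Dn"
    $rules = $obj.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -ne $Account) { continue }
        $scope = if ($names.ContainsKey($r.ObjectType)) { $names[$r.ObjectType] }
                 elseif ($r.ObjectType -eq [guid]::Empty) { '(all)' }
                 else { $r.ObjectType.ToString() }
        New-Object PSObject -Property @{
            Object = $Dn; Type = $r.AccessControlType; Rights = $r.ActiveDirectoryRights
            Scope = $scope; Inheritance = $r.InheritanceType; Inherited = $r.IsInherited
        }
    }
}
$aces = @($DomainDn, $UsersDn, $ContactsOu | ForEach-Object { Get-AccountAces $_ })
$aces | Format-Table Object, Type, Rights, Scope, Inheritance, Inherited -AutoSize

# The guide never grants full control, DACL/owner changes, every extended right at
# once, or the "All" replication right (which exposes secrets and GAL sync does not need).
$ga = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$er = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$wd = [System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner'
$broad = $aces | Where-Object {
    $_.Type -eq 'Allow' -and (
        (($_.Rights -band $ga) -eq $ga) -or
        ([int]($_.Rights -band $wd) -ne 0) -or
        ([int]($_.Rights -band $er) -ne 0 -and
         (@('(all)', 'Replicating Directory Changes All') -contains $_.Scope)))
}
if ($broad) { Write-Warning "Grants broader than the guide's delegation:"; $broad | Format-Table -AutoSize }
```

Run it after step 29 in each forest; the expected output is the two replication rights on the domain root, the Read/Write/CreateChild/DeleteChild ACE on the Contacts OU, and a single WriteProperty ACE scoped to proxyAddresses with Children inheritance on the users container, and no warning.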
To run this GAL Synchronization and synchronize data between the two forests, you need to create two management agents for Active Directory GAL. These management agents are called FORESTA GAL MA and FORESTB GAL MA.
The attribute flow and rules required for GAL synchronization are built into the GAL MAs and do not require that you configure each page in Management Agent Designer. The following are preconfigured:
· Select object types
· Select attributes
· Configure connector filters
· Configure join and projection rules
· Configure attribute flow
· Configure deprovisioning
· Configure extensions
Create the FORESTA GAL MA first and then create the FORESTB GAL MA.
To create the FORESTA GAL MA
1. On FORESTADC02, open Identity Manager.
2. From the Tools menu, click Management Agents.
3. From the Actions menu, click Create.
4. In Management Agent Designer, in Management agent for, select Active Directory global address list (GAL) from the drop-down list.
5. In Name, type FORESTA GAL MA and click Next.
6. On the Connect to an Active Directory forest page, type the values for forest name (FORESTA.nwtraders.msft), user name, password, and domain.
7. Click Next.
8. On the Configure Directory Partitions page, in Select directory partitions, select the only partition listed (DC=FORESTA,DC=nwtraders,DC=msft).
9. Clear the Sign and encrypt LDAP traffic check box.
10. Click Containers.
11. Clear the check box next to the directory partition to clear all organizational units under the directory partition.
12. Select the FORESTB organizational unit. The organizational units beneath it (Contacts, DLs, etc.) will also be selected.
13. Click OK, and then click Next.
14. On the Configure GAL page, under GAL container information, click Target.
15. In Target Container, in Select a partition, select the CN=Contacts,CN=FORESTB,DC=FORESTA,DC=nwtraders,DC=msft target organizational unit.
16. Click Container.
17. In Select Containers, click to expand the FORESTB container, and then select only the Contacts container beneath the FORESTB container.
18. Click OK, and then click OK again. Click Next.
19. On the Configure GAL page, configure the settings under Exchange configuration according to the information provided below. When done, click Next.
· Destination container of synchronization organizational unit: Contacts OU beneath the FORESTB OU
· DNs of authoritative contacts container: the FORESTA Contacts OU
· SMTP mail suffixes for mailbox enabled users and mail enabled groups (For Users and Groups): '@FORESTA.nwtraders.msft'
· SMTP mail suffixes for mail enabled users and contacts (For Contacts): '@FORESTA.nwtraders.msft'
Do not select the Route mail to contacts checkbox, and do not select the Specify an administrative group checkbox.
20. On the Select Object Types page, verify that the object types required for GAL synchronization are selected. Default settings are taken.
21. Click Next.
22. On the Select Attributes page, verify that the attributes required for GAL synchronization are selected. Default settings are taken.
23. Click Next.
24. On the Configure Connector Filter page, verify that the connector filters required for GAL synchronization are specified. Default settings are taken.
25. Click Next.
26. On the Configure Join and Projection Rules page, verify that the four join and projection rules for GAL synchronization are specified. Default settings are taken.
Note: You can expand the join and projection rules to see the data source attribute, mapping type, and metaverse attribute for each rule.
27. Click Next.
28. In Configure Attribute Flow, verify that the five attribute flow mappings for GAL synchronization are specified. Default settings are taken.
Note: You can expand the attribute flows to see the data source attribute, flow type, and metaverse attribute for each flow mapping.
29. Click Next.
30. On the Configure Deprovisioning page, in Deprovisioning Options, verify that the Determine with a rules extension option is selected.
31. Click Next.
32. On the Configure Extensions page, in Assembly name, verify that the GALSync.dll file is specified.
Note: The FORESTA GAL MA looks for this file in the following location: C:\Program Files\Microsoft Identity Integration Server\Extensions.
33. Click Finish.
The FORESTB GAL MA is similar to the FORESTA GAL MA, except for the management agent name and forest information.
To create the FORESTB GAL MA
1. On FORESTADC02, open Identity Manager.
2. From the Tools menu, click Management Agents.
3. From the Actions menu, click Create.
4. In Management Agent Designer, in Management agent for, select Active Directory global address list (GAL) from the drop-down list.
5. In Name, type FORESTB GAL MA, and then click Next.
6. On the Connect to an Active Directory forest page, type the values for forest name (FORESTB.nwtraders.msft), user name, password, and domain.
7. Click Next.
8. On the Configure Directory Partitions page, in Select directory partitions, select the only partition listed (DC=FORESTB,DC=nwtraders,DC=msft).
9. Clear the Sign and encrypt LDAP traffic check box.
10. Click Containers.
11. Clear the check box next to the directory partition to clear all organizational units under the directory partition.
12. Select only the FORESTA organizational unit and the organizational units beneath it (Contacts, DLs, etc.).
13. Click OK, and then click Next.
14. On the Configure GAL page, under GAL container configuration, click Target.
15. In Target Container, in Select a partition, select the DC=FORESTB,DC=nwtraders,DC=msft target organizational unit.
16. Click Container.
17. In Select Containers, expand the directory partition (DC=FORESTB,DC=nwtraders,DC=msft), expand the node named after the FORESTB domain controller, expand FORESTA, expand FORESTA, and then click Contacts.
18. Click OK, and then click OK again.
19. On the Configure GAL page, configure the settings under Exchange configuration according to the information provided below. When done, click Next.
· Destination container of synchronization organizational unit: Contacts OU beneath the FORESTA OU
· DNs of authoritative contacts container: the FORESTB Contacts OU
· SMTP mail suffixes for mailbox enabled users and mail enabled groups (For Users and Groups): '@FORESTB.nwtraders.msft'
· SMTP mail suffixes for mail enabled users and contacts (For Contacts): '@FORESTB.nwtraders.msft'
Note: Do not select the Route mail to contacts check box, and do not select the Specify an administrative group check box. You do not need to modify the remaining Management Agent Designer pages.
20. On the Select Object Types page, verify that the object types required for GAL synchronization are selected. Default settings are taken.
21. Click Next.
22. On the Select Attributes page, verify that the attributes required for GAL synchronization are selected. Default settings are taken.
23. Click Next.
24. On the Configure Connector Filter page, verify that the connector filters required for GAL synchronization are specified. Default settings are taken.
25. Click Next.
26. On the Configure Join and Projection Rules page, verify that the four join and projection rules for GAL synchronization are specified. Default settings are taken.
Note: You can expand the join and projection rules to see the data source attribute, mapping type, and metaverse attribute for each rule.
27. Click Next.
28. In Configure Attribute Flow, verify that the five attribute flow mappings for GAL synchronization are specified. Default settings are taken.
Note: You can expand the attribute flows to see the data source attribute, flow type, and metaverse attribute for each flow mapping.
29. Click Next.
30. On the Configure Deprovisioning page, in Deprovisioning Options, verify that the Determine with a rules extension option is selected.
31. Click Next.
32. On the Configure Extensions page, in Assembly name, verify that the GALSync.dll file is specified.
Note: The FORESTB GAL MA looks for this file in the following location: C:\Program Files\Microsoft Identity Integration Server\Extensions.
33. Click Finish.
Run profiles for the GAL MAs are created when you create the FORESTA GAL MA and FORESTB GAL MA. The table below lists and describes the five run profiles that are created automatically.
Table - Run Profiles
Full Import: All specified data flows from the Active Directory data source to the Identity Integration Feature Pack connector space and metaverse.
Delta Import: All changed data flows from the Active Directory data source to the Identity Integration Feature Pack connector space and metaverse.
Export: All specified data flows from the Identity Integration Feature Pack metaverse and connector space to the Active Directory data source.
Full Synchronization: After all specified data source data is staged, all specified data flows from the Identity Integration Feature Pack connector space to the metaverse.
Delta Synchronization: After changed data source data is staged, changed data flows from the Identity Integration Feature Pack connector space to the metaverse.
By running the FORESTA GAL MA and FORESTB GAL MA, you populate the Identity Integration Feature Pack metaverse and create contacts in both Active Directory forests.
Each run profile must be used to run both management agents.
Enable provisioning, and then run the management agents with the run profiles in the following order:
1. Full Import with staging to the connector space. This imports all specified Active Directory data into the connector space.
2. Delta Synchronization. This synchronizes connector space data with the metaverse.
3. Export. This exports connector space data to the Active Directory forests.
1. On the domain controller for the FORESTA Active Directory domain, open Identity Manager.
2. From the Tools menu, click Configure Extensions.
3. In Configure Extensions, ensure that the Enable Metaverse Rules Extensions check box is selected.
4. Ensure that the Enable Provisioning Rules Extension check box is selected.
5. Click OK.
After you verify that provisioning is enabled, perform a full import by using the FORESTA GAL MA.
1. In Identity Manager, in Management Agents view, click the FORESTA GAL MA.
2. From the Actions menu, click Run.
3. In Run Management Agent, in Run Profiles, click Full Import with staging, and then click OK.
Next, you perform the Full Import of the FORESTB GAL MA.
1. In Identity Manager, in Management Agents view, click the FORESTB GAL MA.
2. From the Actions menu, click Run.
3. In Run Management Agent, in Run Profiles, click Full Import with staging, and then click OK.
Next, you perform a full synchronization for each of the management agents.
1. In Identity Manager, in Management Agents view, click the FORESTA GAL MA.
2. From the Actions menu, click Run.
3. In Run Management Agent, in Run Profiles, click Delta Synchronization, and then click OK.
1. In Identity Manager, in Management Agents view, click the FORESTB GAL MA.
2. From the Actions menu, click Run.
3. In Run Management Agent, in Run Profiles, click Delta Synchronization, and then click OK.
Next, you export the data to each Active Directory forest.
1. In Identity Manager, in Management Agents view, click the FORESTA GAL MA.
2. From the Actions menu, click Run.
3. In Run Management Agent, in Run Profiles, click Export, and then click OK.
1. In Identity Manager, in Management Agents view, click the FORESTB GAL MA.
2. From the Actions menu, click Run.
3. In Run Management Agent, in Run Profiles, click Export, and then click OK.
Schedule Management Agent Full Synchronization
Now that you have synchronized the forests, you can schedule the tasks to run automatically.
1. In Identity Manager, in Management Agents view, right-click the FORESTA GAL MA.
2. From the Actions menu, click Configure Run Profiles.
3. In the Management agent run profiles section, select Delta Import, and then click Script.
4. Save the script to the C:\Batch\GalSync folder and name it FORESTA-DeltaImport.vbs.
5. Repeat steps 1-4 for Export, and then for the ‘FORESTB GAL MA’ Delta Import and Export.
6. Click Start, then Control Panel, then Scheduled Tasks, and then click Add scheduled task.
7. On the Schedule Task Wizard page click Next.
8. Click Browse, navigate to the C:\Batch\GalSync folder, and select FORESTA_FORESTB_GalSync.cmd, which looks like this:
rem Run profiles exported from Identity Manager in step 4. cscript runs each
rem script to completion before the next one starts, so the order is preserved.
cscript "FORESTA_DeltaImport.vbs"
cscript "FORESTA_Export.vbs"
cscript "FORESTB_Export.vbs"
cscript "FORESTB_DeltaImport.vbs"
cscript "FORESTB_Export.vbs"
cscript "FORESTA_Export.vbs"
cscript "FORESTA_DeltaImport.vbs"
cscript "FORESTB_DeltaImport.vbs"
9. Keep the default name and select Daily, and then click Next.
10. Enter the time and start date, click Next.
11. Enter the user name (use an administrative account) and password twice, and click Next.
12. Select Open advanced properties for this task when I click Finish, and click Finish.
13. On the FORESTA_FORESTB_GalSync page, click Advanced.
14. On the Advanced Schedule Options page, select Repeat Task and configure the correct settings, click OK to close Advanced Schedule Options, and then click OK to close the FORESTA_FORESTB_GalSync page.
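The .cmd file above runs the exported scripts blindly: a failed Delta Import is followed by an Export just the same, and nothing records which run failed. The following is an added example, not part of the original guide, that drives the same run-profile order through the IIFP WMI provider (namespace root\MicrosoftIdentityIntegrationServer, class MIIS_ManagementAgent, method Execute), logs each result, and stops at the first run profile that does not return "success". The log file path is an assumption; the management agent and run profile names are the ones the guide creates. The same loop serves the initial population described earlier (Full Import, Delta Synchronization, Export per MA) if that order is placed in $Sequence instead.

```powershell
# Added example, not from the original guide. Assumed: the log file location.
$LogFile = 'C:\Batch\GalSync\GalSync.log'             # assumed location
$Ns      = 'root\MicrosoftIdentityIntegrationServer'   # IIFP/MIIS WMI namespace

# Order copied from the guide's FORESTA_FORESTB_GalSync.cmd.
$Sequence = @(
    @('FORESTA GAL MA', 'Delta Import'),
    @('FORESTA GAL MA', 'Export'),
    @('FORESTB GAL MA', 'Export'),
    @('FORESTB GAL MA', 'Delta Import'),
    @('FORESTB GAL MA', 'Export'),
    @('FORESTA GAL MA', 'Export'),
    @('FORESTA GAL MA', 'Delta Import'),
    @('FORESTB GAL MA', 'Delta Import')
)

function Invoke-RunProfile([string]$MaName, [string]$ProfileName) {
    $ma = Get-WmiObject -Namespace $Ns -Class MIIS_ManagementAgent -Filter "Name='$MaName'"
    if (-not $ma) { throw "Management agent '$MaName' not found in $Ns" }
    # Execute() blocks until the run completes and returns the run status string:
    # "success" for a clean run, otherwise a status naming the failure class.
    return $ma.Execute($ProfileName).ReturnValue
}

foreach ($step in $Sequence) {
    $maName, $profileName = $step
    $status = Invoke-RunProfile $maName $profileName
    $line = '{0:u}  {1} / {2}: {3}' -f (Get-Date), $maName, $profileName, $status
    Add-Content -Path $LogFile -Value $line
    Write-Output $line
    if ($status -ne 'success') {
        # An Export on top of a failed import or sync would push stale data, so stop here.
        Write-Error "Stopping after $maName '$profileName' returned '$status'"
        exit 1
    }
}
```

Schedule this script in place of the .cmd (powershell.exe -File, under the same account) and the task's last result code becomes non-zero whenever a run profile fails, which is what a monitoring check or event log trigger can key on.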