operational assessment - microsoft · web viewclick on “target”. from here, using the...

Global Address List (GAL) Synchronization

Anthony Marsiglia & Kristopher TackettMicrosoft Premier Field Engineering

Forefront Identity Manager 2010 Installation & Configuration


MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, our provision of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The descriptions of other companies’ products in this document, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their respective manufacturers.© 2013 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express authorization of Microsoft Corp. is strictly prohibited.Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

iiPrepared by Anthony Marsiglia & Kristopher TackettMicrosoft Premier Field Engineering


Global Address List (GAL) SynchronizationTo begin, navigate to the synchronization server.

On the right hand menu, click on “Create”. In the “Management agent for:” drop down, select “Active Directory global address list (GAL)”.

Prepared by Anthony Marsiglia & Kristopher TackettMicrosoft Premier Field Engineering


Enter a name, then click “Next” to continue.



Enter the “Forest name:”, “User name:”, “Password:” and “Domain:”, then click “Next”



Select the directory partition(s) you wish to put into scope, then click “Containers”.

Select the containers you wish to use, then click “Ok”. Click “Next” to continue.



Click on “Target”. From here, using the drop-down, select the desired partition. Next, click “Container” and select the container where you wish to store your newly created contacts. In this example, the target container is called “Contacts”. Click “Ok” when finished.



Next, click on “Source”. As before, use the drop-down to select the desired partition, then click on “Add Containers” to select the container you wish to use containing the users which will be presented to the other forest as contacts. Click “Ok”.



Next, click on “Edit” and enter a mail suffix to use, then click “Add”. Click “Ok”, then click “Next” to continue.



For the “Configure Provisioning Hierarchy” tab, we will be using the defaults, so you may click “Next” to continue.



For “Select Object Types”, we will also be using defaults. Click “Next” to continue.



The attributes which are selected by default are generally sufficient, but you may choose additional ones if necessary. Click “Next” to continue.



For “Configure Connector Filter”, we will be using the default settings, so click “Next” to continue.



For “Configure Join and Projection Rules”, join/projection logic is configured by default. Click “Next” to continue.



The standard attributes as configured out-of-box are all that are needed for a typical galsync implementation. Click “Next” to continue.



For “Configure Deprovisioning”, we will be using the default option to “Determine with a rules extension”. While we may select an alternate option (such as making them disconnectors), these options should be used with caution. Click “Next” to continue.



In the final tab, use the drop-down menu for “Provision for:” to select either Exchange 2007 or Exchange 2010. Also, enter the RPS URI. The format is typically as follows:http://<Exchange server>/powershell



Also, please keep in mind that we have only created a one-way GAL synchronization at this point. For a two way GAL synchronization (i.e. users in two separate forests being created as contacts on the other side), two management agents would need to be created (one for each forest). Likewise, in a three forest environment, three MAs would be needed.

With the MA(s) created, it is now necessary to perform some minor configuration within Active Directory. To begin, open “Active Directory Users and Computers”. Navigate to the OU named “Microsoft Exchange Security Groups”.



From there, find the group named “Organization Management”.

Right click on it and select “Properties”.



Navigate to the “Members” tab and add your FIM Active Directory Management Agent service account (in this case, the account is called FIMADMA).



Next, navigate to the directory where incoming contacts will be stored. In this environment, the target directory is named “Contacts”.

Right-click on it and select “Properties”.



Navigate to the “Security” tab and enter the same account as used above. For permissions, select “Full Control”. Click “Apply” and then “OK”.



From here, with MA(s) created and configuration changes made in AD, we are ready to begin synchronizing GALs. To do so, create run profiles on the MA(s) as you would an AD MA (i.e. Full Import, Delta Import, Full Synchronization, Delta Synchronization, Export).


operational assessment - microsoft · web viewclick on “target”. from here, using the...

Documents