Create a single Exchange address book for two or more Active Directory forests
A small introduction.
An Exchange mail organization exists only within its AD forest. The address lists that users see are likewise built only within the forest in which Exchange is installed. After a company takeover or, conversely, a split, it often happens that people from what used to be different organizations and forests very much want to see each other in their address lists, and not via home-grown scripts or LDAP lookups.
I am surprised that on Habr there is nothing about Forefront Identity Management (FIM 2010).
Below I will try to show how to build a single address list made up of users from two different AD forests using FIM 2010.
I think many administrators of Windows environments with a multi-forest architecture know that a common address book is not easy to get.
There are home-grown scripts that solve this problem. There are third-party products. And, of course, there are free tools from MS. In some cases you can connect an external address book via LDAP, but that solution is hard to support, because the configuration lives on the client side, and it has a number of other drawbacks.
I would like to talk about an enterprise-level solution that can do much more than just synchronize contacts between forests: it can combine different sources of user data in one place, grant rights to users, manage group memberships and a lot of other things. Today we will focus only on synchronizing contacts.
First, a little about the product itself: Forefront Identity Management 2010.
This product has already been renamed several times. Around 2003 there was a product called Microsoft Identity Integration Server (MIIS). Then it was renamed Identity Lifecycle Manager (ILM), in 2007 it seems, and now it has become Forefront Identity Management. The functionality of the product has grown and improved along the way.
As mentioned above, in our case there are two AD forests, each of which has its own mail organization Exchange 2010.
I will be conventional and name my companies fabrikam.com and everyone's favorite, contoso.com.
The product itself will be installed on a separate server in the fabrikam.com forest. To install it you need the distribution from the official site and MS SQL Server 2008 or later, installed either on the same machine or on another server. I installed SQL 2008 R2 on the same machine. The .NET Framework 3.5 is a standard requirement.
I will create conditional forwarders in the DNS settings of both forests, each pointing at the other, and immediately check that the names of both forests resolve from the server on which FIM is installed. You can, of course, do without this and simply put the necessary entries in the hosts file of the server on which FIM is installed.
I will create a service account, fimacc, in both forests, as in the figure.
In addition to its existing rights, we will give it the Replicating Directory Changes privilege with the command
dsacls "dc=contoso,dc=com" /G contoso\fimacc:CA;"Replicating Directory Changes"
The same can be done through ADSI Edit, but it takes much longer. Then create an OU hierarchy in the Active Directory of both domains: under the root of each domain an OU named GAL, and under it Contacts.
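The preparatory steps above (conditional forwarder, name resolution check, service account, the dsacls delegation and the OU hierarchy) scripted for the contoso.com side in PowerShell, as an added example that is not part of the original post; run it again with the names swapped for fabrikam.com. It assumes the ActiveDirectory and DnsServer RSAT modules are available on the machine it runs on; the forwarder address 10.0.2.10 and the AnotherOrg OU name are constructed for the example. The verification step reads the domain-root ACL and confirms the account holds only Replicating Directory Changes, not Replicating Directory Changes All, since the GAL agent needs only the former and the latter also exposes secret attributes.

```powershell
# Added example: prepare the contoso.com side for the FIM GAL management agent.
# Assumes RSAT (ActiveDirectory and DnsServer modules) on the machine this runs on.
# The forwarder address and the AnotherOrg OU are constructed values for this example.
Import-Module ActiveDirectory
Import-Module DnsServer

$domainDn       = 'DC=contoso,DC=com'
$otherForest    = 'fabrikam.com'
$otherForestDns = '10.0.2.10'   # constructed: a DNS server in fabrikam.com

# 1. Conditional forwarder so contoso.com can resolve fabrikam.com, then prove it resolves.
if (-not (Get-DnsServerZone -Name $otherForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $otherForest -MasterServers $otherForestDns -ReplicationScope Forest
}
$answer = Resolve-DnsName -Name $otherForest -Type A -ErrorAction Stop
"Resolved $otherForest -> $($answer.IPAddress -join ', ')"

# 2. The fimacc service account (created only if it does not exist yet).
if (-not (Get-ADUser -Filter "SamAccountName -eq 'fimacc'")) {
    New-ADUser -Name 'fimacc' -SamAccountName 'fimacc' -Path "CN=Users,$domainDn" `
        -AccountPassword (Read-Host -Prompt 'fimacc password' -AsSecureString) `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
}

# 3. Delegate the replication-changes control-access right on the domain root.
#    Only "Replicating Directory Changes" is needed for the agent's DirSync reads;
#    "Replicating Directory Changes All" would also hand the account secret attributes.
dsacls $domainDn /G 'CONTOSO\fimacc:CA;Replicating Directory Changes'

# 4. Verify the delegation against the well-known extended-right GUIDs.
$getChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$getChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
$acl     = Get-Acl -Path "AD:\$domainDn"
$fimAces = $acl.Access | Where-Object {
    $_.IdentityReference -like '*\fimacc' -and $_.ActiveDirectoryRights -match 'ExtendedRight'
}
$hasChanges    = [bool]($fimAces | Where-Object { $_.ObjectType -eq $getChanges })
$hasChangesAll = [bool]($fimAces | Where-Object { $_.ObjectType -eq $getChangesAll })
"fimacc: Replicating Directory Changes = $hasChanges; Replicating Directory Changes All = $hasChangesAll"
if (-not $hasChanges)  { Write-Warning 'Delegation missing: the management agent will fail its import.' }
if ($hasChangesAll)    { Write-Warning 'fimacc holds Replicating Directory Changes All; remove it, GAL sync does not need it.' }

# 5. OU hierarchy: GAL under the domain root, Contacts and the AnotherOrg target OU beneath it.
$galOu = "OU=GAL,$domainDn"
if (-not (Get-ADOrganizationalUnit -LDAPFilter '(ou=GAL)' -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'GAL' -Path $domainDn
}
foreach ($child in 'Contacts', 'AnotherOrg') {
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$child)" -SearchBase $galOu -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $child -Path $galOu
    }
}
```

The script is idempotent, so it can be rerun after a failed step; dsacls /G adds an ACE rather than replacing the ACL, which is why the GUID check at step 4 is worth keeping as a periodic review of what the sync account can actually read.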
That concludes the preparatory work; now we proceed to configure the Management Agent in the FIM interface.
This is what the main window we will be working in looks like:
Open the Synchronization Service Manager snap-in and, in the Management Agents section, proceed to create a Management Agent.
Specify the name, Contoso GAL, and select the synchronization type: Active Directory global address list (GAL).
In the next step, enter the credentials for the domain we plan to connect to, i.e. fimacc from contoso.com.
If the connection fails at this step, make sure that the domain name resolves correctly, that the account has been created and that all the necessary rights have been delegated to it.
Next, select our domain at the top of the window; at the bottom, the Containers button opens the dialog for choosing the desired GAL container. Clear the selection at the domain root and select GAL, leaving its child OUs selected.
The next step is to choose the container in which future contacts will be placed (Target OU). I chose contoso.com\GAL\AnotherOrg.
In the same step, add the SMTP address of the domain we are connecting to, i.e. contoso.com.
And now the easiest part: click Next, Next, Next until the Configure Extensions step. Here you must specify the Exchange server with the CAS role. Mine is W2012T3.contoso.com/PowerShell.
Immediately after creating the Management Agent you should test it by running the Full Import (Stage Only) run profile.
The connection to the server should report success, and the number of objects in the Adds line should be non-zero.
Do the same for the second organization, fabrikam.com. This time I will specify the fimacc account from the fabrikam.com domain and the fabrikam.com domain itself, and select the same OUs, only in the other domain. There are two more differences from the previous organization: the name of the server on which PowerShell is available, and the e-mail addresses, which are @fabrikam.com.
Run Full Import (Stage Only) and get a non-zero result.
After the previous step completes successfully, run Full Synchronization on each Management Agent.
Again, get a non-zero result.
The final step is to export the contacts to the target forests: run Export.
And now the best part: checking the result.
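The run sequence described above (Full Import (Stage Only) on both agents, then Full Synchronization on both, then Export) and the final check of the result, as an added PowerShell example that is not part of the original post. It assumes the FIM Synchronization Service WMI provider (namespace root\MicrosoftIdentityIntegrationServer, class MIIS_ManagementAgent) on the sync server, the default run profile names the GAL agent creates, and a second agent named Fabrikam GAL (the post names only Contoso GAL); the verification then reads the contoso.com target OU with the ActiveDirectory module and confirms every exported contact forwards to a fabrikam.com address.

```powershell
# Added example: run the GAL agents in the post's order via the FIM WMI provider, then
# verify the exported contacts in contoso.com. Agent names follow the post; 'Fabrikam GAL'
# is assumed, and the run profile names are the defaults the GAL agent creates.
$ns     = 'root\MicrosoftIdentityIntegrationServer'
$agents = 'Contoso GAL', 'Fabrikam GAL'

function Get-FimAgent([string]$Name) {
    $ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$Name'"
    if (-not $ma) { throw "Management agent '$Name' not found" }
    return $ma
}

function Invoke-FimRunProfile([string]$AgentName, [string]$ProfileName) {
    $ma     = Get-FimAgent $AgentName
    $result = $ma.Execute($ProfileName).ReturnValue
    "{0,-12} {1,-26} -> {2}" -f $AgentName, $ProfileName, $result
    # Anything other than 'success' (for example 'completed-export-errors') means the run
    # history must be inspected before continuing with the next profile.
    if ($result -ne 'success') { throw "$AgentName / $ProfileName ended with '$result'" }
}

# Stage both forests fully before synchronizing either of them; export last.
foreach ($rp in 'Full Import (Stage Only)', 'Full Synchronization', 'Export') {
    foreach ($agent in $agents) { Invoke-FimRunProfile $agent $rp }
}

# The 'Adds' counters the post says must be non-zero, read from the same WMI class.
foreach ($agent in $agents) {
    $ma = Get-FimAgent $agent
    "{0}: import adds = {1}, export adds = {2}" -f $agent,
        $ma.NumImportAdd().ReturnValue, $ma.NumExportAdd().ReturnValue
}

# Verify the result in contoso.com: each contact in the target OU should be a mail-enabled
# contact whose targetAddress points at the fabrikam.com organization.
Import-Module ActiveDirectory
$targetOu = 'OU=AnotherOrg,OU=GAL,DC=contoso,DC=com'
$contacts = @(Get-ADObject -Server 'contoso.com' -SearchBase $targetOu `
    -LDAPFilter '(objectClass=contact)' -Properties mail, targetAddress, proxyAddresses)
$bad = @($contacts | Where-Object {
    -not $_.mail -or $_.targetAddress -notlike 'SMTP:*@fabrikam.com'
})
"{0} contacts in {1}, {2} with missing mail or unexpected targetAddress" -f $contacts.Count, $targetOu, $bad.Count
$bad | Select-Object Name, mail, targetAddress
```

On the Exchange side the same objects can be listed with Get-MailContact -OrganizationalUnit against that OU from the Exchange Management Shell; a contact that the AD query returns but Exchange does not is the usual sign that the Configure Extensions step (the PowerShell URI of the CAS server) was wrong and the post-export Update-Recipient call never ran.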
This note illustrates the simplicity and functionality of this product.
PS My first post, there may be formatting errors.