Saturday, August 12, 2006

Using Microsoft's IIFP (Identity Integration Feature Pack) to sync GALs / Active Directories

One of the common questions that shows up in the newsgroups and classes is "how do I synchronize my Global Address List" between two separate Exchange organizations?' There are a number of third party products (SimpleSync and HP's LDSU) that do this, but if you have SQL Server and Windows 2003 Enterprise Edition, you can use the Microsoft Identity Integration Feature Pack (IIFP). IIFP is a free directory synchronization tool that has a subset of the features found in it's big brother, Microsoft Identity Integration Server.

IIFP allows an administrator to synchronize data between multiple Active Directories or the ADAM (Active Directory Application Mode) directory database. Most of it is wizard driven and it is pretty simple to get working. It reads users (or mail-enabled users) from one Active Directory and creates contacts (or mail-enabled contacts) in the other Active Directory forests you specify. I have been part of IIFP and MIIS installations before, but I just did my first installation "on my own". I learned a few important lessons I wanted to share.
  • Windows Server 2003 Enterprise Edition is required
  • SQL Server is required
  • Microsoft has Global Address List Synchronization Walkthrough that takes you through the process complete with lab setup and detailed step-by-step instructions. However, the person / people that wrote this must have forgotten the original title because they use the full-blown MIIS product in their examples and they include an LDAP data source (which, of course, requires MIIS), a Sun ONE Directory Server, and a telephone directory source. You can still disseminate what you need from the article, but it is muddied by all of this additional information. Focus guys, focus!
  • Marc Grote published a much better and more concise guide called GAL Sync With The Identity Integration Feature Pack (IIFP). Very helpful.
  • The sync process on the IIFP server is a two-part process. First the sync process copies data from the directory in to the Management Agent's name space. Then the data in the Management Agent's name space is sync'ed in to the IIFP's "Metaverse", which is a combination of all directories that are being sync'ed. The Indentity Manager on IIFP console lets you browse this directory.
  • Download the IIFP from Microsoft's Windows 2003 Downloads.
  • Get the IIFP service pack (this fixed a couple of issues I was having!) See KB 884192: "How to obtain the latest Identity Integration Feature Pack (IIFP) cumulative hotfix package"
  • Create service accounts in each of the Active Directory forests in which you are going to synchronize. The documentation and walkthroughs never actually tell you which rights you need, so from what I can gather the service accounts have administrative equivalence. For the customer I was working with, this was absolutely unacceptable. Create a regular user for the service account, make sure it has "read" permissions to all of the OUs from which it will be reading user information and that it has permissions to create Contact objects in the OU in which contacts will be created from other forests. Finally, on the properties of the domain, display the Security property page and give your service account user the "Replicate Directory Changes" and "Replicating Directory Changes All" permissions. This is in KB 303972, but there is a typo in the KB article and the exact permission is unclear and I never got clarification from anyone at Microsoft, so I set both. I tried it without setting this permission on the domain and got a "Replication Access Was Denied" when I tried to run the IIFP Management Agents.
  • When creating management agents, on the Configure Directory Partitions properties, make sure you clear the "Sign and Encrypt LDAP Traffic" option.
  • When creating management agents, most of the defaults can be accepted, so don't be intimidated by all those checkboxes!
  • From the Identity Manager of IIFP console, choose Tools -> Options and make sure you click the "Enable Provisioning Rules Extension" checkbox. Otherwise objects are never created in the Active Directory forests you are synchronizing.
  • Create yourself a test organization first so that you can test all of your settings without interfering with production.
  • In a small organization (a few thousand objects), you could get away with running this even on a domain controller, but as you scale to more than a few thousand total objects, you should build a member server that handles the synchronization (initial and deltas) process. You might even consider making it a stand-alone server rather than a member of one of the Active Directory domains.
  • Schedule synchronization is accomplished by creating a "Run profile" of the sync steps and the exporting this to a script. There is a Script button on the Configure Run Profiles wizard that does this for you. Then you just run the schedule the script to run.

So, in closing, give this a try! It is pretty slick and it is FAR better than the old Microsoft MetaDirectory Server that Microsoft used to have.

The most important single ingredient in the formula of success is knowing how to get along with people. -- Theodore Roosevelt

2 Comments:

At 4:21 PM, Blogger Tony Murray said...

Some more infomation on how to set up IIFP GAL Sync using the pinciple of least privilege can be found here:

http://www.activedir.org/article.aspx?aid=113

 
At 1:45 AM, Blogger melatoca said...

Will be great if you will be able to update the above scenario for Exchange 2010

 

Post a Comment

<< Home