
Creating a single Exchange Address Book for two or more Active Directory forests

A short preface.
An Exchange mail organization exists only within one AD forest, and the address lists a user sees are built only within the forest in which Exchange is installed. When one company takes over another, or conversely splits, people from what used to be different organizations and forests often very much want to see each other in their address lists, and not via scripts or an address book queried over LDAP.
I was surprised that there is nothing on Habr about Forefront Identity Manager (FIM 2010).
Below I will try to describe how to build a single address list consisting of the users of two different AD forests using FIM 2010.

I think many Windows system administrators working in a multi-forest environment know that getting a shared address book is not easy.
There are hand-written scripts that solve this problem. There are third-party products. And, of course, there are free tools from MS. In some cases you can connect an external address book via LDAP, but that solution is hard to maintain because the setting lives on the user side, and it has a bunch of other flaws.

I would like to tell you about an enterprise-level solution that can do much more than synchronize contacts between forests: it can also combine different sources of user data in one place, empower users, manage group membership, and a whole lot more. Today we will stop at synchronizing contacts.

First of all, a little about the product itself, Forefront Identity Manager 2010.
This product has been renamed repeatedly. Around 2003 it was Microsoft Identity Integration Server (MIIS). Then, in 2007 I believe, it was renamed Identity Lifecycle Manager (ILM), and now it has become Forefront Identity Manager. The product's functionality has grown and improved along the way.
As mentioned above, in our case there are two AD forests, each with its own Exchange 2010 mail organization.
I will be unoriginal and call my companies fabrikam.com and everyone's favorite contoso.com.
The product itself goes on a separate server in the fabrikam.com forest. For the installation you need the distribution from the official site and MS SQL Server 2008 or higher, installed on the same machine or on another server. I installed SQL 2008 R2 on the same machine. The .NET Framework 3.5 is a standard requirement.

In the DNS server settings of both forests, create cross Conditional Forwarding entries, and immediately verify that the names of both forests resolve from the server on which FIM is installed. You can, of course, do without this and simply put the necessary entries in the hosts file of the server on which FIM is installed.

I will create a service account, fimacc, in both forests, as shown:

In addition to its existing rights, grant the account the Replicating Directory Changes right with the command dsacls "dc=contoso,dc=com" /G "contoso\fimacc:CA;Replicating Directory Changes" . The same can be done through adsiedit, but it takes much longer.
Create an OU hierarchy in the Active Directory of both domains: under the root of each domain an OU named GAL, and under it Contacts.
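The preparatory steps above (name resolution check, OU hierarchy, and a review of who holds the Replicating Directory Changes right after the dsacls grant) as a script. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module on the FIM server, an account with admin rights in both forests, and placeholder DC hostnames.

```powershell
# Added example, not from the original post. Assumptions: runs on the FIM server with the
# ActiveDirectory module, under an account with admin rights in both forests; the DC
# hostnames below are placeholders.
Import-Module ActiveDirectory

$forests = @(
    @{ Domain = 'fabrikam.com'; Dc = 'dc1.fabrikam.com' },   # placeholder DC name
    @{ Domain = 'contoso.com';  Dc = 'dc1.contoso.com'  }    # placeholder DC name
)
# Control access right GUID for DS-Replication-Get-Changes ("Replicating Directory Changes")
$getChangesGuid = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

foreach ($f in $forests) {
    # 1. Both forests must resolve from this host (conditional forwarders or hosts file).
    if (-not (Resolve-DnsName -Name $f.Domain -Type A -ErrorAction SilentlyContinue)) {
        throw "Cannot resolve $($f.Domain); fix the conditional forwarders or hosts file first"
    }

    # 2. OU hierarchy: GAL under the domain root, Contacts under GAL (created only if missing).
    $root   = (Get-ADDomain -Server $f.Dc).DistinguishedName
    $parent = $root
    foreach ($name in 'GAL', 'Contacts') {
        $ou = Get-ADOrganizationalUnit -Server $f.Dc -SearchBase $parent -SearchScope OneLevel `
              -Filter "Name -eq '$name'"
        if (-not $ou) {
            $ou = New-ADOrganizationalUnit -Server $f.Dc -Name $name -Path $parent -PassThru
        }
        $parent = $ou.DistinguishedName
    }

    # 3. Replicating Directory Changes lets a principal read the whole domain through
    #    replication, so after granting it to fimacc with dsacls, list every principal that
    #    holds it on the domain naming context and review that list. An ACE with an empty
    #    ObjectType grants all extended rights, so it is included as well.
    $sd = (Get-ADObject -Server $f.Dc -Identity $root -Properties nTSecurityDescriptor).nTSecurityDescriptor
    $holders = $sd.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'ExtendedRight' -and
        ($_.ObjectType -eq $getChangesGuid -or $_.ObjectType -eq [guid]::Empty)
    } | Select-Object -ExpandProperty IdentityReference -Unique

    Write-Host "$($f.Domain): Replicating Directory Changes is held by:"
    $holders | ForEach-Object { Write-Host "  $_" }
    if (-not ($holders -match 'fimacc')) {
        Write-Warning "fimacc is not listed in $($f.Domain); the dsacls grant did not apply"
    }
}
```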


With the preparatory work done, we move on to setting up the Management Agent in the FIM interface.
Here is the main window where we will work:
Open the Synchronization Service Manager snap-in and go to the Management Agents section to create the Management Agent.
Specify the name, Contoso GAL, and select the synchronization type Active Directory global address list (GAL).


In the next step, enter the credentials of the user from the domain we plan to connect to, i.e. fimacc from contoso.com.


If the connection did not succeed at the last step, make sure that the domain name resolves correctly, the account has been created, and all the necessary rights have been delegated to it.
Next, select our domain in the upper part of the window; in the lower part, use the Containers button to open the dialog for selecting the required GAL container. Clear the selection from the domain root and select GAL, without clearing the selection from its child OUs.


The next step is to select the container where the future contacts will be placed (Target OU). I chose contoso.com \ GAL \ AnotherOrg.


In the same step, add the SMTP address of the domain you are connecting to, i.e. contoso.com.


And now the simplest part: click Next, Next, Next until the Configure Extensions step. Here you must specify the name of the Exchange server with the CAS role. Mine is W2012T3.contoso.com/PowerShell .


Immediately after creating the Management Agent, test it by running Run - Full Import (Stage Only).


The result of connecting to the server must be success, and the number of objects in the Adds line must not be zero.


Do the same for the second organization, fabrikam.com.
This time I specify the fimacc account from the fabrikam.com domain, and the domain fabrikam.com. I select the same OUs, only in the other domain. There are two more differences from the previous organization: the name of the server on which PowerShell is available, and the email addresses, which are @fabrikam.com.
Run Full Import (Stage Only) and get a non-zero result.
After that step completes successfully, run Full Synchronization on each Management Agent.


And once again we get a non-zero result.


Well, the final step is the export of the contacts into the target forest: Run - Export.


And the best part: checking the result.
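A script to check the result of the export in both directions: every contact in the target OU should point back to the other organization's SMTP domain, the target OU should contain no duplicate addresses, and the contact count should be close to the number of mailboxes in the source forest. This is an added example, not code from the original post; the DC hostnames are placeholders, the target OU is the one chosen in the Management Agent (GAL\AnotherOrg), and it assumes the GAL sync writes targetAddress as SMTP:user@source-domain.

```powershell
# Added example, not from the original post. Assumptions: placeholder DC names; the target
# OU is the Management Agent's Target OU (GAL\AnotherOrg); targetAddress on the exported
# contacts has the form SMTP:<user>@<source domain>.
Import-Module ActiveDirectory

function Test-GalExport {
    param(
        [Parameter(Mandatory)] [string]$TargetDc,      # DC of the forest that received the contacts
        [Parameter(Mandatory)] [string]$TargetOu,      # OU the Management Agent exported into
        [Parameter(Mandatory)] [string]$SourceDc,      # DC of the forest the contacts represent
        [Parameter(Mandatory)] [string]$SourceDomain   # SMTP domain expected in targetAddress
    )
    $contacts = @(Get-ADObject -Server $TargetDc -SearchBase $TargetOu -SearchScope Subtree `
                  -LDAPFilter '(objectClass=contact)' -Properties mail, targetAddress)

    # Every contact must route back to the other organization; anything else is a stale
    # object or something that was not produced by the GAL sync.
    $pattern     = '^SMTP:[^@]+@' + [regex]::Escape($SourceDomain) + '$'
    $wrongTarget = @($contacts | Where-Object { $_.targetAddress -notmatch $pattern })

    # Duplicate SMTP addresses in the target OU give Exchange ambiguous recipients.
    $duplicates = @($contacts | Where-Object { $_.mail } |
                    Group-Object { $_.mail.ToLower() } |
                    Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Name })

    # Approximate expected count: mailbox-enabled users (homeMDB set) in the source forest.
    $sourceMailboxes = @(Get-ADUser -Server $SourceDc -LDAPFilter '(&(mail=*)(homeMDB=*))')

    [pscustomobject]@{
        ContactsExported   = $contacts.Count
        SourceMailboxes    = $sourceMailboxes.Count
        WrongTargetAddress = @($wrongTarget | ForEach-Object { $_.DistinguishedName })
        DuplicateMail      = $duplicates
        Healthy            = ($contacts.Count -gt 0 -and
                              $wrongTarget.Count -eq 0 -and $duplicates.Count -eq 0)
    }
}

# fabrikam.com users as contacts in contoso.com ...
Test-GalExport -TargetDc 'dc1.contoso.com' -TargetOu 'OU=AnotherOrg,OU=GAL,DC=contoso,DC=com' `
    -SourceDc 'dc1.fabrikam.com' -SourceDomain 'fabrikam.com'
# ... and contoso.com users as contacts in fabrikam.com.
Test-GalExport -TargetDc 'dc1.fabrikam.com' -TargetOu 'OU=AnotherOrg,OU=GAL,DC=fabrikam,DC=com' `
    -SourceDc 'dc1.contoso.com' -SourceDomain 'contoso.com'
```

A small difference between ContactsExported and SourceMailboxes is normal (hidden or excluded recipients); a large gap or any entry in WrongTargetAddress means the Management Agent's container or SMTP domain settings need a second look.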


This note illustrates the simplicity and capability of this product.
PS: My first post, so there may be formatting errors.

Source: https://habr.com/ru/post/173437/

