
Active Roles 7.4.1 - Solutions Guide


Back-synchronized properties

The policy defines a list of properties to copy from the shadow account to the master account. By default, the list contains a single property, E-Mail Address (mail). When the e-mail address has changed on the shadow account (which is normally the case when Exchange Server creates a linked mailbox), the policy ensures that the e-mail address is correctly set on the master account by copying the e-mail address from the shadow account.

Policy actions

The mailbox management policy causes Active Roles to perform the following actions depending on the change request submitted to the Active Roles Administration Service.

Table 3: Policy actions

Request

Actions

Create a new user with mailbox

Active Roles creates the new user (in the accounts forest), and then performs the following actions:

  • Create a shadow account (in the Exchange forest), and populate its properties with the data found in the request
  • Create a linked mailbox using that shadow account, with the new user (from the accounts forest) specified as the linked master account
  • Create a reference to the shadow account on the master account
  • Update the master account with the e-mail address of the linked mailbox

When creating the shadow account or mailbox, Active Roles executes all policies that are applied to the container that holds the shadow account, including the mailbox auto-provisioning policies (if any). To have an effect, mailbox auto-provisioning policies must be applied to the container that holds shadow accounts (rather than master accounts).

Create a mailbox for an existing user

Active Roles retrieves the properties of the existing user (in the accounts forest), and then performs the following actions:

  • Create a shadow account (in the Exchange forest), and populate its properties with the properties of the existing user
  • Create a linked mailbox using that shadow account, with the existing user (from the accounts forest) specified as the linked master account
  • Create a reference to the shadow account on the master account
  • Update the master account with the e-mail address of the linked mailbox

When creating the shadow account or mailbox, Active Roles executes all policies that are applied to the container that holds the shadow account, including the mailbox auto-provisioning policies (if any). To have an effect, mailbox auto-provisioning policies must be applied to the container that holds shadow accounts (rather than master accounts).

Modify properties of a master account

If the change request includes any changes to substituted properties, Active Roles makes the requested changes to the substituted properties of the shadow account. Next, Active Roles makes the requested changes to the properties of the master account, and then updates the synchronized properties of the shadow account with the new property values found on the master account.

Perform an Exchange task on a master account

Active Roles applies the Exchange task to the shadow account of that master account.

Deprovision a master account

Active Roles deprovisions the master account, and then deprovisions the shadow account. When deprovisioning the shadow account, Active Roles executes all deprovisioning policies that are applied to the container that holds the shadow account, including the mailbox deprovisioning policies. To have an effect, mailbox deprovisioning policies must be applied to the container that holds shadow accounts (rather than master accounts).

Undeprovision a deprovisioned master account

Active Roles undeprovisions the master account and then undeprovisions the shadow account. Once the shadow account has been undeprovisioned, the master account’s mailbox reverts to the state it was in before the master account was deprovisioned.

For undeprovisioning master accounts to have an effect on shadow accounts, the container that holds deprovisioned master accounts must be in the scope of the Built-in Policy - ERFM - Mailbox Management Policy Object (or a copy of that Policy Object).

Delete a master account

Active Roles deletes the master account, and then performs the “Disable mailbox” task on the shadow account.

Scheduled Task

Exchange Resource Forest Management includes an Active Roles scheduled task that complements the mailbox management policy to enforce synchronization of master and shadow account properties, and to capture existing linked mailboxes whose master account is put under the control of that policy. The scheduled task object is in the Configuration/Server Configuration/Scheduled Tasks/Builtin container. The name of the object is ERFM - Mailbox Management. The task is scheduled to run on a daily basis. Normally, you do not need to modify that scheduled task.

The operation of the task affects only the user accounts that are in the scope of the Built-in Policy - ERFM - Mailbox Management Policy Object (or a copy of that Policy Object). When run, the task performs the following actions on each of those user accounts:

  • If the user account does not have a linked mailbox, then skip over that user account.
  • If the user account has a linked mailbox but does not store a reference to the shadow account of that mailbox, then create the reference to the shadow account on that user account.

This action enables Exchange Resource Forest Management to administer existing linked mailboxes, possibly created using an earlier version of Exchange Resource Forest Management or without the use of Exchange Resource Forest Management.

  • If the user account has a linked mailbox and stores a reference to the shadow account, then copy the synchronized properties from the master account to the shadow account, and copy the back-synchronized properties from the shadow account to the master account.

This action ensures that the shadow account properties are updated with the latest changes to the master account properties and vice versa.

  • If the shadow account is the manager (or a secondary owner) who can update the membership list of a particular group, then the task checks that group to see if the master account can update the membership list as well, and, if necessary, gives the master account the right to update the membership list.

This action synchronizes the group manager rights of the master account with the group manager rights of the shadow account, thereby enabling the mailbox logon account (which is the master account) to add or remove members from distribution lists by using Outlook or Outlook Web App.
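The per-account logic of the scheduled task can be modelled as a dry run that lists what the task would change. This is an added example, not One Identity code: the field names, the synchronized property list and the sample records are constructed, and it assumes that property and group checks run only for accounts that already store the shadow reference.

```python
# Added example: dry-run model of the "ERFM - Mailbox Management" task logic.
# Field names and records are constructed; they are not Active Roles attributes.
SYNCED = ["displayName", "department"]  # assumed synchronized list (master -> shadow)
BACK_SYNCED = ["mail"]                  # default back-synchronized list (shadow -> master)

MASTERS = {  # accounts forest, all assumed to be in the Policy Object's scope
    "alice": {"displayName": "Alice", "department": "HR", "mail": None, "shadow_ref": None},
    "bob": {"displayName": "Bob", "department": "IT", "mail": None, "shadow_ref": None},
    "carol": {"displayName": "Carol", "department": "Sales", "mail": "c@old.example",
              "shadow_ref": "carol-shadow"},
}
SHADOWS = {  # Exchange forest; linked_master names the linked master account
    "bob-shadow": {"linked_master": "bob", "displayName": "Bob", "department": "IT",
                   "mail": "bob@corp.example"},
    "carol-shadow": {"linked_master": "carol", "displayName": "Carol",
                     "department": "Marketing", "mail": "carol@corp.example"},
}
GROUPS = {"DL-Sales": {"can_update_members": {"carol-shadow"}}}

def plan_task_run(masters, shadows, groups):
    """Return (account, action, detail) tuples the task would perform, in order."""
    by_master = {s["linked_master"]: name for name, s in shadows.items()}
    plan = []
    for name, master in masters.items():
        shadow_name = by_master.get(name)
        if shadow_name is None:  # no linked mailbox: skip the account
            plan.append((name, "skip", "no linked mailbox"))
            continue
        if master["shadow_ref"] is None:  # mailbox exists, reference missing: capture
            plan.append((name, "create-reference", shadow_name))
            continue
        shadow = shadows[master["shadow_ref"]]
        for prop in SYNCED:  # master is authoritative for synchronized properties
            if shadow.get(prop) != master.get(prop):
                plan.append((name, "copy-to-shadow", prop))
        for prop in BACK_SYNCED:  # shadow is authoritative for back-synchronized ones
            if master.get(prop) != shadow.get(prop):
                plan.append((name, "copy-to-master", prop))
        for group, acl in sorted(groups.items()):  # mirror group manager rights
            writers = acl["can_update_members"]
            if master["shadow_ref"] in writers and name not in writers:
                plan.append((name, "grant-update-membership", group))
    return plan

if __name__ == "__main__":
    for step in plan_task_run(MASTERS, SHADOWS, GROUPS):
        print(step)
```

The `grant-update-membership` entries are the ones to review first, because that step extends write access on a group to an account in the accounts forest.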
