Identity Manager 8.0.2 - Administration Guide for Connecting to Microsoft Exchange

Extensions for Creating Linked Mailboxes in a Microsoft Exchange Resource Forest

To create linked mailboxes in a Microsoft Exchange resource forest, you must declare the user account with which the linked mailboxes are going to be created as well as the Active Directory domain controller for each Active Directory client domain.

To edit master data for a domain

  1. Select the category Active Directory | Domains.
  2. Select the domain in the result list and run the task Change master data.
  3. Enter the following information on the Exchange tab.
    Table 5: Master Data of a Domain for Creating Linked Mailboxes

    User (linked mailbox): User account used to create linked mailboxes.
    Password: Password of this user account.
    Password confirmation: Confirmation of the user account password.
    DC (linked mailbox): Active Directory domain controller used to create linked mailboxes.

  4. Save the changes.
Creating a Synchronization Project for initial Synchronization of a Microsoft Exchange Environment

Use the Synchronization Editor to configure synchronization between the One Identity Manager database and Microsoft Exchange. The following describes the steps for initial configuration of a synchronization project.

NOTE: Refer to the recommendations for setting up synchronization described in Recommendations for Synchronizing Microsoft Exchange.

IMPORTANT: Each Microsoft Exchange environment should have its own synchronization project.

After the initial configuration, you can customize and configure workflows within the synchronization project. Use the workflow wizard in the Synchronization Editor for this. The Synchronization Editor also provides different configuration options for a synchronization project.

IMPORTANT: For authentication to succeed, the Microsoft Exchange servers must be reachable by DNS query. If the DNS name cannot be resolved, the target system connection is refused.

Prerequisites for Setting Up a Synchronization Project
  • Synchronization of the Active Directory system is carried out regularly.
  • The Active Directory forest is declared in One Identity Manager.
  • Explicit Active Directory domain trusts are declared in One Identity Manager.
  • Implicit two-way trusts between domains in an Active Directory forest are declared in One Identity Manager.
  • A user account with password and a domain controller of the Active Directory client domain are entered for creating linked mailboxes within a Microsoft Exchange resource forest topology.

Have the following information available for setting up a synchronization project.

Table 6: Information Required for Setting up a Synchronization Project

Microsoft Exchange version
  One Identity Manager supports synchronization with Microsoft Exchange 2010, Service Pack 3 or later, Microsoft Exchange 2013, Service Pack 1 or later, and Microsoft Exchange 2016.

Server (fully qualified)
  Fully qualified name (FQDN) of the Microsoft Exchange server against which the synchronization server connects to access Microsoft Exchange objects.
  Example: Server.Doku.Testlab.dd

User account and password for logging in
  Fully qualified name (FQDN) of the user account and password for logging in on Microsoft Exchange.
  Examples: user@domain.com or domain.com\user
  Make a user account available with sufficient permissions. For more information, see Users and Permissions for Synchronizing with Microsoft Exchange.

Synchronization server for Microsoft Exchange
  The One Identity Manager Service with the Microsoft Exchange connector must be installed on the synchronization server.

  Table 7: Additional Properties for the Job Server
    Server Function: Microsoft Exchange connector
    Machine role: Server/Job Server/Active Directory/Microsoft Exchange

  For more information, see Setting Up the Synchronization Server.

One Identity Manager Database Connection Data
  SQL Server:
    • Database server
    • Database
    • Database user and password
    • Specifies whether Windows authentication is used.
      This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication.

  Oracle:
    • Specifies whether access is direct or through the Oracle client.
      Which connection data is required depends on how this option is set.
    • Database server
    • Oracle instance port
    • Service name
    • Oracle database user and password
    • Data source (TNS alias name from TNSNames.ora)

Remote connection server
  To configure synchronization with a target system, One Identity Manager must load the data from the target system. One Identity Manager communicates directly with the target system to do this. Sometimes direct access from the workstation on which the Synchronization Editor is installed is not possible, because of the firewall configuration, for example, or because the workstation does not fulfill the necessary hardware and software requirements. If direct access from the workstation is not possible, you can set up a remote connection.

  The remote connection server and the workstation must be in the same Active Directory domain.

  Remote connection server configuration:
    • One Identity Manager Service is started
    • RemoteConnectPlugin is installed
    • Microsoft Exchange connector is installed

  The remote connection server must be declared as a Job server in One Identity Manager. The Job server name is required.

  TIP: The remote connection server requires the same configuration (with respect to the installed software) as the synchronization server. You can use the synchronization server as the remote connection server at the same time by simply installing the RemoteConnectPlugin on it as well.

  For more detailed information about setting up a remote connection, see the One Identity Manager Target System Synchronization Reference Guide.

NOTE: The following sequence describes how you configure a synchronization project if the Synchronization Editor is both:
  • In default mode
  • Started from the launchpad

Additional settings can be made if the project wizard is run in expert mode or is started directly from the Synchronization Editor. Follow the project wizard instructions through these steps.

To set up an initial synchronization project for Microsoft Exchange

  1. Start the Launchpad and log on to the One Identity Manager database.

    NOTE: If synchronization is executed by an application server, connect to the database through the application server.

  2. Select the entry Microsoft Exchange target system type. Click Run.

    This starts the Synchronization Editor's project wizard.

  3. Select the connector on the Select target system page.
    • Select Microsoft Exchange 2010 connector for synchronizing with Microsoft Exchange 2010.
    • Select Microsoft Exchange 2013 connector for synchronizing with Microsoft Exchange 2013.
    • Select Microsoft Exchange 2016 connector for synchronizing with Microsoft Exchange 2016.

  4. Specify how One Identity Manager can access the target system on the System access page.
    • If you have access from the workstation from which you started the Synchronization Editor, do not set anything.
    • If you do not have access from the workstation from which you started the Synchronization Editor, you can set up a remote connection.

      In this case, set the option Connect using remote connection server and select, under Job server, the server you want to use for the connection.

  5. On the Select Microsoft Exchange server page, enter the information about the Microsoft Exchange server against which the synchronization server connects to access Microsoft Exchange objects.
    1. Enter the fully qualified name (FQDN) of the Microsoft Exchange server in Server. To check the data, click DNS query.

      NOTE: If you only know the IP address of the server, enter the IP address in Server and click DNS query. The server's fully qualified name is found and entered.

    2. In Max. concurrent connections, enter the number of connections that can be used at the same time.

      A maximum of 4 simultaneous connections is recommended. Synchronization tries to use this many connections. Depending on the load, this number may not always be reached; corresponding warnings are issued.

      A default timeout is defined for connecting. The timeout is 5 minutes for the first connection and 30 seconds for all following connections. A connection is closed if it is idle for this duration.

    3. To use HTTPS for establishing the connection, set Use SSL.

      NOTE: Microsoft Exchange does not support this type of connection by default. You must configure support for HTTPS in your Microsoft Exchange environment.

  6. Enter login data on the Enter connection credentials page to connect to Microsoft Exchange.

    Table 8: Connection data to Microsoft Exchange

    User name (user@domain): Fully qualified name (FQDN) of the user account for logging in. Examples: user@domain.com or domain.com\user
    Password: User account password.

  7. Specify on the Recipient scope page whether the recipients of a single domain or of the complete Microsoft Exchange organization should be taken into account.
    • To synchronize all Microsoft Exchange organization recipients, select the option Entire organization (recommended). As a prerequisite, the trusted Active Directory domains must be declared in One Identity Manager.
    • To synchronize recipients of specific domains, select the option Only recipients of the following domain and select a domain. The target system domain is listed as a minimum.

  8. Verify the One Identity Manager database connection data on the One Identity Manager connection page. The data is loaded from the connected database. Reenter the password.

    NOTE: Reenter all the connection data if you are not working with an encrypted One Identity Manager database and no synchronization project has been saved yet in the database. This page is not shown if a synchronization project already exists.

  9. The wizard loads the target system schema. This may take a few minutes depending on the type of target system access and the size of the target system.

  10. Specify how system access should work on the Restrict target system access page. You have the following options:

    Table 9: Specifying Target System Access

    Read-only access to target system.
      Specifies whether a synchronization workflow should be set up to initially load the target system into the One Identity Manager database.

      The synchronization workflow has the following characteristics:
      • Synchronization is in the direction of "One Identity Manager".
      • Processing methods in the synchronization steps are only defined in synchronization direction "One Identity Manager".

    Changes are also made to the target system.
      Specifies whether a provisioning workflow should be set up in addition to the synchronization workflow to initially load the target system.

      The provisioning workflow has the following characteristics:
      • Synchronization is in the direction of the "target system".
      • Processing methods are only defined in the synchronization steps in synchronization direction "target system".
      • Synchronization steps are only created for schema classes whose schema types have write access.

  11. Select the synchronization server to execute synchronization on the Synchronization server page.

    If the synchronization server is not yet declared as a job server in the One Identity Manager database, you can add a new job server.

    • Click to add a new job server.
    • Enter a name for the job server and the full server name conforming to DNS syntax.
    • Click OK.

      The synchronization server is declared as job server for the target system in the One Identity Manager database.

      NOTE: Ensure that this server is set up as the synchronization server after saving the synchronization project.

  12. Click Finish to complete the project wizard.

    This creates and allocates a default schedule for regular synchronization. Enable the schedule for regular synchronization.

    The synchronization project is created, saved, and enabled immediately.

    NOTE: If the synchronization project is not going to be executed immediately, disable the option Activate and save the new synchronization project automatically.

    In this case, save the synchronization project manually before closing the Synchronization Editor.

    NOTE: The target system connection data is saved in a variable set, which you can change in the Synchronization Editor under Configuration | Variables if necessary.
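The following PowerShell pre-flight check is an added example, not part of this guide or of One Identity Manager. Run on the synchronization server before starting the project wizard, it verifies what the wizard pages above require: that the Microsoft Exchange server's FQDN resolves (or is found by reverse lookup when only an IP address is known), that the server answers on the HTTP or HTTPS port that the Use SSL setting implies, and that the login name has one of the two documented forms. The TCP ports 443/80 and the function names Resolve-ExchangeServerName and Test-LoginNameFormat are assumptions of this example, not values from the guide.

```powershell
# Added pre-flight check (not part of the One Identity Manager documentation).
# Run on the synchronization server or remote connection server before the
# project wizard. It checks the requirements the guide states for the
# "Select Microsoft Exchange server" and "Enter connection credentials" pages:
#   - the Exchange server must be resolvable by DNS, otherwise the target
#     system connection is refused;
#   - if only an IP address is known, the FQDN is found by reverse lookup
#     (what the wizard's "DNS query" button does);
#   - with "Use SSL" set, Exchange must accept HTTPS. Ports 443 (HTTPS) and
#     80 (HTTP) are assumptions of this example, not from the guide;
#   - login names must have the form user@domain.com or domain.com\user.
param(
    [Parameter(Mandatory)] [string] $Server,     # FQDN or IP address
    [Parameter(Mandatory)] [string] $UserName,
    [switch] $UseSsl,
    [int] $MaxConcurrentConnections = 4          # the guide's recommended maximum
)

function Resolve-ExchangeServerName {
    param([string] $NameOrIp)
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($NameOrIp, [ref] $ip)) {
        # IP address given: reverse lookup supplies the fully qualified name.
        return ([System.Net.Dns]::GetHostEntry($ip)).HostName
    }
    # Name given: a forward lookup proves the name is resolvable.
    return ([System.Net.Dns]::GetHostEntry($NameOrIp)).HostName
}

function Test-LoginNameFormat {
    param([string] $Name)
    # Accept user@domain.com or domain.com\user; reject anything else.
    return ($Name -match '^[^@\\\s]+@[^@\\\s]+$') -or ($Name -match '^[^@\\\s]+\\[^@\\\s]+$')
}

$fqdn = $null
try {
    $fqdn = Resolve-ExchangeServerName -NameOrIp $Server
    Write-Output "DNS   OK   $Server resolves to $fqdn"
} catch {
    Write-Output "DNS   FAIL $Server cannot be resolved; the connector refuses the connection"
}

if ($fqdn) {
    $port = if ($UseSsl) { 443 } else { 80 }   # assumed ports for the remote connection
    $tcp = Test-NetConnection -ComputerName $fqdn -Port $port -WarningAction SilentlyContinue
    if ($tcp.TcpTestSucceeded) {
        Write-Output "TCP   OK   $fqdn accepts connections on port $port"
    } else {
        Write-Output "TCP   FAIL $fqdn does not answer on port $port; with Use SSL, HTTPS must be configured on Exchange"
    }
}

if (Test-LoginNameFormat -Name $UserName) {
    Write-Output "USER  OK   '$UserName' has the form user@domain.com or domain.com\user"
} else {
    Write-Output "USER  FAIL '$UserName' must be entered as user@domain.com or domain.com\user"
}

if ($MaxConcurrentConnections -gt 4) {
    Write-Output "CONN  WARN $MaxConcurrentConnections concurrent connections requested; the guide recommends at most 4"
}
```

A FAIL on the DNS line is the condition under which the guide says the target system connection is refused; a FAIL on the TCP line with Use SSL set points at the HTTPS configuration the NOTE in step 5 requires.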

To configure the content of the synchronization log

  1. To configure the synchronization log for target system connection, select the category Configuration | Target system.
  2. To configure the synchronization log for the database connection, select the category Configuration | One Identity Manager connection.
  3. Select General view and click Configure....
  4. Select the Synchronization log view and set Create synchronization log.
  5. Enable the data to be logged.

    NOTE: Certain content creates a lot of log data.

    The synchronization log should only contain the data necessary for error analysis and other evaluations.

  6. Click OK.

To synchronize on a regular basis

  1. Select the category Configuration | Start up configurations.
  2. Select a start up configuration in the document view and click Edit schedule....
  3. Edit the schedule properties.
  4. To enable the schedule, click Activate.
  5. Click OK.

To start initial synchronization manually

  1. Select the category Configuration | Start up configurations.
  2. Select a start up configuration in the document view and click Execute.
  3. Confirm the security prompt with Yes.
Show Synchronization Results

Synchronization results are summarized in the synchronization log. You can specify the extent of the synchronization log for each system connection individually. One Identity Manager provides several reports in which the synchronization results are organized under different criteria.

To display a synchronization log

  1. Open the synchronization project in the Synchronization Editor.
  2. Select the category Logs.
  3. Click in the navigation view toolbar.

    Logs for all completed synchronization runs are displayed in the navigation view.

  4. Select a log by double-clicking on it.

    An analysis of the synchronization is shown as a report. You can save the report.

To display a provisioning log

  1. Open the synchronization project in the Synchronization Editor.
  2. Select the category Logs.
  3. Click in the navigation view toolbar.

    Logs for all completed provisioning processes are displayed in the navigation view.

  4. Select a log by double-clicking on it.

    An analysis of the provisioning is shown as a report. You can save the report.

The log is marked in color in the navigation view. This mark shows you the execution status of the synchronization/provisioning.

Synchronization logs are stored for a fixed length of time.

To modify the retention period for synchronization logs

  • In the Designer, set the "DPR\Journal\LifeTime" configuration parameter and enter the maximum retention time.

Recommendations for Synchronizing Microsoft Exchange

The following scenarios for synchronizing Microsoft Exchange are supported.

Scenario: Synchronizing Microsoft Exchange infrastructure including all Microsoft Exchange organization recipients

It is recommended in principle that you synchronize the Microsoft Exchange infrastructure including all Microsoft Exchange organization recipients.

The Microsoft Exchange infrastructure elements (server, address lists, policies, for example) and recipients (mailboxes, mail-enabled distribution groups, e-mail users, e-mail contacts) of the entire Microsoft Exchange organization are synchronized.

  • Set up a synchronization project and use the recipient scope Complete organization.

For more information, see Creating a Synchronization Project for initial Synchronization of a Microsoft Exchange Environment.

Scenario: Synchronizing Microsoft Exchange infrastructure and recipients of a selected Active Directory domain in the Microsoft Exchange organization

It is possible to synchronize Microsoft Exchange infrastructure and recipients separately if synchronization of the entire Microsoft Exchange organization is not possible due to the large number of recipients.

First the Microsoft Exchange infrastructure elements (server, address lists, policies, for example) are loaded. Then recipients (mailboxes, mail-enabled distribution groups, e-mail users, e-mail contacts) are synchronized from the given Active Directory domain in the Microsoft Exchange organization.

The following synchronization project configuration is recommended in this case:

NOTE: Use the Synchronization Editor expert mode for the following configurations.

  1. Set up the synchronization project for synchronizing the entire Microsoft Exchange infrastructure.
    • Select Complete organization in the recipient scope.
    • Customize the synchronization workflow.
      • Disable synchronization steps of all schema types representing recipients. These are:
        Mailbox
        MailContact
        MailUser
        DistributionList
        DynamicDistributionList
        MailPublicFolder
      • Check that all schema types not representing recipients are synchronized. These are:
        ActiveSyncMailboxPolicy
        DatabaseAvailabilityGroup
        MailboxDatabase
        ManagedFolderMailboxPolicy (Microsoft Exchange 2010)
        OfflineAddressBook
        Organization
        PublicFolder
        PublicFolderDatabase (Microsoft Exchange 2010)
        RetentionPolicy
        RoleAssignmentPolicy
        Server
        SharingPolicy
        AddressList
        GlobalAddressList
  2. Set up the synchronization project for synchronizing recipients of an Active Directory domain.
    • Check Only recipients of the following domain on the recipient scope page and select a Microsoft Exchange domain.
    • Customize the synchronization workflow.
      • Disable synchronization steps of all schema types that do not represent recipients. These are:
        ActiveSyncMailboxPolicy
        DatabaseAvailabilityGroup
        MailboxDatabase
        ManagedFolderMailboxPolicy (Microsoft Exchange 2010)
        OfflineAddressBook
        Organization
        PublicFolder
        PublicFolderDatabase (Microsoft Exchange 2010)
        RetentionPolicy
        RoleAssignmentPolicy
        Server
        SharingPolicy
        AddressList
        GlobalAddressList
      • Check that all schema types representing recipients are synchronized. These are:
        Mailbox
        MailContact
        MailUser
        DistributionList
        DynamicDistributionList
        MailPublicFolder
  3. Specify more base objects for the remaining Active Directory domains.
    • Open the first synchronization project for synchronizing recipients in the Synchronization Editor.
    • Create a new base object for every domain. Use the wizards to attach a base object.
      • Select the Microsoft Exchange connector in the wizard and declare the connection parameters. The connection parameters are saved in a special variable set.

        NOTE: Take note of the following when setting up the connection:

        • Select a Microsoft Exchange server in the domain as server if possible.
        • Select Only recipients of the following domain again in the recipient scope.
    • Create a new start up configuration for each domain. Use the new variable sets in the start up configuration.
    • Run a consistency check.
    • Activate the synchronization project.
  4. Customize the synchronization schedule.

IMPORTANT: Set up the synchronization schedules such that the Microsoft Exchange infrastructure is synchronized before Microsoft Exchange recipients.

Several synchronization runs may be necessary before all the data is synchronized, depending on references between the Microsoft Exchange organization domains.
