The following users are involved in synchronizing One Identity Manager with Microsoft Exchange.
User | Permissions
---|---
User for accessing Microsoft Exchange | You must provide a user account with the following permissions for full synchronization of Microsoft Exchange objects with the supplied One Identity Manager default configuration.
User for creating linked mailboxes | The user account is required for adding linked mailboxes. The user account requires read access in Active Directory.
One Identity Manager Service user account | The user account for the One Identity Manager Service requires access rights to carry out operations at file level (issuing user rights, adding directories and files to be edited). The user account must belong to the group "Domain Users". The user account must have the extended access right "Log on as a service". The user account requires access rights to the internal web service. The user account needs full access to the One Identity Manager Service installation directory in order to automatically update the One Identity Manager. In the default installation the One Identity Manager is installed under:
User for accessing the One Identity Manager database | The default system user "Synchronization
To set up synchronization with a Microsoft Exchange environment, a server must be available that has the following software installed on it:
The following versions are supported:
Microsoft .NET Framework Version 4.5.2 or later

NOTE: Microsoft .NET Framework version 4.6 is not supported.

NOTE: Take the target system manufacturer's recommendations into account.

Windows Management Framework 4.0

IMPORTANT: The Microsoft Exchange One Identity Manager connector uses Windows PowerShell to communicate with the Microsoft Exchange server. For communication, extra configuration is required on the synchronization server and the Microsoft Exchange server. For more information, see Configuring Participating Servers for Remote Access through Windows PowerShell.
All One Identity Manager Service actions are executed against the target system environment on the synchronization server. Entries which are necessary for synchronization and administration with the One Identity Manager database are processed by the synchronization server. The synchronization server must be declared as a Job server in One Identity Manager.

NOTE: If several target system environments of the same type are synchronized under the same synchronization server, it is useful to set up a job server for each target system on performance grounds. This avoids unnecessary swapping of connections to target systems because a job server only has to process tasks of the same type (re-use of existing connections).
Use the Server Installer to install the One Identity Manager Service. This program executes the following steps.

NOTE: The program executes remote installation of the One Identity Manager Service. Local installation of the service is not possible with this program. Remote installation is only supported within a domain or a trusted domain.
To install and configure the One Identity Manager Service remotely on a server
- OR -
Click Add to add a new job server.
Property | Description
---|---
Server | Name of the Job server.
Queue | Name of the queue to handle the process steps. Each One Identity Manager Service within the network must have a unique queue identifier. The process steps are requested by the job queue using exactly this queue name. The queue identifier is entered in the One Identity Manager Service configuration file.
Full server name | Full name of the server in DNS syntax. Example: <name of server>.<fully qualified domain name>

NOTE: Use the Advanced option to edit other Job server properties. You can use the Designer to change properties at a later date.
Select at least the following roles:
The server's functions depend on which machine roles you have selected. You can limit the server's functionality further here.
Select the following server functions:

NOTE: The initial service configuration is already predefined. If further changes need to be made to the configuration, you can do this later with the Designer. For more detailed information about configuring the service, see the One Identity Manager Configuration Guide.

NOTE: This page is only displayed when the database is encrypted.
Data | Description
---|---
Computer | Server on which to install and start the service.
Service account | One Identity Manager Service user account data.
Installation account | Data for the administrative user account used to install the service.
To select a server
To enter a user account for the One Identity Manager Service
To enter an administrative user account for installation
Installation of the service occurs automatically and may take some time.

NOTE: The service is entered with the name "One Identity Manager Service" in the server's service administration.
NOTE: Run the configuration steps on the Microsoft Exchange server and the synchronization server.
To configure a server for remote access using Windows PowerShell
```powershell
winrm quickconfig
```
This command prepares the server for remote access.
```powershell
Set-ExecutionPolicy RemoteSigned
```
This command allows all Windows PowerShell commands (cmdlets) to be executed. Scripts must be signed by a trusted publisher.
```powershell
Set-Item wsman:\localhost\client\trustedhosts * -Force
```
This command customizes the list of trusted hosts that are allowed to authenticate.
The value "*" allows connections from all hosts. One Identity Manager uses the server's fully qualified domain name for the connection, so you can limit the value to that name instead of allowing all hosts.
To test remote access through Windows PowerShell from the synchronization server to the Microsoft Exchange server
```powershell
$creds = New-Object System.Management.Automation.PSCredential ("<domain>\<user>", (ConvertTo-SecureString "<password>" -AsPlainText -Force))
```
- OR -
```powershell
$creds = Get-Credential
```
This command obtains the credentials required for making the connection.
```powershell
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<ServerName as FQDN>/powershell -Credential $creds -Authentication Kerberos
```
This command creates a remote session.

NOTE: One Identity Manager creates a connection using the Microsoft Exchange server's fully qualified domain name. The server name must therefore be in the list configured with trusted hosts.
```powershell
Import-PSSession $session
```
This command imports the remote session so that its cmdlets can be used locally.
```powershell
Get-Mailbox
```
This command lists the mailboxes on the Microsoft Exchange server; if it returns results, remote access is working.
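The configuration and test steps above, combined into one check script run on the synchronization server. This is an added example, not a script from the One Identity Manager documentation; it restricts TrustedHosts to the Exchange server's name instead of "*", and the server name `exchange01.corp.example` is a placeholder you must replace.

```powershell
# Added example (not from the One Identity documentation): verify WinRM/Exchange
# remoting from the synchronization server with a restricted TrustedHosts value.
# Assumption: $ExchangeFqdn is the Exchange server's FQDN (placeholder value) and the
# account entered at the prompt has the Exchange permissions described above.
param(
    [string]$ExchangeFqdn = "exchange01.corp.example"   # placeholder, replace
)

# Allow only the Exchange server in TrustedHosts rather than "*".
# -Concatenate appends to an existing list instead of overwriting it.
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if (($current -split ',') -notcontains $ExchangeFqdn) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $ExchangeFqdn -Concatenate -Force
}

# The execution policy must not be Restricted, otherwise imported scripts cannot run.
if ((Get-ExecutionPolicy) -eq 'Restricted') {
    throw "Execution policy is Restricted; run Set-ExecutionPolicy RemoteSigned first."
}

# Is the WinRM listener on the Exchange server reachable? Fails if quickconfig was not run there.
Test-WSMan -ComputerName $ExchangeFqdn -ErrorAction Stop | Out-Null

# Open the Exchange remoting endpoint with Kerberos, as the connector does.
$creds   = Get-Credential -Message "Account used for Exchange synchronization"
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://$ExchangeFqdn/powershell" `
    -Credential $creds -Authentication Kerberos -ErrorAction Stop
try {
    # Import only the cmdlet needed for the check.
    Import-PSSession $session -CommandName Get-Mailbox -AllowClobber | Out-Null
    $mailbox = Get-Mailbox -ResultSize 1
    if ($mailbox) {
        Write-Host "Remote access verified: $($mailbox.Identity)"
    } else {
        Write-Warning "Session opened but Get-Mailbox returned nothing; check the account's Exchange role."
    }
} finally {
    Remove-PSSession $session   # always close the remote session
}
```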
To enter the parent domain
Implicit trusts are created automatically.
To test trusted domains
This shows domains which trust the selected domain.
For more detailed information, see the One Identity Manager Administration Guide for Connecting to Active Directory.
© 2021 One Identity LLC. ALL RIGHTS RESERVED.