Extensions for Creating Linked Mailboxes in a Microsoft Exchange Resource Forest

Extensions for Creating Linked Mailboxes in a Microsoft Exchange Resource Forest

To create linked mailboxes in a Microsoft Exchange resource forest, you must declare the user account with which the linked mailboxes are going to be created as well as the Active Directory domain controller for each Active Directory client domain.

To edit master data for a domain

1. Select the category Active Directory | Domains.
2. Select the domain in the result list and run the task Change master data.
3. Enter the following information on the Exchange tab.

   Table 5: Master Data of a Domain for Creating Linked Mailboxes

   Property	Description
   User (linked mailbox)	User account used to create linked mailboxes.
   Password	User account password.
   Password confirmation	Confirmation of the user account password.
   DC (linked mailbox)	Active Directory Domain controller for create linked mailboxes.

4. Save the changes.

Related Topics

• Users and Permissions for Synchronizing with Microsoft Exchange

Creating a Synchronization Project for initial Synchronization of a Microsoft Exchange Environment

Creating a Synchronization Project for initial Synchronization of a Microsoft Exchange Environment

Use the Synchronization EditorOne Identity Manager tool for configuring target system synchronization. to configure synchronization between the One Identity Manager database and Microsoft Exchange. The following describes the steps for initial configuration of a synchronization project.

After the initial configuration, you can customize and configure workflows within the synchronization project. Use the workflow wizard in the SynchronizationThe process of comparing data between One Identity Manager and a target system. Objects and their properties are compared by fixed rules. Synchronization results in the identical data situation in the target system and One Identity Manager database. Editor for this. The Synchronization Editor also provides different configuration options for a synchronization project.

Prerequisites for Setting Up a Synchronization Project

• Synchronization of the Active Directory system is carried out regularly.
• The Active Directory forest is declared in One Identity Manager.
• Explicit Active Directory domain trusts are declared in One Identity Manager
• Implicit two-way trusts between domains in an Active Directory forest are declared in One Identity Manager
• User account with password and domain controller on the Active Directory client domain are entered to create linked mailboxes within a Microsoft Exchange resource forest topology

Have the following information available for setting up a synchronization project.

Table 6: Information Required for Setting up a Synchronization Project

Data	Explanation
Microsoft Exchange version	One Identity Manager supports synchronization with Microsoft Exchange 2010, Service Pack 3 or later, Microsoft Exchange 2013, Service Pack 1 or later and Microsoft Exchange 2016.
Server (fully qualified)	Fully qualified name (FQDN) of the Microsoft Exchange server against which the synchronization server connects to access Microsoft Exchange objects. Example: Server.Doku.Testlab.dd
User account and password for logging in	Fully qualified name (FQDN) of the user account and password for logging in on the Microsoft Exchange. Example: user@domain.com domain.com\user Make a user account available with sufficient permissions. For more information, see Users and Permissions for Synchronizing with Microsoft Exchange.
Synchronization serverJob serverServer with the One Identity Manager Service installed. installed with the target system connector. All One Identity Manager actions are executed against the target system environment on the synchronization server. for Microsoft Exchange	The One Identity Manager Service with the Microsoft Exchange connector must be installed on the synchronization server. Table 7: Additional Properties for the Job Server Property Value Server Function Microsoft Exchange connector Machine role Server/Job Server/Active Directory/Microsoft Exchange For more information, see Setting Up the Synchronization Server.
One Identity Manager Database ConnectionSystem connection to the One Identity Manager database. Data	SQL Server: Database server Database Database user and password Specifies whether Windows authentication is used. This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication. Oracle: Species whether access is direct or through the Oracle client Which connection data is required, depends on how this option is set. Database server Oracle instance port Service name Oracle database user and password Data source (TNS alias name from TNSNames.ora)
Remote connection serverJob server installed with the RemoteConnectPlugin and the target system connector is installed. If direct access to the target system is not possible, a remote connection can be set up. Communication between the Synchronization Editor and Target SystemAn instance of a target system in which the employees managed by One Identity Manager have access to network resources. Example: An Active Directory domain X for target system type "Active Directory", a directory Y for target system type "LDAP", a client Z for target system type "SAP R/3". is done through a remote connection server.	To configure synchronization with a target system, One Identity Manager must load the data from the target system. One Identity Manager communicates directly with target system to do this. If you do not have direct access on the workstation on which the Synchronization Editor is installed, because of the firewall configuration, for example, you can set up a remote connection. The remote connection server and the workstation must be in the same Active Directory domain. Remote connection server configuration: One Identity Manager Service is started RemoteConnectPlugin is installed Microsoft Exchange connector is installed The remote connection server must be declared as a Job server in One Identity Manager. The Job server name is required. TIP: The remote connection server requires the same configuration (with respect to the installed software) as the synchronization server. Use the synchronization as remote connection server at the same time, by simply installing the RemoteConnectPlugin as well. For more detailed information about setting up a remote connection, see the One Identity Manager Target System Synchronization Reference Guide.

To set up initial synchronization project for Microsoft Exchange

1. Start the Launchpad and log on to the One Identity Manager database.

   NOTE: If synchronization is executed by an application server, connect the database through the application server.

2. Select the entry Microsoft Exchange target system type. Click Run.

   This starts the Synchronization Editor's project wizard.

3. Select the connector on the Select target system page.
   • Select Microsoft Exchange 2010 connector for synchronizing with Microsoft Exchange 2010.
   • Select Microsoft Exchange 2013 connector for synchronizing with Microsoft Exchange 2013.
   • Select Microsoft Exchange 2016 connector for synchronizing with Microsoft Exchange 2016.

4. Specify how the One Identity Manager can access the target system on the System access page.
   • If you have access from the workstation from which you started the Synchronization Editor, do not set anything.
   • If you do not have access from the workstation from which you started the Synchronization Editor, you can set up a remote connection.

     In this case, set the option Connect using remote connection server and select, under Job server, the server you want to use for the connection.

5. Enter the information about the Microsoft Exchange server on the Select Microsoft Exchange server page against which the synchronization server connects to access Microsoft Exchange objects.
   1. Enter the fully qualified name (FQDN) in the Microsoft Exchange server in Server. To check the data, click DNS query.

      NOTE: If you only know the IP address of the server, enter the IP address in Server and click DNS query. The server's fully qualified name is found and entered.

   2. In Max. concurrent connections, enter the number of connection that can be used at the same time.

      A maximum 4 simultaneous connection are recommended. Synchronization tries to use this many connections. The number may not always be reached depending on the load. Warnings are given respectively.

      A default timeout is defined for connecting. The timeout is 5 minutes long for the first connection and 30 seconds for all following connections. The connections are closed if the connection is idle for the duration.

   3. To utilize HTTPS for establishing the connection, set Use SSL.

      NOTE: Microsoft Exchange does not support this type of connection by default. You must configure support for HTTPS in your Microsoft Exchange.

6. Enter login data on the Enter connection credentials page to connect to Microsoft Exchange.

   Table 8: Connection data to Microsoft Exchange

   Property	Description
   User name (user@domain)	Fully qualified name (FQDN) of the user account for logging in. Example: user@domain.com domain.com\user
   Password	User account password.

7. Specify on the Recipient scope page whether the recipient of any domain or complete Microsoft Exchange organization should be taken into account.
   • To synchronize Microsoft Exchange organization recipients, select the option Entire organization (recommended). As prerequisite the trusted Active Directory domains must be declared in One Identity Manager.
   • Select the option Only recipients of the following domain to synchronize recipients with specific domains and select a domain. The target system domain is listed as a minimum.

8. Verify the One Identity Manager database connection data on the One Identity Manager connection page. The data is loaded from the connected database. Reenter the password.

   NOTE: Reenter all the connection data if you are not working with an encrypted One Identity Manager database and no synchronization project has been saved yet in the database. This page is not shown if a synchronization project already exists.

9. The wizard loads the target system schema. This may take a few minutes depending on the type of target system access and the size of the target system.

10. Specify how system access should work on the page Restrict target system access. You have the following options:

    Table 9: Specifying Target System Access

    Option	Meaning
    Read-only access to target system.	Specifies whether a synchronization workflow should be set up to initially load the target system into the One Identity Manager database. The synchronization workflow has the following characteristics: Synchronization is in the direction of "One Identity Manager". Processing methods in the synchronization steps are only defined in synchronization direction "One Identity Manager".
    Changes are also made to the target system.	Specifies whether a provisioning workflow should be set up in addition to the synchronization workflow to initially load the target system. The provisioning workflow displays the following characteristics: Synchronization in the direction of the "target system" Processing methods are only defined in the synchronization steps in synchronization direction "target system". Synchronization steps are only created for such schema classes whose schema types have write access.

11. Select the synchronization server to execute synchronization on the Synchronization server page.

    If the synchronization server is not declare as a job server in the One Identity Manager database yet, you can add a new job server.

    • Click to add a new job server.
    • Enter a name for the job server and the full server name conforming to DNS syntax.
    • Click OK.

      The synchronization server is declared as job server for the target system in the One Identity Manager database.

      NOTE: Ensure that this server is set up as the synchronization server after saving the synchronization project.

12. Click Finish to complete the project wizard.

    This creates and allocates a default schedule for regular synchronization. Enable the schedule for regular synchronization.

    The synchronization project is created, saved and enabled immediately.

    NOTE: If the synchronization project is not going to be executed immediately, disable the option Activate and save the new synchronization project automatically. In this case, save the synchronization project manually before closing the Synchronization Editor.

    NOTE: The target system connection data is saved in a variable set, which you can change in the Synchronization Editor under Configuration | Variables if necessary.

To configure the content of the synchronization log

1. To configure the synchronization log for target system connection, select the category Configuration | Target system.
2. To configure the synchronization log for the database connection, select the category Configuration | One Identity Manager connection.
3. Select General view and click Configure....
4. Select the Synchronization log view and set Create synchronization log.
5. Enable the data to be logged.

   NOTE: Certain content create a lot of log data. The synchronization log should only contain the data necessary for error analysis and other evaluations.

6. Click OK.

To synchronize on a regular basis

1. Select the category Configuration | Start up configurations.
2. Select a start up configuration in the document view and click Edit schedule....
3. Edit the schedule properties.
4. To enable the schedule, click Activate.
5. Click OK.

To start initial synchronization manually

1. Select the category Configuration | Start up configurations.
2. Select a start up configuration in the document view and click Execute.
3. Confirm the security prompt with Yes.

Related Topics

• Setting Up the Synchronization Server
• Users and Permissions for Synchronizing with Microsoft Exchange
• Testing Active Directory Domain Trusts
• Show Synchronization Results
• Recommendations for Synchronizing Microsoft Exchange
• Customizing Synchronization Configuration
• Default Template for Microsoft Exchange 2010
• Default Template for Microsoft Exchange 2013 and Microsoft Exchange 2016

Show Synchronization Results

Show Synchronization Results

SynchronizationThe process of comparing data between One Identity Manager and a target system. Objects and their properties are compared by fixed rules. Synchronization results in the identical data situation in the target system and One Identity Manager database. results are summarized in the synchronization log. You can specify the extent of the synchronization log for each system connection individually. One Identity Manager provides several reports in which the synchronization results are organized under different criteria.

To display a synchronization log

1. Open the synchronization project in the Synchronization EditorOne Identity Manager tool for configuring target system synchronization..
2. Select the category Logs.
3. Click in the navigation view toolbar.

   Logs for all completed synchronization runs are displayed in the navigation view.

4. Select a log by double-clicking on it.

   An analysis of the synchronization is shown as a report. You can save the report.

To display a provisioning log.

1. Open the synchronization project in the Synchronization Editor.
2. Select the category Logs.
3. Click in the navigation view toolbar.

   Logs for all completed provisioning processes are displayed in the navigation view.

4. Select a log by double-clicking on it.

   An analysis of the provisioning is show as a report. You can save the report.

The log is marked in color in the navigation view. This mark shows you the execution status of the synchronization/provisioning.

Synchronization logs are stored for a fixed length of time. The retention period is set in the configuration parameter "DPR\Journal\LifeTime" and its sub parameters.

To modify the retention period for synchronization logs

• Set the configuration parameter "Common\Journal\LifeTime" in the Designer and enter the maximum retention time for entries in the database journal. Use the configuration sub parameters to specify the retention period for each warning level.
• If there is a large amount of data, you can specify the number of objects to delete per DBQueue Processor operation and run in order to improve performance. Use the configuration parameters "Common\Journal\Delete\BulkCount" and "Common\Journal\Delete\TotalCount" to do this.
• Configure and set the schedule "Delete journal" in the Designer.

Recommendations for Synchronizing Microsoft Exchange

Recommendations for Synchronizing Microsoft Exchange

The following scenarios for synchronizing Microsoft Exchange are supported.

Scenario: Synchronizing Microsoft Exchange infrastructure including all Microsoft Exchange organization recipients

It is recommended on principal that you synchronize the Microsoft Exchange infrastructure including all Microsoft Exchange organization recipients.

The Microsoft Exchange infrastructure elements (server, address lists, policies, for example) and recipients (mailboxes, mail-enabled distribution groups, e-mail users, e-mail contacts) of the entire Microsoft Exchange organization are synchronized.

• Set up a synchronization project and use the recipient scope Complete organization.

For more information, see Creating a Synchronization Project for initial Synchronization of a Microsoft Exchange Environment.

Scenario: Synchronizing Microsoft Exchange infrastructure and recipients of a select Active Directory domain in the Microsoft Exchange organization.

It is possible to synchronize Microsoft Exchange infrastructure and recipients separately if synchronization of the entire Microsoft Exchange organization is not possible due to the large number of recipients.

First the Microsoft Exchange infrastructure elements (server, address lists, policies, for example) are loaded. Then recipients (mailboxes, mail-enabled distribution groups, e-mail users, e-mail contacts) are synchronized from the given Active Directory domain in the Microsoft Exchange organization.

The following synchronization project configuration is recommended in this case:

1. Set up the synchronization project for synchronizing the entire Microsoft Exchange infrastructure.
   • Select Complete organization in the recipient scope.
   • Customize the synchronization workflow.
     • Disable synchronization steps of all schema types representing recipients. These are:

       Mailbox

       MailContact

       MailUser

       DistributionList

       DynamicDistributionList

       MailPublicFolder

     • Check that all schema types, not representing recipients, are synchronized. There are:

       ActiveSyncMailboxPolicy

       DatabaseAvailabilityGroup

       MailboxDatabase

       ManagedFolderMailboxPolicy (Microsoft Exchange 2010)

       OfflineAddressBook

       Organization

       PublicFolder

       PublicFolderDatabase (Microsoft Exchange 2010)

       RetentionPolicy

       RoleAssingmentPolicy

       Server

       SharingPolicy

       AddressList

       GlobalAddressList

2. Set up the synchronization project for synchronizing recipient of an Active Directory domain.
   • Check Only recipients of the following domain on the recipient scope page and select a Microsoft Exchange domain.
   • Customize the synchronization workflow.
     • Disable synchronization steps of all schema types that do not represent recipients. These are:

       ActiveSyncMailboxPolicy

       DatabaseAvailabilityGroup

       MailboxDatabase

       ManagedFolderMailboxPolicy (Microsoft Exchange 2010)

       OfflineAddressBook

       Organization

       PublicFolder

       PublicFolderDatabase (Microsoft Exchange 2010)

       RetentionPolicy

       RoleAssingmentPolicy

       Server

       SharingPolicy

       AddressList

       GlobalAddressList

     • Check that all schema types, not representing recipients, are synchronized. These are:

       Mailbox

       MailContact

       MailUser

       DistributionList

       DynamicDistributionList

       MailPublicFolder

3. Specify more base objects for the remaining Active Directory domains.
   • Open the first synchronization project for synchronizing recipients in the SynchronizationThe process of comparing data between One Identity Manager and a target system. Objects and their properties are compared by fixed rules. Synchronization results in the identical data situation in the target system and One Identity Manager database. Editor.
   • Create a new base object for every domain. Use the wizards to attach a base object.
     • Select the Microsoft Exchange connector in the wizard and declare the connection parameter. The connection parameters are saved in a special variable set.

       NOTE: Take note of the following when setting up the connection: Select a Microsoft Exchange server in the domain as server if possible. Select Only recipients of the following domain again in the recipient scope.

   • Create a new start up configuration for each domain. Use the new variable sets in the start up configuration.

   • Run a consistency check.

   • Activate the synchronization project.

4. Customize the synchronization schedule.