State of California GAL Synchronization Configuration · PDF fileState of California GAL...

Prepared by

Darryl Kegg and Aaron Guilmette

27-Apr-17

Version 1.5 Final

State of California GAL

Synchronization

Configuration

MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, our provision of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The descriptions of other companies’ products in this document, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their respective manufacturers.

© 2017 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express authorization of Microsoft Corp. is strictly prohibited.

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

3 State of California GAL Synchronization Configuration

Version History

Date Author Version Change Reference

1/11/17 Darryl Kegg, Aaron

Guilmette

0.1 Initial draft for review/discussion

1/13/17 Aaron Guilmette 0.2 Added information regarding extensionAttribute

filtering

1/15/17 Aaron Guilmette 0.3 Added information regarding ErrorLimit registry

settings

1/18/17 Aaron Guilmette 0.4 Updated backup and restore procedures

1/27/17 Aaron Guilmette 1.0 Marked FINAL

2/10/17 Aaron Guilmette 1.1 Updated rule 201 to remove join on

mailNickname

4/3/2017 Aaron Guilmette 1.2 Updated rule 201 to include a scoping filter for

DN NOTCONTAINS agency OU

4/17/2017 Aaron Guilmette 1.3 Updated rule 201 to change scoping filter for DN

NOTCONTAINS agency OU to mail notcontains

agencydomain.com.

4/24/2017 Aaron Guilmette 1.4 Updated sample schedule script

4/27/2017 Aaron Guilmette 1.5 Added note for AAD Connect Upgrades


Table of Contents Prepare Target Environment ........................................................................................................................ 6

Organizational Unit ................................................................................................................................... 6

Service Account ........................................................................................................................................ 6

Configure Connectivity ................................................................................................................................. 6

Tools ........................................................................................................................................................ 6

Network Port Requirements ..................................................................................................................... 6

Verification ........................................................................................................................................... 6

Sample Firewall Configuration .............................................................................................................. 7

DNS Resolution ......................................................................................................................................... 7

Verification ........................................................................................................................................... 7

Prepare 057D Environment .......................................................................................................................... 8

Attribute Selection ................................................................................................................................... 8

Available attributes ............................................................................................................................... 8

Attribute Value ......................................................................................................................................... 8

Verification ............................................................................................................................................... 8

Prepare AAD Connect Server ........................................................................................................................ 9

ErrorLimit Registry Value .......................................................................................................................... 9

Create the New GALSync Connector ........................................................................................................... 10

Create Run Profiles ................................................................................................................................. 14

Create the Legacy GAL Connector ............................................................................................................... 17

Create Run Profiles ................................................................................................................................. 22

Create Custom Metaverse Attribute ........................................................................................................... 25

Create Synchronization Rules ..................................................................................................................... 27

In from AD - Prevent Contact Target Address .......................................................................................... 27

In from AD - Flow CustomMailNickname - Group .................................................................................... 31

In from AD - Flow CustomMailNickname - User ...................................................................................... 33

In from AD - New GAL Contact ................................................................................................................ 34

In From AD - Legacy GAL Contact ............................................................................................................ 37

Out to AD - New GAL User Contact ......................................................................................................... 39

Out to AD - New GAL Group Contact ....................................................................................................... 41

Create Custom Sync Schedule ..................................................................................................................... 42


Sample Scheduled Task Script ................................................................................................................. 43

Configure the Synchronization Error Threshold........................................................................................... 43

Execute the First Sync Cycle ........................................................................................................................ 43

Backup and Recovery ................................................................................................................................. 43

Backup ................................................................................................................................................... 43

Restore ................................................................................................................................................... 44


Prepare Target Environment

Organizational Unit Each agency must have a unique OU configured in the target environment’s (CA Shared) Active Directory.

The current structure is:

OU=<department>,OU=SharedGAL,DC=cashared,DC=ca=,DC=gov

Service Account Each agency must have credentials with appropriate permissions to write their new objects to this OU.

Configure Connectivity The GAL Synchronization process requires DNS resolution to the cashared.ca.gov environment and network

access to the domain controllers in cashared.ca.gov.

Tools

• PsPing - https://technet.microsoft.com/en-us/sysinternals/psping.aspx

• Telnet (Install-WindowsFeature TelnetClient from an elevated PowerShell prompt)

Network Port Requirements Configure access on TCP/UDP ports 53, 135, 389, 445, 636, 3268 from both the AAD Connect server and the

domain controller that AAD Connect uses as its primary DNS server to the servers in cashared.ca.gov.

Verification

AAD Connect Server

1. Open an elevated PowerShell prompt.

2. Run one of the following commands in the elevated prompt:

telnet 100.124.2.132 389

or

psping 100.124.2.132:389

3. Repeat for ports 135, 445, 636, and 3268.

Domain Controller

1. Open an elevated PowerShell prompt.

2. Run one of the following commands in the elevated prompt:

telnet 100.124.2.132 53

or

psping 100.124.2.132:53

Note: Both TCP and UDP ports are required; telnet and psping can only test TCP.

https://technet.microsoft.com/en-us/sysinternals/psping.aspx


Sample Firewall Configuration

The following firewall configuration sample is similar to what can be used in a Cisco ASA firewall.

<PAT IP ADDRESS> - the IP address that Agency wants to use <AADCONNECT-SERVER-IP> - IP Address of AADConnect server <AADCONNECT-DC-IP> - IP Address of DC that AADConnect is using for primary DNS <OTECH ROUTER OR FIREWALL ADDRESS> - IP address the firewall/router on OTech’s side object network AGENCYPAT host <PAT IP ADDRESS> object network AGENCY-AZURE network-object object <AADCONNECT-SERVER-IP> network-object object <AADCONNECT-DC-IP> object network OTECH-ENDPOINT host <OTECH ROUTER OR FIREWALL ADDRESS> object-group network CASHARED-GAL network-object object 100.124.2.132 network-object object 100.124.2.132 network-object object 100.124.2.132 access-list outside_nat0_outbound extended permit ip object AGENCY-AZURE object-group CASHARED-GAL access-list outside_nat0_outbound_1 extended permit ip object-group CASHARED-GAL object AGENCY-AZURE access-list outside_cryptomap extended permit ip host OTECH-ENDPOINT object-group CASHARED-GAL nat (inside,Outside) source static AGENCYPAT OTECH-ENDPOINT destination static CASHARED-GAL CASHARED-GAL nat (inside,Outside) source dynamic AGENCY-AZURE OTECH-ENDPOINT destination static CASHARED-GAL CASHARED-GAL

DNS Resolution Configure the domain controller that AAD Connect uses as its primary DNS server with a conditional

forwarder zone.

1. Log into the domain controller.

2. Launch an elevated PowerShell prompt.

3. Run the following command in the elevated prompt:

$DnsServers = @('100.124.2.132','100.124.2.133','100.124.2.134') Add-DnsServerConditionalForwarderZone -MasterServers $DnsServers -Name cashared.ca.gov

Verification 1. From the AAD Connect server, open a command prompt.

2. Run the following commands in the prompt:

PS C:\> nslookup -q=srv _ldap._tcp.cashared.ca.gov


The expected result is similar to the following:

Server: agencydc.ca.gov Address: 10.1.1.1 _ldap._tcp.forestc.com SRV service location: priority = 0 weight = 100 port = 389 svr hostname = mcashdc1.cashared.ca.gov mcashdc1.cashared.ca.gov internet address = 100.124.2.132

Prepare 057D Environment An agency participating in the statewide GAL needs to filter out objects belonging to their own domain(s)

(since they will be contributing those objects to the SharedGAL container) as well as objects from 057D for

other agencies that are being synchronized into the SharedGAL container.

Prior to deploying GALSync, an attribute needs to be set in the on-premises Active Directory so that

MMSSPP sync can replicate the value to 057D, which will then get synchronized into the LegacyGAL OU in

the CA Shared environment.

Attribute Selection Each agency will require the selection and population on an attribute that will be used for filtering. The

following attributes have been identified as being available to use. Each agency must identify and use a

consistent attribute in their own agency.

Note: extensionAttribute13 is not available due to an existing constant mapping inside the existing

GALSync solution.

Available attributes ▪ extensionAttribute10

▪ extensionAttribute11




Attribute Value Once an attribute has been identified, populate the attribute for all objects synchronized to CES/057D via

MMSSPP with the value

MigratedFromCES

Verification To verify that the values have been synchronized, please check an in-scope object in CES either via the CES

Portal or PowerShell to the Exchange Dedicated endpoint (https://mail.ces.ca.gov/PowerShell).

Note: Once all agencies have been migrated, this attribute will no longer need to be populated.

https://mail.ces.ca.gov/PowerShell


Prepare AAD Connect Server In order to ensure the AAD Connect server can continue processing in the event of errors that occur on any

of the connectors (specifically the Legacy GAL and New GALSync connectors), it is recommended to

increase the error limit threshold for the AAD Connect Service.

Note: While the solution is supported by Premier, the inclusion of two connectors to the same AD forest

(the Legacy and New GAL connectors) will make it unable to upgrade AAD Connect. Until the Legacy GAL

is decommissioned, the Agency’s AAD Connect server will not be able to be upgraded. If the agency

requires an upgrade to AAD connect, it will need to remove the Legacy and New GAL connectors, perform

the upgrade, and then reconfigure the GAL connectors.

ErrorLimit Registry Value 1. Launch RegEdit as Administrator / elevated.

2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ADSync\Parameters

3. Right-Click > New > DWORD (32-bit value)

4. Name the value ErrorLimit.


5. Double-click to edit the ErrorLimit value, select Decimal, and then type in 100000 and hit OK.

6. Restart the Microsoft Azure ADSync service.

Create the New GALSync Connector 1. From inside the Synchronization service manager, create a standard AD connector for new shared

GAL.


2. Connect to the forest cashared.ca.gov using credentials supplied by OTech.

3. On the Configure Directory Partitions screen, select the DC=cashared,DC=ca,DC=gov directory

partition, and then click Containers.

4. Scope to the SharedGAL Organizational Unit by clearing all the checkboxes EXCEPT SharedGAL and

click OK.


Before

After


5. On the Configure Provisioning Hierarchy page, click Next.

6. On the Select Object Types page, select Contact and click Next.

7. On the Select Attributes page, click the Show All button, select the following attributes.

c

cn

co

company

department

description

displayName

division


extensionAttribute10





extensionAttribute15 facsimileTelephoneNumber

givenName

homePhone

info

initials

l

mail

mailNickname

middleName

mobile

msExchRecipientDisplayType

msExchRecipientTypeDetails objectGUID

otherHomePhone

otherTelephone

pager

physicalDeliveryOfficeName

postalAddress

postalCode

postOfficeBox

proxyAddresses

sn

st

street streetAddress

targetAddress

telephoneAssistant

telephoneNumber

title

8. Click OK to complete the connector creation.

Create Run Profiles

1. On the Connectors tab, right click on the New GALSync Connector, and select Configure Run

Profiles.


2. Click New Profile.


3. Enter Full Import in the name field and click Next.

4. Select the Full Import step type and click Next.


5. Click Finish.


7. Enter Full Synchronization in the name field and click Next.

8. Select the Full Synchronization step type and click Next.

9. Click Finish.


11. Enter Delta Import in the name field and click Next.

12. Select the Delta Import (Stage Only) step type and click Next.

13. Click Finish.


15. Enter Delta Synchronization in the name field and click Next.

16. Select the Delta Synchronization step type and click Next.

17. Click Finish.


19. Enter Export in the name field and click Next.

20. Select the Export step type and click Next.

21. Click Finish.

22. Click OK.

Create the Legacy GAL Connector 1. From inside the Synchronization service manager, create a standard AD connector for legacy

shared GAL.


2. Connect to the forest cashared.ca.gov using credentials supplied by OTech.

3. On the Configure Directory Partitions screen, select the DC=cashared,DC=ca,DC=gov directory

partition, and then click Containers.


4. Scope to the SharedGAL Organizational Unit by clearing all the checkboxes EXCEPT LegcacyGalSync

and click OK.

Before


After

5. On the Configure Provisioning Hierarchy page, click Next.


6. On the Select Object Types page, select Contact and click Next.

7. On the Select Attributes page, click the Show All button, select the following attributes, and then

click OK.

c

cn

co

company

department

description

displayName

division

extensionAttribute10 extensionAttribute11





facsimileTelephoneNumber

givenName

homePhone

info

initials

l

mail mailNickname

middleName

mobile

msExchRecipientDisplayType


msExchRecipientTypeDetails

objectGUID

otherHomePhone

otherTelephone

pager

physicalDeliveryOfficeName postalAddress

postalCode

postOfficeBox

proxyAddresses

sn

st

street

streetAddress

targetAddress

telephoneAssistant

telephoneNumber

title

8. Click OK to complete the connector creation.

Create Run Profiles 1. On the Connections tab, right-click on the Legacy GALSync connector and click Configure Run

Profiles.



3. Enter Full Import in the name field and click Next.


4. Select the Full Import step type and click Next.

5. Click Finish.


7. Enter Full Synchronization in the name field and click Next.

8. Select the Full Synchronization step type and click Next.

9. Click Finish.


11. Enter Delta Import in the name field and click Next.


12. Select the Delta Import (Stage Only) step type and click Next.

13. Click Finish.


15. Enter Delta Synchronization in the name field and click Next.

16. Select the Delta Synchronization step type and click Next.

17. Click Finish.


19. Enter Export in the name field and click Next.

20. Select the Export step type and click Next.

21. Click Finish.

22. Click OK.

Create Custom Metaverse Attribute 1. From inside the Synchronization Service Manager, click Metaverse Designer.

2. Click the person object type.

3. Click Add Attribute.


4. Click New attribute.

5. Type customMailNickname and click OK.

6. Click OK to close the Add Attribute to Object Type dialog box.

7. Click the group object type.

8. Click Add Attribute.


9. Select customMailNickname from the list and click OK.

Create Synchronization Rules Launch the Synchronization Rules Editor.

In from AD - Prevent Contact Target Address The purpose of this rule is to prevent the flowing of an AD user’s targetAddress into their corresponding

contact’s targetAddress when the object gets synchronized out to the GAL.

1. Select Inbound under direction, and then click Add New Rule.


2. On the Description page, enter the following values:

Name In from AD - Prevent Contact Target Address

Connected System Agency Active Directory connector

Connected System Object Type user

Metaverse Object Type person

Link Type join

Precedence 90 (or other unused value about 10 below default rules)

3. Click Next.


4. On the Scoping Filter page, click Next.

5. On the Join Rules page, click Next.


6. On the Transformations page, click Add transformation.

7. Enter the following values:

Flow Type Target Attribute Source Apply Once Merge Type Expression targetAddress AuthoritativeNull Update


8. Click Add.

In from AD - Flow CustomMailNickname - Group The purpose of this rule is to populate the CustomMailNickname attribute on the objects that will be going

to the Shared GAL. It will be used to help construct unique names in the event that multiple source objects

have the same alias value.



Name In from AD - Flow CustomMailNickname - Group


Connected System Object Type group

Metaverse Object Type group

Link Type join

Precedence 98 (or other unused value higher than Prevent Contact Target Adress)

3. Click Next.

4. On the Scoping Filter page, click Add Group.


5. Click Add Clause.

6. Enter the following values:

Attribute Operator Value mailNickname ISNOTNULL


7. Click Next.


9. On the Transformations page, enter the following values:

Flow Type Target Attribute Source Apply Once Merge Type Expression customMailNickname %Forest.Netbios% &

"." & [mailNickname]

Update

10. Click Add.

In from AD - Flow CustomMailNickname - User The purpose of this rule is to populate the CustomMailNickname attribute on the objects that will be going

to the Shared GAL. It will be used to help construct unique names in the event that multiple source objects

have the same alias value.



Name In from AD - Flow CustomMailNickname - User


Connected System Object Type user


Link Type join

Precedence 99 (or other unused value higher than Flow CustomMailNickname - Group)

3. Click Next.

4. On the Scoping Filter page, enter the following values:

Attribute Operator Value mailNickname ISNOTNULL

5. Click Next.



Flow Type Target Attribute Source Apply Once Merge Type Expression customMailNickname %Forest.Netbios% &

"." & [mailNickname]

Update

8. Click Add.


In from AD - New GAL Contact The purpose of this rule is to import objects from the new Shared GAL to the metaverse.



Name In from AD - New GAL Contact

Connected System New GALSync

Connected System Object Type contact


Link Type provision

Precedence 201 (or other unused value higher than all default values)

3. Click Next.

4. On the Scoping Filter page, enter the following values:

Attribute Operator Value dn NOTCONTAINS .group. mail NOTCONTAINS @<agencydomain>.ca.gov

5. Click Next.

6. On the Join Rules page, click Add group.


7. Click Add clause.

8. Enter the following values, clicking Add clause to add a line for each join rule:

Source Attribute Target Attribute Case Sensitive mailNickname customMailNickname


mail mail

9. Click Next.


Flow Type

Target Attribute Source Apply Once

Merge Type

Expression c Trim([c]) Update

Direct cn cn Update

Expression co Trim([co]) Update

Expression company Trim([company]) Update

Direct countryCode countryCode Update

Expression department Trim([department]) Update

Expression description IIF(IsNullOrEmpty([description]),NULL,Left(Trim(Item([description],1)),448))

Update

Expression displayName IIF(IsNullOrEmpty([displayName]),[cn],[displayName])

Update

Expression extensionAttribute1 Trim([extensionAttribute1]) Update















Expression facsimileTelephoneNumber Trim([facsimileTelephoneNumber]) Update

Expression givenName Trim([givenName]) Update

Expression homePhone Trim([homePhone]) Update

Expression info Left(Trim([info]),448) Update

Expression initials Trim([initials]) Update

Expression ipPhone Trim([ipPhone]) Update

Expression l Trim([l]) Update

Expression mail Trim([mail]) Update

Expression mailNickname IIF(IsPresent([mailNickname]), [mailNickname], [cn])

Update

Expression middleName Trim([middleName]) Update

Expression mobile Trim([mobile]) Update

Direct msExchRecipientDisplayType msExchRecipientDisplayType Update

Direct msExchRecipientTypeDetails msExchRecipientTypeDetails Update

Expression otherFacsimileTelephoneNumber Trim([otherFacsimileTelephoneNumber]) Update

Expression otherHomePhone Trim([otherHomePhone]) Update

Expression otherIpPhone Trim([otherIpPhone]) Update

Expression otherMobile Trim([otherMobile]) Update

Expression otherPager Trim([otherPager]) Update

Expression otherTelephone Trim([otherTelephone]) Update

Expression pager Trim([pager]) Update

Expression physicalDeliveryOfficeName Trim([physicalDeliveryOfficeName]) Update

Expression postalCode Trim([postalCode]) Update

Expression postOfficeBox IIF(IsNullOrEmpty([postOfficeBox]),NULL,Left(Trim(Item([postOfficeBox],1)),448))

Update

Expression proxyAddresses RemoveDuplicates(Trim(ImportedValue("proxyAddresses")))

Update

Expression sn Trim([sn]) Update


Expression sourceAnchor ConvertToBase64([objectGUID]) Update

Direct sourceAnchorBinary objectGUID Update

Constant sourceObjectType Contact Update

Expression st Trim([st]) Update

Expression streetAddress Trim([streetAddress]) Update

Direct targetAddress targetAddress Update

Expression telephoneAssistant Trim([telephoneAssistant]) Update

Expression telephoeNumber Trim([telephoneNumber]) Update

Expression title Trim([title]) Update

Expression cloudFiltered IIF(IsPresent([isCriticalSystemObject]) || ( (InStr([displayName], "(MSOL)") > 0) && (CBool([msExchHideFromAddressLists]))) || (Left([mailNickname], 4) = "CAS_" && (InStr([mailNickname], "}") > 0)) || CBool(InStr(DNComponent(CRef([dn]),1),"\\0ACNF:")>0), True, NULL)

Update

Expression mailEnabled IIF(( (IsPresent([proxyAddresses]) = True) && (Contains([proxyAddresses], "SMTP:") > 0) && (InStr(Item([proxyAddresses], Contains([proxyAddresses], "SMTP:")), "@") > 0)) || (IsPresent([mail]) = True && (InStr([mail], "@") > 0)), True, False)

Update

11. Click Add.

In From AD - Legacy GAL Contact The purpose of this rule is to import objects from the Legacy GAL to the metaverse.



Name In from AD - Legacy GAL Contact

Connected System Legacy GALSync



Link Type provision

Precedence 203 (or other unused value higher than the In From AD – New GAL Contact rule)

3. Click Next.

4. On the Scoping Filter page, enter the following values for each domain for which the agency hosts

mail:

Attribute Operator Value mail NOTCONTAINS @agencydomain.ca.gov

5. On the Scoping Filter page, add a scoping filter rule to the same clause for extensionAttribute10

through extensionAttribute15:

Attribute Operator Value


extensionAttribute10 NOTCONTAINS MigratedFromCES extensionAttribute11 NOTCONTAINS MigratedFromCES extensionAttribute12 NOTCONTAINS MigratedFromCES extensionAttribute13 NOTCONTAINS MigratedFromCES extensionAttribute14 NOTCONTAINS MigratedFromCES

extensionAttribute15 NOTCONTAINS MigratedFromCES

6. Click Next.

7. On the Join Rules page, enter the following values:

Source Attribute Target Attribute Case Sensitive mailNickname customMailNickname

mail mail

8. click Next.


Flow Type


Merge Type


Direct cn cn Update






Update


Update

























Update




Direct msExchRecipientDisplayType msExchRecipientDisplayType Update

Direct msExchRecipientTypeDetails msExchRecipientTypeDetails Update











Update


Update







Direct targetAddress targetAddress Update




Expression cloudFiltered IIF(IsPresent([isCriticalSystemObject]) || ( (InStr([displayName], "(MSOL)") > 0) && (CBool([msExchHideFromAddressLists]))) || (Left([mailNickname], 4) = "CAS_" && (InStr([mailNickname], "}") > 0)) || CBool(InStr(DNComponent(CRef([dn]),1),"\\0ACNF:")>0), True, NULL)

Update

Expression mailEnabled IIF(( (IsPresent([proxyAddresses]) = True) && (Contains([proxyAddresses], "SMTP:") > 0) && (InStr(Item([proxyAddresses], Contains([proxyAddresses], "SMTP:")), "@") > 0)) || (IsPresent([mail]) = True && (InStr([mail], "@") > 0)), True, False)

Update

10. Click Add.

Out to AD - New GAL User Contact The purpose of this rule is to provision a new user contact object in the agency Office 365 GAL.

1. Select Outbound under direction, and then click Add New Rule.


Name Out to AD - New GAL User Contact




Link Type provision

Precedence 300 (or other unused value higher than all other rules)

3. Click Next.



mail:

Attribute Operator Value customMailNickname ISNOTNULL

mail ISNOTNULL

5. Click Next.


Source Attribute Target Attribute Case Sensitive mail mail

7. click Next.


Flow Type


Merge Type







Update


Update

Expression dn "CN=" & [customMailNickname] & ",OU=<dept>, OU=SharedGAL,DC=cashared,DC=ca=,DC=gov"

Update

























Update




Constant msExchRecipientDisplayType 6 Update

Constant msExchRecipientTypeDetails 128 Update











Update


Update







Expression targetAddress "SMTP:" & [mail] Update




9. Click Add.

Out to AD - New GAL Group Contact The purpose of this rule is to provision a new group contact object in the agency Office 365 GAL.

1. Select Outbound under direction, and then click Add New Rule.


Name Out to AD - New GAL Group Contact



Metaverse Object Type group

Link Type provision

Precedence 301 (or other unused value higher than Out to AD – New GAL User Contact rule)

3. Click Next.


mail:

Attribute Operator Value customMailNickname ISNOTNULL

mail ISNOTNULL


5. Click Next.


Source Attribute Target Attribute Case Sensitive mail mail

7. click Next.


Flow Type


Merge Type


Update


Update

Expression dn "CN=.group." & [customMailNickname] & ",OU=<dept>, OU=SharedGAL,DC=cashared,DC=ca=,DC=gov"

Update



















Update

Constant msExchRecipientDisplayType 6 Update

Constant msExchRecipientTypeDetails 128 Update


Update

Expression targetAddress "SMTP:" & [mail] Update

9. Click Add.

Create Custom Sync Schedule 1. Disable the default AAD Connect synchronization schedule.

a. Launch an elevated PowerShell prompt.

b. Run Import-Module ADSync

c. Run Set-ADSyncScheduler -SyncCycleEnabled $False

2. Create new scheduled task to call each of the required run profiles for AD, AAD, New and Legacy

GALSync connectors. The scheduled task should be configured to execute every 30 minutes using


an account that is a member of both the AADSync Admins group and the local Administrators

group.

3. Replace the value after -ConnectorName with the connector name as it is displayed in the AAD

Connect Synchronization Service Manager. It is cAsE sENsItIvE.

4. The values for -RunProfileName must explicitly match one of the values specified in the run profile

configuration for the connector. It is cAsE sENsItIvE.

Sample Scheduled Task Script Import-Module ADSync Invoke-ADSyncRunProfile -ConnectorName "activedirectory.com" -RunProfileName "Delta Import" Invoke-ADSyncRunProfile -ConnectorName "tenant.onmicrosoft.com - AAD" -RunProfileName "Delta Import" Invoke-ADSyncRunProfile -ConnectorName "New GALSync" -RunProfileName "Delta Import" Invoke-ADSyncRunProfile -ConnectorName "Legacy GALSync" -RunProfileName "Delta Import" Invoke-ADSyncRunProfile -ConnectorName "albr.ca.gov" -RunProfileName "Delta Synchronization" Invoke-ADSyncRunProfile -ConnectorName "tenant.onmicrosoft.com - AAD" -RunProfileName "Delta Synchronization" Invoke-ADSyncRunProfile -ConnectorName "New GALSync" -RunProfileName "Delta Synchronization" Invoke-ADSyncRunProfile -ConnectorName "Legacy GALSync" -RunProfileName "Delta Synchronization" Invoke-ADSyncRunProfile -ConnectorName "tenant.onmicrosoft.com - AAD" -RunProfileName "Export" Invoke-ADSyncRunProfile -ConnectorName “activedirectory.com” -RunProfile “Export” Invoke-ADSyncRunProfile -ConnectorName "New GALSync" -RunProfileName "Export"

Configure the Synchronization Error Threshold Since objects with overlapping SMTP values exist in the LegacyGAL OU, it is possible that during the first

few runs after an agency has been configured for GAL that there will be a significant number of errors until

all objects have been updated in MMSSPP, the OTech GALSync, and CAShared. To work around this, please

configure the following registry value:

Path: HKLM\SYSTEM\CurrentControlSet\ADSync\Parameters

Name: ErrorLimit

Type: REG_DWORD

Value: 100000 (decimal) or 186a0 (hexadecimal)

After setting this value, restart the Microsoft Azure AD Sync Service.

Execute the First Sync Cycle 1. From the Synchronization Manager, select the Connectors tab.

2. Right-click on the New GALSync connector, select Run, click Full Import and then click OK.

3. Right click on the Legacy GALSync connector, select Run, click Full Import, and then click OK.

4. Wait for these two cycles to complete successfully.

5. Launch the Task Scheduler.

6. Execute the previously configured Scheduled Task.

Backup and Recovery Once solutions are deployed, it is recommended to back up the current configuration.

Backup 1. Launch elevated PS session. 2. Import-Module ADSync 3. Mkdir c:\backup


4. Get-ADSyncServerConfiguration -Path C:\Backup 5. Zip up and email to yourself, save to OneDrive, etc.

Restore 1. Rebuild AADConnect server, express setup, use credentials for connectivity to on-prem forest and

AAD, but clear checkbox for “Synchronize Now.” 2. Log into Office 365 portal, locate Sync service account, reset password. 3. Copy/extract AADConnect backup ZIP file to C:\Backup. 4. From inside Synchronziation Server Manager, delete AD and AAD Connectors. 5. Launch elevated PowerShell session. 6. Import-Module ADSync 7. Set-ADSyncServerConfiguration -Path C:\Backup 8. Launch synchronization engine 9. Properties > Connectivity on each connector and input appropriate credentials (cloud AADSync

service account that was reset in step 2, on-premises AD account for AD connector, credentials for GALSync connector)

State of California GAL Synchronization Configuration · PDF fileState of California GAL...

Documents

Transcript of State of California GAL Synchronization Configuration · PDF fileState of California GAL...