Tools for Exchange & Active Directory

GALsync v5 announced for Exchange 2013 and Office 365

2013-03-18T17:14:13Z

NETsec announced version 5 of its favorite software GALsync to synchronize Global Address Lists between Exchange organizations.

With version 5.0 of GALsync, support for Exchange Web Services and PowerShell 2.0 was added.
GALsync now can synchronize with Exchange Online (Microsoft Office 365).
GALsync version 5 is able to synchronize the Global Address Lists between Exchange 2007 SP1, Exchange 2010 SP1, Exchange 2013 and Exchange Online.
The former built-In Free/Busy solution (Synchronizing Public Folder contents using MAPI) has been deprecated, thus version 5.0 of GALsync enables customers to set up an live Free/Busy using Online Free/Busy or MS Federation.
Extended performance improvements and less bandwidth needs
GUI of GALsync is updated to the new Windows8-Style

more information at NETsec Website

Troubleshooting Cross Forest Delegation

2013-03-03T12:44:53Z

Setting up a untrusted cross-forest environment supports a simple Free/Busy query between two the forests using „galsynced“ contacts. This feature I described in article Cross-Forest Free/Busy without Federation and its corresponding troubleshooting guide.

In this article I want to share some experiences with troubleshooting the Cross-Forest Delegation feature. Cross-Forest Delegation allows completly to manage a delegated calendar even if people are placed in different mail-organizations. But there must be a domain-trust in place.

To synchronize objects I prefer NETsec's GALsync, which is much easier to use than Microsofts FIM etc.

]]> Topology

Summary

Basically the following prerequisites must be met…

Network and Messaging availability
Forest Trust between Forests
Cross-Forest Availability Configured
Outlook 2007 SP1+
Exchange Server 2007 SP1+
GALsync configured with option CROSS-FOREST-DELEGATION

NOTE: WE STRONGLY RECOMMEND TO TROUBLESHOOT WITH OUTLOOK FIRST SET TO ONLINE-MODE.

Troubleshooting Level 1

At this level you check the ability to set up a simple mail communication between two forests. The „galsynced“ contacts of your partner are available in your Global Address Book.

Network

Ensure that you can communicate over the network by using DNS. Assumed you have a DNS Forwarder at FORESTA.COM side to FORESTX.COM and vice versa:
Can you nslookup / ping the Domain Controller and the Exchange Server at the other site?

Simple Mail-Communication

Assumed you have mailbox-enabled user JANE at FORESTA.COM and JOHN at FORESTX.COM:

Is JANE able to send an email to JOHN by inserting JOHN@FORESTX.COM into her TO-Line of the message?
Is JOHN able to send an email to JANE by inserting JANE@FORESTA.COM into his TO-Line of the message?

GALsync

Synchronize all mailbox-enabled users with GALSYNC from your domain to the other domain. They are created as mail-enabled contacts. Export JANE from FORESTA TO FORESTX and import her at FORESTX: Export JOHN from FORESTX TO FORESTA and import him at FORESTA.
If you do not want to configure Cross-Forest Delegation you can use the default configurations setting of GALsync. A synchronized object should have these attribute values (check with Attribute-Editor):

		Source Mailbox Attributes	Cross-forest mail contact attributes in the target forest
1	legacyExchangeDN	Must be set	Must be set
2	proxyAddresses	The primary SMTP-Address from the source object will be the value of the attribute targetaddress in the targetdomain	Not significant
3	targetAddress	Not Set	The primary SMTP-Address from the source object should be the value of attribute targetaddress

Are the values of the attributes as expected?

If you want to configure Cross-Forest Delegation you must tick a box in the appropriate export policy and appropriate import policy

Is there any warning or error by running the export policy?
Is there any warning or error by running the import policy?

The synchronized objects should have these attribute values (check with Attribute-Editor):

		Source Mailbox Attributes	Cross-forest mail contact attributes (target forest)
1	legacyExchangeDN	Not significant	Must be set
2	mailNickname	Not significant	Must be set
3	objectSid	(i.e) S-1-5-21-3511955210-643191710-2064615621-5187	Not significant
4	mAPIRecipient	Not significant	Not Set
5	msExchMasterAccountSid	Not significant	Must have the same value like the objectSid of the source object
6	msExchOriginatingForest	Not significant	Must have the same value like the Forest FQDN of the source object
7	msExchRecipientDisplayType	Not significant	Must have the value -1073741818
8	msExchRecipientTypeDetails	Not significant	Must have the value 32768
9	proxyAddresses	The primary SMTP-Address from the source object will be the value of the attribute targetaddress in the targetdomain	Not significant
10	targetAddress	Not Set	The primary SMTP-Address from the source object should be the value of attribute targetaddress

Are the values of the attributes as expected?
Is the RECIPIENT TYPE of JOHN in Exchange Management Console displayed as CROSS-FOREST MAIL CONTACT?

Mail-Communication supported by GALsync

After objects are synchronized endusers can pick the names from the Global Address List.

Is JANE able to send an email to JOHN by picking the contact of JOHN from the GLOBAL ADDRESS BOOK?
Is JOHN able to send an email to JANE by picking the contact of JANE from the GLOBAL ADDRESS BOOK?

Troubleshooting Level 2

At this level you check the ability to setup a cross-forest environment with a simple Free/Busy query between two untrusted forests using „galsynced“ contacts of your partner. To configure this have a look at the note below.
NOTE: FOR SETTING UP AN TEST-LAB FOR CROSS-FOREST FREE/BUSY WITHOUT FEDERATION SEE HTTP://WWW.TOOLS4EXCHANGE.COM/2012/11/CROSS-FOREST-FREEBUSY-WITHOUT-FEDERATION.HTML

Trust

To configure a Cross-Forest Delegation a trust is required. Check if the trusts are in place and if they are working.

NOTE: TO CHECK TRUST FOLLOW THIS ARTICLE: HOW TO DETERMINE TRUST RELATIONSHIP CONFIGURATIONS AT HTTP://SUPPORT.MICROSOFT.COM/KB/228477/EN-US OR DOMAIN AND FOREST TRUST TOOLS AND SETTINGS AT HTTP://TECHNET.MICROSOFT.COM/EN-US/LIBRARY/CC756944(V=WS.10).ASPX

Certificates

In FORESTA.COM: are you able to log into OWA (by https) or Outlook (by Outlook Anywhere) as JANE without any certificate error indicated?
In FORESTX.COM: are you able to log into OWA (by https) or Outlook (by Outlook Anywhere) as JOHN without any certificate error indicated?

NOTE: IF YOU EXPERIENCE ANY ERROR, PLEASE LOOK AT TROUBLESHOOTING CERTIFICATE VALIDATION ERRORS AT HTTP://TECHNET.MICROSOFT.COM/EN-US/LIBRARY/BB331963(V=EXCHG.141).ASPX

Autodiscover

Cross-forest free/busy queries and cross-forest delegation requires a working autodiscover.

If FORESTA and FORESTX are internetfacing use MICROSOFT REMOTE CONNECTIVITY ANALYZER at https://www.testexchangeconnectivity.com/.
If FORESTA and FORESTX are intranet-based then use MICROSOFT CONNECTIVITY ANALYZER TOOL at http://technet.microsoft.com/library/feba32b0-b7eb-4b1b-ba3d-99e20ba82a8c

If you experience issues with autodiscover, reset the virtual directory for autodiscover in Exchange Management Console. This was often the solution for me!

Availability Adressspace

We assume that you have configured Availability Adressspace similar as shown below

Add-AvailabilityAddressSpace -ForestName "TargetSMTPnamespace.com" -AccessMethod PerUserFB -UseServiceAccount $true
Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "Remote Forest\Exchange Servers"
$a = Get-Credential
Export-AutoDiscoverConfig -DomainController -TargetForestDomainController -TargetForestCredential $a -MultipleExchangeDeployments $true

Check GET-AVAILABILITYADDRESSSPACE and GET-AVAILABILITYCONFIG and GET-AUTODISCOVERCONFIG.
NOTE: SEE ALSO FREE/BUSY INFORMATION WITHOUT FEDERATION - TROUBLESHOOTING GUIDE AT HTTP://WWW.TOOLS4EXCHANGE.COM/2012/12/FREEBUSY-INFORMATION-WITHOUT-FEDERATION---TROUBLESHOOTING-GUIDE.HTML

A simple cross-forest Free/Busy Query

Is JANE able to create an new meeting request by inviting JOHN (by picking the contact of JOHN from the GLOBAL ADDRESS BOOK) and have a lookup to his F/B information?

The best place to collect logging data is in the Outlook client. Enable this in Outlook’s OPTIONS (either via the Tools menu in Outlook 2007 or backstage in Outlook 2010) -> ADVANCED. Tick the ENABLE TROUBLESHOOTING LOGGING box and restart Outlook. Logfiles are stored in %TEMP%\... (note: this folder is by default not visible)

Troubleshooting Level 3

At this level you check the ability to setup a cross-forest delegation. This enables you to configure a so called delegate access. So JOHN from FORESTX grants JANE from FORESTA access to his calendar.

Delegation

Is JOHN able to delegate access to JANE?

Is JANE able to open the delegated calendar of JOHN BY PICKING JOHN FROM GAL?

Is JANE able to insert a new appointment directly to JOHNS calendar?

Federated GAL sharing between Office 365 and Exchange On-Premise

2013-03-01T15:32:25Z

With GALsysnc v5 we introduce a software for synchronizing Global Address List between independent Office 365 and Exchange On-Premise organizations. Some people call it Federated GAL sharing.

The only thing you need, is GALsync. In this article I provide you with a Quickstep installation (i.e. for testing environment).

]]> Topology

With GALsync v5 you can share your GAL between Exchange 2007, Exchange 2010, Exchange 2013 and Exchange Online organizations.

Here you test the basic steps for a successful first unidirectional synchronization. In this example the source and/or the target may be On-Premise or Exchange Online (only).

Prerequisites

Your environment must be based on Exchange 2007 SP1 and higher or Exchange Online (only).
The computer you want to install GALsync on

Must be a member of the domain if your side is On-Premise. It should have a good bandwidth to the next DC/GC and an Exchange Server with CAS role.
May be a standalone machine if your side is Exchange-Online.
Should have a dual-core processor and 2GB RAM.
Can be a client OS, i.e. Windows 7 Professional (64-Bit), for testing or a server OS, i.e. Windows 2008 R2 SP1 (64-Bit).
Must be configured with .NET Framework 3.5. Even if .NET Framework 4 is installed you have to add .NET Framework 3 .5 (SERVER MANAGER -> ADD ROLES AND FEATURES -> FEATURES -> .NET FRAMEWORK 3.5 (includes .NET 2.0 and 3.0)
Must be configured with PowerShell 2.0 Engine note. Even if PowerShell 3.0 is installed you have to add PowerShell 2.0 Engine (SERVER MANAGER -> ADD ROLES AND FEATURES -> FEATURES -> WINDOWS POWERSHELL -> POWERSHELL 2.0 ENGINE)

Create a mailbox in source and in target forest. Ensure that messages can be send between these mailboxes.

On-Premise: Provide the user of the mailbox with administrative permissions on the machine you want to install GALsync on. Provide the user of the mailbox in the target forest with administrative permissions on the machine you want to install GALsync on.
Exchange-Online: The user of the mailbox must be member of the EXCHANGE ORGANIZATION MANAGEMENT role.
Ensure that the mailbox is accessible (i.e. by Outlook Web Access), that the mailbox can send to and receive mails from the other organization and that incoming mails from the other organization do not get caught by your spam filter or firewall.

If your target side is On-Premise then create an Organizational Unit where you want to import the source objects. The GALsync Service Account needs write permissions in the Active Directory for the import OU. To grant this see chapter PERMISSIONS in section ACTIVE DIRECTORY PERMISSION FOR THE IMPORT OU.
If your side is On-Premise, make sure that you can logon with the configured SA. Also it is required that the setup of GALsync can grant this account with local security permissions to LOG ON AS SERVICE. Also you may add the SA account to the local group REMOTE DESKTOP USERS.
For testing purposes create some mailboxes and a group. Add the mailboxes as member to the group.

Install the software in the source forest

Login with the user you created before. Run setup.
Run GALsync the first time and configure a Service Account (SA) by taking the same account as you are logged in (On-Premise).

If the setup detects that GALsync was installed on a standalone machine, the SA will be added automatically as LOCALSYSTEM.

Running GALsync you can check the SA configuration and your log-in account at bottom left corner.
In menu HELP select ABOUT and add your license. See also chapter LICENSING.
On-Premise only: In menu OPTIONS select EXCHANGE. Configure the access to your Exchange Server. Click MANUAL SETTING and the SEARCH icon. Now GALsync tries to use autodiscover and displays the URI it discovers. If you get an error message please insert the correct URI for your environment.
Leave the other options unclicked.
Confirm the first configuration by pressing the SAVE button.

Create and run an export policy

Create a first Export policy lead by the wizard

Choose to EXPORT DIRECTORY INFORMATION if you are On-Premise or choose EXPORT EXCHANGE ONLINE if you use Office 365. Click NEXT.
If you are Exchange Online then insert the user-ID and password of an appropriate account in the cloud. Click NEXT. GALsync tries to connect to Exchange Online. This may take a certain time.

Choose VIA EMAIL as data transfer mode. Insert the SMTP address of the mailbox in the target forest which will receive the data. Click NEXT.
Exchange On-Premise: As directory information SEARCH for the group which you created for test purposes with some test-mailboxes and groups as member. APPLY and click NEXT. Choose GROUP + MEMBERSHIP. Choose INCLUDE NESTED GROUPS. Choose SETTINGS FOR ALL GROUPS. Click OK. Click NEXT.
Exchange On-Premise: As
As directory information SEARCH for the group which you created for test purposes with some test-mailboxes and groups as member. APPLY and click NEXT. Choose GROUP + MEMBERSHIP. Choose INCLUDE NESTED GROUPS. Choose SETTINGS FOR ALL GROUPS. Click OK. Click NEXT.
Leave STATUS NOTIFICATION EMAILS unclicked and click NEXT.
Leave SCHEDULE SERVICE unclicked and click NEXT.
In the GENERAL SECTION insert a name for the policy and click NEXT.
After in SUMMARY SECTION all your configuration is validated click FINISH.
Execute the policy by clicking RUN while mouse focus is set to the policy name in the hierarchy tree on the left hand side. The OPERATION STATUS displays the progress. After execution click CLOSE.

GALsync sends the result to the target forest

This procedure is done by the GALsync software. It sends the data of your source forest through the configured mailbox (i.e. service account if On-Premise). The message is routed with the attached data to the recipient mailbox in the target forest.

Install the software in the target forest

Login with the user you created before. Run setup.
Run GALsync the first time and configure a Service Account (SA) by taking the same account as you are logged in (On-Premise).
If the setup detects that GALsync was installed on a standalone machine, the SA will be added automatically as LOCALSYSTEM.
Running GALsync you can check the SA configuration and your log-in account at bottom left corner.
In menu HELP select ABOUT and add your license. See also chapter LICENSING.
On-Premise only: In menu OPTIONS select EXCHANGE.
Configure the access to your Exchange Server. Click “Manual setting” and the SEARCH icon. Now GALsync tries to use autodiscover and displays the URI it discovers. If you get an error message please insert the correct URI for your environment.
Leave the other option unclicked.
Confirm the first configuration by pressing the SAVE button.

GALsync receives the result from the source forest

This procedure is done by the GALsync software. It receives the data of the source forest through the configured mailbox (i.e. service account if On-Premise).

Create and run an import policy

Create a first Import policy lead by the wizard.

Choose to IMPORT DIRECTORY INFORMATION if you are On-Premise or IMPORT EXCHANGE ONLINE if you use Exchange Online. Click NEXT.
If you are Exchange Online then insert the user-ID and password of an appropriate account in the cloud. Click NEXT. GALsync tries to connect to Exchange Online. This may take a certain time.
Choose VIA EMAIL as data transfer mode. Leave the FILTER: SUBJECT blank. Click NEXT.
If you are Exchange Online skip the Directory step with NEXT. If you are On-Premise choose (step DIRECTORY INFORMATION) the Organizational Unit where to store the new objects. Click NEXT.
If you are On-Premise choose (step DIRECTORY INFORMATION) the Organizational Unit where to store the new objects. Click NEXT.
Note: The SA must have suffient permissions to create and modify objects in this OU.
Leave STATUS NOTIFICATION emails unclicked and click NEXT.
Leave SCHEDULE SERVICE unclicked and click NEXT.
In the GENERAL SECTION insert a name for the policy and click NEXT.
After in SUMMARY section all your configuration is validated click FINISH.
Execute the policy by clicking RUN while mouse focus is set to the policy name in the hierarchy tree lefthander.
The OPERATION STATUS displays the progress. After execution click CLOSE.

Now you should see the synchronized group and the group member as contacts in the GAL of the target forest. Please note that Exchange On-Premise sometimes requires a certain time to update the address lists.

We had a great time developing our products and we hope you have an equally great time working with them. If you experience any problems we are more than happy to support you. support@netsec.de

Free/Busy between two Exchange Online / Office365 Organizations

2013-02-05T11:50:00Z

In this blog I will describe how you can provide Free/Busy information between different Exchange Online / Office 365 organizations.
Usually people are able to send requests to share calendar individually, but we want to implement an enterprise-wide configuration.
If you want that all the mailobjects of your partners organization are present in your own Global Address List (GAL) then you can use a tool like NETsec's GALsync.

Between 2 Exchange Online Partners you do not need to establish a Federation Trust or configure autodiscover records because this is already present (by default).

]]> In this example we have two Exchange Online organizations named A and B.

Regarding organization a.onmicrosoft.com execute in Windows Powershell the set of commands described below using the credential of an admin in a (i.e. admin@a.onmicrosoft.com)

Set-ExecutionPolicy RemoteSigned

$LiveCred = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic –AllowRedirection

Import-PSSession $Session

Enable-OrganizationCustomization (has an error as result in mz experiences but it does not impact the total result)

Get-FederationInformation –DomainName b.onmicrosoft.com | New-OrganizationRelationship –Name b -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

After that users from organization B can take users from A throug picking the object from GAL (done by GALsync) and send a meeting invitation with a prior free/busy lookup.

Regarding organization b.onmicrosoft.com execute in Windows Powershell the set of commands described below using the credential of an admin in a (i.e. admin@b.onmicrosoft.com)

Set-ExecutionPolicy RemoteSigned
$LiveCred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic –AllowRedirection
Import-PSSession $Session
Enable-OrganizationCustomization (has an error as result in mz experiences but it does not impact the total result)
Get-FederationInformation –DomainName a.onmicrosoft.com | New-OrganizationRelationship –Name a -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

After that users from organization A can take users from B throug picking the object from GAL (done by GALsync) and send a meeting invitation with a prior free/busy lookup.

Links:

http://maso.dk/2011/07/26/federation-in-the-cloud-enable-freebusy/

http://help.outlook.com/en-us/140/ff383252.aspx

Free/Busy information without Federation - Troubleshooting Guide

2012-12-26T10:50:42Z

In a previous article I described how to share free/busy information in an untrusted cross-forest environment. The procedures are published not very often and you sometimes get some "nice errors". I use the follwoing steps to troubleshoot these issues.

]]>

Checklist

1. Basic Tests

Does dcdiag on your DCs or does exbpa on your Exchange server indicate any errors, which could be related to your issue?
Are the clients in both forests able to get free/busy information of other clients in the same domain?

2. Connectors

Are clients able to send/receive mails (between the 2 forests) by sending mail using the SMTP address of the recipient
Are clients able to send/receive/accept/decline meeting invitations (between the 2 forests) by sending mail using the SMTP address of the recipient

3. GALsync

Are the mailboxes from source created as contacts in the target by using GALsync?
Are clients able to send/receive mails (between the 2 forests) by sending mail using the GAL to address the recipient
Are clients able to send/receive/accept/decline meeting invitations (between the 2 forests) by sending mail using the GAL to address the recipient

4. Proxy Account

Are the proxy accounts on both sides present? (if you want only a uni-directional f/b query the proxy account must be present in the target domain which will be queried).

5. Certificates

Is the certificate of the source domains CAS servers present in the target domains CAS servers certificate store?
Is the certificate of the target domains CAS servers present in the source domains CAS servers certificate store?
Is the certificate of the CAS server assigned to IIS?
Are the correct alternate names configured in the certificates?

6. Virtual Directories

Are you able to connect to the target mailbox by using OWA Client (i.e. without getting certificate errors)?
Are the internal and external URLs for autodiscover configured?
Get-autodiscoverVirtualDirectory| fl name,server,InternalURL,ExternalURL
Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory –InternalURL https://adc.foresta.com/autodiscover/autodiscover.xml –ExternalURL https://adc.foresta.com/autodiscover/autodiscover.xml
Please wait 15 MS-Minutes after configuring the value
connection test
- Exchange 2010: test-outlookwebservice -targetaddress user@forestB.com | fl
- Exchange 2013: $cred=get-credentials
  test-outlookwebservice -id:juser@forestC.com -mailboxcredential $cred| fl
- Get-WebServicesVirtualDirectory | fl name,server,InternalURL,ExternalURL
- Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory –ExternalURL https://mobile.forestC.com/EWS/Exchange.asmx
Are the CAS Servers ot the source able to perform nslookup/ping to autodiscover.targetdomain.xx?
Can you query the autodiscover URL with Internet Explorer and check if you get an certificate issue?
If you get an authentication request then insert a valid user name and password. Getting error 600 then this is the expected result and means: everything ok.

7. Availability Address Space

Did you configure the AddressSpace in the source domain correctly?
Get-AvailabilityAddressSpace
Add-AvailabilityAddressSpace –Forestname "ForestB.com" -AccessMethod OrgWideFB –Credential (get-Credential)
please use the credentiasl of the proxyaccount, which was configured in the target forest
Did you configure –OrgWideAccount in the target forest?
Get-AvailabilityConfig
Set-AvailabilityConfig –OrgWideAccount freebusy

TROUBLESHOOTING

Increase the eventlog level:
Get-EventLogLevel | Set-EventLogLevel -Level expert

If you do not want to get a lot of results you should reduce the services to the following:
Set-EventLogLevel "MSExchange Autodiscover\Core" -Level expert
Set-EventLogLevel "MSExchange Autodiscover\Web" -Level expert
Set-EventLogLevel "MSExchange Autodiscover\Provider" -Level expert
Set-EventLogLevel "MSExchange Availability\Availability Service" -Level expert
Set-EventLogLevel "MSExchange Availability\Availability Service General" -Level expert
Set-EventLogLevel "MSExchange Availability\Availability Service Authentication" -Level expert
Set-EventLogLevel "MSExchange Availability\Availability Service Authorization" -Level expert
Open Outlook in protocol mode
http://support.microsoft.com/kb/300479?wa=wsignin1.0
Note: Outlook 2013 seems not to use the fblog*.log as in earlier versions like in Outlook 2010, so troubleshooting with OLK13 is much more difficult. Use 2010!
Run your Outlook clients in online mode, not in cached mode to keep your testing results "clean".
Re-assign the password of the proxy account.
Run Get-AvailabilityAddressSpace | remove-AvailabilityAddressSpace in the source forest and re-create the addresspace. Please keep an eye on the correct password.
Re-create the virtual services for EWS and autodiscover. You can perform this in the EMC (Exchange 2007/2010) – please wait 15 minutes after that.

LINKS

Experiences

If you want to set internalurl or externalurl parameters inside Set-AutodiscoverVirtualDirectory, this will not work. Even if TECHNET says that it would work. i.e. Set-AutodiscoverVirtualDirectory -identity "CASserver\Autodiscover (Default Web Site)" –InternalUrl will produce an error saying that the arguments do not exist.
Solution: Use adsiedit in configuration partition. Look for msExchInternalHostName and msExchExternalHostName in:

CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=B,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=,DC=com

Migration Tools: CopyOUStructure and user objects

2012-12-06T11:18:42Z

CopyOUStructure is a command-line solution to aid cross-forest migration scenarios.

Most cross-forest migration projects happen under heavy time pressure. The structure of organizational units within the common target forest is in most cases no subject to change, as the current structure shall be kept from the source. The redesign of the OU structure is in most cases part of a later project, as it should not have any impact with the migration itself, and would only increase the budget and lenght in time of the migration project.

The effect will carry out the most when using ADMT: It is only able to migrate all user-objects in one target OU or to clone source OUs with users direct to the target root. But in most cases you will want to replicate the source OU-structure into on sub-OU on the target. There is a possibility to copy a whole OU-structure, but only at top-level, which is desaterous when planning a company-merge.

We also need to replicate the source OU-structure to be able to migrate the GPOs of the source and link them corresponding to the source domain. Groups on the other hand are not in the scope of this tool, as for a membership it does not matter where the group physically exists.

As our consulting is involved in many migration projects, we developed this tool to aid the projects.

We also decided that we want to provide this tool without any cost:

Download free full-version

]]> Just replicating the OU-Structure will not do the whole job. If you would only like that (so not moving the migrated users to the corresponding OU) you might find these links helpful:

Starting Point

In the following example we have two Companys (CompanyA and CompanyB) sharing the same forestname. For different reasons they want to merge CompanyB into CompanyA.

The Structure of CompanyA will stay untouched. The OU-Structure of CompanyB will be replicated into one top-level OU in CompanyA. Using ADMT, the Active Directory Objects of CompanyB will be migrating into this OU. Once all objects are successfully migrated, they shall be moved into the OU corresponding to their Parent-OU of their source domain. To aid understanding of this structure, please see the picture at the end of this article.

The Tool

To prevent the administrators from manually moving the user objects into their new OU (Corresponing to their source-OU), we developed the tool CopyOUStructure:

Syntax:
CopyOUStructure ,
Example:
CopyOUStructure "OU=Top One,DC=companyB,DC=com", "ou=FromcompanyB,DC=CompanyA,DC=com"

Please Note: Both DN-Parameters are case sensitive. When you enter the DNs mismatching the case the tool will correct that automatically.

You can also run the tool multiple times, e.g. while testing or migrating only some users at a time.

Prerequisities

The account executing the tool will need read-permissions on the source domain and modify permissions on the targeted OU. Also the domains need to have a fully functioning trust between them.

Also the migrated users need all to be placed in the OU of the target-ou parameter.

Process

The Tool will start with searching all users in and under the given source-ou parameter. Next it will create all needed OUs in the target-ous. Please note that empty OUs will not be replicated.

In the next step, the tool will move all objects that are found both in source and target to their corresponding OU in ther target structure.

The tool will give you logging via console output, so you might want to pipe the output into a text file using „>> %pathoftextfile%“.

Download free full-version

Cross-Forest Free/Busy without Federation

2012-11-30T13:27:15Z

We want to supply GAL between 2 untrusted Active Directory forests with Exchange organizations. This we will perform with NETsec's GALsync software.
Additionally we want to share Free/Busy information without configuring a Microsoft Federation (using the MS Federation Gateway). We do not want to use the Free/Busy feature of GALsync.

In this article I will demonstrate the procedure to supply Free/Busy in this way.

]]> High-Level-Steps

Exchange Web Service (EWS) is published in Internet (SAN-Certificates and autodiscover work properly)
Create a proxy-account without mailbox in each forest
Perform Add-AvailabilityAddressSpace and Set-AvailabilityConfig
Synchronize the objects with GALsync
With Outlook / OWA invite people in the other forest using the Free/Busy information

In the test environment I use for this procedure I do not have Internet access. Therefor I use self-signed certificates.

**Used machines and accounts**
name	function	ip
ADC.foresta.com	DC/DNS/Exchange 2010 SP2	172.20.25.100
AGS.foresta.com	GALsync Server	172.20.25.101
ClientForestA.foresta.com	Outlook 2010 Client	172.20.25.104

BDC.forestb.com	DC/DNS/Exchange 2010 SP2	172.20.25.102
BGS.forestb.com	GALsync Server	172.20.25.103
ClientForestB.forestb.com	Outlook 2010 Client	172.20.25.105

--------

name	function	permissions
foresta.com\freebusy\freebusy	proxy account	domain user
foresta.com\users\GALsync	service account	look in GALsync manual
foresta.com\freebusy\freebusytest1foresta	Testuser	domain user
foresta.com\freebusy\freebusytest2foresta	Testuser	domain user
forestb.com\freebusy\freebusy	proxy account	domain user
forestb.com\users\GALsync	service account	look in GALsync manual
forestb.com\freebusy\freebusytest1forestb	Testuser	domain user
forestb.com\freebusy\freebusytest2forestb	Testuser	domain user

Trust: There is no trust between the domains. If there is a trust, it doesn't matter.

Configure send connectors and receive connectors

Send connectors and receive connectors are present and you can email between both organizations

Configure SAN-Certificates

I create self-signed SAN-Certificates for my non-public test environment

Link: http://blog.exchange-addict.com/2012/11/cross-forest-freebusy-simple-version_13.html

selfssl7.exe /N cn=autodiscover.foresta.com;cn=adc.foresta.com;cn=adc /K 1024 /V 18250 /X /F c:\exchangeForesta.pfx /W passwort /Q
selfssl7.exe /N cn=autodiscover.forestb.com;cn=bdc.forestb.com;cn=bdc /K 1024 /V 18250 /X /F c:\exchangeForestb.pfx /W passwort /Q

Import certificates
ForestA-certificate:
ADC: computer account Trusted root CA container
BDC: computer account Trusted root CA container
ClientForestA: current user
Trusted root CA container
ForestB-Zertifikat:
ADC: computer account Trusted root CA container
BDC: computer account Trusted root CA container
ClientForestB: current user
Trusted root CA container

Tests

do https://adc/owa works? https://adc.foresta.com/owa as well?
Does Outlook start without certificate-warning?
Test with Outlook Email-Autoconfiguration

Exchange (über EMC)

Import certificates
Apply certificate to service IIS

Configure HOSTS file

BDC: 172.20.25.100 AUTODISCOVER.foresta.com
ADC: 172.20.25.102 AUTODISCOVER.forestb.com

Configure Exchange

On CAS Server in forestA (ADC)

Add-AvailabilityAddressSpace –Forestname "ForestB.com" -AccessMethod OrgWideFB –Credential (get-Credential)
use credentials of forestb\freebusy
Set-AvailabilityConfig –OrgWideAccount freebusy

On CAS Server in forestA (ADC)

Add-AvailabilityAddressSpace –Forestname "ForestA.com" -AccessMethod OrgWideFB –Credential (get-Credential)
use credentials of foresta\freebusy
Set-AvailabilityConfig –OrgWideAccount freebusy

Configure GALsync

Synchronize with GALsync the objects FreeBusyTest1Foresta to ForestB and FreeBusyTest1ForestB to ForestA;
do not configure the GALsync Free/Busy option;
update the addresslists for contacts and the OAB in Exchange (EMC).

Configure Testdata

Create some appointments in all calenders of the 4 users

Expected results

FreeBusyTest1ForestA and FreeBusyTest2ForestA can see the Free/Busy inforemation of FreeBusyTest1ForestB,
but not of FreeBusyTest2ForestB;
Note: in OWA the contact is to add by using "add from addressbook". never insert the name by yourself.

Tip: if you modify the permissions of DEFAULT in a calendar folder of a user you can define more granuarly the data people can see.

Links

EPR Setup

2012-07-16T11:35:18Z

After downloading the installation file, open the *msi-Installer. If you make an update, the directory \program files\NETsec\epr will be checked.The existing data are transferred, so you can continue to work with your pre-defined reports. If the directory does not exist, it will be created.

]]> Furthermore, the directory \Users\\AppData\Local\NETsec is checked by existence. Here are the personalized configuration configuration settings. If no data are available, the directory is created.

With the installation of EPR a new Windows service is provided and immediately started in the context of local user.

1. The service account

EPR signals at the first boot after installation with a notice that the service account must be configured:

In the initial runs, the EPR service account logs on in the name of local system. This account has but (hopefully) in your AD do not have rights to the reports you want to define more soon. we recommend that you create a special service account (eg EPRSRV) in AD. Enter the account in the EPR configuration.

On the machine running on the GUI, the service account must be a member of the local Administrators group.

In the Information bar, you get the information about who is currently logged on whether the EPR service is started and the service account.

2. Entering the License

The trial version is in the title bar indicated that the performance of file system reports, and included more than 100 reports of Active Directory objects. The Watcher Membership runs for 10 days.

The license file can be activated by Options -> About -> Add License.

3.The basic settings

So you do not report back on any need to define the connection data to the database or the new mail subscription data, you can configure in the top node of the TAB program, storage, and notification settings as a template. Each report definition, you can accept or change the settings.

Program:

Specify here, to delete after how many days the log files EPR. These lie in the installation directory under epr \logger.
Because the internal modules of the Software communicate about a TCP/IP Port, you can change the standart port in another parameter , if you use another tools which needs the configurated port.

ATTENTION: Please remember to save the settings with SAVE!

Storage:

Configure the Storage tab, where the user data to be stored. We strongly recommend the use of a database. Use the File option to quickly test the software. Each report definition, you can accept or change the settings.

After the address of the SQL Server instance specified (in this case Samsung PC \ SQLExpress) test

availability to access the SQL server by clicking Test Connection
the existence of a database with the name EPR by clicking on Test Database

If the Database does not exist, she will be created automatically by clicking Create Database.

By default, access to the SQL Server is made in name of local service account. However, you can also access a SQL Server logging on SQL Authenticate.

In the current version of the data on the SQL Server are stored securely. In the next release, an additional option “Maintanance” will be available, which allows you to configure the storage times.

ATTENTION: Please remember to save the settings with SAVE!

Notification

Configure in the tab Notification, whether and to whom you want to send the resulting data and who should receive information about the execution of a report. The latter is likely to be an employee of

IT, the former (department) responsible for data accuracy. Each report definition, you can accept or change the settings.

The SMTP server must be able to accept your data package. For internal mail servers please ask if the server accepts anonymous logins counter. Otherwise, select External SMTP - this option allows you to authenticate data transferred.

Since the Data attached Security reports (not the summary) may be very large and this can not be allowed on all mail servers, you can determine the maximum size of messages. If these are exceeded, the recipient receives a message that it is not for this reason the data can be delivered. The default value is 5 MB.

By clicking the Test button to the addressees are sent test mails, you should check that they are receiving.

ATTENTION: Please remember to save the settings with SAVE!

4. Upgrades

Users of versions prior to v3.5 EPR must uninstall the previous version completely. Since the data structures have been redefined, previous reports can not be accepted. If you this is not possible, the new version can also be installed on another computer and other SQL Server.

Take an uninstall of software to make the Control Panel. The report data is all still present, only the necessary program files will be replaced.

5. Complete Uninstall

In the "normal" uninstall the service and the registry entries will be removed. Remove to uninstall the software, the directory \ windows \ NETsec \ epr and \ Users \ \ AppData \ Local \ NETsec \ <* epr *> if you want to remove all report data and configurations from the computer.

6.Informations to the Architecture of EPR

The file system reports and the delta reports can be automated via a scheduler or the GUI on the RUN button triggered.
The Active Directory Reports, and the delta reports can be automated via a scheduler or the GUI on the RUN button triggered.
The Watcher Membership runs automatically in the configured time interval.

In the example image you can see that the service runs under the appropriate account, the GUI is started by someone else.

Note: If you test the software, then let the software enough time to query the data. For example, you should expect from a new report on the Definition Membership Watcher with a "First-time-schedule" about 10 minutes. Only after the configuration values are taken into account.

For Questions, please contact our Sales-oriented or technical support team at your disposal.

ENow Releases ForeSite - A New SharePoint Management Solution

2012-07-11T14:04:09Z

Corona, CA – July 10, 2012

ENow, a Microsoft Independent Software Vendor specializing in the development of software to simplify Microsoft system management, announced the release of ForeSite, a SharePoint management solution.

]]> ENow's ForeSite is designed to help organizations proactively monitor their SharePoint infrastructure, including all of the core underlying technologies such as Microsoft Active Directory, Internet Information Server and SQL. It also includes monitoring SharePoint’s key components including site availability, timer jobs and content databases alerting. ForeSite also includes a suite of reports that help administrators better understand how SharePoint is being

ForeSite is built on top of the award winning ENow Management System platform which is used in over 35 countries by enterprise companies, including Facebook, NYSE, DirecTV, Blue Cross Blue Shield, and CB Richard Ellis. The product features a customizable dashboard with red, yellow, and green lights indicating the health of each monitored server. The One Look solution enables IT support staff to proactively monitor servers in real time. In addition, ENow’s Management System platform is also popular for its customizable reporting, which gives administrators complete flexibility in not only how they create reports, but also how they disseminate the information. "Traditional reporting products only allow you to email a report, resulting in static data," explains Jay Gundotra, CEO of ENow. "But with ForeSite Personalized Dashboards, each key role in your organization can have access to a customized dashboard that meets their needs and automatically updates." This unique feature empowers help desk personnel to better service their users and improve response time.

"After the success of Mailscape, our Exchange Monitoring and Reporting product, we have an international customer base spanning 35 countries. These companies expressed a strong interest in having us replicate our approach for SharePoint," states Mr. Gundotra. "ForeSite was created with the same core ingredients, comprehensive monitoring and reporting features combined with our personalized dashboards. This approach provides Help Desk operators with the ability to quickly diagnose a problem and deliver critical information needed to proactively manage SharePoint farms and avoid costly downtime."

About ENow

ENow is a Microsoft Silver Independent Software Vendor focused on helping companies implement the latest Microsoft technologies and developing software tools to simplify the job of an IT administrator.
The company’s flagship product, ENow Management System (EMS), is an award winning monitoring and reporting tool that provides a dashboard view of Exchange, BlackBerry, SharePoint and Active Directory servers. For more information, call 1-877-TRY-ENOW, email us at info@enowinc.com, or visit us at www.enowinc.com.

Active Directory Object Permission Reporter - Delta reports show what changed

2012-07-10T11:45:34Z

The new version 3.5 of Enterprise Permission Reporter now includes

File Security Reporting
who has access to folders and files? What's new - which modifications are made between 2 scans
Active Directory Object Permission Reporting
who has access to AD objects like OUs, users groups? What's new - which modifications are made between 2 scans?
Active Directory Group Membership Watcher
who is added or removed from a certain important group? Real-time reports.

EPR v3.5 combines basic reports which scan and document all found entries and DELTA reports which contain only the difference made.

The security administrator, the department or the group which is responsible for auditing gets only the information it needs. The IT administrators setup the software, define the policies and send the reports to the responsibles. That's all for the IT!

In this blog I describe shortly how the Active Directory Object Permission Reporting works.

]]>

The configuration of a Report Definition is devided in 5 steps.

1. General
Configure name and description.

2. Analyze
Choose an Organizational Unit or select other Active Directory objects like users, contacts, groups, mail-enabled Public Folders.

3. Storage
Running the trial you might want to store the results in your file system. In production we recommend to use a database.

4. Notification
A summary and the result of the report can be set to any recipient you want.

5. Scheduling
Schedule when the report should be executed.

Active Directory Group Membership Watcher

2012-07-02T07:08:03Z

Welcome to our new version of Enterprise Permissions Reporting. EPR will assist you to meet all challenges you may face regarding regulatory compliances such as HIPAA, FDA, PCI or SOX. EPR can generate continuous reports for SOX/PCI audits.

One of the new features is called Active Directory Group Membership Watcher and monitors all changes which are made against a selected Active Directory group.

If someone adds or removes a member to a group then a delta report is created. So you get only the modifications. You can monitor these changes at the grafical user interface or send an automatical report to an independent manager.
A Windows service is executed as often as you want to check modifications.

In more detail I'll show you how to create a membership Watch Report Definition. Here is the trial!

]]>
You can track membership modifications through the entire forest. (No special license is needed for multiple domains or sites or number of installations).

The configuration of this Active Directory Group membership Change tracker tool is divided into 4 sections

1. General
Here you configure the name of the definition and how often the watcher should run.

2. Anaylze
Choose a group from your entire forest list. If you click "Show Current List" all members of the selected group are enumerated.

3. Storage
For testing purposes you might stored the results file based. We recommend to use a database.

4. Notification
The result or a summary can be sent to the security manager or an independent quality monitoring.

That's it - take a trial and have a look . . .

Note: if you configure a membership wathc report the first time you have to make 2 changes to the group. The first change will not be reportet because it is "point zero".

ENow Management System 4.7 Provides Updated Exchange Monitoring and Reporting Features

2012-06-28T08:19:59Z

Corona, CA – June 28, 2012

ENow, a Microsoft Independent Software Vendor specializing in the development of software to simplify Microsoft system management, announced the release of ENow Management System 4.7, the award-winning product suite for Exchange, Active Directory, and SharePoint management.

]]> ENow's Mailscape Exchange Server product is used in over 35 countries by enterprise companies, including Facebook, NYSE, DirecTV, Blue Cross Blue Shield, and CB Richard Ellis. The product features a dashboard with red, yellow, and green lights indicating the health of each monitored server. The Mailscape solution enables IT support staff to proactively monitor servers in real time. It also provides mobile device reporting for iPads, iPhones, Androids, Blackberries, and other mobile devices.

The ENow Management system is comprised of Exchange, Active Directory and SharePoint modules. The Exchange module, Mailscape, is an innovative tool that combines all the key elements for Exchange reporting and monitoring in a single solution. ENow’s Compass product is a Microsoft Active Directory management solution, and ForeSite is designed to help organizations proactively monitor their SharePoint infrastructure.

ENow Management System 4.7 includes new enhancements to help IT administrators. Some of the highlights in this release include enhanced Exchange DAG monitoring features that will make it easier for administrators to ensure their high availability Exchange 2010 servers are functional. Several new Active Directory reports were added that will give Active Directory administrators the ability to track down potential security issues and to better understand their topology. In addition, this new release includes a brand new SharePoint module that automatically tests critical SharePoint services, such as Site Availability, Timer Jobs, Search & Index service and content databases. All of SharePoint’s underlying core technologies including IIS, Active Directory and SQL are also monitored with ForeSite.

About ENow

ENow is a Microsoft Silver Independent Software Vendor focused on helping companies implement the latest Microsoft technologies and developing software tools to simplify the job of an IT administrator. The company’s flagship product, ENow Management System (EMS), is an award winning monitoring and reporting tool that provides a dashboard view of Exchange, BlackBerry, SharePoint and Active Directory servers.

For more information:

Achim Cremer
NETsec GmbH & Co. KG
Schillingsstrasse 117, Germany - 52335 Düren
+49 (2421) 998 78 20

GALsync recommended by MVP Peter Bruzzese

2012-06-12T10:22:12Z

"GALsync is one of those products that does exactly what it advertises. In fact, with the ability to handle free/busy information, combined with so many necessary features (everything from method of export/import to encryption options to specific attribute export selection) it goes above and beyond what I expected based on first glance."

says J. Peter Bruzzese at msexchange.org, taking a look at NETsec's GALsync.

]]> Peter Bruzzese (Triple-MCSE, MCT, MCITP) an Exchange MVP, is the co-founder of ClipTraining, an Exchange and SharePoint Instructor for Train Signal, a well-known technical author for Que/Sams and others, a technical speaker for Techmentor, Connections and, at times, TechEd… and the Enterprise Windows columnist for InfoWorld.

Link:

http://www.msexchange.org/articles_tutorials/product-reviews/product-review-netsecs-galsync.html

Creating a shared address space for two different forests.

2012-06-04T06:21:38Z

This Tutorial describes all steps to create a new shared E-Mail address for two different domains.

We use GALsync for sychronizing objects, a script to modify the SMTP-addresses and built-in Exchange 2010 features.

]]> Test enviroment

4 server machines Windows 2008 R2 Standard Edition English (most recent updates)

FQDN-Server	Funktion	IP-Nummer	Local Firewall
ADC.ForestA.com	DC/GC/DNS/ Exchange 2010 SP2	172.20.25.100	deactivated
AGS.ForestA.com	GALsync Application	172.20.25.101	deactivated
ACL.ForestA.com	Outlook 2010 Client	172.20.25.104	deactivated
BDC.ForestB.com	DC/GC/DNS/ Exchange 2010 SP2	172.20.25.102	deactivated
BGS.ForestB.com	GALsync Application	172.20.25.103	deactivated
BCL.ForestB.com	Outlook 2010 Client	172.20.25.105	deactivated

Setup

In the first step we will setup two different mail organizations. In each mail organization we

create some mailbox-enabled user objects, mail-enabled contacts and groups. As well the mail flow is configured between the two organizations.

Configurations

1.Configure Exchange 2010 in forestA a Send-Connector to the other mail organization.

2.Configure Exchange 2010 in forestB a Send-Connector to the other mail organization.

3.Create an OU Called "GALsyncInternalAccountsA" in forestA, here you create all new objects.

4.Create an OU called §forestBImport" in forestA, here you will place all objects from forest.

5. Create a mailbox-enabled GALsyncA account in forestA

6.Make the GALsyncA Account member of the local admin group on AGS server.

7.Create 10 mailbox-activated users in forestA (i.e. UserA01, UserA02...)

8.Create 1 mail-activated universal security group: groupA01 in forestA (members: UserA01, UserA02)

9.Create 1 mail-activated universal distribution group: groupA02 in forestA (members: UserA03, UserA04)

10.Create 1 mail-activated contact: ContactA01 in forestA with an external SMTP address

11.Create 1 mail-activated mailbox: Info in forestA (and the SAME name in forestB)

12.Confugure Exchange 2010 to Route Messages between ForestA and ForestB; a Send-Connector to the Internet (if wanted) and a Send-Connector to ForestB (required).

Checks

1. GALsyncA Login with OWA and send mail to the account itself

2. GALsyncA Login with OWA and send mail to UserA01 (and response)

3.GALsyncA Login with Outlook and send mail to ContactA01

4.GALsyncA Login with Outlook and send mail to GALsyncB (and response)

5.Check if the recipient addresses are stored in MailTo cache of Outlook

6.Check if the recipient address is stored in MailTo cache of OWA

Do the same with forestB

GALsync

In the second step we setup GALsync and synchronize the directories between both organizations.

Configurations

1. Install GALsync on AGS/BGS (following vendors setup instructions)

2. Configure an export of all USERA-objects to the partner forest (using mail as transport)

3. Configure an import of all USERB-objects to the partner forest (using mail as transport)

4. Perform an export/import

Checks

1. UserA10 sends a mail with Outlook to contactB10 and UserA09 -check results

2. UserA08 sends a mail with Outlook to groupB01 and groupA01 - check results

3. Check nickname cache in Outlook-UserA10 and OLK-UserA08

Do the same with forestB

Adding new common SMTP as secondary proxyaddress

The new shared address will be @new.com

1. Configure Exchange 2010 in forestA an accepted domain for @new.com as internal relay domain

2.Configure Exchange 2010 in forestA to Route Messages fot the Shared Address Space to forestB (add @new.com to the Send-Connector)

3. Configure Exchange

4. Add @new.com as secondary address to all mail-enabled objects in forestA (if you use Address Policies, you will NOT modify contacts which have been synched by GALsync!

This is because GALsync deactivates the option "automatically update email addresses based on Email address policy")#

5. Add @new.com as secondary address to all mail-enabled objects in forestB (if you use Address Policies, you will NOT modify contacts which have been synched by GALsync!

This ist becuase GALsync deactivates the option "automatically update email addresses based on Email address policy")

6.With a new GALsync sync the secondary addresses are also transferred (in default configuration)

Checks

1.UserA01 sends a mail to Internet address - expected result: should have primary address as senders address

2.UserB01 sends a mail to Internet address - expected result: should have primary address as senders address

Comments

You are able with this confuguration to send mail to a mailbox@new.com existing in forestA or in forestB. You are NOT able to send a mail from forest to a mailbox@new.com which is placed in forestA.

If you configure in forestB @new.com as internal relay domain as well pointing to mailserver in forestA, you will produce a loop if someone sends a mail to @new.com-SMTP Address which does neither exist in forestA nor in forestB

Upcoming Question: How can a user in forestB send mail to a user in forestA?

Answer: As long as on both sides the primary address is forestA or forestB, GALsync uses this address as targetaddress.

After the secondary new.com address was made on both sides to the primary SMTP address, the following happens:

When performing from source to destination GALsync without changing the configuration, then the objects deleted in the target (as the primary address was [old SMTP] and the objects are completely regerated with their new primary SMTP address.

Similarly, the Target Address is set tp the new SMTP address, but should ne the old address as the destination is not able to send back to new.com

Attention:

It has to be sure, that the Target address is foresta.com or forestb.com and NOT new.com.

Rule for the Export from ForestA to ForestB: The Option "Modify target address with domain" (Import-Policy [ForestB], Directory Setting, EmailAddresses) has to be changed in ForestA.com

This means: The object having the target address xy@new.com is sychronized from ForestA to ForestB, but then it gets through the Import Policy in ForestB a target address domain, for which Exchange creates a SendConnector to ForestA.

Script

Write a script that exchanges in the import OU primary against secondary address. You can download a script which does this job here : smtpreplace.ps1.txt.

After the script was created, it is VERY important that you deactivate GALsync. This has to happen because if auto-sync is activated GALsync will replace User@foresta.com with user@new.com

This would be the worst case and should not happen.

Then you can start the Script on ForestA and ForestB. The script will change the secondary smtp address (new.com) with the primary SMTP-Address.

NOTE: This method does not work if you have users with the same local part in ForestA and ForestB. You have to check this before running the script because it will fail for this object.

After changing the secondary smtp-address and the primary SMTP-address of all GALsync-objects in a defined OU, the Import-Policy of GALsync has to be modified.

The Import-Policy has a feature called “Modify Target Address”, and you have to check this feature and enter the external Domain Part.

If you did all this steps, you are able to run GALsync without deleting the external SMTP-address of the objects.

Lessons learned

We have learned what we need to create a shared address space for two different forests and which problems exist.

Very important is to note, that it is not possible to do this that users in both forest can not have the same user name.

Enterprise Permission Reporter controls, documents and reviews all your file system permissions

2012-04-30T09:50:26Z

EPR (Enterprise Permission Reporter) is our NTFS permissions reporting solution.
EPR will assist you to meet all challenges you may face regarding regulatory compliances such as HIPAA, FDA, PCI or SOX.
EPR lets your control, document and review all your file system permissions with ease.

]]> The new version of EPR has several enhanced features compared to the old version and has been completely redesigned.

Generate Just-In-Time or Scheduled based Reports for your File system

Includes EVERY Permission set to the folders
Breaks down every access to user level, including nested Groups

Generate Just-In-Time or schedule based reports on the changes between two certain reports

Scheduled delta reports enables you to report permission changes within a week, month, or any other timespan

Store your Reports in

XML - Data will be stored in Excel-Friendly XML Files on your File system
SQL - Data will be stored in any SQL Server in your Network

EPR Structure

The Main Element in EPR is the Report Definition. This element describes what should be reported, where it should be stored, and what should be send. A Report Definition may also contain several Reports (One Report equals one Run of the Definition) and many Delta Definitions.

Download manual

Some references

Some screenshots