ILM 2007 and GALsync

1 Jul

The Need
Some companies, small or large and mostly operating internationally, have to manage multiple Active Directories and multiple Exchange organizations.
Outlook users within one of these organizations can list all mail addresses, plus further information such as phone numbers and departments, in the so-called Global Address List.
Open Outlook, click New message, click To... and you will get all addresses of your company's employees. But what about your colleagues in the other companies' organizations?


Example
A well-known US health company has more than 30 subsidiaries/affiliates. For historical reasons, each has its own Active Directory with Exchange.
They know about each other, but they do not have a centralized repository of the data they would need for consistent mail communication.
What do people do?
One of the disadvantages of this topology is that Outlook users can only list the mail addresses of their own Active Directory in Outlook's Global Address List (GAL).
What do people do when addresses are missing from the centralized repository?
They add the addresses to their personal address book. Well done, but...!
If something changes (e.g. a phone number), the personal address book does not pick this up, and the next phone call will go to an outdated number!
What Microsoft offers
With Microsoft Identity Integration Server, Microsoft took a first step towards offering a newly developed software product to synchronize identity information between different data sources. MIIS 2003 offered many agents for data sources such as database servers, flat files and Active Directory. As a very complex and powerful identity management system, it offered all the features needed to synchronize users' metadata. This is needed in companies where users' attributes are administered in different sources.
Example: the phone number is administered in an Oracle database used by the phone system, the user's name is administered in Active Directory, and the department is administered in an ERP system.
As part of this, Microsoft offered a free solution called Identity Integration Feature Pack 2003 (IIFP), which was limited to Active Directory and ADAM as data sources.
Customers could synchronize Global Address Lists between different forests using IIFP without requiring licenses.
However, a dedicated SQL Server for hosting delta data was recommended. Administrators needed about a week to understand, implement and configure the product, which used a rather new terminology derived from identity management systems. This work was often done by external consultants specialized in MIIS. Support for MIIS/IIFP ended in 2008.
Identity Lifecycle Manager 2007 (ILM) is the successor to MIIS. ILM "2" also provides self-service capabilities for end users, such as group and credential management via Microsoft Office and Windows.
Unfortunately, Microsoft does not plan a free solution like IIFP.
Microsoft decreased pricing for ILM 2007 (from 10.000 $ upwards), but the complexity of the software is the same. For e-mail and messaging, Management Agents are available for Microsoft Exchange 2007, 2003, 2000 and 5.5, and Lotus Notes 7.0, 6.x, 5.0 and 4.6.
GALsync
GALsync is focused only on synchronization of Global Address Lists and free/busy information between multiple Exchange Organizations; it is not intended to be general identity management software.
Basically, the sync is done by exporting data from the source Active Directory and independently importing it on the target side.
Data can be exchanged using an FTP server or a common Windows share, but the most powerful feature is using SMTP as the transport protocol. This enables companies with restrictive firewall policies to exchange GAL data over the internet. The data can additionally be secured by a built-in encryption method.
Installation and customization of the software require 1 or 2 hours. Administrators use an easy-to-use, wizard-based graphical user interface. Scheduled jobs are run by the product's own service.
On the export side, the selection of objects (OUs, groups and so on) is customizable, as are the properties included in the sync. On the import side, attribute values can be customized (e.g. a suffix appended to the display name), and there are some extended features for multi-organization sync.
No additional software or hardware is needed; GALsync can be installed on any domain computer and works with Microsoft Exchange organizations based on 2010, 2007, 2003 and 2000. Pricing depends on the number of forests and objects to sync (from 750 $ upwards).
GALsync is developed by NETsec, a German company specialized in Active Directory and Exchange.
Further Information
GALsync: http://galsync.netsec.de
ILM 2007: http://www.microsoft.com/windowsserver/ilm2007/overview.mspx
