Multi-forest GALsync from workgroup?

  • Question

  •  I have two questions that may or may not be related:

    1) I’m currently running ILM07 FP1 on a Win2k3EE test server in a standalone workgroup. Can ILMFP1 run cross-forest GALsyncs from a standalone server in a workgroup, or does it need to be in its own forest?

    2) In the MA Designer\ Configure GAL \ Specify the destination container for contacts ..\Target section, I only have the options to select from the same forest that I’m importing from. How do I change this to specify other target forests?

    Thank you

    Thursday, February 7, 2008 3:05 PM

Answers

  •  

    Hi Orco,

    Configuring either the GALSync or AD MAs, you need to specify network credentials within the management agent. Those credentials are used to connect to the connected data source (in your case Active Directory). Therefore ILM can still be in a workgroup.

    Wednesday, February 13, 2008 9:52 PM

All replies

  • 1)  ILM can run in a workgroup

    2)  To configure a GAL sync between two forests, you need two management agents. In other words, management agents are configured on a per forest basis.

    Cheers,

    Markus

     

    ///////////////////////////////////////////////////////////////////////
    Markus Vilcinskas

    Technical Writer
    Microsoft Identity Integration Server
    mailto:markvi@microsoft.com.NO_SPAM

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    http://www.microsoft.com/info/copyright.htm
    ///////////////////////////////////////////////////////////////////////

     

    Thursday, February 7, 2008 4:28 PM
    Moderator
  • Thank you Markus. I do understand the part about requiring one MA per forest. I'm still unclear where the targets and destinations are set up. Are the targets and destinations selected from the different OUs in the same forest?
    Thursday, February 7, 2008 7:38 PM
  • Targets and destinations – now you have lost me…

     

    What you configure on your MA is

    ·         The container used to contribute data to ILM

    ·         The container used to receive data from ILM

     

    The scope of both containers is the forest an MA is associated with.

    Having two separate containers is due to security. The MA account needs to have add and delete access to the OU that receives GAL data from other forests.

    The MA account should have neither add nor delete access to the OU that contains the local GAL data.

     

    If you refer to targets in the context of provisioning targets, this information is stored in the XML file that is associated with your metaverse rules extension.

     

     

     

    Cheers,

    Markus


    Thursday, February 7, 2008 7:50 PM
    Moderator
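
The container permissions described in the reply above can be audited per forest with a check like the following. This is an added example, not part of any post in this thread and not Microsoft's code. It assumes the ActiveDirectory PowerShell module is available, and the account and OU names are hypothetical placeholders; only Allow ACEs that name the account directly are evaluated.

```powershell
# Added example: names below are hypothetical placeholders, not values from the thread.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl

$MaAccount = 'CONTOSO\svc-galsync-ma'                # hypothetical MA account
$TargetOU  = 'OU=GALSyncContacts,DC=contoso,DC=com'  # receives GAL data from other forests
$SourceOU  = 'OU=Staff,DC=contoso,DC=com'            # contains the local GAL data

function Get-MaChildRights {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Identity
    )
    # Combine every Allow ACE that names the account directly.
    # Rights granted through group membership and Deny ACEs are not evaluated.
    $mask = 0
    $acl  = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $Identity) {
            $mask = $mask -bor [int]$ace.ActiveDirectoryRights
        }
    }
    # GenericAll contains both bits, so full control is reported as add + delete.
    $create = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $delete = [int][System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
    [pscustomobject]@{
        Container = $DistinguishedName
        CanAdd    = ($mask -band $create) -ne 0
        CanDelete = ($mask -band $delete) -ne 0
    }
}

$target = Get-MaChildRights -DistinguishedName $TargetOU -Identity $MaAccount
$source = Get-MaChildRights -DistinguishedName $SourceOU -Identity $MaAccount

# Target container: the MA account needs add and delete access.
if (-not ($target.CanAdd -and $target.CanDelete)) {
    Write-Warning "MA account lacks add/delete on the target container: $TargetOU"
}
# Local GAL container: the MA account should have neither.
if ($source.CanAdd -or $source.CanDelete) {
    Write-Warning "MA account can add or delete in the local GAL container: $SourceOU"
}
$target, $source | Format-Table -AutoSize
```
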
  • Thank you Markus, very helpful and that makes sense now. Sorry for the confusion.

    I should have mentioned I'm trying to use ILM07 to galsync with Exchange 2007. In the ILM help it says:

      • The Microsoft Identity Lifecycle Manager 2007 FP1 service account must be a domain account
      • The server running Microsoft Identity Lifecycle Manager 2007 FP1 must be joined to a domain.

    Does this mean ILM must be joined to the domain it's provisioning to? Or any domain?
    Friday, February 8, 2008 1:56 PM
  • Another requirement for ILM FP1 galsync according to the help file is:
    • Windows Powershell 1.0 and the Exchange 2007 SP1 Management Console must be installed.
    AFAIK, the Exchange Management Console requires AD connectivity and domain membership for the computer it is run from.
    Monday, February 11, 2008 6:39 PM