Identity Integration Feature Pack (IIFP) – GalSync unleashed

Here is my step-by-step guide to GalSync. The permissions part was the really difficult stuff that I could not find documented anywhere. This is loosely based on the scenarios that come with the product.


 


Special thanks to Robert Gillies from Microsoft Consulting Services for helping dig up the permissions.


 


Software


Ensure that you have the installation media for the following software available before you begin:


·         Microsoft Windows Server 2003, Enterprise Edition, which contains the required Internet Information Services (IIS) service and ASP.NET components


·         Microsoft Exchange Server 2003, Standard Edition Server or Enterprise Edition


·         Microsoft SQL Server 2000 with Service Pack 3


·         Identity Integration Feature Pack


Set Up the FORESTA Forest Computer


Install the following software on the server computer that you will use to host the FORESTA Active Directory forest:


·         Windows Server 2003, Enterprise Edition


·         Internet Information Services (IIS) service


·         ASP.NET


·         Active Directory


·         Exchange Server 2003


·         Identity Integration Feature Pack


o        KB825122


o        KB826944


o        KB828752




1.       From Start, click Administrative Tools, click Active Directory Users and Computers.


2.       Select View from the top drop down menu and select Advanced Features.


3.       Add a user for GAL Sync, call this user GalSync (Service Account – restricted account).


4.       Set the password; ensure that the password does not expire nor need to be changed on next logon.


5.       DO NOT add the user to any groups.


6.       Highlight FORESTA.NWTRADERS.MSFT and right-click, select Delegate Control… .


7.       On the Welcome to the Delegation of Control Wizard page click Next.


8.       On the Users or Groups page click Add.


9.       On the Select Users, Computers, or Groups dialog box type Galsync and click OK.


10.    On the Users or Groups page click Next.


11.    On the Tasks to Delegate page select Create a custom task to delegate, and click Next.


12.    On the Active Directory Object Type page accept the defaults and click Next.


13.    On the Permissions page select General, Property-specific, and Creation/deletion of specific child objects, under permissions select Replicate Directory Changes and Replication Synchronization, and click Next.


14.    On the Completing the Delegation of Control Wizard page click Finish.


15.    Create an OU named FORESTB, and nest an OU under it called Contacts. This will also hold the distribution lists.


16.    Right-click the Contacts OU and select Properties.


17.    On the Contacts Properties dialog box click Security.


18.    On the Contacts Properties dialog box click Add.


19.    On the Select Users, Computers, or Groups dialog box type Galsync and click OK.


20.    On the Contacts Properties dialog box select Read, Write, Create All Child Objects, and Delete All Child Objects, and then click OK. Make sure the permissions apply to this object and all child objects.


21.    Open ADSIEdit and navigate to the container in the domain where the users, contacts, or mail enabled distribution groups are located.


22.    Right-click to expose the context menu, and select Properties.


23.    Click on the Security tab, and click Advanced.


24.    Choose to Add an ACE.


25.    Specify Galsync to apply the permissions to. This will display the permissions dialog.


26.    Click on Properties.


27.    Drop down the Apply Onto dropdown box and select Child Objects Only.


28.    Scroll down and mark Allow for Write proxyAddresses.


29.    Choose to save the properties. This permission will be applied to every child object whose Allow inheritable permissions from the parent to propagate to this object and all child objects option is selected. This is located in the user’s Advanced Security property sheet. Any user that does not have this selected will not have the permissions granted to it.


Set Up the FORESTB Forest Computer


Install the following software on the FORESTB forest computer:


·         Windows Server 2003, Enterprise Edition or Windows 2000


·         Active Directory


·         Exchange Server 2003



1.       From Start, click Administrative Tools, click Active Directory Users and Computers.

2.       Select View from the top drop down menu and select Advanced Features.

3.       Add a user for GAL Sync, call this user GalSync (Service Account – restricted account).

4.       Set the password; ensure that the password does not expire nor need to be changed on next logon.

5.       DO NOT add the user to any groups.

6.       Highlight FORESTB.NWTRADERS.MSFT and right-click, select Delegate Control… .

7.       On the Welcome to the Delegation of Control Wizard page click Next.

8.       On the Users or Groups page click Add.

9.       On the Select Users, Computers, or Groups dialog box type Galsync and click OK.

10.    On the Users or Groups page click Next.

11.    On the Tasks to Delegate page select Create a custom task to delegate, and click Next.

12.    On the Active Directory Object Type page accept the defaults and click Next.

13.    On the Permissions page select General, Property-specific, and Creation/deletion of specific child objects, under permissions select Replicate Directory Changes and Replication Synchronization, and click Next.

14.    On the Completing the Delegation of Control Wizard page click Finish.

15.    Create an OU named FORESTB, and nest an OU under it called Contacts. This will also hold the distribution lists.

16.    Right-click the Contacts OU and select Properties.

17.    On the Contacts Properties dialog box click Security.

18.    On the Contacts Properties dialog box click Add.

19.    On the Select Users, Computers, or Groups dialog box type Galsync and click OK.

20.    On the Contacts Properties dialog box select Read, Write, Create All Child Objects, and Delete All Child Objects, and then click OK. Make sure the permissions apply to this object and all child objects.

21.    Open ADSIEdit and navigate to the container in the domain where the users, contacts, or mail enabled distribution groups are located.

22.    Right-click to expose the context menu, and select Properties.

23.    Click on the Security tab, and click Advanced.

24.    Choose to Add an ACE.

25.    Specify Galsync to apply the permissions to. This will display the permissions dialog.

26.    Click on Properties.

27.    Drop down the Apply Onto dropdown box and select Child Objects Only.

28.    Scroll down and mark Allow for Write proxyAddresses.

29.    Choose to save the properties. This permission will be applied to every child object whose Allow inheritable permissions from the parent to propagate to this object and all child objects option is selected. This is located in the user’s Advanced Security property sheet. Any user that does not have this selected will not have the permissions granted to it.
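As an added check that is not part of the original guide: after step 13 in either forest, the GalSync account should hold exactly two control access rights on the domain object and nothing else. The sketch below audits that from the SDDL form of the domain object's security descriptor; the SID and SDDL strings are constructed sample values, and how you export the SDDL is left to your own tooling.

```python
"""Least-privilege check for the GalSync delegation (added example)."""
import re

# rightsGuid values of the replication control access rights on a domain object.
# The guide's "Replicate Directory Changes" appears here under its schema
# display name, "Replicating Directory Changes".
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes",
    "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2": "Replication Synchronization",
    "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2": "Manage Replication Topology",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes All",
}
# What step 13 delegates to GalSync on the domain object.
EXPECTED = {"Replicating Directory Changes", "Replication Synchronization"}

# Directory-service access mask bits, for SDDL that gives rights in hex.
MASK_BITS = {0x1: "CC", 0x2: "DC", 0x4: "LC", 0x8: "SW", 0x10: "RP",
             0x20: "WP", 0x40: "DT", 0x80: "LO", 0x100: "CR"}


def dacl_aces(sddl):
    """Return the DACL's ACEs, each as a list of its ';'-separated fields."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        return []
    return [ace.split(";") for ace in re.findall(r"\(([^()]*)\)", m.group(1))]


def rights_of(field):
    """Split a rights field ('RPWP' or '0x30') into two-letter codes."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        codes = {code for bit, code in MASK_BITS.items() if mask & bit}
        leftover = mask & ~0x1FF
        if leftover:
            codes.add(hex(leftover))  # keep unknown bits visible in the report
        return codes
    field = field.upper()
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def audit_domain_head(sddl, sid):
    """Compare the allow ACEs held by `sid` with what step 13 delegates."""
    granted, unexpected = set(), []
    for ace in dacl_aces(sddl):
        if len(ace) < 6 or ace[5].upper() != sid.upper():
            continue
        ace_type, rights, guid = ace[0].upper(), rights_of(ace[2]), ace[3].lower()
        if ace_type not in ("A", "OA"):
            continue  # deny and audit ACEs grant nothing
        name = REPL_RIGHTS.get(guid)
        if ace_type == "OA" and rights == {"CR"} and name in EXPECTED:
            granted.add(name)
        elif "CR" in rights and not guid:
            unexpected.append("all extended rights")
        else:
            unexpected.append(
                name or f"{'/'.join(sorted(rights))} on {guid or 'the object'}")
    return {"missing": sorted(EXPECTED - granted), "unexpected": unexpected}


# Constructed sample data: a made-up SID for GalSync and two made-up DACLs.
GALSYNC_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
AS_DELEGATED = (
    "O:DAG:DAD:AI"
    "(A;;RPLCLORC;;;AU)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    f"(OA;CI;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{GALSYNC_SID})"
    f"(OA;CI;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;{GALSYNC_SID})"
)
OVER_GRANTED = AS_DELEGATED + (
    f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{GALSYNC_SID})"
    f"(A;CI;RPWP;;;{GALSYNC_SID})"
)

if __name__ == "__main__":
    for label, sddl in (("as delegated", AS_DELEGATED),
                        ("over-granted", OVER_GRANTED)):
        print(label, audit_domain_head(sddl, GALSYNC_SID))
```

An empty `missing` and an empty `unexpected` list means the domain-object ACL matches step 13; the OU-level grants from steps 15 to 29 sit on other objects and are not covered by this check.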



To run this GAL Synchronization and synchronize data between the two forests, you need to create two management agents for Active Directory GAL. These management agents are called FORESTA GAL MA and FORESTB GAL MA.


The attribute flow and rules required for GAL synchronization are built into the GAL MAs and do not require that you configure each page in Management Agent Designer. The following are preconfigured:


·         Select object types


·         Select attributes


·         Configure connector filters


·         Configure join and projection rules


·         Configure attribute flow


·         Configure deprovisioning


·         Configure extensions



Create the FORESTA GAL MA first and then create the FORESTB GAL MA.



To create the FORESTA GAL MA


1.       On FORESTADC02, open Identity Manager.


2.       From the Tools menu, click Management Agents.


3.       From the Actions menu, click Create.


4.       In Management Agent Designer, in Management agent for, click Active Directory global address list (GAL) (from the pull down).


5.       In Name, type FORESTA GAL MA and click Next.


6.       On the Connect to an Active Directory forest page, type the values for forest name (FORESTA.nwtraders.msft), user name, password, and domain.


7.       Click Next.


8.       On the Configure Directory Partitions page, in Select directory partitions, select the only partition listed (DC=FORESTA,DC=nwtraders,DC=msft).


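9.       Clear the Sign and encrypt LDAP traffic check box. With this box cleared, the management agent’s LDAP traffic to the forest is neither signed nor encrypted.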


10.    Click Containers.


11.    Clear the check box next to the directory partition to clear all organizational units under the directory partition.


12.    Select the FORESTB organizational unit. The organizational unit beneath it, Contacts, DLs, etc. will also be selected.


13.    Click OK, and then click Next.


14.    On the Configure GAL page, under GAL container information, click Target.


15.    In Target Container, in Select a partition, select the CN=Contacts,CN=FORESTB,DC=FORESTA,DC=nwtraders,DC=msft target organizational unit.


16.    Click Container.


17.    In Select Containers, click to expand the FORESTB container, and then select only the Contacts container beneath the FORESTB container.


18.    Click OK, and then click OK again. Click Next.


19.    On the Configure GAL page, configure the settings under Exchange configuration according to the information provided below. When done, click Next.


·         Destination container of synchronization organizational unit: Contacts OU beneath the FORESTB OU


·         DNs of authoritative contacts container: the FORESTA Contacts OU


·         SMTP mail suffixes for mailbox enabled users and mail enabled groups (For Users and Groups): ‘@FORESTA.nwtraders.msft’


·         SMTP mail suffixes for mail enabled users and contacts (For Contacts): ‘@FORESTA.nwtraders.msft’



·                     Note



Do not select the Route mail to contacts checkbox, and do not select the Specify an administrative group checkbox.


20.    On the Select Object Types page, verify that the object types required for GAL synchronization are selected. Default settings are taken.


21.    Click Next.


22.    On the Select Attributes page, verify that the attributes required for GAL synchronization are selected. Default settings are taken.


23.    Click Next.


24.    On the Configure Connector Filter page, verify that the connector filters required for GAL synchronization are specified. Default settings are taken.


25.    Click Next.


26.    On the Configure Join and Projection Rules page, verify that the four join and projection rules for GAL synchronization are specified. Default settings are taken.



·                     Note

You can expand the join and projection rules to see data source attribute, mapping type, and metaverse attribute for each rule.



27.    Click Next.


28.    In Configure Attribute Flow, verify that the five attribute flow mappings for GAL synchronization are specified. Default settings are taken.



·                     Note

You can expand the attribute flows to see data source attribute, flow type, and metaverse attribute for each flow mapping.



29.    Click Next.


30.    On the Configure Deprovisioning page, in Deprovisioning Options, verify that the Determine with a rules extension option is selected.


31.    Click Next.


32.    On the Configure Extensions page, in Assembly name, verify that the GALSync.dll file is specified.



·                     Note

The FORESTA GAL MA looks for this file in the following location: C:\Program Files\Microsoft Identity Integration Server\Extensions.



33.    Click Finish.



The FORESTB GAL MA is similar to the FORESTA GAL MA, except for the management agent name and forest information.



To create the FORESTB GAL MA


1.       On FORESTADC02, open Identity Manager.


2.       From the Tools menu, click Management Agents.


3.       From the Actions menu, click Create.


4.       In Management Agent Designer, in Management agent for, click Active Directory global address list (GAL) (from the pull down).


5.       In Name, type FORESTB GAL MA, and then click Next.


6.       On the Connect to an Active Directory forest page, type the values for forest name (FORESTB.nwtraders.msft), user name, password and domain.


7.       Click Next.


8.       On the Configure Directory Partitions page, in Select directory partitions, select the only partition listed (DC=FORESTB,DC=nwtraders,DC=msft).


9.       Clear the Sign and encrypt LDAP traffic check box.


10.    Click Containers.


11.    Clear the checkbox next to the directory partition to clear all organizational units under the directory partition.


12.    Under the FORESTA organizational unit, click only the FORESTA, Contacts, DLs, etc.  organizational unit.


13.    Click OK, and then click Next.


14.    On the Configure GAL page, under GAL container configuration, click Target.


15.    In Target Container, in Select a partition, select the DC=FORESTB,DC=nwtraders,DC=msft target organizational unit.


16.    Click Container.


17.    In Select Containers, expand the directory partition (DC=FORESTB,DC=nwtraders,DC=msft), expand the node with name of the FORESTB domain controller, expand FORESTA, expand FORESTA, and then click Contacts.


18.    Click OK, and then click OK again.


19.    On the Configure GAL page, configure the settings under Exchange configuration according to the information provided below. When done, click Next.


·         Destination container of synchronization organizational unit: Contacts OU beneath the FORESTA OU


·         DNs of authoritative contacts container: the FORESTB Contacts OU


·         SMTP mail suffixes for mailbox enabled users and mail enabled groups (For Users and Groups): ‘@FORESTB.nwtraders.msft’


·         SMTP mail suffixes for mail enabled users and contacts (For Contacts): ‘@FORESTB.nwtraders.msft’



·                     Note

Do not select the Route mail to contacts checkbox, and do not select the Specify an administrative group checkbox. You do not need to modify the remaining Management Agent Designer pages.



20.    On the Select Object Types page, verify that the object types required for GAL synchronization are selected. Default settings are taken.


21.    Click Next.


22.    On the Select Attributes page, verify that the attributes required for GAL synchronization are selected. Default settings are taken.


23.    Click Next.


24.    On the Configure Connector Filter page, verify that the connector filters required for GAL synchronization are specified. Default settings are taken.


25.    Click Next.


26.    On the Configure Join and Projection Rules page, verify that the four join and projection rules for GAL synchronization are specified. Default settings are taken.



·                     Note

You can expand the join and projection rules to see data source attribute, mapping type, and metaverse attribute for each rule.



27.    Click Next.


28.    In Configure Attribute Flow, verify that the five attribute flow mappings for GAL synchronization are specified. Default settings are taken.



·                     Note

You can expand the attribute flows to see data source attribute, flow type, and metaverse attribute for each flow mapping.



29.    Click Next.


30.    On the Configure Deprovisioning page, in Deprovisioning Options, verify that the Determine with a rules extension option is selected.


31.    Click Next.


32.    On the Configure Extensions page, in Assembly name, verify that the GALSync.dll file is specified.



·                     Note

The FORESTB GAL MA looks for this file in the following location: C:\Program Files\Microsoft Identity Integration Server\Extensions.



33.    Click Finish.



Run profiles for the GAL MAs are created when you create the FORESTA GAL MA and FORESTB GAL MA. The table below lists and describes the five run profiles that are created automatically.


Table – Run Profiles

| Run Profile | Description |
| --- | --- |
| Full Import | All specified data flows from the Active Directory data source to the Identity Integration Feature Pack connector space and metaverse. |
| Delta Import | All changed data flows from the Active Directory data source to the Identity Integration Feature Pack connector space and metaverse. |
| Export | All specified data flows from the Identity Integration Feature Pack metaverse and connector space to the Active Directory data source. |
| Full Synchronization | After all specified data source data is staged, all specified data flows from the Identity Integration Feature Pack connector space to the metaverse. |
| Delta Synchronization | After changed data source data is staged, changed data flows from the Identity Integration Feature Pack connector space to the metaverse. |


      



By running the FORESTA GAL MA and FORESTB GAL MA, you populate the Identity Integration Feature Pack metaverse and create contacts in both Active Directory forests.



Important

Each run profile must be used to run both management agents.



Enable provisioning, and then run the management agents with the run profiles in the following order:


1.       Full Import with staging to the connector space. This imports all specified Active Directory data into the connector space.


2.       Delta Synchronization. This synchronizes connector space data with the metaverse.


3.       Export. This exports connector space data to the Active Directory forests.





1.       On the domain controller for the FORESTA Active Directory domain, open Identity Manager.


2.       From the Tools menu, click Configure Extensions.


3.       In Configure Extensions, ensure that the Enable Metaverse Rules Extensions check box is selected.


4.       Ensure that the Enable Provisioning Rules Extension check box is selected.


5.       Click OK.


After you verify that provisioning is enabled, perform a full import by using the FORESTA GAL MA.




1.       In Identity Manager, in Management Agents view, click the FORESTA GAL MA.


2.       From the Actions menu, click Run.


3.       In Run Management Agent, in Run Profiles, click Full Import with staging, and then click OK.


Next, you perform the Full Import of the FORESTB GAL MA.




1.       In Identity Manager, in Management Agents view, click the FORESTB GAL MA.


2.       From the Actions menu, click Run.


3.       In Run Management Agent, in Run Profiles, click Full Import with staging, and then click OK.


Next, you perform a full synchronization for each of the management agents.




1.       In Identity Manager, in Management Agents view, click the FORESTA GAL MA.


2.       From the Actions menu, click Run.


3.       In Run Management Agent, in Run Profiles, click Delta Synchronization, and then click OK.




1.       In Identity Manager, in Management Agents view, click the FORESTB GAL MA.


2.       From the Actions menu, click Run.


3.       In Run Management Agent, in Run Profiles, click Delta Synchronization, and then click OK.


Next, you export the data to each Active Directory forest.




1.       In Identity Manager, in Management Agents view, click the FORESTA GAL MA.


2.       From the Actions menu, click Run.


3.       In Run Management Agent, in Run Profiles, click Export, and then click OK.




1.       In Identity Manager, in Management Agents view, click the FORESTB GAL MA.


2.       From the Actions menu, click Run.


3.       In Run Management Agent, in Run Profiles, click Export, and then click OK.


 


 


Schedule Management Agent Full Synchronization


Now that you have synchronized the forests, you can schedule the tasks to happen automatically.




1.       In Identity Manager, in Management Agents view, right-click the FORESTA GAL MA.


2.       From the Actions menu, click Configure Run Profiles.


3.       On the Management agent run profiles section select Delta Import, and then click Script.


4.       Save the script to the C:\Batch\GalSync folder and name it FORESTA_DeltaImport.vbs.


5.       Repeat steps 1-4 for Export and then ‘FORESTB GAL MA’ Delta Import and then Export.


6.       Click Start, then Control Panel, then Scheduled Tasks, and then click Add scheduled task.


7.       On the Schedule Task Wizard page click Next.


8.       Click Browse, navigate to the C:\Batch\GalSync folder, and select FORESTA_FORESTB_GalSync.cmd, which looks like this:

cscript "FORESTA_DeltaImport.vbs"
cscript "FORESTA_Export.vbs"
cscript "FORESTB_Export.vbs"
cscript "FORESTB_DeltaImport.vbs"
cscript "FORESTB_Export.vbs"
cscript "FORESTA_Export.vbs"
cscript "FORESTA_DeltaImport.vbs"
cscript "FORESTB_DeltaImport.vbs"


9.       Keep the default name and select Daily, and then click Next.


10.    Enter the time and start date, click Next.


11.    Enter the user name (use an administrative account) and password twice, and click Next.


12.    Select Open advanced properties for this task when I click Finish, and click Finish.


13.    On the FORESTA_FORESTB_GalSync page click Advanced.


14.    On the Advanced Schedule Options page select Repeat Task and configure for the correct settings, click OK to close Advanced Schedule Options, and then click OK to close the Advanced Schedule Options page.

28 thoughts on “Identity Integration Feature Pack (IIFP) – GalSync unleashed”

  1. You say that the GalSync account should be Service-restricted. I understand what you mean by a service account, but when you say restricted, other than not being allowed to login locally for the domain controller, what do you mean?

    Thanks,

    Steve Robinson.

  2. Service Restricted means this is a normal account (without Admin rights) that you only use for this process. The account should be locked down, can’t log on through Terminal Services, restrict to the one machine for logon, etc.

  3. This document was very helpful with setting the permissions. Thank you.

    I’m a little confused about the batch file that you created though. Why would you deltaimport and export for each domain twice? Don’t you also have to run a delta synch?

    I would have thought that you would want to run:

    cscript "FORESTA_DeltaImport.vbs" – to import new data from A to the connector space and metaverse

    cscript "FORESTB_DeltaImport.vbs" – to import new data from B to the connector space and metaverse

    cscript "FORESTA_Export.vbs" – to export new data to A

    cscript "FORESTB_Export.vbs" – to export new data to B

    Thanks again.

  4. Don – remember the Delta Import is in fact a Delta Import (Stage Only) AND a Delta Sync combined.

    Having said that I am also slightly confused as to why you can’t just run this from both forests first before doing an Export each way but whatever – it seems to work!

    Thanks very much Rodney.

  5. After running GALSync, all objects are exported as contacts. I was wondering how difficult it would be to have the groups exported as groups instead of contacts?

    Thanks,

    Travis

  6. It worked perfectly, but I have a special need.

    I’m using different SMTP domains on the same forest.

    It doesn’t work right if I add 3 agents (2 for the same forest) and it won’t work with two SMTP domains in the same agent.

    Is there a special order for the scripts to synchronize correctly? The result is that in FORESTB, Contacts OU from FORESTA forest, I end up with contacts from FORESTA forest, from both agents, and this isn’t right. FORESTB remains unaffected.

    Thanks a lot,

    Vlad

  7. I’m running Windows 2000 Server, and I’m not able to find Security

    after creating the OU Contacts

    Step 17 in ‘to configure active directory’. On the Contacts Properties dialog box click Security.

    Please advise, thanks!

  8. This blog explaining the setup of GalSync for synchronizing two disparate address lists in an Exchange 2003 environment across two forests is useful.

    However, another question lies in how to synchronize free/busy traffic for calendaring functions across the same forests. Can GalSync also be used for calendaring, or is there another utility that does the same for free/busy? If such a utility exists, how is it set up?

    Thank you in advance for your reply.

    Julio

  9. Thanks for posting this article. After struggling for weeks to understand how the IIFP works for GAL syncs, this really clarified things.

    FReady

  10. Great description!

    When you have configured 3 Mgmt. Agents for 3 different Forests (for example A, B and C) and you have done the Import and Synch on all 3 MA’s – is it possible to separate the export??? So, if you run the export Profile on Mgmt. Agent for B only the Forest C will be exported to the AD of Forest B????

    thanx
    Roman

  11. I’m trying to install IIFP on 2003 Enterprise Server. I have .NET 2.0, IIS installed locally and I’m using a remote SQL 2000 server. After typing in the service account name, password, and domain (I’m using the administrator account) it begins the install process but then suddenly gives me an error and quits:
    “Error 25082. Error installing the Identitiy Integration Feature Pack WMI Provider. This is not a valid MOF File”

    I cannot find any info on the Internet regarding this error, any suggestions?

  12. This is a great article.
    Though, in my environment the contacts are not imported into the CS of FORESTA and I suspect that I have a problem in the ForestA MA configuration, maybe in section 19, where you describe the “Configure GAL page, configure the settings under Exchange configuration”. Can you please provide me more information about this subject?

    Thanks in advance!

  13. Dave,

    Are you trying to install MIIS on a 64b platform? MIIS is only supported on 32b and it throws error:

    “Error 25082. Error installing the Identitiy Integration Feature Pack WMI Provider. This is not a valid MOF File”

    when trying to install on 64b.

  14. Hello

    Could you please clarify what adsiedit is ?

    21. Open ADSIEdit and navigate to the container in the domain where the users, contacts, or mail enabled distribution groups are located.

    22. Right-click to expose the context menu, and select Properties.

    23. Click on the Security tab, and click Advanced.

    24. Choose to Add an ACE.

  15. Hmm, I’m having some odd errors occurring when I try to do this :(

    All my users are in one forest and I’m trying to get contacts to appear in the other forest.

    Every time I run the MA agent I get extension-unexpected-attribute-value on every single OU and user??

    Maybe I’m doing the container/target wrong.

    As far as I can work it, container is the location of all the users you want synced and target is the OU you want the contacts for the other forest to appear in. (Or am I going about this wrong somewhere?)

  16. OK, I have installed the 180 day trial of ILM 2007. I have MIIS 2003 but needed to use SQL 2005 for a domain merger. Until we get our mailboxes all moved over, I need to use the GALSync. My problem is, everything seems to work fine except there are no contacts created in either domain. Any ideas? I get no errors.

  17. Notes:

    Something worth mentioning: By default, if you’re importing contacts, the option in the Exchange Advanced tab, Use MAPI rich text format, will be checked.

    When clients using Microsoft Word as their default editor in Outlook send email, it will send as a file attachment. To avoid this you will need to remove all references to mAPIRecipient in the following areas:

    Edit your agent:
    Under Select Attributes uncheck mAPIRecipient
    Under Configure Attribute Flow you will need to select each Data Source Attribute.

    Expand the Object type under Data Source Attribute and find mAPIRecipient and click delete. Do this for all Data Source Attributes.

    Now I’m not sure when you re-export this to your AD if it will overwrite existing settings. I completely deleted all contacts and did a fresh export. When looking at the contact properties you will find that Use MAPI rich text format has been unchecked.

  18. How to set this up for 3 domains? I have IIFP up and running, but I’m not getting anything from the third domain?

  19. I have two forests.

    1. forest conf: win2008 + Exchange 2007

    2. forest conf: win2003 + Exchange 2003

    I have GALSync with MIIS. I can see users in AD on the other forest from both forests. Also I can see users in the other forest from the GAL in Outlook, but I cannot send mail and I cannot share calendar, tasks, etc…

    I get the error:

    calendar sharing is not avaible with the fallowing entries because of permission settings on your network or

    A configuration error in the e-mail system caused the message to bounce between two servers or to be forwarded between two recipients. Contact your administrator.

  20. This guide has some mistakes. For example: ADSIedit shows the LDAP Schema, not the organizational units. It should be ADUC instead of ADSIEdit. Also, I could not find the “Write proxyAddresses” in the properties tab in this step. However, the guide is useful in many ways.

    Regards.

  21. Hey Rodney!

    This is a very nice blog – thank you so much!

    But there is one step I really don’t understand! Why is it necessary to create the GalSync User and set the permissions on the OUs? Is it because I’m supposed to use the GAL-Sync-user in step 6 under “Creating and Running the Management Agents” – when I connect to the domain? (Because right now I just use the Admin-account and it works fine).

    Thanks again!

  22. Hey Rodney!

    This is a very nice blog – thank you so much!

    But there is one step I really don’t understand! Why is it necessary to create the GalSync User and set the permissions? Is it because I’m supposed to use the GAL-Sync-user in step 6 under “Creating and Running the Management Agents” – (when connecting to the domain?) Because right now I just use the Admin-account and it works just fine! But maybe it’s a security risk?

  23. Hi,

    We are currently implementing a testing lab for MIIS feature pack SP2.

    We created ForestA and ForestB and each forest has a dc and exchange 2003, which were installed on same server.

    MIIS Feature Pack is installed on another server. So there are total three servers in our case.

    When we try to create Management Agent for the remote forest, it shows failed connection.

    Please help, it is urgent for us.

    Thanks,

    Amy

  24. I know this is old but it’s the most comprehensive document on this configuration I can find.

    With that said, something seems a bit off. When creating the FORESTA GAL MA, when you select containers, why do you only select the Forest B container – wouldn’t the goal be to sync things OUTSIDE the Forest B container? It seems backwards.
