Transition from Single Forest to Cross-Forest: Configuring Identity Integration Feature Pack : Part-3
Configuring Identity Integration Feature Pack
Before I start configuring IIFP for GAL sync, let me explain my lab environment topology.
I have two forests: (i) Happy.com and (ii) Smile.com
Both forests are connected to each other via a DMZ server.
Happy.com
In Happy.com I have two computers.
Computer 1 details:
Host name: E2K7.happy.com
IP address: 40.40.40.1
Server role: AD, DNS and Exchange Server
Computer 2 details:
Host name: IIFP.happy.com
IP address: 40.40.40.3
Server role: SQL and IIFP
Smile.com
In Smile.com I have one computer.
Computer details:
Host name: E2K3.smile.com
IP address: 192.168.0.1
Server role: AD, DNS and Exchange 2003 Server
DMZ Network
It has two NICs: one connects to happy.com and the other connects to smile.com.
Both Exchange servers are able to send and receive email, as I have already configured connectors between them.
Scope of this article: set up GAL synchronization between both forests.
In Happy.com
I have created one OU called Galsync. Beneath Galsync I have created two more OUs: Happy and Smile
Under the Happy OU I created the following OUs:
Contacts
Groups
Users
Under the Smile OU I have created only one OU, called:
Contacts
And I created users, one group called E2K7, and contacts, as you can see in Figure 1.
Figure 1:
I did the same setup on the Smile.com forest as well; see Figure 2:
Figure 2:
My intention is to do a transition from the smile.com forest to happy.com (cross-forest). Completing the transition will take time, but in the meantime I need GAL sync between both forests through some sort of sync connector. So at the end of this session I should see the e2k3.smile.com users as contacts in happy.com and vice versa.
So in order to have GAL sync we need MIIS or IIFP (Identity Integration Feature Pack). Here I am going to choose IIFP as the GAL sync tool.
Prerequisites:
- Exchange 2007 must have Service Pack 1
- One member server is required for IIFP, from either domain, for the IIFP configuration (I chose the Exchange 2007 server's domain for IIFP)
- The IIFP server should have ASP.NET, IIS and SQL installed (I have installed SQL 2005 with SP2)
- For downloading: click on this IIFP
Happy.com Forest:
E2K7: Windows 2003 with Service Pack 2
- Active Directory (Happy.com)
- DNS Server
- Exchange 2007 with Service Pack 1
IIFP: Windows 2003 with Service Pack 2
- SQL with Service Pack 2
- IIFP.exe
Smile.com Forest:
E2K3: Windows 2003 with Service Pack 2
- Active Directory (Happy.com)
- DNS Server
- Exchange 2003 with Service Pack 2
Configuring GAL Sync:
I hope everyone is clear on the current topology.
Now, in order to have GAL sync between the forests, we need to meet the following requirements:
- Proper DNS resolution between the forests
- A forest-wide trust relationship (optional but recommended)
- One common user account in each forest, with the proper rights to access the resources
- Finally, management agents for both forests created on the IIFP server
Configuring DNS:
DNS plays a vital role in my scenario: it gives me name resolution for both forests and lets me create the forest trust relationship.
In order to have communication between both domains, I will create a secondary forward lookup zone and a secondary reverse lookup zone for smile.com in happy.com, and vice versa for happy.com in smile.com.
Note: Before you can create a secondary zone (forward or reverse), you need to set “allow zone transfer” on the primary zone for the specific server that is going to host the secondary zone. Otherwise it will throw the error message “zone not loaded by DNS server”; see the figure below:
Figure 3:
So in order to allow the zone transfer, go to the properties of the primary lookup zone, e.g. smile.com => Properties => Zone Transfers => select “Allow zone transfers”.
Do the same thing for the reverse lookup zone of smile.com.
Then follow the above steps on the DNS server of happy.com to allow zone transfers on its forward and reverse lookup zones.
Figure 4:
Now I recreated the secondary zone on the happy.com DNS server, and you can see the difference.
Figure 5:
After this we need to create a secondary reverse lookup zone for smile.com in the happy.com domain.
Figure 6:
I will create a secondary zone for happy.com in the smile.com forest.
See Figure 7 below:
Brief summary:
Created a secondary zone for smile.com in the happy forest (forward and reverse zones)
Created a secondary zone for happy.com in the smile forest (forward and reverse zones)
Nslookup test: Figure 8:
Now the DNS configuration is successful.
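The “allow zone transfer” setting above is the one most often left wide open, which hands a full copy of the zone to anyone who asks. The following PowerShell check is added here (it is not from the original article) and reports, for each primary zone, whether transfers are limited to the named secondary server; it assumes the DnsServer module (Windows Server 2012 or later) and the lab's zone names and addresses.

```powershell
Import-Module DnsServer

# Primary zones on this DNS server and the only servers that should be allowed to
# pull them. Constructed for the article's lab: run on the smile.com DNS server,
# the happy.com DNS server (40.40.40.1) is the one hosting the secondary copies.
$ExpectedSecondaries = @{
    "smile.com"              = @("40.40.40.1")
    "0.168.192.in-addr.arpa" = @("40.40.40.1")   # reverse zone for 192.168.0.0/24
}

function Test-ZoneTransferPolicy {
    # Returns one record per zone with a verdict on its SecureSecondaries setting
    param([hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        $zone = Get-DnsServerZone -Name $name -ErrorAction SilentlyContinue
        if (-not $zone) {
            [pscustomobject]@{ Zone = $name; Status = "MISSING"; Allowed = "" }
            continue
        }
        $allowed    = @($zone.SecondaryServers | ForEach-Object { $_.IPAddressToString })
        $unexpected = @($allowed | Where-Object { $Expected[$name] -notcontains $_ })
        $status = switch ($zone.SecureSecondaries) {
            "NoTransfer"               { "TRANSFER DISABLED (secondary zone will not load)" }
            "TransferAnyServer"        { "OPEN: any host can pull the whole zone" }
            "TransferToZoneNameServer" { "NS records only: review the NS list" }
            "TransferToSecureServers"  {
                if ($unexpected.Count) { "RESTRICTED, but extra hosts: $($unexpected -join ',')" }
                else                   { "OK" }
            }
        }
        [pscustomobject]@{ Zone = $name; Status = $status; Allowed = ($allowed -join ',') }
    }
}

Test-ZoneTransferPolicy -Expected $ExpectedSecondaries | Format-Table -AutoSize

# To tighten an open zone to the listed secondary only (shown, not run automatically):
# Set-DnsServerPrimaryZone -Name smile.com -SecureSecondaries TransferToSecureServers -SecondaryServers 40.40.40.1
```

Run the same check on the happy.com DNS server with the happy.com zones and 192.168.0.1 as the expected secondary.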
2) Creating a forest trust between these two forests:
To create a forest trust we need to raise the forest functional level to “Windows 2003” mode, but before that we need to raise the domain functional level to “Windows 2003”; otherwise you will not be able to create the forest trust relationship.
To raise the forest functional level:
Open Active Directory Domains and Trusts
Right-click the domain name, in my case happy.com, then click on Raise Domain Functional Level and set it to Windows 2003
Right-click “Active Directory Domains and Trusts” and then click on Raise Forest Functional Level and set it to Windows 2003.
Follow the above steps on smile.com as well.
Now I am ready to create the forest trust relationship.
Open Active Directory Domains and Trusts
Right-click the domain name: happy.com
Click on the Trusts tab
Click on New Trust, follow the wizard instructions, select the trust type as “Forest trust” and follow the remaining instructions
If you want to see each and every step, please click on the following link and download:
Printscreen of forest trust relationship
For smile.com:
Follow the above steps on the smile.com AD server to establish the trust relationship
After configuring the trust relationship you should be able to see something like the figure below in both domains: Figure 9
Now we have good DNS resolution and a forest trust between them.
It's time to create a common account.
One common user account in each forest, with proper rights to access the resources:
I have created an account called galma in both forests. This account will be the one that has the rights to synchronize the GAL between the forests.
In happy.com: galma@happy.com
In smile.com: galma@smile.com
Before we start synchronization we should give this account certain rights:
In Happy.com:
Open Active Directory Users and Computers (select Advanced Features)
Right-click happy.com => Delegate Control => click Next
Add user: galma@happy.com and then click Next
Under Tasks to Delegate: select “Create a custom task to delegate”, then click Next
Under Active Directory Object Type: select “This folder, existing objects in this folder, and creation of new objects in this folder” and click Next
Under Permissions select General, Property-specific and Creation/deletion of specific child objects, and in the permissions table select “Replicating Directory Changes” and “Replication Synchronization”; then click Next and then click Finish.
Now we need to go to the specific target folder where the contacts for the second forest will be created. I have an OU called Galsync; under that there are two OUs, one is Happy and the other is Smile, and under the Smile OU I have one more OU called CONTACTS. So what I am going to do here is give Read, Write, Create All Child Objects, and Delete All Child Objects on that OU to galma@happy.com
See Figure 10 below:
After this, open ADSI Edit and go to the properties of the container where we have the users, groups and contacts of happy.com, i.e. OU=Happy,OU=Galsync,DC=Happy,DC=com (this is the place where I have the Users, Groups and Contacts OUs for happy.com)
Right-click the Happy OU => Properties
Click on the Security tab => Advanced
Under the Permissions tab => click on Add
Add galma@happy.com => now you will get a permission entry for Happy (ACE)
Click on the Properties tab => select Child objects only
Under Child objects only => select Write proxyAddresses.
Then don't forget to select “Apply these permissions to objects and/or containers within this container only”.
Then click OK
Now we are done with the rights configuration on happy.com. It's time to do the same activity on smile.com.
Go to the smile.com AD server
Open Active Directory Users and Computers (Advanced Features)
Right-click smile.com => Delegate Control
Add galma@smile.com and give it “Replicating Directory Changes” and “Replication Synchronization”
Then go to the Contacts OU that resides under the Happy OU of smile.com: add galma@smile.com and give it the following rights: Read, Write, Create All Child Objects, and Delete All Child Objects
Then navigate to ADSI Edit => Smile.com => Domain partition => Galsync => Smile (OU) => Properties => Security => Advanced => Permissions tab => Add: galma@smile.com => Properties => select Child objects only => Write proxyAddresses.
OK, so far what we have done:
Configured DNS
Created a forest-level trust relationship
Created the galma account in both forests
Assigned it the appropriate rights.
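The replication rights delegated above are the same rights domain controllers use to replicate with each other, so galma now belongs on the short list of accounts a defender keeps an eye on. The following PowerShell audit is added here (it is not from the original article): it lists every identity holding those replication rights on the domain root and everyone with write access to proxyAddresses on the Happy OU, and flags any holder other than the expected one. It assumes the ActiveDirectory module and the lab's names (happy.com, the NetBIOS name HAPPY, galma, OU=Happy,OU=Galsync).

```powershell
Import-Module ActiveDirectory

# Assumed lab values from the article; adjust for your forest.
$DomainDN  = (Get-ADDomain).DistinguishedName            # DC=happy,DC=com
$GalsyncOU = "OU=Happy,OU=Galsync,$DomainDN"
$Expected  = @("HAPPY\galma")                            # the only delegated holder we expect

# Well-known extended-right GUIDs from the AD schema (controlAccessRight objects)
$ReplRights = @{
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" = "Replicating Directory Changes"
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" = "Replicating Directory Changes All"
    "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2" = "Replication Synchronization"
}
# Resolve the schemaIDGUID of proxyAddresses at run time rather than hard-coding it
$schemaNC   = (Get-ADRootDSE).SchemaNamingContext
$proxyAttr  = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=proxyAddresses)" -Properties schemaIDGUID
$proxyGuid  = New-Object System.Guid -ArgumentList (,[byte[]]$proxyAttr.schemaIDGUID)
$ProxyRight = @{ $proxyGuid.ToString() = "Write proxyAddresses" }

function Get-DelegatedRight {
    # One record per Allow ACE on $Path whose ObjectType matches a GUID in $GuidMap
    param([string]$Path, [hashtable]$GuidMap)
    (Get-Acl -Path "AD:\$Path").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $GuidMap.ContainsKey($_.ObjectType.ToString()) } |
        ForEach-Object {
            $who = $_.IdentityReference.ToString()
            [pscustomobject]@{
                Object    = $Path
                Identity  = $who
                Right     = $GuidMap[$_.ObjectType.ToString()]
                Inherited = $_.IsInherited
                Expected  = ($Expected -contains $who)
            }
        }
}

$report = @(Get-DelegatedRight -Path $DomainDN  -GuidMap $ReplRights) +
          @(Get-DelegatedRight -Path $GalsyncOU -GuidMap $ProxyRight)

$report | Sort-Object Object, Identity | Format-Table Object, Identity, Right, Inherited, Expected -AutoSize

# Built-in holders (Domain Controllers, Enterprise Domain Controllers, Administrators)
# will appear on the domain root; anything else outside $Expected deserves a look.
$report | Where-Object { -not $_.Expected } |
    ForEach-Object { Write-Warning "$($_.Identity) holds '$($_.Right)' on $($_.Object)" }
```

Run the same script on the smile.com domain controller with SMILE\galma and OU=Smile,OU=Galsync to audit the second forest.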
Now the next step is creating a management agent that will sync the user accounts to contacts in both forests:
Creation of Management Agent:
Go to the IIFP server where we installed the IIFP management pack.
Click on Start => Programs => Microsoft Identity Integration Server => Identity Manager.
Figure 12:
Click on Management Agents; in the Actions pane click on Create and you will see the screen below, Figure 13:
First we will create a management agent for Happy.com and then we will create one for Smile.com.
It will give you 3 options: select Active Directory global address list (GAL), name it Happy GAL MA and hit Next.
The next screen is “Connect to Active Directory Forest”; here you need to give the forest name, user ID (Happy.com), password and domain. Figure 14:
Next is configuring directory partitions:
Under Select directory partitions: select DC=happy,DC=com
Under Domain controller connection settings: click on Options and uncheck “Sign and Encrypt LDAP Traffic”: Figure 15
On the same page you will see an option called Containers: click on Containers and select only the specific OUs that are going to be part of the sync. By default it will select all OUs, so we need to uncheck the root OU and select only the specific OUs, then click Next; see Figure 16 below
The next screen that appears is “Configure GAL”
On this screen click on Target and select the Contacts OU under the Smile OU container: Figure 17
Then click on Source and select only those OUs which we need to sync to the other forest, i.e. Users, Groups and Contacts, as per Figure 18:
Then, on the same page, you will see “Exchange configuration”: click on Edit, add the suffix @happy.com, click OK and then Next, as per Figure 19
Next screen, Select Object Types: leave it at the default and click Next (Figure 20)
Select Attributes: leave it at the default, simply click Next (Figure 21)
Next, Configure Connector Filter: simply click Next (Figure 22)
Configure Join and Projection Rules: don't make any changes, click Next (Figure 23)
Configure Attribute Flow: simply click Next (Figure 24)
Configure Deprovisioning: hit Next (Figure 25)
Configure Extensions: hit Finish (Figure 26)
Now we have created a management agent for the Happy.com GAL (Figure 27)
The next thing we need to do is create the GAL management agent for Smile.com. The steps will be almost the same as we did above; the only differences are the forest and the user ID for the credentials, and here the Happy Contacts OU will be selected as the Target and the Smile OU containers will be selected as the Source.
Let's take a walk through how to configure the Smile GAL MA:
On the IIFP server => Identity Manager
Click on Management Agents => Create
Select Active Directory global address list (GAL)
Name: Smile GAL MA and hit Next (Figure 28)
Connect to Active Directory Forest: (Figure 29)
Configure Directory Partitions: (Figure 30)
Select DC=smile,DC=com
Uncheck “Sign and Encrypt LDAP Traffic” (under Options)
Select the Galsync OU (under Containers) and hit Next
Configure GAL: (Figure 31)
Target : ou=contacts,OU=Happy,OU=Galsynch,DC=Smile,DC=com
Source : ou=contacts, OU=smile, OU=Galsynch,DC=Smile,DC=com
ou=users, OU=smile, OU=Galsynch,DC=Smile,DC=com
ou=groups, OU=smile, OU=Galsynch,DC=Smile,DC=com
Under Exchange configuration: add the suffix @smile.com, hit OK and then Next
Select Object Types: leave the default setting, hit Next
Select Attributes: leave the default setting, hit Next
Configure Connector Filter: leave the default setting, hit Next
Configure Join and Projection Rules: leave the default setting, hit Next
Configure Attribute Flow: leave the default setting, hit Next
Configure Deprovisioning: leave the default setting, hit Next
Configure Extensions: leave the default setting, hit Finish
Then click on Tools => Options => select “Enable Provisioning Rules Extension” and click OK (Figure 32)
After this we need to run the following profiles for both GAL MAs, one by one:
Full import (stage only)
Full import
Delta import (stage only)
Delta import
Export
Delta synchronization
Full synchronization
Full import and synchronization
E.g. first you run Full import (stage only) on the Happy GAL MA and then on the Smile GAL MA and check the status: it should show success; then proceed with the next step, and so on.
Tip: once you click on Export and it completes successfully, you can see the list of contacts which will get created.
How to run those profiles:
Simply right-click the Happy GAL MA, then click on Run and select Full import. Run it on the Smile GAL MA in the same way.
Once you complete the above profile synchronization process you can see, in the happy domain under the Smile Contacts OU, the list of contacts for the users' mailboxes which are in smile.com, and vice versa in smile.com. (Figure 33)
Let's take a look at the happy domain to see whether we can see the contacts of the e2k3 users (Figure 34)
Let's take a look at smile.com to see the e2k7 contacts (Figure 35)
Related Articles:
Transition from Single Forest to Cross-Forest: Brief Introduction how to go with transition process : Part-1
Transition from Single Forest to Cross-Forest: Installation of Exchange 2007 Service Pack 1 : Part-2
Upcoming Article:
Transition from Single Forest to Cross-Forest: User account and mailbox movement from one forest to another forest: Part-4
Reference:
How to Transition from Single Forest to Cross-Forest
Identity Integration Feature Pack (IIFP) - GalSync unleashed
I hope this article has given you a good understanding of how to configure IIFP. Thank you for taking the time to go through this article.
I see at the top, just before the ILM configuration, you state:
"Both the Exchange Servers are able to send and receive email as I already configured connectors between them".
Can you elaborate on how these connectors are configured? I'm going through this process right now and I'm having trouble delivering mail between the two forests.
Hi Mate,
If it is a lab it is very easy to set up - VMware configuration.
In real time - you can configure a connector from the source to the target domain and give the IP address of the bridgehead server and address your target domain like this, and vice versa.
Regards
Ismail Mohammed