Many organizations have different Active Directory environments. This article covers the supported implementation scenarios for Active Directory Sync using the Mimecast Synchronization Engine.
Single domain
In a single domain environment the default settings for Active Directory Sync should be used.
Only one Mimecast Synchronization Engine server with a single Directory Connector is required. The Mimecast Synchronization Engine is installed on a member server on the same LAN as the Domain Controller.
Parent child domain
In a parent child domain, one Directory Connector per domain is required. The advanced settings are used to override the:
- default connection settings,
- default user name and password,
- and the root distinguished name filter.
Only domains containing users and groups that you want added to Mimecast need to be synchronized.
Where the Domain Controllers for all domains in the forest are hosted in the same geographical location, a single Mimecast Synchronization Engine server can be used to host all of the Directory Connectors.
However, if the Domain Controllers for each domain are located in different geographical locations, it is not feasible to synchronize all domains from a single Mimecast Synchronization Engine server. This is because the connection speed from the Mimecast Synchronization Engine to a remote domain could be significantly slower and have a negative impact on performance.
Where a group contains members from the target domain and one or more remote domains, only users from the target domain are added to the AD Group in Mimecast.
Mimecast is actively working to improve this so that users from both the target domain and the remote domain(s) are added as group members in Mimecast.
Resource forest
In a resource forest scenario there are one or more user forests with active user accounts, and a resource forest where Microsoft Exchange Server is deployed, containing disabled user accounts.
In this scenario it is only necessary to synchronize the resource forest, because this is where all of the mail-enabled objects are hosted.
Typically user accounts are disabled in the resource forest. To prevent these users being disabled in Mimecast, do not use the Acknowledge Disabled Accounts in Active Directory setting when synchronizing a resource forest.
If there are objects in the user forest that you also need in Mimecast, for example security groups containing users with a mail attribute, or additional user attributes, you can additionally synchronize the user forest to add these groups to Mimecast.
If a user forest is synchronized, the Acknowledge Disabled Accounts in Active Directory setting should be used so that legitimately disabled users are also disabled in Mimecast.
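Before deciding how many Directory Connectors and Synchronization Engine servers the parent/child and resource forest scenarios above call for, it helps to inventory each domain: where its Domain Controllers sit, how many mail-enabled users it holds, how many of those are disabled (the Acknowledge Disabled Accounts decision), and which mail-enabled groups reference members from other domains (the members that will not be added to the Mimecast group). The following PowerShell script is an added example, not Mimecast's own tooling; it assumes the RSAT ActiveDirectory module on a domain member and read access to every domain in the forest, and uses the Domain Controller's AD site as a stand-in for "geographical location".

```powershell
# Added example (not Mimecast code): per-domain inventory for planning AD Sync connectors.
# Assumes the RSAT ActiveDirectory module and read access to each domain in the forest.
Import-Module ActiveDirectory

function Get-AdSyncInventory {
    param([switch]$ResourceForest)   # set this when the forest being inspected is a resource forest

    $forest = Get-ADForest
    foreach ($domainName in $forest.Domains) {
        $domain   = Get-ADDomain -Identity $domainName
        $domainDn = $domain.DistinguishedName          # e.g. DC=child,DC=corp,DC=example
        $server   = $domain.PDCEmulator                # query a DC that belongs to this domain
        $site     = (Get-ADDomainController -Identity $server).Site   # assumption: site ~ location

        # Mail-enabled users are the objects a Directory Connector creates in Mimecast.
        $users    = @(Get-ADUser -Server $server -Filter 'mail -like "*"' -Properties mail, Enabled)
        $disabled = @($users | Where-Object { -not $_.Enabled })

        # Mail-enabled groups whose member attribute references objects in another domain.
        # Compare the DC= suffix exactly, since a child domain DN ends with its parent's DN.
        # Foreign security principals from a trusted forest live under this domain's DN,
        # so they are not counted here.
        $groups = @(Get-ADGroup -Server $server -Filter 'mail -like "*"' -Properties member)
        $crossDomainGroups = foreach ($g in $groups) {
            $remote = @($g.member | Where-Object {
                $i = $_.IndexOf('DC=')
                ($i -lt 0) -or ($_.Substring($i) -ne $domainDn)
            })
            if ($remote.Count -gt 0) {
                [pscustomobject]@{ Group = $g.Name; RemoteMembers = $remote.Count }
            }
        }

        [pscustomobject]@{
            Domain            = $domainName
            DcSite            = $site            # different sites suggest separate MSE servers
            MailEnabledUsers  = $users.Count
            DisabledMailUsers = $disabled.Count
            GroupsCrossDomain = @($crossDomainGroups).Count
            AckDisabledHint   = if ($ResourceForest) { 'leave Acknowledge Disabled Accounts OFF' }
                                else                 { 'use Acknowledge Disabled Accounts' }
        }
    }
}

# Example run: one row per domain in the current forest.
Get-AdSyncInventory | Format-Table -AutoSize
```

A high GroupsCrossDomain count in a domain is the signal that group membership in Mimecast will be incomplete for that domain until all member domains are synchronized.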