Migrating from LDAP sync to Active Directory push sync

Document created by user.oxriBaJeN4 (Employee) on Sep 3, 2015. Last modified by user.oxriBaJeN4 (Employee) on Mar 27, 2017. Version 7.

If your organization wants to switch from inbound LDAP Directory Sync to the outbound Active Directory push sync using the Mimecast Synchronization Engine, it is important to follow the guidance in this article to prevent interruption to mail flow and end user access to Mimecast applications.

The Active Directory push sync does not perform any authentication; it only pushes directory data to Mimecast.

What You'll Need

  • At least version 2.8.0.6217 of the Mimecast Synchronization Engine deployed in your environment.
  • An Active Directory user with read permissions to your organization's Active Directory.
  • A Mimecast Administrator with edit permissions to the Administration | Services | Directory Synchronization, Administration | Services | Applications, and Administration | Directories | Internal Directories menus.
  • If the users in your organization use their Active Directory password to authenticate with Mimecast applications, you will need an alternative domain authentication provider in place.

Required Steps

  1. Adjust Recipient Validation
  2. Configure an alternate domain authentication provider
  3. Create a user to connect to Active Directory
  4. Install and configure the Mimecast Synchronization Engine
  5. Change the Directory Connector

Adjust Recipient Validation

This step is very important to prevent interruption to mail flow during the migration.

If your organization is using the Accept inbounds for valid Directory users only method of recipient validation for your internal domains, you should change this to remove the dependency on Directory Sync while you are migrating the connector. This can be switched back after migration if required. To do this:

  1. Log in to the Administration Console.
  2. Navigate to the Administration | Directories | Internal Directories menu.
  3. For each of the domains using this method of recipient validation, right click the domain and select Edit Domain.
  4. Change Check Inbounds to an option other than Accept inbounds for valid Directory users only. Using Accept emails for known recipients only is the recommended setting.

Configure an alternate domain authentication provider

This step is very important to prevent interruption to end user access to Mimecast applications.

When migrating from LDAP Directory Sync you are removing the inbound channel that Mimecast uses to authenticate users with their Active Directory password. Before migrating your Directory Connector you need to implement an alternative domain authentication method.

Mimecast offers alternate Active Directory domain authentication mechanisms using either Active Directory Federation Services (ADFS) or Exchange Web Services (EWS).

Create a user to connect to Active Directory

As part of the configuration of Active Directory Sync you will need to supply the credentials of a user with read permissions. This will be the user that connects to Active Directory to synchronize data with Mimecast.

Mail enabled Public Folders: In order to replicate the email addresses of Exchange mail enabled Public Folders this user must also be a member of the Exchange Organization Administrators group.

Install and Configure the Mimecast Synchronization Engine

The Mimecast Synchronization Engine installer is presented as a wizard guiding you through the installation.

It is important to consider these points when installing the Mimecast Synchronization Engine for Active Directory Sync:

Change the Directory Connector


The final step in the migration is to change the type of your existing LDAP Directory Connector to the new Active Directory Sync using the Mimecast Synchronization Engine. To do this:

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Services | Directory Synchronization menu item.
  4. Select your existing LDAP connector.
  5. From the Type dropdown choose Active Directory (using Synchronization Engine).
  6. Enter a Description for your connection.
  7. From the Synchronization Engine Sites drop down list select the Mimecast Synchronization Engine site where Active Directory Sync should run.
  8. Click Save and Exit to apply your changes.


Optional Settings

Acknowledge Disabled Accounts in Active Directory: This setting uses the userAccountControl Active Directory attribute to determine the status of a user. When enabled, users that are disabled in Active Directory will also be disabled in Mimecast.

Domains: This setting defines which of your organization's internal email domains will be included in the sync. If left empty, all email domains registered as a Mimecast Internal Domain will be considered. To limit the sync to specific domains, add a comma separated list without spaces to this field, for example:

mimecast.com,mimecast.co.uk
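To make the two optional settings concrete, here is an added Python example (not Mimecast code) that models what the push sync would send for a small constructed directory: it tests the ACCOUNTDISABLE bit (0x0002) of userAccountControl, which is the Active Directory flag for a disabled account, and applies the comma separated Domains filter, including the "empty means all internal domains" case and the no-spaces rule. The user records, the addresses, and the plan_sync / parse_domains_field function names are assumptions for the illustration; the userAccountControl bit values are standard Active Directory constants.

```python
# Added example, not Mimecast code: how the two optional connector settings
# decide what the Active Directory push sync would send for each user.
from dataclasses import dataclass

# Standard userAccountControl bit values (Active Directory constants).
ACCOUNTDISABLE = 0x0002         # account is disabled
NORMAL_ACCOUNT = 0x0200         # 512: ordinary user account
DONT_EXPIRE_PASSWORD = 0x10000  # 65536: password never expires


@dataclass
class AdUser:
    """Constructed stand-in for an AD user object (only the attributes we need)."""
    sam_account_name: str
    mail: str
    user_account_control: int


def is_disabled(user_account_control: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set; other bits are irrelevant."""
    return bool(user_account_control & ACCOUNTDISABLE)


def parse_domains_field(value: str) -> list:
    """Parse the connector's Domains field: comma separated, no spaces.

    An empty field means every registered internal domain (returned as []).
    """
    if value == "":
        return []
    if " " in value:
        raise ValueError("Domains field must not contain spaces")
    domains = [d.lower() for d in value.split(",")]
    if "" in domains:
        raise ValueError("Domains field contains an empty entry")
    return domains


def plan_sync(users, domains_field: str, acknowledge_disabled: bool) -> dict:
    """Map each in-scope address to the state the sync would push to Mimecast."""
    domains = parse_domains_field(domains_field)
    plan = {}
    for user in users:
        domain = user.mail.rsplit("@", 1)[-1].lower()
        if domains and domain not in domains:
            continue  # outside the configured Domains filter: not synced
        disabled = acknowledge_disabled and is_disabled(user.user_account_control)
        plan[user.mail] = "disabled" if disabled else "enabled"
    return plan


# Constructed sample directory; these are not real accounts.
SAMPLE_USERS = [
    AdUser("alice", "alice@mimecast.com", NORMAL_ACCOUNT),                # 512
    AdUser("bob", "bob@mimecast.com", NORMAL_ACCOUNT | ACCOUNTDISABLE),   # 514
    AdUser("carol", "carol@mimecast.co.uk",
           NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD),       # 66050
    AdUser("dave", "dave@example.net", NORMAL_ACCOUNT),  # not an internal domain
]

if __name__ == "__main__":
    for address, state in plan_sync(SAMPLE_USERS, "mimecast.com,mimecast.co.uk", True).items():
        print(address, state)
```

Note that carol's value of 66050 is still reported as disabled: only the 0x0002 bit matters, which is why a bitwise test is used rather than comparing the whole attribute with 514.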

 

Advanced Settings

The Advanced Settings are designed to be used for very large and / or multi domain Active Directory Forests. These settings cannot be used in isolation: if you want to use one of them, then all of them must be configured.

The table below describes each of the available settings.

Hostname / IP Address: Override the internal hostname or IP address that Active Directory Sync should connect to.

Connection Port: Override the port that Active Directory Sync should use for connections to the specified host.

User Name: Override the user name used to connect to Active Directory to synchronize data. Use the DOMAIN\user format, for example, MIMECAST\administrator.

Password: Override the password for the user specified in the User Name field.

Root Distinguished Name: Specify a filter to use when synchronizing data from Active Directory, for example, OU=london,DC=mimecast,dc=local.
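The all-or-nothing rule for the Advanced Settings is easy to get wrong when a connector is edited by hand, so here is an added Python pre-flight check (example code, not part of Mimecast's product) that validates a settings block before it is saved: all five fields set or none of them, DOMAIN\user format for the user name, a usable TCP port, and a Root Distinguished Name made of type=value pairs. The dictionary keys are assumed names for the five fields; the sample host dc01.mimecast.local, the port 389 and the password placeholder are constructed for the example, and the Root DN is the one from the table above.

```python
# Added example, not Mimecast code: pre-flight validation of the connector's
# Advanced Settings before saving them in the Administration Console.
import re

# Keys are assumed names for the five Advanced Settings fields.
ADVANCED_FIELDS = ("hostname", "port", "user_name", "password", "root_dn")
USER_RE = re.compile(r"[^\\\s]+\\[^\\\s]+")                  # DOMAIN\user
DN_PART_RE = re.compile(r"\s*[A-Za-z][A-Za-z0-9-]*=[^,]+")  # type=value (no escaped commas)


def validate_advanced_settings(settings: dict) -> list:
    """Return a list of problems; an empty list means the block is usable."""
    problems = []
    present = {k for k in ADVANCED_FIELDS if settings.get(k) not in (None, "")}
    if not present:
        return problems  # Advanced Settings unused: the connector defaults apply
    missing = [k for k in ADVANCED_FIELDS if k not in present]
    if missing:
        problems.append("Advanced Settings are all-or-nothing; missing: " + ", ".join(missing))
    user = settings.get("user_name") or ""
    if user and not USER_RE.fullmatch(user):
        problems.append("User Name must use DOMAIN\\user format")
    port = settings.get("port")
    if port not in (None, ""):
        try:
            if not 1 <= int(port) <= 65535:
                raise ValueError(port)
        except (TypeError, ValueError):
            problems.append(f"Connection Port {port!r} is not a valid TCP port")
    root_dn = settings.get("root_dn") or ""
    if root_dn and not all(DN_PART_RE.fullmatch(p) for p in root_dn.split(",")):
        problems.append(f"Root Distinguished Name {root_dn!r} is not a type=value DN")
    return problems


# Constructed sample; host and password are placeholders, the DN is from the article.
GOOD_SETTINGS = {
    "hostname": "dc01.mimecast.local",
    "port": "389",
    "user_name": "MIMECAST\\administrator",
    "password": "<password-placeholder>",
    "root_dn": "OU=london,DC=mimecast,dc=local",
}

if __name__ == "__main__":
    print(validate_advanced_settings(GOOD_SETTINGS))
    print(validate_advanced_settings({"hostname": "dc01.mimecast.local"}))
    print(validate_advanced_settings(dict(GOOD_SETTINGS, user_name="administrator")))
```

The DN check is deliberately simple (it does not handle escaped commas inside a value); its purpose is to catch a bare OU name or a missing attribute type before the sync runs with a filter that matches nothing.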

Next Steps

Check that the Mimecast Synchronization Engine has Applied the Configuration

Within 2 minutes of saving the configuration in the Administration Console your Mimecast Synchronization Engine server should pick up the new configuration and schedule Active Directory Sync. To check this:

  1. Log in to the Mimecast Synchronization Engine server that the Active Directory Sync connection is configured to use and navigate to the service log directory, by default C:\Program Files\Mimecast\SynchronizationEngine\log\service.
  2. Open the log file for the current day and search for the string "calling siteConfig."
  3. Following this you should see a line similar to the one below, showing Active Directory Sync being applied and the next time the synchronization is scheduled to start:

    DEBUG|02062015 08:46:37,319| 4|mseservice|AntiCorruptionScheduler|+ event taskId: 2972, name: Task Description, next occurrence: 02/06/2015 13:00:00  

If you do not see this line you should see an error message indicating why Active Directory Sync cannot be applied. Typically this is caused by a networking issue preventing the Mimecast Synchronization Engine connecting to the Mimecast API.

If you would like to run a sync before the next scheduled execution, use the Sync Directory Data button on the Administration | Services | Directory Synchronization page in the Administration Console.


Check the Status of Active Directory Sync

By default the Mimecast Synchronization Engine syncs your Active Directory every 5 hours, starting at 8 AM local server time; the last run of the day starts at 11 PM local server time.
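As an added example (not Mimecast's code), the following Python reads service log lines of the kind described in the previous section, confirms that the "calling siteConfig." call was followed by the scheduler event line, extracts the task id and next occurrence, collects any ERROR lines when it was not, and checks the logged next occurrence against the default 8 AM / 1 PM / 6 PM / 11 PM schedule stated above. Apart from the scheduler line quoted in the article, the sample lines are constructed and the component names in them are made up; the code also assumes the log writes dates day first (ddMMyyyy and dd/MM/yyyy), which the article does not state.

```python
# Added example, not Mimecast code: check the Synchronization Engine service
# log for the "calling siteConfig." call and the scheduler line that follows it.
import re
from datetime import datetime, timedelta

# Default schedule from the article: every 5 hours from 08:00, last run 23:00.
SCHEDULE_HOURS = (8, 13, 18, 23)

# Log line prefix: LEVEL|ddMMyyyy HH:MM:SS,millis|... (day-first date is an assumption)
TS_RE = re.compile(r"^(?P<level>[A-Z]+)\|(?P<ts>\d{8} \d{2}:\d{2}:\d{2}),\d+\|")
# Scheduler event line of the shape quoted in the article.
SCHED_RE = re.compile(
    r"\+ event taskId: (?P<task>\d+), name: (?P<name>[^,]+), "
    r"next occurrence: (?P<next>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
)


def expected_next_run(now: datetime) -> datetime:
    """First scheduled start strictly after `now` under the default schedule."""
    for hour in SCHEDULE_HOURS:
        candidate = now.replace(hour=hour, minute=0, second=0, microsecond=0)
        if candidate > now:
            return candidate
    # Past 23:00: the next run is 08:00 tomorrow.
    tomorrow = now + timedelta(days=1)
    return tomorrow.replace(hour=8, minute=0, second=0, microsecond=0)


def check_site_config(lines):
    """Scan log lines; report whether the configuration was applied and scheduled.

    Returns a dict with keys applied, task_id, next_run, on_schedule, errors.
    """
    result = {"applied": False, "task_id": None, "next_run": None,
              "on_schedule": None, "errors": []}
    awaiting_schedule = False
    for line in lines:
        head = TS_RE.match(line)
        if not head:
            continue
        if "calling siteConfig" in line:
            awaiting_schedule = True
            continue
        if head.group("level") == "ERROR":
            result["errors"].append(line.strip())
        event = SCHED_RE.search(line)
        if awaiting_schedule and event:
            stamp = datetime.strptime(head.group("ts"), "%d%m%Y %H:%M:%S")
            next_run = datetime.strptime(event.group("next"), "%d/%m/%Y %H:%M:%S")
            result.update(applied=True, task_id=int(event.group("task")),
                          next_run=next_run,
                          on_schedule=next_run == expected_next_run(stamp))
            awaiting_schedule = False
    return result


# Constructed sample: the first line is made up, the second is the one quoted
# in the article; the component name "SiteConfig" is made up.
HEALTHY_LOG = [
    "DEBUG|02062015 08:46:35,102| 4|mseservice|SiteConfig|calling siteConfig.",
    "DEBUG|02062015 08:46:37,319| 4|mseservice|AntiCorruptionScheduler|"
    "+ event taskId: 2972, name: Task Description, next occurrence: 02/06/2015 13:00:00",
]

# Constructed sample of the failure mode the article describes (API unreachable).
FAILED_LOG = [
    "DEBUG|02062015 08:50:01,000| 4|mseservice|SiteConfig|calling siteConfig.",
    "ERROR|02062015 08:50:31,000| 4|mseservice|SiteConfig|"
    "siteConfig failed: could not connect to the Mimecast API (constructed message)",
]

if __name__ == "__main__":
    for name, log in (("healthy", HEALTHY_LOG), ("failed", FAILED_LOG)):
        print(name, check_site_config(log))
```

For the quoted line the check passes: at 08:46 the next slot is 13:00 the same day, which is exactly the next occurrence the scheduler logged. A next occurrence that does not match the expected slot is reported with on_schedule set to False, which is worth investigating before relying on the sync window.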

Most of the processing for Active Directory Sync happens on the Mimecast Synchronization Engine server. Once the required data has been extracted from Active Directory it is submitted to Mimecast to be committed to your service.

At this stage the status of the Directory Connection is updated. The status of the last sync can be viewed in the Administration Console from the Administration | Services | Directory Synchronization menu.
