This article provides general guidance on enabling Active Directory synchronization with the Mimecast Synchronization Engine using its default settings.
Active Directory synchronization using the Mimecast Synchronization Engine does not synchronize passwords or provide any authentication functionality. If you require authentication for Mimecast applications, use Exchange EWS or ADFS domain authentication functionality.
Enabling Active Directory synchronization using the Mimecast Synchronization Engine involves the following tasks:
- Creating a user to connect with your Active Directory.
- Installing the Mimecast Synchronization Engine.
- Configuring your Mimecast Synchronization Engine site.
- Binding your Mimecast Synchronization Engine site to Mimecast.
Creating a User to Connect With Your Active Directory
A user is required to connect to your Active Directory in order to synchronize your data with Mimecast. This user must:
- Have read access to the parts of your directory that require synchronization.
- Have a password that doesn’t expire.
- Not require a password change on first log in.
- Be a member of the Exchange Organization Administrators group, if you have mail enabled public folders.
If you intend to use other services provided by the Mimecast Synchronization Engine, you may need to configure additional Exchange permissions. For more information, consult the Mimecast Synchronization Engine page.
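The following PowerShell, added here as an example and not part of the Mimecast article, creates a service account that meets the requirements listed above and then verifies them. The account name, OU path and UPN suffix are assumptions; adjust them for your domain.

```powershell
# Added example (not from the Mimecast article): create and verify the
# Active Directory account used by the Synchronization Engine.
# Requires the ActiveDirectory module (RSAT) on a domain-joined machine.
Import-Module ActiveDirectory

$samAccountName = 'svc-mimecast-sync'                      # assumed account name
$ouPath         = 'OU=Service Accounts,DC=example,DC=com'  # assumed OU
$upn            = "$samAccountName@example.com"            # assumed UPN suffix
$hasMailEnabledPublicFolders = $false                      # set $true if applicable

# Prompt for the password so it never sits in the script or shell history.
$password = Read-Host -Prompt "Password for $samAccountName" -AsSecureString

$params = @{
    Name                  = $samAccountName
    SamAccountName        = $samAccountName
    UserPrincipalName     = $upn
    Path                  = $ouPath
    AccountPassword       = $password
    Enabled               = $true
    PasswordNeverExpires  = $true   # requirement: password does not expire
    ChangePasswordAtLogon = $false  # requirement: no password change at first logon
    Description           = 'Mimecast Synchronization Engine directory read account'
}
New-ADUser @params

# Only required when mail-enabled public folders exist (see the requirements above).
if ($hasMailEnabledPublicFolders) {
    Add-ADGroupMember -Identity 'Exchange Organization Administrators' -Members $samAccountName
}

# Verify the account before entering it in Site Configure. Ordinary domain users
# can read the directory by default; re-check only if OU ACLs have been customised.
$user = Get-ADUser -Identity $samAccountName -Properties PasswordNeverExpires, pwdLastSet
$checks = [ordered]@{
    'Account enabled'                 = $user.Enabled
    'Password never expires'          = $user.PasswordNeverExpires
    'No password change at first logon' = ($user.pwdLastSet -ne 0)  # 0 = must change
}
foreach ($check in $checks.GetEnumerator()) {
    $status = if ($check.Value) { 'OK  ' } else { 'FAIL' }
    Write-Host "[$status] $($check.Key)"
}
```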
Installing the Mimecast Synchronization Engine
Follow the installation instructions listed in the Installing / Upgrading the Mimecast Synchronization Engine page.
The Mimecast Synchronization Engine must be installed on a Windows Server:
- With Windows Server 2003 through to Windows Server 2012 R2.
- With .Net Framework version 4.
- On the same LAN and domain as your Active Directory domain controllers to ensure the best performance.
- Able to connect outbound using HTTPS (port 443) to the following URLs:
Configuring Your Mimecast Synchronization Engine Site
To configure your Mimecast Synchronization Engine site:
- Open the Site Configure utility on the server where the Synchronization Engine is installed.
- Click on the Accounts tab.
- Complete the dialog as follows:
  - SMTP Address: Enter the email address displayed in the Connect Application. This is the user that will be used to access your Active Directory.
  - Password: Enter the password of the email address displayed in the Connect Application.
  - Use Exchange Impersonation: Ensure this option is selected. Although this is not used for Active Directory synchronization, it will be used if you ever use any of the Exchange related Synchronization Engine tasks as described in the Mimecast Synchronization Engine space.
  - Directory Option: Select the default "Microsoft Active Directory" option from the drop down list.
- Click the Apply button to start the site bind process (described below).
Binding Your Mimecast Synchronization Engine Site to Mimecast
In the context of the Mimecast Synchronization Engine, a binding is a security association between the site and Mimecast. The binding is created when a user with the required permissions successfully authenticates using the Site Bind process on the server where the Mimecast Synchronization Engine is installed. This binding is required for you to:
- View the Mimecast Synchronization Engine site in the Administration Console.
- Start scheduled tasks (e.g. Active Directory Synchronization).
Any Mailbox Unreachable errors can be ignored for this task.
Before binding your Mimecast Synchronization Engine site, the following tasks must be performed:
- Ensure the server where the Mimecast Synchronization Engine is installed has outbound connectivity using HTTPS (port 443) to Mimecast.
- Have the email address and password for the "Synchronization Engine Administrator" to hand; these are displayed in the Connect Application.
To bind the Mimecast Synchronization Engine site:
- Complete the dialog as follows:
  - Email Address: Enter the email address displayed in the Connect Application.
  - Password: Enter the password of the email address displayed in the Connect Application.
- Click the Bind button.
The Connect Application automatically performs the following steps:
- Finds the Mimecast account associated with the domain name of the email address entered.
- Registers (binds) the site with the discovered account.
- Validates that the Microsoft mailbox can successfully query the specified Directory Type.
- Saves the binding information to local storage.
Once a binding has been created successfully, you can view your installation in the Mimecast Administration Console in the Services | Synchronization Engine Sites page.
Validating the Mimecast Synchronization Engine Installation
The Mimecast Synchronization Engine server should pick up the site and start scheduling Active Directory synchronization within two minutes of the site being bound. We will validate that the connection is up and running for you.
To validate the connection yourself:
- Log in to the Mimecast Synchronization Engine server that the Active Directory Sync connection is configured to use.
- Navigate to the Service Log directory. By default this is %ProgramData%\Mimecast Synchronisation Engine\logs\.
- Open the current day's Log File.
- Search for the string "calling siteConfig."
If you see a line similar to the one below, Active Directory synchronization is being applied.
DEBUG|02062015 08:46:37,319| 4|mseservice|AntiCorruptionScheduler|+ event taskId: 2972, name: Task Description, next occurrence: 02/06/2015
If you do not see this line, you should see an error message indicating why the Active Directory synchronization cannot be applied. This is normally caused by a networking issue preventing the Mimecast Synchronization Engine from connecting to the Mimecast API.
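An added example (not from the Mimecast article) that automates the log check described above in PowerShell. The log file naming convention, the ERROR line format and the API host are assumptions, since the article does not list them; the host is a labelled placeholder to replace with one of the Mimecast URLs from the requirements section.

```powershell
# Added example (not from the Mimecast article): confirm the Synchronization
# Engine has fetched its site configuration and scheduled tasks, and if not,
# surface recent errors and test outbound TCP 443 (the usual cause).
$logDir  = Join-Path $env:ProgramData 'Mimecast Synchronisation Engine\logs'
$apiHost = '<mimecast-api-host>'   # placeholder: use a URL from the requirements list

if (-not (Test-Path $logDir)) {
    throw "Log directory not found: $logDir (is the Synchronization Engine installed?)"
}

# Current day's log: assumed to be the most recently written *.log file.
$logFile = Get-ChildItem -Path $logDir -Filter '*.log' |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $logFile) { throw "No .log files found in $logDir" }

# The site configuration call and the scheduler event lines shown in the article.
$siteConfig = Select-String -Path $logFile.FullName -Pattern 'calling siteConfig' -SimpleMatch
$scheduled  = Select-String -Path $logFile.FullName -Pattern 'AntiCorruptionScheduler\|\+ event taskId'

if ($siteConfig -and $scheduled) {
    Write-Host "OK: site configuration retrieved and tasks scheduled ($($logFile.Name))"
    $scheduled | Select-Object -Last 3 | ForEach-Object { Write-Host "  $($_.Line)" }
} else {
    Write-Warning "Site not yet scheduled in $($logFile.Name); recent ERROR lines:"
    # Assumes the level is the first pipe-delimited field, as DEBUG is in the sample line.
    Select-String -Path $logFile.FullName -Pattern '^ERROR\|' |
        Select-Object -Last 5 | ForEach-Object { Write-Warning $_.Line }

    # Networking check: can this server open an outbound TCP 443 connection?
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($apiHost, 443); Write-Host "TCP 443 to $apiHost is reachable" }
    catch   { Write-Warning "Cannot reach $apiHost on TCP 443: $($_.Exception.Message)" }
    finally { $client.Close() }
}
```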