The Microsoft Directory Synchronization Tool (DST) is not a requirement for the FOPE solution but it’s one of those really nice things to have. The DST Tool will synchronize all Active Directory users with FOPE in the cloud while using DST your company can take advantage of the following:
- The data that will be transmitted in a secure way to the FOPE is the First name, Last Name, SMTP Address and the hash of safe senders of each user
- All accounts synchronized will show up on the FOPE Admin page under Users tab
- Enabling the Directory-Based Edge Blocking the administrator forces the organization to only receive mail from valid users and any message addressed to a non-user will be blocked at FOPE level
- Users’ safe sender will be transmitted to FOPE services as part of the synchronization process and the information helps messages being filtered
- Safe Sender from the end-users is only for addresses and it does not apply for domains or groups
- Safe Sender is per-user basis, a safe sender for my user won’t affect another user in the organization
- Safe Sender is an Exchange feature introduced in Exchange Server 2007 (manual process to update) and automated in Exchange Server 2010. It requires at least 2003 or later on the client side.
To deploy the DST tool few steps are required on both sides of the fence: such as, create an account on the FOPE side, deploy and configure the DST Tool (on-premises), and finally monitor the DST Tool.
Bear in mind that after moving to FOPE, this tool will be your key piece of software that will feed your FOPE environment. An example is that if your server where the DST runs is down for 2 (two) days, it will affect your company ability to receive e-mails for new users because the synchronization won’t be working.
Creating an FOPE User to support the synchronization…
The first main step before installing the tool is to make sure that you have an account created on the FOPE Admin console. Click the Administration tab, then click Users, and Add Users and type in the SMTP address of the account that will be used by DST (Figure 01)
The new user creation in the FOPE Admin console displays the user properties (Figure 02) and like any other user, we can configure several features. However, we will continue on this page to complete two steps required by our synchronization: First, we need to set up a password, and we can do that by clicking Change which is located in the Security section; Secondly and most importantly we need to click Grant which is located in the same Security section and assign the role of Administrator or Account Manager to this new account.
Configuring FOPE Admin Console
Now that we have the user created it is time to configure the FOPE Admin Console to support the Microsoft Directory Synchronization Tool to run properly when the time comes. The first thing is to configure a recipient to receive the notification updates when a list is uploaded to FOPE services.
In order to do that, open the FOPE Admin Console, click the Administration tab, and then click Company. In the Service settings section click Edit, add an e-mail address related to the user synchronization and click Save.The result will be similar to the one shown in the Figure 03.
The second step is to go to Domains, and select the desired domain from the list. Then, click Edit which is located in the Service Settings / User List Settings section. On the new page that is displayed, let’s change to Directory Synchronization Tool and for now let’s select Disabled on the Directory-Based Edge Blocking, and finally Save (Figure 04).
If you select Reject instead of Disabled, then all messages to our domain would be blocked because we haven’t synchronized our users to FOPE.
Installing the Microsoft Synchronization Tool
Let’s download the tool from the following site and just double click the file.
In the initial page of the tool we need to enter the user information that we created in the previous section, and the tool itself has 3 (three) main areas: Active Directory Connectivity, Admin Center Settings and Directory Synchronization Settings. They can be seen on the main page as shown in Figure 05.
In the Active Directory Connectivity section, the tool checks if the local domain is accessible and we can always click the Details button to see if the communication is working properly. We also have a button called Preview sync objects…, which allows us to search for users being synchronized with Microsoft and check the SMTP Addresses and the size of the safe aggregation list.
In the Admin Center Settings section all the information comes from the FOPE Admin page. It’s everything that we have configured in the previous section.
The last but not least section is the Directory Synchronization Settings which give us the option to change the account that is synchronizing, the frequency of the synchronization and when the last synchronization occurred. We can also force synchronization by clicking Sync Now.
Monitoring the Directory Synchronization Tool
After installing the Directory Synchronization Tool, a new service will be configured (Figure 06) as Automatic and this is the service responsible to add any new on-premises users on the FOPE environment.
You can play simple and configure the service itself to restart automatically using services properties, however if you have SCOM you can follow the steps below to get your monitoring of FOPE up and running in a few minutes.
If you have SCOM in your environment you are aware that Groups are the key component for SCOM and they define your security boundaries, Views, and they work well with overrides and so forth. Our first step is to create a group and afterwards use the new group to monitor the DST Server.
First of all the SCOM agent must be installed and then create a group as follows:
- Open Operation Manager Console
- Click Authoring
- Click Groups, and then Create a new group located in the Toolbox Actions
- On the General Properties page, label this group as FOPE – Group and create a new Management Pack to store this new group. Let’s use the name FOPE Management Pack and then click Next.
- On the Explicit Members page, click Add/Remove objects and add the Windows Server computer which is our new FOPE Server and click Next.
- On the Dynamic Inclusion Rules (Optional), leave this empty and click Next.
- On the Subgroups page, leave the default settings and click Next.
- On the Excluded Members page, click Create.
You can always double check if the group has the expected members by right clicking on the group that was just created and then click on View Members…
Now that we have the group created we can monitor the DST service following these steps:
- Open Operation Manager Console
- Click Authoring
- Expand Management Pack Templates
- Right click the Process Monitor and then the Add Monitoring Wizard
- In the Monitoring Type, select Windows Service and click Next (Figure 07)
- On the General page, name this monitoring as FOPE – Directory Synchronization Tool Service and select the FOPE Management Pack which was created during the group creation process
- On the Service Details page, click the … in the service name section, and search all services of our FOPE service on the page that is being displayed. From the list select the DirSync Tool. Also, in the Targeted Group let’s add the group that we created in the previous step, finally uncheck the option Monitor only automatic service and click Next. (Figure 08)
- Continue the wizard using default settings to the end
Now that we have the monitoring in place let’s wait for the new rules to be updated to the SCOM agent, and then we can stop the service on the FOPE server. An alert should be generated on the SCOM console, as shown in Figure 09.
If you select the alert related to the FOPE service, you can start the service by clicking Start NT Service item located on the Tasks area of the Operations Manager console.
SCOM is a great monitoring solution and we can go further in the topic and create actions to start the service, restart the server, etc. based on that monitor. Also, we can notify administrators about any issues.
Is everything working properly? Make sure that you give a couple of days and that all your users are being replicated to FOPE and do all testing you can think of before moving to production.
If all your synchronization tests worked like a charm, then you are ready to go for production! In order to do that we need to go to the FOPE Admin console, click Administration, Domains, click the desired domain, and then Edit which is located in the User List Settings section. On the new page, change to Reject and the e-mail address information should be the address that we have configured previously. Click Save (Figure 10).
Now, any message sent to an e-mail address that is non-existent to your organization will be rejected at the FOPE level and your Internet bandwidth and server horsepower will be saved from processing unnecessary messages.
In this third article of our series we went through the deployment process of Microsoft Directory Synchronization tool and how we can use SCOM to monitor this important process for the FOPE solution.
If you would like to read the other parts in this article series please go to:
- Transitioning to Forefront Online Protection for Exchange (FOPE) (Part 4)
- Transitioning to Forefront Online Protection for Exchange (FOPE) (Part 5)
- Transitioning to Forefront Online Protection for Exchange (FOPE) (Part 6)