Product Review: UnitySync
UnitySync aims to make it straightforward to synchronize multiple directory sources and succeeds in its goal. It’s a fairly compact, easy to install and easy to configure package that’s self-contained with very few external dependencies and it works properly. This perhaps shouldn’t come as a surprise as although this is the first time UnitySync has been reviewed, it’s a very mature product. As a consultant I’ve seen a number of customers use this product and it works well for them; however I’ve never had a chance to get my hands dirty with it. In this review I’m going to try it out with a few scenarios that I see in the real world and see if it can solve some problems that are generally a pain.
When dealing with customers who have many different versions of Exchange, and some other email systems, the most common request from management is to be able to provide a single Global Address List across the organization. These environments are usually those that have grown either out of regional divisions, or mergers and acquisitions. In both cases multiple IT departments have built out infrastructure over many years following their own strategy. As the organization aims for greater efficiency, a global directory of people, often followed by a consolidation of infrastructure, is a key aim.
The difference between UnitySync and the alternatives I’ve seen and used is that it makes the task of building a global directory very simple and straightforward. This can either be between a couple of forests, or even with many forests using a hub / spoke implementation. It’s fair to say that many organizations could implement a GAL across the org in one day and then use UnitySync to help prepare the org, in combination with other tools like ADMT, Azure AD Sync Services or even on its own.
Installation and Configuration
The installation process for UnitySync is a no-frills affair and doesn’t require much input, apart from agreeing to the licence agreement and choosing a location to copy the files.
If you are expecting .Net pre-requisites, Java installation or Windows roles and features to be installed you will be disappointed. Literally everything UnitySync needs is included within the package and copied straight into the install directory.
Figure 1: Installation
After installation you have two options: perform some post-installation configuration if you would prefer to use IIS for management, or run the built-in web service, Dirweb. Directory Wizards recommended the latter as the easiest way, so I used this approach.
On first launch the web interface starts and automatically opens a web browser pointing to the correct URL.
The default page provides information about the installed server and is used to enter the licence key. Main options are shown along the top of the browser window:
- Connection list, which will display the list of configured directory connectors.
- The new connection button, used to create a new directory connection.
- Global SMTP settings, used to configure email notifications.
- The Sync Monitor, a separate window used to monitor in-progress sync jobs.
- Links to the documentation
Figure 2: First launch
The first step after installation is to decide which directories to sync. These are created using the New button which presents the opportunity to name the new connection and provide basic details for the source type and destination type of directories.
As you’ll see below the list is very comprehensive, covering all versions of AD and Active Directory Application Mode, all versions of Exchange Server, Office 365, GroupWise, Notes, SQL-based, file based and many more:
Figure 3: The vast array of source and target engines
Before just diving in and creating connections, some thinking is required. As is common with any solution like this, it is just the tool, so we need to make sure the steps we take meet the business requirements. Additionally, because the tool is quite flexible, I had a quick call with Directory Wizards’ support team, who were very helpful, to get a bit of an overview of how it is usually configured for other customers.
There were two use cases in particular I wanted to try out which represent one very common scenario and another I’ve not seen a great, simple solution for:
- Multi-forest global address list, configured so that whichever environment a mailbox is located within, the user will see a complete Global Address List. This kind of setup may be the first step towards a consolidation or Office 365 migration.
- Multi-tenant Office 365 synchronization. Two companies that use Office 365 merge and would like, on day one, to have a single Global Address List.
Let’s dive straight into each scenario and walk through the setup required.
Multi-Forest Global Address List Example
In this scenario we have three Active Directory forests, all configured with Exchange and one Office 365 tenant currently in Pilot with no Directory Sync configured, yet.
|Domain Name|Directory Type|
|---|---|
|Goodmanindustries.com (GMI)|Active Directory with Exchange 2013|
|Goodmanindustries.co.uk (GMIUK)|Active Directory with Exchange 2010|
|Lisajanedesigns.co.uk (LJD)|Active Directory with Exchange 2013|
|GoodmanUK.com (stevegoodman.onmicrosoft.com)|Office 365 Tenant|
The topology used to perform a sync is known as a hub and spoke model. This means that, for the purposes of the sync, we will synchronize users and groups to one central forest, with two sync jobs for each source system: one to pull information in to the central forest and another to push information out.
Figure 4: Multi Forest example
To make things simple for this example, each AD forest uses a People organizational unit to store users and relevant groups. In each forest we’ll create a UnitySync organizational unit to store contacts that are managed by the product. Office 365 doesn’t share the same concept, however UnitySync will keep track of objects it manages.
For each connection we create we’ll define settings for the source directory. In the example below we are syncing the source GMIUK to the target, central, GMI forest. We choose the basics like server and credentials and specify the types of objects.
For our example we are most interested in syncing Users and Groups. Because we don’t want to sync service accounts or admin accounts, nor sync back any contacts UnitySync creates we’ll scope the source context to the aforementioned People OU:
Figure 5: New source AD connection
We’ll also complete configuration for the destination directory. For our first set of connectors that sync from each source forest to the central forest, GMI, the configuration will be very similar as we’ll be pulling into the same directory and using the same base Placement DN, a UnitySync OU in the GMI forest in which objects will be placed. We’re also specifying the Structure Name, which defines the sub-OU within the Placement DN that this individual connector will be limited to.
Figure 6: New destination AD connection
We’ll repeat similar configuration for the third Active Directory, the Lisajanedesigns.co.uk (LJD) directory.
The connector for Office 365 is slightly different to the LDAP-based connectors like the Active Directory connector. It uses Exchange Online PowerShell to connect to Office 365 and retrieve data. This makes the setup fairly simple: an administrative account is used to connect, and then PowerShell filters can be used to scope which Users, Contacts and Groups are synced.
Therefore the example Filter parameter shown below can be used directly in the Source configuration:
Figure 7: Example PowerShell filter
Figure 8: New Office 365 Source
We’ll complete the configuration for each source, then create a reverse configuration, meaning we end up with six total connectors:
Figure 9: Viewing all six connections
We can then run these manually to test using the Action pane within the General tab. We have the option to Discover, which will pull in the data from the directory, then the Simulate option allows us to test before actually Synchronizing the data. The Batch Run button allows us to run these in order:
Figure 10: Forcing a batch sync run
After a successful sync, UnitySync will create contacts within the structure we’ve specified. For the example multi-forest sync, we see that the GMI forest, the one that will be the “hub”, has a UnitySync OU, with OUs within it for each forest:
Figure 11: OU structure in GMI
In each “spoke” environment we also have a similar structure, which then shows up within the Exchange organization relative to each forest, for example the Exchange 2010 environment for GMIUK will show contacts for recipients from each other “spoke”, LJD and O365, along with the “hub” GMI environment:
Figure 12: Combined GAL in GMIUK
Likewise if we visit the Exchange Admin Center in Office 365, we’ll see the same, full Global Address List displayed:
Figure 13: Combined GAL in Office 365
Multi-Tenant Global Address List Example
The second scenario I’ve tested is where we have two separate Office 365 tenants, for example one USA-based tenant and one EMEA-based tenant. We want to set up a two-way sync of the Global Address List. This could be straight after a company merger, so we don’t want to depend on WAN links being set up or domain trusts, just simply Office 365 to Office 365:
Figure 14: Office 365 multi-tenant sync example
To perform the configuration I’ve created two near-identical connectors – both using the source and destination Office 365 engines:
Figure 15: Creating a new Office 365 to Office 365 connection
As with the multi-forest example, I set the credentials for source and target forests. To make it easy to identify who is in each forest I’ve also used a simple built-in feature to add a suffix to display names:
Figure 16: Altering the format for Display Name creation
As expected the sync worked without issue – the Global Address List in either tenant is populated and each Office 365 tenant has a full GAL:
Figure 17: Viewing the combined GAL
The installation process for UnitySync doesn’t add or install a scheduling service, and just adding the connections via the web interface doesn’t mean that the directories will stay in sync. To keep the directories in sync we need to create a scheduled task that runs a batch script using the Shell interface to UnitySync.
The batch script can be very simple – for example a standard batch file that runs shell.exe multiple times against each connector in the order we wish. In the example below I’ve created a batch file to first synchronize data from each source “spoke” environment in the multi-forest test and then another three jobs to synchronize data out from the “hub”.
Figure 18: Creating a batch Scheduler file
It would be great if the web GUI had the ability to build and control schedules, but this is a small gripe. If you are configuring sync jobs between your directories, then putting together a simple batch file should be within your reach.
UnitySync does everything tested without problem, and more. Some of the more advanced niche features it offers include the full flexibility to deal with adding the LegacyExchangeDN as an X500 address when creating matching users or contacts cross directory – a must to ensure reply-ability when performing mailbox moves. When talking to support about these features I was pleasantly surprised not only to be informed it could do it – but shown immediately how to do it.
You’ll see in the example below the proxyaddresses attribute is simply edited with an additional line in the Object Map to add the LegacyExchangeDN as an X500 address. No complex coding was required however it did require an understanding of the formatting for the object map.
Figure 19: Customizing mappings
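The X500 mapping described above, as an added PowerShell example (not UnitySync's Object Map syntax and not code from the review): it builds the X500 address from a source object's legacyExchangeDN and merges it into an existing proxyAddresses list without disturbing the primary SMTP entry. The function name, addresses and DN are constructed for illustration.

```powershell
# Added example: merge a source mailbox's legacyExchangeDN into a target
# object's proxyAddresses as an X500 address. Hypothetical helper name.
function Add-X500ProxyAddress {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$ProxyAddresses,
        [Parameter(Mandatory)][string]$LegacyExchangeDN
    )

    # A legacyExchangeDN is a slash-delimited path such as
    # /o=Org/ou=Admin Group/cn=Recipients/cn=user. Reject anything else so a
    # mis-mapped attribute (for example an SMTP address) is never stamped as X500.
    if ($LegacyExchangeDN -notmatch '^/o=[^/]+(/(ou|cn)=[^/]+)+$') {
        throw "Not a legacyExchangeDN: '$LegacyExchangeDN'"
    }

    # The DN is appended verbatim: a reply to a cached entry only resolves
    # if the X500 value matches the old legacyExchangeDN exactly.
    $x500 = "X500:$LegacyExchangeDN"

    # Existing entries keep their order and case, so the upper-case "SMTP:"
    # primary address stays primary. Duplicates are detected case-insensitively,
    # which makes repeated sync runs idempotent.
    $seen   = [System.Collections.Generic.HashSet[string]]::new(
                  [System.StringComparer]::OrdinalIgnoreCase)
    $result = [System.Collections.Generic.List[string]]::new()
    foreach ($addr in @($ProxyAddresses) + $x500) {
        if ($seen.Add($addr)) { $result.Add($addr) }
    }
    return $result.ToArray()
}

# Constructed sample data: a contact in the target directory and the
# legacyExchangeDN of the matching mailbox in the source directory.
$existing = @('SMTP:jane.doe@example.com', 'smtp:jdoe@example.com')
$sourceDn = '/o=Example Org/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=jdoe'

$merged = @(Add-X500ProxyAddress -ProxyAddresses $existing -LegacyExchangeDN $sourceDn)
$again  = @(Add-X500ProxyAddress -ProxyAddresses $merged -LegacyExchangeDN $sourceDn)

$merged                                    # the two SMTP entries plus one X500 entry
"Second run added: $($again.Count - $merged.Count)"
```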
The overall impression is that UnitySync has been asked to fulfill pretty much every requirement organizations have when synchronizing directories, so it’s unusual that a customer will have a new requirement.
Where it perhaps is let down is the lack of installation of shortcuts and services along with a “Getting started” wizard. I’d certainly recommend getting a short session with Directory Wizards’ support team to see the product in action after purchase as this very basic, fifteen minute screen-sharing demo was very useful. Without it, the product could seem daunting as it doesn’t have a Start Menu shortcut or install itself as a service.
Whilst I mention the fit and polish of UnitySync it would be unfair not to mention the issues with the alternatives. Forefront Identity Manager and related products are perhaps the closest commercial equivalents widely in use. FIM is hard to licence, requires installation and knowledge of Visual Basic .Net to do anything useful (why not C#? Or PowerShell?) and doesn’t come with the wide range of connectors.
FIM requires an SQL Server install and licence to use and doesn’t have a scheduling interface either. Whilst FIM can work with Office 365 and other systems to help with password management, bear in mind the free black-box solutions like DirSync or Azure AD Sync Services can be used in combination with UnitySync for a simpler experience and better directory sync functionality.
The experience with Directory Wizards’ support for UnitySync has been first class. The review was conducted partly over a holiday season, yet support were still keen to assist and answer any questions about the product. If the product were to be judged on the support experience alone, it would receive full marks.
I’ve seen UnitySync in use at a range of customers, from government departments to manufacturing companies, and been told it worked well, so it’s fair to say expectations of the product were high. UnitySync didn’t disappoint: within the web interface it is intuitive and simple to use, and it comes with great support. The only reason it didn’t receive a full 5 is because it could be improved with a built-in scheduler and a simpler getting started experience. However neither of these would deter me from recommending the product.
MSExchange.org Rating 4.6/5