Discussion:
IIFP for GAL Synchronization
aeko
19 years ago
I have a few questions now that I've run through the GAL sync scenario on IIFP:

Is IIFP the functional equivalent to MIIS as far as GAL synchronization
between multiple forests (AD & Exchange 2003)?

Is the sync transitive? As stated, I have multiple remote forests that need
to sync with my local forest, but each is a distinct organization and has no
operational requirement to see contacts outside of my forest.

I've read a few posts regarding this next question, but have not found a
good answer that directs me to a solution... Can the exported contacts be
filtered into subcontainers to simplify manageability?
Markus Vilcinskas
19 years ago
The main difference between MIIS and IIFP is only the number of supported
MAs. There is no difference in the way objects are processed.

I'm not sure what you mean by a "transitive sync". However, according to your
description, I think you are after the required rights for accessing identity
data. You can narrow down the accessible area of an account to the minimum
you need to accomplish your scenario requirements.

You can define the target container of a contact in your provisioning logic.

Cheers,

Markus

///////////////////////////////////////////////////////////////////////
Markus Vilcinskas

Technical Writer
Microsoft Identity Integration Server
mailto:***@microsoft.com.NO_SPAM

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/copyright.htm
///////////////////////////////////////////////////////////////////////
aeko
19 years ago
Thank you for the reply. I've done the scenario with 2 forests, so I may be
off base dealing with 3 or more... Correct me if I'm wrong:

ForestA needs to exchange GAL information with ForestB and ForestC.

My assumption: If management agents are created for each, they will all
share a common GAL that consists of recipients from all three forests.

What if ForestB should not see the GAL information from ForestC (and vice
versa)?

I'm currently using a Domain User with the Replicate Directory Changes
right, as well as write/create/delete permissions to the target container.
When you mention limiting the accessible area of an account, what are you
referring to?

---

I'm looking into IIFP because I want to replace the manual CSVDE
import/export functionality with an automated solution.
Post by Markus Vilcinskas
I'm not sure what you mean by a "transitive sync". However, according to your
description, I think you are after the required rights for accessing identity
data. You can narrow down the accessible area of an account to the minimum
you need to accomplish your scenario requirements.
Markus Vilcinskas
19 years ago
You can run a GAL sync scenario with more than two forests. There is no
technical limit. However, at some point, you will reach a logical limit.

You can control the amount of data you are feeding into MIIS and pushing out
from MIIS to a connected data source. This depends completely on the
configuration of your synchronization logic. If information from forest A is
supposed to be pushed out to forest B but not to forest C, you can certainly
configure this.

However, I think it is important to mention that this kind of modification
requires some experience with MIIS.

Using a domain user with limited rights and not an administrator is what I
was referring to - exactly the configuration you have right now.

Cheers,

Markus
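The scoping discussed in this thread (ForestA exchanging GAL data with ForestB and ForestC while B and C never see each other, with contacts placed in subcontainers) can be sketched as a metaverse rules extension. This is an added example, not code from either poster or from the GAL sync rules extension that ships with the product; the MA names, the `sourceForest` metaverse attribute (assumed to be populated by an import attribute flow) and every DN are hypothetical.

```csharp
using Microsoft.MetadirectoryServices;

// Added example. MA names, the "sourceForest" attribute and all DNs are hypothetical.
public class ScopedGalProvisioning : IMVSynchronization
{
    public void Initialize() { }
    public void Terminate() { }
    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry) { return false; }

    // Policy: ForestA exchanges with B and C; B and C never receive each other's recipients.
    static string[] TargetsFor(string sourceForest)
    {
        switch (sourceForest)
        {
            case "ForestA": return new string[] { "ForestB MA", "ForestC MA" };
            case "ForestB":
            case "ForestC": return new string[] { "ForestA MA" };
            default: return new string[0]; // unknown source: export nowhere
        }
    }

    // Parent OU for synchronized contacts in each target forest.
    static string SyncRootFor(string maName)
    {
        switch (maName)
        {
            case "ForestA MA": return "OU=GALSync,DC=foresta,DC=example";
            case "ForestB MA": return "OU=GALSync,DC=forestb,DC=example";
            case "ForestC MA": return "OU=GALSync,DC=forestc,DC=example";
            default: throw new System.ArgumentException(maName);
        }
    }

    public void Provision(MVEntry mventry)
    {
        if (!mventry["sourceForest"].IsPresent || !mventry["cn"].IsPresent) return;
        string source = mventry["sourceForest"].Value;
        foreach (string maName in TargetsFor(source))
        {
            ConnectedMA ma = mventry.ConnectedMAs[maName];
            if (ma.Connectors.Count > 0) continue; // contact already provisioned here
            // One subcontainer per source forest; "source" is one of the fixed names above.
            string container = "OU=" + source + "," + SyncRootFor(maName);
            CSEntry contact = ma.Connectors.StartNewConnector("contact");
            contact.DN = ma.EscapeDNComponent("CN=" + mventry["cn"].Value).Concat(container);
            contact.CommitNewConnector();
        }
    }
}
```

Mail attributes on the new contact would still come from export attribute flow rules, and removing contacts after a policy change is not handled here. The service account for each MA then only needs write/create/delete rights on its own `OU=GALSync` subtree.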