This article provides general guidance to enable Active Directory synchronization using the default settings of the Mimecast Synchronization Engine and how to synchronize your organization's Active Directory with Mimecast.
Considerations
- Active Directory synchronization using the Mimecast Synchronization Engine doesn't synchronize passwords.
- It is not a method to allow Active Directory domain authentication with Mimecast applications. The EWS or ADFS domain authentication features are required to enable that capability.
Active Directory Synchronization Overview
This guide explains how you can use the Mimecast Synchronization Engine to synchronize your organization's Active Directory with Mimecast. This uses a secure outbound connection from your internal network to Mimecast.
Supported Scenarios
Single Domain
In a single-domain environment, the default settings for Active Directory Sync should be used.
Only one Mimecast Synchronization Engine server with a single Directory Integration is required. The Mimecast Synchronization Engine is installed on a member server on the same LAN as the Domain Controller.
Parent-Child Domain
In a parent-child domain, one Directory Integration per domain is required. The Replicate Different Domain option is used to override the:
- Default connection settings.
- Default user name and password.
- Root Distinguished Name filter.
Only domains containing users and groups you want to add to Mimecast must be synchronized.
Where the Domain Controllers for all domains in the forest are hosted in the same geographical location, a single Mimecast Synchronization Engine server can be used to host each Directory Integration.
It is feasible to synchronize several domains from a single Mimecast Synchronization Engine server even if the Domain Controllers for each domain are located in different geographical locations, but the Mimecast Synchronization Engine's connection to a remote domain can be significantly slower, negatively affecting performance.
Where a group contains members from the target domain and one or more remote domains, only users from the target domain will be added to the AD Group in Mimecast. Mimecast seeks to improve this so that users from the target domain and remote domain(s) are added as group members in Mimecast.
Resource Forests
In a resource forest scenario, there are one or more forests with active user accounts and a resource forest where Microsoft Exchange Server is deployed containing disabled user accounts.
In this scenario, it is only necessary to synchronize the resource forest because this is where all mail-enabled objects are hosted.
The resource forest typically disables user accounts. When synchronizing a resource forest, do not use the Acknowledge Disabled Accounts setting.
Suppose there are objects in the user forest, for example, security groups containing users with a mail attribute or additional user attributes. In that case, you can additionally synchronize the forest to add these groups to Mimecast.
If a user forest is synchronized, the Acknowledge Disabled Accounts in Active Directory should be used so legitimately disabled users are also disabled in Mimecast.
Processing the Data
This section explains the data flow process for this feature, which contains the following stages:
STAGE 1 - Extracting your Active Directory Data
The Mimecast Synchronization Engine uses a combination of LDAP and Global Catalog queries to extract user, group, and group membership data from Active Directory. The initial query used is:
(|(mail=*)(proxyaddresses=*)(objectclass=group)(objectclass=msExchDynamicDistributionList))
This returns any object with an email address, group objects, OR dynamic distribution list objects. Active Directory returns all results that the Mimecast Synchronization Engine service account user, or the user specified in the advanced settings in the Administration Console, has permission to read. The Mimecast Synchronization Engine also issues additional queries to extract more information about each object.
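The following PowerShell is an added example, not Mimecast's code. It previews what the initial query above would return by running the same LDAP filter against a Domain Controller, authenticating as the account the Synchronization Engine uses so the result reflects that account's read permissions rather than an administrator's, and it decodes the userAccountControl disabled bit that the Acknowledge Disabled Accounts option relies on. It assumes the ActiveDirectory PowerShell module (RSAT) is installed on the member server; the account name, Domain Controller name and output file name are placeholders.

```powershell
# Added example (not Mimecast's code). Preview the objects the Synchronization
# Engine's initial LDAP query would extract, as seen by the sync service account.
Import-Module ActiveDirectory

$SyncAccount      = 'EXAMPLE\mse-sync'      # placeholder: the engine's service account
$DomainController = 'dc01.example.local'    # placeholder: the DC the engine connects to
$Credential       = Get-Credential -UserName $SyncAccount -Message 'Synchronization Engine account'

# The initial query quoted in the article (wrapped in its outer OR clause).
$Filter = '(|(mail=*)(proxyaddresses=*)(objectClass=group)(objectClass=msExchDynamicDistributionList))'

$Objects = Get-ADObject -LDAPFilter $Filter `
    -Server $DomainController -Credential $Credential `
    -Properties mail, proxyAddresses, userAccountControl, objectClass

# userAccountControl bit 0x2 is ACCOUNTDISABLE. This is the attribute the
# "Acknowledge Disabled Accounts in Active Directory" option evaluates.
$ACCOUNTDISABLE = 0x2

$Report = foreach ($o in $Objects) {
    [pscustomobject]@{
        Name        = $o.Name
        ObjectClass = $o.ObjectClass
        Mail        = $o.mail
        # Secondary SMTP aliases use a lowercase "smtp:" prefix; the primary uses "SMTP:".
        Aliases     = ($o.proxyAddresses | Where-Object { $_ -clike 'smtp:*' }) -join ';'
        Disabled    = if ($null -ne $o.userAccountControl) {
                          [bool]($o.userAccountControl -band $ACCOUNTDISABLE)
                      } else { $null }   # groups and contacts carry no userAccountControl
    }
}

# Per-class counts to compare with the Directory Integration status in the Administration Console.
$Report | Group-Object ObjectClass | Select-Object Name, Count
$DisabledCount = @($Report | Where-Object { $_.Disabled }).Count
'{0} objects would be extracted; {1} are disabled user accounts' -f @($Report).Count, $DisabledCount

# Keep a record of the preview for review before enabling the integration.
$Report | Export-Csv -Path '.\mse-sync-preview.csv' -NoTypeInformation
```

Running this with the sync account rather than an administrator is the point: an object missing from the preview but present when queried as an administrator indicates a read-permission gap on that object, which is the usual reason an expected user or group never appears in Mimecast. The "Disabled" column shows which accounts the Acknowledge Disabled Accounts option would disable, which is why that option should not be used against a resource forest where Exchange-linked accounts are disabled by design.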
STAGE 2 - Transferring Data to the Mimecast Synchronization Engine
Once all the objects have been successfully extracted, they are securely transmitted from the Mimecast Synchronization Engine to Mimecast.
- Data is secured during transmission using HTTPS.
- The Mimecast API that receives this data:
- Uses an SSL certificate with a 2048-bit RSA key issued by DigiCert.
- Supports several industry-standard strong cipher suites with a minimum key length of 128 bits.
- Accepts connections using the TLS 1.2 protocol.
STAGE 3 - Applying the Results
Once the data is received, Mimecast commits the user and group information to your account.
- New users are added.
- Existing users are updated to Directory Generated users.
- Groups that contain objects with a mail or proxyAddresses attribute are added.
- Group membership is updated.
- Additional attributes specified for the synchronization are updated.
- If the Automatically Link Aliases setting is enabled, alias addresses are linked to their primary user/address.
- If the Acknowledge Disabled Accounts setting in Active Directory is enabled, disabled Active Directory users are disabled as Mimecast users.
- The configured threshold of "Maximum Sync Deletions" will be applied. See Directory Synchronization Maximum Synchronization Deletions and Deleted Users for more information.
- If the Delete Users option is enabled, accounts no longer part of the synchronization result will be deleted. See Directory Synchronization Maximum Synchronization Deletions and Deleted Users for more information.
Enabling Active Directory Synchronization
When enabling Active Directory synchronization, there are required and optional settings as outlined below.
Required Settings
- Log in to the Mimecast Administration Console.
- Navigate to Services | Directory Synchronization.
- Click on the Create New Integration button.
- Enter a Name for the integration.
- Enter a Description for the integration.
- Select On-Premises Active Directory (Synchronization Engine) in the Type field.
- Click the Next button.
- On the Settings page, select Synchronization Engine Site.
- If Replicate Different Domain is enabled, complete the fields in the dialog that appears:
The Replicate Different Domain option is designed for very large and/or multi-domain Active Directory Forests. These settings cannot be used in isolation; if you want to use one of them, then all settings must be configured. The table below describes each of the available settings.
| Name | Description |
|---|---|
| Hostname / IP Address | Override the internal hostname or IP address to which Active Directory Sync should connect. |
| User Name | Override the user name used to connect to Active Directory to synchronize data. Use DOMAIN\user format (e.g., MIMECAST\administrator). |
| Password | Override the password for the user specified in the User Name field. |
| Root Distinguished Name | Specify a filter when synchronizing data from Active Directory (e.g., OU=london, DC=mimecast,dc=local). |
- Click the Next button.
- On the Options step, additional integration options can be configured:
| Name | Description |
|---|---|
| Acknowledge Disabled Accounts in Active Directory | This setting uses the userAccountControl Active Directory attribute to determine a user's status. When enabled, users who are disabled in Active Directory will also be disabled in Mimecast. |
| Filter Email Domains | This setting defines which of your organization's internal email domains will be included in the sync. All email domains registered as a Mimecast Internal Domain will be considered if left empty. Add a comma-separated list (without spaces) to this field to limit synchronization to only considering specific domains. For example, "mimecast.com,mimecast.co.uk" |
| Maximum Sync Deletions | The maximum number of accounts that will be updated to "created in transit" status when they are no longer part of the synchronization result. See Directory Synchronization Maximum Synchronization Deletions and Deleted Users for more information. |
| Delete Users | This allows the deletion of accounts no longer part of the synchronization result. See Directory Synchronization Maximum Synchronization Deletions and Deleted Users for more information. |
- Click the Next button.
- A summary of the integration will be displayed.
- Click on Create Integration.
Checking the Configuration
Within two minutes of saving the configuration in the Administration Console, your Mimecast Synchronization Engine server should pick up the new configuration and schedule Active Directory Sync. To check this:
- Log in to the Mimecast Synchronization Engine server that the Active Directory synchronization integration is configured to use.
- Navigate to the Service Log Directory. By default, this is %ProgramData%\Mimecast Synchronisation Engine\logs\
- Open the current day's Log File.
- Search for the string "calling siteConfig."
- Following this should be a line similar to the one below showing Active Directory synchronization being applied and the next time the synchronization is scheduled to start:
DEBUG|02062015 08:46:37,319| 4|mseservice|AntiCorruptionScheduler|+ event taskId: 2972, name: Task Description, next occurrence: 02/06/2015 13:00:00
If you don't see this line, you should see an error message indicating why Active Directory synchronization cannot be applied. Typically, this is caused by a networking issue preventing the Mimecast Synchronization Engine from connecting to the Mimecast API (https://api.mimecast.com)
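The following PowerShell is an added example, not Mimecast's code. It automates the log check described above: it opens the most recent file in the default log directory, finds the last "calling siteConfig" entry, and parses the AntiCorruptionScheduler line that should follow it to report the task id, name and next scheduled occurrence. If no scheduler line is found it prints the error lines that follow instead and tests outbound connectivity to api.mimecast.com on port 443, since that is the usual cause. The *.log file-name pattern and the 50-line search window are assumptions.

```powershell
# Added example (not Mimecast's code). Verify that the Synchronization Engine
# picked up the Directory Integration and scheduled Active Directory Sync.
$LogDir  = Join-Path $env:ProgramData 'Mimecast Synchronisation Engine\logs'   # default path from the article
$LogFile = Get-ChildItem -Path $LogDir -Filter '*.log' -File |              # *.log is an assumption
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $LogFile) { throw "No log file found under $LogDir" }

$Lines = Get-Content -Path $LogFile.FullName
$Hit   = $Lines | Select-String -Pattern 'calling siteConfig' | Select-Object -Last 1
if (-not $Hit) {
    Write-Warning 'No "calling siteConfig" entry found; the engine has not fetched the configuration yet.'
    return
}

# Look at the lines after the hit (LineNumber is 1-based, so this index starts on the next line)
# for the scheduler event, e.g.:
# DEBUG|02062015 08:46:37,319| 4|mseservice|AntiCorruptionScheduler|+ event taskId: 2972, name: Task Description, next occurrence: 02/06/2015 13:00:00
$Last   = [Math]::Min($Hit.LineNumber + 50, $Lines.Count - 1)   # 50-line window is an assumption
$Window = $Lines[$Hit.LineNumber..$Last]
$Event  = $Window |
    Select-String -Pattern 'AntiCorruptionScheduler\|\+ event taskId: (\d+), name: (.*?), next occurrence: (.+)$' |
    Select-Object -First 1

if ($Event) {
    $m = $Event.Matches[0]
    [pscustomobject]@{
        LogFile        = $LogFile.Name
        TaskId         = $m.Groups[1].Value
        Name           = $m.Groups[2].Value
        NextOccurrence = $m.Groups[3].Value.Trim()
    }
} else {
    Write-Warning 'No scheduler line followed "calling siteConfig"; showing errors and testing the API path.'
    $Window | Select-String -Pattern '\bERROR\b' | Select-Object -First 5
    # The engine needs an outbound HTTPS path to the Mimecast API.
    Test-NetConnection -ComputerName 'api.mimecast.com' -Port 443
}
```

Run it on the Synchronization Engine server itself, since the log directory and the outbound path being tested are both local to that host.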
Checking the Status
By default, the Mimecast Synchronization Engine will synchronize your Active Directory every five hours, starting at 8 a.m. local server time and with the last execution of the day starting at 11 p.m. local server time.
The synchronization schedule cannot be changed by Administrators or Mimecast support.
Most of the processing for Active Directory Sync happens on the Mimecast Synchronization Engine server. Once the required data has been extracted from Active Directory, it is submitted to Mimecast to be committed to your service.
At this stage, the status of the Directory Integration is updated. The last sync status from the Services | Directory Synchronization menu item can be viewed in the Administration Console.
Manually Triggering A Sync
If you would like to run a synchronization before the next scheduled execution:
- Log in to the Mimecast Administration Console.
- Navigate to Services | Directory Synchronization.
- Click on the Sync All button.