Directory Synchronization - Migrating LDAP Directory Synchronization to Push Synchronization

This article provides guidelines on how to migrate your On-Premises Active Directory (LDAP) integration if your organization wants to switch from the inbound retrieve mechanism to the outbound push mechanism that uses the Mimecast Synchronization Engine.

It is important to follow the guidance in this article to prevent interruptions to mail flow and end-user access to Mimecast applications.

The Active Directory push mechanism does not support end-user authentication.

Prerequisites

  • Mimecast Synchronization Engine version 2.8.0.6217 or later deployed in your environment (an upgrade is required if you are running an earlier version).
  • An Active Directory user with read permissions to your organization's Active Directory.
  • An administrator login with edit permissions to the Users & Groups | Directory Synchronization, Users & Groups | Applications, and Directories | Internal Directories menu items.
  • If the users in your organization use their Active Directory password to authenticate with Mimecast applications, you will need an alternative domain authentication provider in place.

Required Steps

  1. Adjust Recipient Validation
  2. Configure an alternate domain authentication provider
  3. Create a user to connect to Active Directory
  4. Install and configure the Mimecast Synchronization Engine
  5. Change the Directory integration

Adjust Recipient Validation

This step is very important to prevent interruption to mail flow during the migration.

If your organization is using the Accept inbounds for valid Directory users only method of recipient validation for your internal domains, you should change this to remove the dependency on Directory Synchronization while you are migrating the integration.

This can be switched back after migration if required. To do this:

  1. Log in to the Mimecast Administration Console.
  2. Select the Users & Groups | Internal Directories menu item.
  3. For each of the domains using this method of recipient validation, right-click the domain and select Edit Domain.
  4. Change the Check Inbounds setting to an option other than Accept Inbounds for valid Directory users only. The Accept emails for known recipients only option is the recommended setting.

Configure an Alternate Domain Authentication Provider

This step is very important to prevent interruption to end-user access to Mimecast applications.

When migrating from LDAP Directory Synchronization, you will be removing the inbound channel that Mimecast uses to authenticate users using their Active Directory password. Before migrating your Directory Integration, you need to implement an alternative domain authentication method. Mimecast offers alternate Active Directory domain authentication mechanisms using either Active Directory Federation Services (ADFS) or SAML Authentication against your Identity Provider (IdP).

Create a User to Connect to Active Directory

As part of the configuration of Active Directory Synchronization, you will need to supply the credentials of a user with read permissions. This will be the user who connects to Active Directory to synchronize data with Mimecast.

Mail-enabled Public Folders: In order to replicate the email addresses of Exchange mail-enabled Public Folders, this user must also be a member of the Organization Management group.


Install and Configure the Mimecast Synchronization Engine

To install and configure the Mimecast Synchronization Engine, refer to the article Mimecast Synchronization Engine - Directory Synchronization.

Change the Directory Integration

The final step in the migration is to change the type of your existing LDAP Directory Integration to the new Active Directory Synchronization using the Mimecast Synchronization Engine. To do this:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Users & Groups | Directory Synchronization.
  3. Select your existing On-Premises Active Directory (LDAP) integration and click Edit.
  4. In the Details step, change the Type to On-Premises Active Directory (Synchronization Engine).
  5. Update the Description for your integration and click Next.
  6. From the Synchronization Engine Site drop-down list, select the Mimecast Synchronization Engine site where Active Directory Synchronization should run.
  7. Optionally configure the Replicate Different Domain section.

The Replicate Different Domain Settings are designed to be used for very large and / or multi-domain Active Directory Forests. These settings cannot be used in isolation; if you want to use one of them, then all settings must be configured.

The available settings are described below.

  • Hostname / IP Address: Override the internal hostname or IP address that Active Directory Synchronization should connect to.
  • User Name: Override the user name used to connect to Active Directory to synchronize data. Use the DOMAIN\user format, for example, MIMECAST\administrator.
  • Password: Override the password for the user specified in the User Name field.
  • Root Distinguished Name: Specify a filter to use when synchronizing data from Active Directory, for example, OU=london,DC=mimecast,dc=local.


  8. Configure the Options step and click Next.

  • Acknowledge Disabled Accounts: Uses the useraccountcontrol Active Directory attribute to determine the status of a user. When enabled, users who are disabled in Active Directory are also disabled in Mimecast.
  • Filter Email Domains: When enabled, you can list the domains the integration will synchronize. This setting defines which of your organization's internal email domains are included in the synchronization. If left empty, all email domains registered as Mimecast internal domains are considered. To limit the synchronization to specific domains, add a comma-separated list without spaces to this field (e.g., mimecast.com,mimecast.co.uk).
  • Maximum Synchronization Deletions: The maximum number of accounts that will be updated to "Created by message in transit" when they are no longer part of the synchronization result. See Directory Synchronization Maximum Synchronization Deletions and Deleted Users for more information.
  • Delete Users: Allows the deletion of accounts that are no longer part of the synchronization result. See Directory Synchronization Maximum Synchronization Deletions and Deleted Users for more information.

  9. Review the Summary and click Update Integration.
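As a pre-flight check for the account created in step 3 and for the Replicate Different Domain and Options settings above, the following PowerShell script (an added example, not part of this article or of the Mimecast Synchronization Engine) binds to Active Directory as the synchronization account, confirms it can read the Root Distinguished Name, counts the mail-enabled users it can see and how many are disabled in Active Directory via the same useraccountcontrol attribute the Acknowledge Disabled Accounts option relies on, and reports whether the account is in Organization Management. The server, account and DN values are placeholders; the Organization Management check assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added pre-flight check; not part of the Mimecast article or product.
# Verifies that the synchronization account can bind and read the Root DN,
# counts mail-enabled users and those with the ACCOUNTDISABLE bit (0x2) set in
# userAccountControl, and reports Organization Management membership (needed
# only for mail-enabled Public Folders). All param values are placeholders.
param(
    [string]$Server   = 'dc01.mimecast.local',            # placeholder: Hostname / IP Address
    [string]$UserName = 'MIMECAST\svc-mimecast-sync',     # placeholder: DOMAIN\user
    [string]$RootDn   = 'OU=london,DC=mimecast,DC=local'  # placeholder: Root Distinguished Name
)

$cred     = Get-Credential -UserName $UserName -Message 'Password for the synchronization account'
$plainPwd = $cred.GetNetworkCredential().Password

# Bind as the synchronization account; RefreshCache forces the bind and throws
# if the credentials are wrong or the DN does not exist or is not readable.
$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$RootDn", $UserName, $plainPwd)
try {
    $root.RefreshCache()
    Write-Host "Bind OK as $UserName; root: $($root.Properties['distinguishedName'].Value)"
} catch {
    Write-Error "Bind or read of $RootDn failed: $($_.Exception.Message)"
    return
}

# Enumerate mail-enabled user objects under the Root DN, the scope the
# integration would synchronize, and count those disabled in AD.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.PageSize = 1000
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(mail=*))'
$searcher.PropertiesToLoad.AddRange(@('mail', 'userAccountControl'))
$users    = $searcher.FindAll()
$disabled = @($users | Where-Object { ($_.Properties['useraccountcontrol'][0] -band 0x2) -ne 0 }).Count
Write-Host "Mail-enabled users readable: $($users.Count); disabled in AD: $disabled"

# Organization Management membership is required only to replicate the
# addresses of Exchange mail-enabled Public Folders, so report rather than fail.
$sam  = $UserName.Split('\')[-1]
$isOM = Get-ADGroupMember -Identity 'Organization Management' -Recursive |
        Where-Object { $_.SamAccountName -eq $sam }
if ($isOM) { Write-Host "$sam is a member of Organization Management; Public Folder addresses can replicate" }
else       { Write-Warning "$sam is not in Organization Management; mail-enabled Public Folders will not replicate" }
```

Run it on a machine that can reach the domain controller before changing the integration type, so a bind or permission problem surfaces here rather than as a failed first synchronization.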

Next Steps

Check that the Mimecast Synchronization Engine has Applied the Configuration

Within 2 minutes of saving the configuration in the Mimecast Administration Console, your Mimecast Synchronization Engine server should pick up the new configuration and schedule Active Directory Synchronization. To check this:

  1. Log on to the Mimecast Synchronization Engine server that the Active Directory integration is configured to use and navigate to the service log directory, by default C:\Program Files\Mimecast\SynchronizationEngine\log\service.
  2. Open the log file for the current day and search for the string "calling siteConfig".
  3. Following this, you should see a line similar to the one below showing Active Directory Synchronization being applied and the next time the synchronization is scheduled to start:

If you do not see this line, you should see an error message indicating why Active Directory Synchronization cannot be applied. Typically, this is caused by a networking issue preventing the Mimecast Synchronization Engine from connecting to the Mimecast API. If you would like to run a synchronization before the next scheduled execution, use the Sync Directory Data button on the Users & Groups | Directory Synchronization page in the Mimecast Administration Console.

Check the Status of Active Directory Synchronization

By default, the Mimecast Synchronization Engine will synchronize your Active Directory every 5 hours, starting at 8 AM local server time with the last execution of the day launching at 11 PM local server time.

Most of the processing for Active Directory Synchronization happens on the Mimecast Synchronization Engine server. Once the required data has been extracted from Active Directory, it is submitted to Mimecast to be committed to your service.

At this stage, the status of the Directory Integration is updated. The status of the last synchronization can be viewed in the Mimecast Administration Console from the Users & Groups | Directory Synchronization menu.
