Appendix B: Configuring PureMessage for Microsoft Exchange with AD LDS (using AdamSync)

AdamSync is a tool that allows an instance of Active Directory Lightweight Directory Services (AD LDS) to be synchronized with Active Directory (AD). It is intended primarily to be used to copy recipient information from AD to an instance of AD LDS that has been installed with an Exchange server in an Edge Transport server role. Such a server will usually be in a perimeter network (DMZ), where direct access to AD is blocked by the firewall. AdamSync is run from inside the firewall, where it has access to AD, and pushes data to AD LDS through a port that has been opened in the firewall.

The complete set of steps required to set up AdamSync manually are as follows:

  1. Install AD LDS.
  2. From the desktop, click Start > All programs > Administrative Tools > Active Directory Lightweight Directory Services to create an AD LDS instance.
    1. In the Welcome dialog box, click Next.
    2. In the Setup Options dialog box, select A unique instance and click Next.
    3. In the Instance Name dialog box, select the default name Instance 1 and click Next.
    4. In the Ports dialog box, select the default ports for LDAP (389) and SSL (636) and click Next.
    5. In the Application Directory Partition dialog box, select Yes create an application directory partition and enter the name of the partition. To avoid confusion, keep the partition name the same as the partition name in Active Directory, e.g. dc=jazz,dc=sophos,dc=com
    6. In the File Locations dialog box, accept the default locations and click Next.
    7. In the Service Account Selection dialog box, select the option This account and specify the administrator account name and password.
    8. In the Active Directory Lightweight Directory Services Setup Wizard dialog box, select Yes to add permission for the selected account to run as a service.
    9. In the AD LDS Administrators dialog box, add the currently logged in user (the default) and click Next.
    10. In the Importing LDIF Files dialog box, add the MS-InetOrgPerson.LDF, MS-User.LDF and MS-UserProxy.LDF as schemas to be imported and click Next.
    11. Verify the settings and click Next to create an instance of AD LDS.
    12. After the instance is created, click Finish to exit the wizard.
  3. The schema of the AD LDS instance must be extended to allow synchronization information to be stored. From the command prompt, go to the folder C:\Windows\ADAM and use the command:

    ldifde -i -f ms-AdamSyncMetaData.ldf -s localhost:389 -c "cn=configuration, dc=x" #configurationNamingContext

    The schema must also be extended to accept the attributes present on the AD objects being synchronized. The above command should be repeated using the file MS-AdamSchemaW2K3.ldf.

  4. Make a copy of the file MS-AdamSyncConf.xml called Conf.xml and open it for editing in Notepad.exe.
    1. The <source-ad-name> element value should be set to the AD server name
    2. The <source-ad-partition> element value must be set to the AD partition name, e.g. dc=jazz,d=sophos,dc=com
    3. The <base-dn> element value must be modified so that it points to the users container with AD E.g. cn=users,dc=jazz,dc=sophos,dc=com
    4. The <target-dn> element value must be set to the name of the partition created in step 2.
    5. Change the <object-filter> element value to the following string (|(objectclass=user) (objectclass=group) (objectclass=contact))
    6. By default, several attributes are excluded from synchronization by the <exclude> elements. Add the following attributes to the list:
      <exclude>homeMTA</exclude>
      <exclude>homeMDB</exclude>
      <exclude>mDBUseDefaults</exclude>
      <exclude>mailNickname</exclude>
      <exclude>msExchHomeServerName</exclude>
      <exclude>msExchMailboxSecurityDescriptor</exclude>
      <exclude>msExchUserAccountControl</exclude>
      <exclude>msExchMailboxGuid</exclude>
      <exclude>msExchPoliciesIncluded</exclude>
      <exclude>msExchRecipientDisplayType</exclude>
      <exclude>msExchVersion</exclude>
      <exclude>msExchRecipientTypeDetails</exclude>
      <exclude>legacyExchangeDN</exclude>
      <exclude>showInAddressBook</exclude>
      <exclude>msNPAllowDialin</exclude>
      <exclude>msExchUserCulture</exclude>
  5. Install the configuration file by using the following command:

    adamsync /i localhost:389 Conf.xml

  6. Perform synchronization by using the following command:

    adamsync /sync localhost:389 "dc=jazz,dc=sophos,dc=com" /log log.txt

    Important Check the log.txt file to see if there were any errors.

    If the operation was successful then at the end of the log file you will notice text similar to:

    Finished (successful) synchronization run

    Number of entries processed via dirSync: 46

    Number of entries processed via ldap: 0

    Processing took 0 seconds (0,0).

    Beginning again run

    Aging requested every 0 runs. We last aged 1 runs ago.

    Saving Configuration File on dc=jazz,dc=sophos,dc=com

    Saved configuration file

    If you notice an error such as "ldap_add_sw: No such attribute" or "ldap_add_sw: Object class violation" then exclude the offending attributes listed in the log file one by one in conf.xml (as described in step 4.6). Each time you add an attribute for exclusion, reinstall the configuration by running:

    adamsync /d localhost:389 "dc=jazz,dc=sophos,dc=com"

    Repeat steps 5 and 6.

    Synchronization can be performed from any computer on the network, provided it has access to AD and to AD LDS through the configured LDAP port. Synchronization is incremental, and will only include changes made since the last synchronization was performed.

  7. Connect to AD LDS using ADSIEdit and check if all objects have been imported correctly. Note that this synchronization was a one time operation and step 6 needs to be repeated whenever changes are made to Active Directory so that the changes get synchronized with AD LDS.
  8. To configure PureMessage for Microsoft Exchange with AD LDS, open the PureMessage administration console and go to Configuration > Users and groups > Active Directory.
    1. Enter the name of the server where AD LDS is installed and specify the port number as 389.
    2. The BaseDN for users and groups should be set to the name of the AD LDS partition created in step 2.
    3. The Name attribute should be name, the Email attribute should be mail, the Email alias attribute should be proxyaddresses and the Description attribute should be description.
    4. Specify the logon credentials and click Verify settings.
    5. Click Synchronize now to synchronize data between AD LDS and PureMessage for Microsoft Exchange, and click OK.