- In this article I set up directory sync on a Windows 2008 (64-bit) domain controller to sync Active Directory user accounts with Google\Postini hosted mail security. Although the download site doesn’t list Windows 2008 as a supported operating system, it does work, but an additional step is needed to get it set up (step 3).
- This article does not cover other aspects of Postini such as the initial setup; it focuses only on directory sync.
- Please note that you are likely charged per mailbox, so manually verify the accounts you are synchronising: if there is an error you may well have set up a lot more mailboxes than you intended.
- You can also set up directory sync via a web-based method using IIS. That is not covered in this article. I prefer the method described here as it doesn’t require publishing an IIS site on the web.
Step 1 – Installation
- Download the directory sync utility from here… http://www.postini.com/dir_sync
- Install the program, choosing all the default options.
Step 2 – Configuration Manager
Once installed, open the “configuration manager” utility.
- Then run through the installation steps. In the steps below I have only shown the screens where you need to enter info.
- The admin email account is usually specified during setup. If you have forgotten the password for this, you can change it from login.postini.com
- I like to create a new user-level org dedicated to the directory sync users.
- Specify this new org below.
- In the below screen you must set up the LDAP info to enable the user info to be retrieved from Active Directory.
- In my example the baseDN is OU=SBSUsers,OU=Users,OU=MyBusiness,DC=cmdomain,DC=local
- You will need to modify this with your own Active Directory info.
- I recommend running this using a “service account” i.e. a domain account where the password doesn’t expire.
- Also note the “test connection” button.
- In the below screen I have added “proxyAddresses”. This means that it will also sync a user’s other email addresses, as opposed to just syncing their primary SMTP address.
Specify the org you created and enter objectclass=person as shown below.
Set up delete limits if desired; this can be a useful way of guarding against mass (accidental) deletions!
You should now be ready to run a test sync
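One way to do the manual verification recommended at the top of this article before the first sync, as an added example that is not part of the original article or the Postini tooling: a PowerShell query that lists what the baseDN and filter above select, with each entry's addresses. It assumes PowerShell 2.0 or later and a domain account that can read the OU. In Active Directory objectclass=person also matches contact and computer objects, so the Class column shows whether anything other than users is in scope.

```powershell
# Added example (not from the original article): list what the LDAP settings above select.
$baseDn = 'OU=SBSUsers,OU=Users,OU=MyBusiness,DC=cmdomain,DC=local'  # article's example; use yours
$filter = '(objectClass=person)'              # filter entered in the configuration manager

$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$baseDn")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$searcher.PageSize    = 500                   # paged search, so more than 1000 entries are returned
foreach ($attr in 'sAMAccountName','mail','proxyAddresses','objectClass','userAccountControl') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$results = $searcher.FindAll()
$total   = $results.Count
$rows = foreach ($r in $results) {
    $p = $r.Properties
    # proxyAddresses holds typed values such as "SMTP:primary@..." and "smtp:alias@..."
    $smtp = @($p['proxyaddresses'] | Where-Object { $_ -match '^smtp:' } |
              ForEach-Object { $_ -replace '^smtp:', '' })
    $uac = 0
    if ($p['useraccountcontrol']) { $uac = [int]$p['useraccountcontrol'][0] }
    New-Object PSObject -Property @{
        Account  = [string]$p['samaccountname']
        Class    = @($p['objectclass'])[-1]   # last value is the most specific class
        Disabled = [bool]($uac -band 2)       # 0x2 = ACCOUNTDISABLE
        Mail     = [string]$p['mail']
        Aliases  = $smtp -join '; '
        HasMail  = [bool]($p['mail'] -or $smtp.Count)
    }
}
$results.Dispose()

# Entries with an address are the ones to compare against the mailboxes you expect.
$withMail = @($rows | Where-Object { $_.HasMail })
"{0} entries matched, {1} with at least one SMTP address" -f $total, $withMail.Count
$withMail | Sort-Object Class, Account |
    Format-Table Account, Class, Disabled, Mail, Aliases -AutoSize
```

Compare the count and the list with the number of mailboxes you expect to pay for, and tighten the baseDN or filter if computers, contacts or disabled accounts appear.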
Step 3 – Windows 2008 step
You only need to do this on Windows 2008. If you are not using Windows 2008 skip to step 4. This step is necessary because of the restrictions Windows 2008 has on writing to files.
Create a new file in the directory sync program folder and call it sync2.log
Then within the utility change the log file used.
Step 4 – Sync
- If you are happy with the results, save your configurator settings as an .xml file.
Go to file save as and specify the location and name of your file. In my example I saved the file as f:\dirsync\sync_users.xml.
- Open an elevated cmd prompt.
Navigate to the Google Apps Directory Sync utility folder, e.g.
C:\Program Files\Google Apps Directory Sync for Email Security, or
C:\Program Files (x86)\Google Apps Directory Sync for Email Security if using 64-bit Windows
Run the command
sync-cmd.exe -a -c f:\dirsync\sync_users.xml
(f:\dirsync\sync_users.xml is the file saved above. Change this to the filename and location you have just created.)
Step 5 – Schedule Syncs
Assuming the above worked successfully, you will probably want to schedule synchronisations so that as user accounts are added and removed in Active Directory they are added and removed in Postini.
- In server manager create a task as shown below.
- Then set the properties as shown on the following screenshots.
- Note I have changed the account it runs under to the service account (servacct).
Set to run every day at 2pm.
Specify the sync program and options. To get the program, browse to the sync-cmd.exe file found in the directory sync folder under program files.
This is all you need to set. Press OK to save the task; you will likely be prompted to enter the password for the service account.
You should now have scheduled synchronisations.
Step 6 – Test
I now recommend you test this. Thoroughly!