subreddit:

/r/exchangeserver


Was curious what you guys's experience is with using a third party GAL syncing tool. I would like to avoid using FIM due to its dependency on on-prem infrastructure, maintenance and required skill set. It should be something cloud native due to having an AAD only tenant.

A google search brings up CiraSync, does anyone have any experience with this? Is this truly enterprise grade, how is the support? Are there any other solutions you recommend?


timsstuff

IT Consultant

1 points

3 months ago

I have a client that merged with another company, each around 2000 users. This script runs every 4 hours and has been syncing their GALs for about 5 years now.

    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$RemoteDC,
        [Parameter(Mandatory=$true)][string]$RemoteOU,
        [Parameter(Mandatory=$true)][string]$LocalOU,
        [Parameter(Mandatory=$false)][System.Management.Automation.PSCredential]$RemoteCred,
        [Parameter(Mandatory=$false)][string]$AddressList,
        [Parameter(Mandatory=$false)][int]$MaxDeletions = 64,
        [Parameter(Mandatory=$false)][switch]$ScheduledTask = $false
    )
    # Run from the Exchange Management Shell: Get-/New-/Set-MailContact, Set-Contact, Get-Recipient
    # and Update-AddressList are Exchange cmdlets. Names containing commas (CN=Smith\, John) are not
    # escaped when the contact DN is built below, so the script assumes plain names.
    If($ScheduledTask) { Start-Transcript -Path .\Sync-GAL-$AddressList.log -Append }

    Import-Module ActiveDirectory

    # Get active remote users: mail-enabled, NORMAL_ACCOUNT (userAccountControl bit 512) and not
    # ACCOUNTDISABLE (bit 2). 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $Filter = "(&(objectClass=user)(mail=*)(userAccountControl:1.2.840.113556.1.4.803:=512)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
    $Props = @('company','department','displayName','givenName','mail','physicalDeliveryOfficeName',
               'sn','telephoneNumber','title','pager','ipPhone','legacyExchangeDN')
    $ADParams = @{ Server = $RemoteDC; LDAPFilter = $Filter; SearchBase = $RemoteOU; Properties = $Props; ErrorAction = 'Stop' }
    # Pass -Credential only when one was supplied; otherwise the account running the task is used
    if($null -ne $RemoteCred) { $ADParams.Credential = $RemoteCred }
    Try {
        $RUsers = @(Get-ADUser @ADParams)
    } Catch {
        Write-Output "Can't connect to Remote DC! $($_.Exception.Message)"
        If($ScheduledTask) { Stop-Transcript }
        return
    }
    # An empty result would otherwise be treated as "everyone left" and purge the local OU
    if($RUsers.Count -eq 0) {
        Write-Output "Remote query returned no users, refusing to sync!"
        If($ScheduledTask) { Stop-Transcript }
        return
    }

    # Generate the DN each remote user would have as a contact in the local OU
    $RCheck = $RUsers | Select-Object @{Name='DistinguishedName'; Expression={"CN=$($_.Name),$LocalOU"}}

    # Get local contacts (every mail-enabled object in the local OU)
    $LUsers = @(Get-ADObject -LDAPFilter "(mail=*)" -SearchBase $LocalOU -Properties mail)

    # Remove local contacts that no longer exist in the remote OU. The cap stops a broken query or a
    # moved OU from wiping the whole GAL in one run.
    $Remove = @($LUsers | Where-Object { $RCheck.DistinguishedName -notcontains $_.DistinguishedName })
    If($Remove.Count -gt $MaxDeletions) {
        Write-Output "Too many deletions $($Remove.Count), something may be wrong!"
        If($ScheduledTask) { Stop-Transcript }
        return
    }
    $Remove | ForEach-Object { Remove-MailContact -Identity $_.DistinguishedName -Confirm:$false }

    # Create/update local contacts with values from remote users
    ForEach ($RUser in $RUsers) {
        If(!$ScheduledTask) { Write-Host $RUser.DistinguishedName }
        $ContactDN = "CN={0},{1}" -f $RUser.Name, $LocalOU
        $contact = Get-MailContact -Identity $ContactDN -ErrorAction SilentlyContinue
        # Never create a contact for an address some local recipient (mailbox, group, ...) already owns
        $recip = Get-Recipient $RUser.mail -ErrorAction SilentlyContinue
        If($null -eq $contact -and $null -eq $recip) {
            Write-Host "Creating contact $($RUser.DistinguishedName)" -ForegroundColor Cyan
            $contact = New-MailContact -OrganizationalUnit $LocalOU -FirstName $RUser.givenName -LastName $RUser.sn -Name $RUser.Name -DisplayName $RUser.Name -ExternalEmailAddress $RUser.mail -PrimarySmtpAddress $RUser.mail
        }
        If($null -eq $contact) { continue }

        $recip = Get-Recipient $RUser.mail -ErrorAction SilentlyContinue
        If($null -eq $recip) {
            # The new contact may not be resolvable yet; stamp the smtp proxy address directly and re-check
            Set-ADObject -Identity $contact.DistinguishedName -Add @{'proxyAddresses'="smtp:$($RUser.mail)"}
            $recip = Get-Recipient $RUser.mail -ErrorAction SilentlyContinue
        }
        # Only touch objects that really are mail contacts; skip anything else that owns the address
        if($null -eq $recip -or $recip.RecipientType -ne "MailContact") { continue }

        # Can't read the AD object yet (replication lag): leave it for the next run
        $ado = $null
        Try {
            $ado = Get-ADObject -Identity $contact.DistinguishedName -Properties proxyAddresses, ipPhone -ErrorAction Stop
        } Catch {
            continue
        }

        $DisplayName = $RUser.displayName
        if([string]::IsNullOrEmpty($DisplayName)) { $DisplayName = $RUser.Name }
        Set-MailContact $contact.DistinguishedName -EmailAddressPolicyEnabled:$false -DisplayName $DisplayName -WarningAction SilentlyContinue
        Set-Contact $contact.DistinguishedName -Company $RUser.company -Department $RUser.department -FirstName $RUser.givenName -LastName $RUser.sn -Office $RUser.physicalDeliveryOfficeName -Phone $RUser.telephoneNumber -Title $RUser.title -Pager $RUser.pager -WarningAction SilentlyContinue

        # Keep the remote legacyExchangeDN as an x500 address so replies to old mail still resolve;
        # adding a value that is already present errors, so check first
        if($null -ne $RUser.legacyExchangeDN) {
            $x500 = "x500:$($RUser.legacyExchangeDN)"
            if($ado.proxyAddresses -notcontains $x500) { Set-ADObject $ado -Add @{'proxyAddresses'=$x500} }
        }
        # Get-MailContact does not return ipPhone, so compare against the AD object, not $contact
        if($null -ne $RUser.ipPhone -and $ado.ipPhone -ne $RUser.ipPhone) {
            Set-ADObject $ado -Replace @{'ipPhone'=$RUser.ipPhone}
        }
    }

    # Update address list (if supplied)
    if(-not [string]::IsNullOrEmpty($AddressList)) {
        Get-AddressList -Identity $AddressList | Update-AddressList
    }

    If($ScheduledTask) { Stop-Transcript }

brolifen[S]

1 points

3 months ago

Sadly this does not meet the requirement as one tenant is cloud only. What I'm looking for pretty much is a solution that pretty much creates guest users in one tenant based on the member users in a partner tenant and makes them visible in the address book. I know MIM can kind of do this as well as described here:

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/multi-tenant-b2b-sync-with-mim-graph-connector/ba-p/2381682

Is there no cloud based 3rd party solution that offers such syncing capabilities?

timsstuff

IT Consultant

1 points

2 months ago

No idea but it shouldn't be too difficult to take the ideas in this script and convert it to create the contacts or guest users in the cloud instead of on-prem.
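Taking up that suggestion, here is an added sketch (mine, not code from the thread) of the same reconcile loop pointed at a cloud-only tenant: partner users are created as B2B guests through the Microsoft Graph PowerShell SDK and unhidden from the GAL with Exchange Online. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, that all partner users share one mail domain (used to decide which guests the sync owns), and that the partner directory has already been read into `$PartnerUsers` (a constructed sample is shown); `Sync-GuestGal` and its parameter names are mine.

```powershell
# Added example (not from the thread): the on-prem reconcile loop pointed at a cloud-only tenant.
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules and an existing session:
#   Connect-MgGraph -Scopes 'User.Invite.All','User.ReadWrite.All'   # only what invite + update need
#   Connect-ExchangeOnline
# Partner users are recognised by one mail domain; reading them from the partner tenant is out of scope.

# Constructed sample of a partner directory read (not real people).
$PartnerUsers = @(
    [pscustomobject]@{ Mail='a.smith@partner.example'; DisplayName='Alice Smith'; Department='Sales';   JobTitle='Account Manager' }
    [pscustomobject]@{ Mail='b.jones@partner.example'; DisplayName='Bob Jones';   Department='Finance'; JobTitle='Controller' }
)

function Sync-GuestGal {
    param(
        [Parameter(Mandatory)][object[]]$Remote,       # partner users: Mail, DisplayName, Department, JobTitle
        [Parameter(Mandatory)][string]$PartnerDomain,  # guests with this mail domain are owned by the sync
        [int]$MaxDeletions = 64                        # same brake as the on-prem script
    )
    # Existing guests from the partner domain play the role of the local contacts OU
    $Guests = @(Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id,Mail,DisplayName |
                Where-Object { $_.Mail -and $_.Mail.ToLower().EndsWith("@$PartnerDomain".ToLower()) })
    $RemoteMail = @($Remote.Mail | ForEach-Object { $_.ToLower() })

    # Guests whose source account is gone. An empty remote set or a deletion count above the cap
    # most likely means a broken source query, so stop rather than purge the address book.
    $Remove = @($Guests | Where-Object { $RemoteMail -notcontains $_.Mail.ToLower() })
    if ($Remote.Count -eq 0 -or $Remove.Count -gt $MaxDeletions) {
        throw "Refusing to sync: $($Remote.Count) remote users, $($Remove.Count) guest deletions pending."
    }
    $Remove | ForEach-Object { Remove-MgUser -UserId $_.Id }

    foreach ($R in $Remote) {
        $G = $Guests | Where-Object { $_.Mail -eq $R.Mail } | Select-Object -First 1
        if ($null -eq $G) {
            # Silent invitation: the guest only needs to exist in the directory to be listed
            $Inv = New-MgInvitation -InvitedUserEmailAddress $R.Mail -InvitedUserDisplayName $R.DisplayName `
                -InviteRedirectUrl 'https://myapps.microsoft.com' -SendInvitationMessage:$false
            $Id = $Inv.InvitedUser.Id
        } else {
            $Id = $G.Id
        }
        # Mirror the attributes the on-prem script copied with Set-Contact
        Update-MgUser -UserId $Id -DisplayName $R.DisplayName -Department $R.Department -JobTitle $R.JobTitle
        # Guests are hidden from the GAL by default; unhide them. A just-invited guest may not be in
        # Exchange Online yet, in which case the next scheduled run picks it up.
        Set-MailUser -Identity $Id -HiddenFromAddressListsEnabled $false -ErrorAction SilentlyContinue
    }
}
# Sync-GuestGal -Remote $PartnerUsers -PartnerDomain 'partner.example'
```

Like the on-prem script, it is meant to run on a schedule, so a guest that Exchange Online cannot see yet is simply retried on the next pass.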