In today’s M&A-heavy environment, GAL synchronization between two or more forests is becoming more and more important. IT departments are regularly called upon to integrate two organizations’ global address lists on the first day that the merger is complete, expecting employees to be able to see the new organizations as one even if the backend infrastructure is not combined yet. So there has to be a fast efficient way to synchronize GALs across forests.
The process is actually fairly simple using GroupID Synchronize, our Active Directory provisioning and synchronization module; you just take users from one forest and create them as mailbox enabled contacts in the other forest. And vice versa, creating a full GAL in each Active Directory so that employees don’t know the difference. And, thankfully, GroupID can read and write to almost any directory or database so if you are merging with a Lotus Notes shop, the same process works.
It gets a bit trickier when you have more than two forests. How do you keep from creating duplicates in that case? You would use a hub-and-spoke design, designating one of the forests as the hub, which consolidates objects from all other forests and can then be used to push out a full GAL to the spoke forests. The fear is that the spokes receive duplicate contact records for the user objects already defined in their own forest. How do you solve that?
The way we have avoided the duplicate contacts is by syncing a platform ID that represents the source, or by putting the contacts from each domain into separate OUs. I prefer the ID method. Here is how it works:
- Always sync three additional pieces of information into the destination contact (which attributes you populate in the destination is completely up to you):
  - ObjectGUID -> ExtensionAttribute1
  - SourcePlatformID (just hard code a static moniker like "DOMAINA") -> ExtensionAttribute2
  - DistinguishedName -> ExtensionAttribute3
- Configure jobs that pull from "Domain B" to "Domain A" to exclude objects that originated in Domain A (`SELECT * FROM DOMAIN B WHERE ExtensionAttribute2 <> 'DOMAINA'`).
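To show why the platform-ID filter matters, here is an added simulation of the hub-and-spoke sync (it is not GroupID code; the forest names, sample users and attribute layout are constructed). Each spoke is pulled into the hub, the hub's full GAL is pushed back out, and the `ExtensionAttribute2 <> '<destination ID>'` rule keeps a spoke from receiving contacts for its own users, while keying contacts on the origin ObjectGUID keeps nightly reruns idempotent.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Forest:
    platform_id: str                                          # static moniker, e.g. "DOMAINA"
    users: Dict[str, dict] = field(default_factory=dict)      # native users, keyed by objectGUID
    contacts: Dict[str, dict] = field(default_factory=dict)   # synced contacts, keyed by extensionAttribute1

    def export_objects(self) -> List[dict]:
        """Native users get this forest's tag; synced contacts keep the tag of their origin."""
        out = [{"extensionAttribute1": guid,                   # ObjectGUID -> ExtensionAttribute1
                "extensionAttribute2": self.platform_id,       # SourcePlatformID -> ExtensionAttribute2
                "extensionAttribute3": u["dn"],                # DistinguishedName -> ExtensionAttribute3
                "mail": u["mail"]} for guid, u in self.users.items()]
        return out + [dict(c) for c in self.contacts.values()]

def sync(src: Forest, dst: Forest, filter_own: bool = True) -> int:
    """Create or refresh mail-enabled contacts in dst; returns the number of new contacts."""
    created = 0
    for obj in src.export_objects():
        if filter_own and obj["extensionAttribute2"] == dst.platform_id:
            continue  # the job's WHERE ExtensionAttribute2 <> '<dst platform ID>' clause
        key = obj["extensionAttribute1"]  # origin objectGUID: a rerun updates instead of duplicating
        if key not in dst.contacts:
            created += 1
        dst.contacts[key] = obj
    return created

def gal(f: Forest) -> List[str]:
    """Every address visible in the forest's GAL: native users plus synced contacts."""
    return sorted([u["mail"] for u in f.users.values()] + [c["mail"] for c in f.contacts.values()])

def build_forests() -> Dict[str, Forest]:
    """Three constructed forests with 2, 2 and 1 native users (sample data, not real directories)."""
    forests = {}
    for name, n in (("DOMAINA", 2), ("DOMAINB", 2), ("DOMAINC", 1)):
        f = Forest(name)
        for i in range(n):
            f.users[f"{name}-guid-{i}"] = {"mail": f"user{i}@{name.lower()}.example",
                                           "dn": f"CN=user{i},DC={name.lower()}"}
        forests[name] = f
    return forests

def hub_and_spoke(forests: Dict[str, Forest], hub: str = "DOMAINA", filter_own: bool = True) -> int:
    """Pull every spoke into the hub, then push the hub's full GAL back to each spoke."""
    spokes = [f for n, f in forests.items() if n != hub]
    created = sum(sync(s, forests[hub], filter_own) for s in spokes)
    return created + sum(sync(forests[hub], s, filter_own) for s in spokes)
```

Running `hub_and_spoke` with `filter_own=False` leaves DOMAINB holding contacts for its own two users, which is exactly the duplicate-GAL problem the filter prevents.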
It really is that easy: you can manage multi-forest GAL synchronization with just a few minutes of codeless provisioning. Throw in a few transforms, schedule the job nightly, and every GAL in your environment will always be accurate.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.