Follow

DAVTON ENTERPRISE SYNC SET-UP MS EXCHANGE 2010

DAVTON ENTERPRISE SYNC SET-UP MS EXCHANGE 2010

CREATE A WINDOWS ACCOUNT THAT HAS A MICROSOFT EXCHANGE 2010 MAILBOX

You must create a Windows® account that has a Microsoft® Exchange 2010 mailbox so that the Windows account can authenticate with the Microsoft® Exchange Server. This account must be a domain user only- and not be given any additional administrator privileges except as described below. ( Additional privileges such as domain admin have 'deny' permissions which will stop the account working as required. )

  1. On the computer that hosts Microsoft Exchange, log in using an administrator account that has the correct permission to create accounts.
  2. Open the Microsoft Exchange Management Console.
  3. Create an account and mailbox with the name SyncService.
  4. Give the SyncService account Owner permissions on the Public Folders you will be accessing. (Owner is required to set up certain custom fields.)
  5. Whilst still on the server, configure the Domain Security Policy to allow this account to Log on as a Service.

CONFIGURE MICROSOFT EXCHANGE 2010 PERMISSIONS FOR THE WINDOWS ACCOUNT

  1. Verify the domain name in Microsoft® Active Directory®. When you set the permissions, you will need to match the domain name exactly as it is in Microsoft Active Directory.
  2. On a computer that hosts the Microsoft® Exchange Management Shell, open the Microsoft Exchange Management Shell.
  3. Type:    
    Get-MailboxDatabase | Add-ADPermission -User "SyncService" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin. 
  4. Type:    Add-RoleGroupMember "View-Only Organization Management" -Member "SyncService".
  5. Find the correct identity* for your new SyncService account and then set permissions at common name (or organizational) level:
    1. To set the permissions at the common name level, type the following command:   
      Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As - User "SyncService" -Identity "CN=<common_name>,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>"
    2. To set the permissions at the organizational unit level, type the following command:    
      Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "SyncService" -Identity "OU=<organizational_unit>,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>"

How to Find the Correct Identity 

*The correct identity is the exact AD address for the user you created. To find this:

a)    Open Active Directory Users & Computers

b)    In the Menu bar up the top, open View and the select Advanced Features

c)    Browse to your SyncService user, and open the users properties by double clicking

d)    Now select the tab named Attribute Editor. Scroll through the list until you get to distinguishedName and double click it to view its properties.This will say something like: CN=SyncService,CN=Users,DC=mydomain,DC=local 

For this example the command to type would be would be: 

Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "CN=BESAdmin, CN=Users,DC=mydomain,DC=local”

 

ALLOW SYNCSERVICE TO LOG ON AS A SERVICE 

This permission should be granted when you install your service, but we have found that sometimes it is not granted.

  1. Click Start > Administrative Tools > Local Security Policy. NOTE: If the computer is a Domain Controller, click Start > Administrative Tools > Domain Controller Security Policy.
  2. In the Local Securities window, click Local Policies > User Rights Assignment.
  3. Perform one of the following steps:
  4. For Windows Server 2000, double-click Log on Locally.
  5. For Windows Server 2003 and 2008, double-click Allow Log on Locally.
  6. Click Add User or Group.
  7. Select the Davton Enterprise Sync Service account name, and then click Add.
  8. Click OK.
  9.  Similarly (still in User Rights Assignment) , double-click Log On As a Service.
  10. Click Add User or Group and then select the Davton Enterprise Sync Service account.
  11. Click OK. 

LOG-OFF THE SERVER AND LOG BACK ON USING YOUR NEW SYNCSERVICE ACCOUNT

You should now log off the server and complete the rest of the installation and configuration using your newly set up SyncService account.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

0 Comments

Article is closed for comments.
Powered by Zendesk