contactsync 7.6 manual - netsec
Post on 18-Dec-2021
CONTACTSYNC® V7.6
Manual
NETsec
07. July 2021
NETsec GmbH & Co.KG | Schillingsstrasse 117 | DE - 52355 Düren
Introduction
contactSync
Global Address List (GAL) into mailboxes by using GALsync policies
GALsync
Recommendations (Do’s and Don’ts)
Suggestions to test contactSync policies
Schedule without overlaps
Performance (Exchange Online)
Licensing
Trial license
How to add a license
How many objects are to be licensed?
Quickstart: Global Address List (GAL) into mailboxes
1 Prerequisites
2 Install the software
3 Create and run a contactSync policy
Deployment Guide
Introduction
Exchange 2010-2019 -> Mailbox Contacts
Exchange Online -> Mailbox Contacts
Technical Guide
System Requirements
Prerequisites
Service Account
Mailbox
Modern Authentication OAuth2 for Exchange Web Services (EWS) to access Exchange Online
Permission to access the mailboxes (Mailbox contacts)
Execution Policy (Exchange online)
Some notes to the remote PowerShell management for Office 365 tenants
Running contactSync policies via command line
contactSync components
Files
Policy
GUI
Policy Wizard
Service
Internal Marks
NoContactSync (internal mark)
NoMailboxSync (internal mark)
Global Settings
Settings Tab
Status file directory.
Use LDAP over SSL (LDAPS)
Exchange Tab
Exchange On-Premises
Policies Tab
Status Tab
Retain status information
NETsec LogViewer
Open and export log files
Help Tab
Filter mailboxes
NoMailboxSync (internal mark)
Choose mailboxes (On-premises)
Choose mailboxes (Exchange Online)
Search mailboxes (On-premises)
Search mailboxes (Exchange Online)
Directory Tab
NoContactSync (internal mark)
Choose (On-premises)
Choose (Exchange Online)
Search (On-premises)
Search (Exchange Online)
Special options for contactSync
Exchange On-Premises
Exchange Online
Maximum errors to transfer data file
Minimum objects to transfer data file
Include hidden objects (On-Premises only)
Export ‘MasteredOnPremise’ objects (Exchange Online only)
Mark synchronized contacts as private
Synchronize Picture (On-Premises)
Modify or delete existing contacts with source domain
Object Filter
Filter and Modify objects for import into mailboxes
Choose (Mailbox contacts)
Properties (Mailbox contacts)
Status notification
Schedule Service
How to
How to configure Exchange Impersonation?
Exchange Impersonation in Exchange 2010, 2013, 2016, 2019 and Exchange Online (Mailbox contacts)
How to grant full access to the user mailboxes?
Exchange 2010
Exchange 2013, 2016, 2019 and Exchange Online
How to bulk assign full access permissions to multiple user mailboxes
How to disable EWS Throttling for the contactSync account?
Exchange 2010
Exchange 2013, Exchange 2016 and Exchange 2019
How to check the PowerShell version on the contactSync server?
Troubleshooting and Support Guide
Issue with Exchange Online connection
The Autodiscover service returned an error
11021 - LegacyExchangeDN of the contactSync service account is in the old syntax. Please update this by re-mailenabling the service account or create a new contactSync service account.
Could not load file or assembly 'netstandard, Version=2.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51' or one of its dependencies. The system cannot find the file specified.
12010 - Error getting Exchange Online connection 62003 – Current user cannot decrypt the token.
Support: What to do when I notice an error / bug?
Introduction
contactSync
contactSync synchronizes the Global Address List (GAL) into users’
mailboxes, which are in the same environment. Mail-enabled objects of an
on-premises Active Directory can be synchronized into on-premises
Exchange mailboxes of the same forest and mail-enabled objects of an
Office 365 tenant can be synchronized into Exchange Online mailboxes of
the same Office 365 tenant.
This document describes how to synchronize the Global Address List (GAL)
into users’ mailboxes, which are in the same environment.
Global Address List (GAL) into mailboxes by using GALsync policies
A cross-forest synchronization of mail-enabled objects from an on-premises
Active Directory into Exchange Online mailboxes of an Office 365 tenant, or
of mail-enabled objects from an Office 365 tenant into on-premises
Exchange mailboxes, is only possible with two GALsync policies. One
GALsync policy exports the mail-enabled objects from an on-premises
Active Directory or from an Office 365 tenant, and the second GALsync
policy imports the exported objects as contacts into on-premises
Exchange mailboxes or Exchange Online mailboxes. For further information,
see GALSYNC – GLOBAL ADDRESS LIST (GAL) INTO MAILBOXES BY USING GALSYNC
POLICIES.
https://www.netsec.de/en/products/galsync/documentation.html
GALsync
GALsync synchronizes the Global Address List (GAL) between different
Exchange environments, which can be on-premises Exchange
environments or Exchange Online of Office 365 tenants. Please have a
look in the GALSYNC MANUAL for further information.
https://www.netsec.de/en/products/galsync/documentation.html
MICROSOFT STOPPED SUPPORTING EXCHANGE 2010 ON THE 13TH OCTOBER 2020
AND EXCHANGE 2007 ON THE 11TH APRIL 2017.
AS MUCH AS WE WOULD LIKE TO KEEP UP COMPATIBILITY FOR ALL VERSIONS, WE CANNOT SUPPORT
AN ENVIRONMENT, WHICH IS NO LONGER SUPPORTED BY THE MANUFACTURER.
Recommendations (Do’s and Don’ts)
Suggestions to test contactSync policies
We recommend testing contactSync before using it with your production
accounts. This way you prevent any unwanted changes or impacts you
might not have considered during setup.
• First use some test accounts and groups
• Then use only 1-5 real accounts
Schedule without overlaps
It is strongly recommended that you configure the scheduler in such a
way that policies do not overlap. Determine how long each policy takes to
run by executing it manually. After that, configure your schedules.
Performance (Exchange Online)
When using any Exchange Online related policy in contactSync, please be
aware of the possibility of some lag. This is due to Exchange Online being a
remote environment, which contactSync connects to using Remote
PowerShell. contactSync is therefore subject to any existing limitation
Microsoft might apply to the connection.
Licensing
Trial license
It is possible to run contactSync without a license. Please note that in this
case only up to 20 objects can be synchronized for up to 21 days.
If you run contactSync as a trial, this is displayed in the information bar at
the bottom of the program window.
If you have any licensing questions or queries, please feel free to contact
our contactSync Sales Team
by phone +49 2421 998 78 20
or via e-mail sales@netsec.de
How to add a license
Click HELP and select ABOUT.
• contactSync will provide you with basic information about your current
license status.
• To add a license, press the ADD LICENSE button and then select the
license file you received.
How many objects are to be licensed?
• Create a contactSync policy and choose the appropriate objects.
Then you can count all of the objects which are valid for
synchronization and would be synchronized during a run. This helps
you decide how many sync objects you need to license.
Quickstart: Global Address List (GAL) into mailboxes
Here you test the basic steps for a successful first unidirectional
synchronization.
In this example, you synchronize the mail-enabled objects of the
on-premises Active Directory forest into the contacts folder of user
mailboxes, which are on the on-premises Exchange server in the same forest.
Or you synchronize the mail-enabled objects of the Office 365 tenant into
contacts folder of user mailboxes, which are on the Exchange Online in the
same Office 365 tenant.
1 Prerequisites
• Your environment must be based on Exchange 2010* SP1, Exchange
2013 and later or Exchange Online (Microsoft Office 365).
MICROSOFT STOPPED SUPPORTING EXCHANGE 2010 ON THE 13TH OCTOBER 2020
AND EXCHANGE 2007 ON THE 11TH APRIL 2017. MICROSOFT ALSO STOPPED SUPPORTING
WINDOWS 2008 R2 AND WINDOWS 7 PROFESSIONAL ON THE 14TH JANUARY 2020.
AS MUCH AS WE WOULD LIKE TO KEEP UP COMPATIBILITY FOR ALL VERSIONS, WE CANNOT
SUPPORT AN ENVIRONMENT WHICH IS NO LONGER SUPPORTED BY THE MANUFACTURER.
• The computer you want to install contactSync on
• Must be a member of the domain if your side is On-Premises. It
should have a good bandwidth to the next DC/GC and an Exchange
Server with CAS role.
• Can also be a standalone machine if your side is Exchange Online.
• Should have a dual-core processor and 2GB RAM.
• Can be a client OS, e.g. Windows 10 Professional (64-Bit), for
testing or a server OS, e.g. Windows 2012 R2 (64-Bit).
• Must be configured with .NET Framework 4.7.1.
• Must be configured with PowerShell 3.0 and later.
• Create a service account with an Exchange mailbox.
• On-Premises: Provide the user of the mailbox with administrative
permissions on the machine you want to install contactSync on.
• Exchange Online: The user of the mailbox must be member of the
EXCHANGE ADMINISTRATOR role or GLOBAL ADMINISTRATOR role.
• contactSync must have direct access to the user mailbox via
Exchange Web Services.
NOTE: DIRECT ACCESS TO KIOSK USER MAILBOXES VIA EXCHANGE WEB SERVICES IS NOT
PERMITTED. SEE http://community.office365.com/en-us/forums/158/t/62635.aspx
AND http://social.msdn.microsoft.com/Forums/en-US/exchangesvrdevelopment/thread/1758d5f8-be86-4dc9-b53c-d6eb38d2d7d2
• Ensure that the mailbox is accessible (e.g. by Outlook Web Access),
that the mailbox can send to and receive mails from the other
organization and that incoming mails from the other organization do
not get caught by your spam filter or firewall.
NOTE: NEWLY CREATED EXCHANGE ONLINE ACCOUNTS NEED TO LOG ON AT LEAST ONCE TO
RESET THEIR TEMPORARY PASSWORD. OTHERWISE REMOTE POWERSHELL WILL NOT WORK.
• If your side is On-Premises, make sure that you can log on with the
configured service account. The contactSync setup must also be able to
grant this account the local security permission
LOG ON AS SERVICE. You may also add the service account to the local
group REMOTE DESKTOP USERS.
• For testing purposes create some mailboxes and a group. Add the
mailboxes as member to the group.
• The service account needs EXCHANGE IMPERSONATION or the FULL ACCESS
PERMISSIONS for the mailboxes where you want to import into the
mailbox contacts.
Please have a look at the chapters:
• How to configure Exchange Impersonation?
• How to grant full access to the user mailboxes?
NOTE: IN A HYBRID EXCHANGE ENVIRONMENT YOU NEED TWO IMPORT POLICIES.
ONE IMPORT POLICY, WHICH IMPORTS INTO THE MAILBOXES, WHICH ARE LOCATED ON AN
ON-PREMISES EXCHANGE SERVER.
THE OTHER IMPORT POLICY, WHICH IMPORTS INTO THE MAILBOXES, WHICH ARE LOCATED
ON EXCHANGE ONLINE OF THE OFFICE 365 TENANT.
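The impersonation prerequisite above only requires access to the mailboxes that receive contacts, so on-premises the role can be limited to those mailboxes with a management scope instead of being assigned organization-wide. This is an added example for the Exchange Management Shell, not the procedure from the manual's How-to chapter; the account name svc-contactsync, the group contactSync-Targets and the scope and assignment names are hypothetical.

```powershell
# Added example (not from the contactSync manual). Exchange Management Shell, on-premises.
# Hypothetical names: svc-contactsync (service account), contactSync-Targets (group
# holding the mailboxes that receive contacts), and the scope/assignment names below.

# Broad form, shown for comparison only: without a scope the account may
# impersonate every mailbox in the organization.
# New-ManagementRoleAssignment -Name 'contactSync-Impersonation' -Role ApplicationImpersonation -User 'svc-contactsync'

# 1. Build a recipient scope from membership in the target group.
#    MemberOfGroup needs the group's distinguished name and matches direct members.
$groupDn = (Get-Group -Identity 'contactSync-Targets').DistinguishedName
New-ManagementScope -Name 'contactSync-Targets-Scope' -RecipientRestrictionFilter "MemberOfGroup -eq '$groupDn'"

# 2. Assign ApplicationImpersonation to the service account, limited to that scope.
$assignment = @{
    Name                      = 'contactSync-Impersonation-Scoped'
    Role                      = 'ApplicationImpersonation'
    User                      = 'svc-contactsync'
    CustomRecipientWriteScope = 'contactSync-Targets-Scope'
}
New-ManagementRoleAssignment @assignment

# 3. Review every impersonation assignment. A RecipientWriteScope of 'Organization'
#    means the assignee is not restricted to the target mailboxes.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object Name, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope
```

Mailboxes added to a policy later must also be added to the group, otherwise imports into them fail for lack of permission.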
2 Install the software
• Login with the user you created before. Run setup.
• Run contactSync for the first time and configure the contactSync Service
with a Service Account (SA), using the same account you are logged in
with (On-Premises).
IMPORTANT: IF YOU CONFIGURE THE LOGON INFORMATION FOR THE DOMAIN SERVICE ACCOUNT
IN THE CONTACTSYNC GUI USING EXCHANGE ON-PREMISES, IT IS NECESSARY TO USE THE
FORMAT DOMAIN\USERNAME.
If the setup detects that contactSync was installed on a standalone
machine, we recommend creating a local account on the standalone
server and using this local account for the contactSync Service and the
contactSync GUI.
This is necessary to use Modern Authentication for Office 365 Exchange
Online. The contactSync Service Account of the Office 365 Exchange
Online tenant is independent of this local account.
For example: “contactsync” is a local account of the “standalone”
server.
Please also run the contactSync GUI in the credentials of this local
account.
IMPORTANT: IF YOU CONFIGURE THE LOGON INFORMATION FOR THE LOCAL SERVICE ACCOUNT IN
THE CONTACTSYNC GUI, IT IS NECESSARY TO USE THE FORMAT COMPUTERNAME\USERNAME.
If the setup detects that contactSync was installed on a standalone
machine, the account for the contactSync Service can be LOCALSYSTEM.
This is no longer recommended, because configuring Modern
Authentication for Office 365 Exchange Online does not work with a
contactSync Service running in the credentials of LOCALSYSTEM.
While contactSync is running, you can check the service account configuration
and your log-in account in the bottom left corner of the GUI.
AD Member Server
Standalone Server
• In menu HELP select ABOUT and add your license. See also chapter
LICENSING.
On-Premise only: In menu OPTIONS select EXCHANGE.
• Configure the access to your Exchange Server. Click MANUAL SETTING and
the SEARCH icon. Now contactSync tries to use autodiscover and
displays the EXCHANGE WEB SERVICES URL it discovers. If you get an error
message please insert the correct EXCHANGE WEB SERVICES URL for your
environment.
• Leave the other option unclicked.
• Confirm the first configuration by pressing the SAVE button.
3 Create and run a contactSync policy
• Create a contactSync policy, guided by the wizard.
• Choose to SYNCHRONIZE DIRECTORY INFORMATION(GAL) INTO USERS´
MAILBOXES OF AN ON-PREMISE EXCHANGE ENVIRONMENT.
or choose to SYNCHRONIZE DIRECTORY INFORMATION(GAL) INTO USERS´
MAILBOXES OF AN EXCHANGE ONLINE / OFFICE 365 TENANT.
• If you are at Exchange Online then click on ADD to insert new
credentials.
• Insert the username, password and e-mail address of an appropriate
account in the Exchange Online (Microsoft Office 365).
NOTE: MICROSOFT ALLOWS ONLY 3 POWERSHELL CONNECTIONS PER ACCOUNT TO EXCHANGE
ONLINE (MICROSOFT OFFICE 365).
• You can test the credentials.
contactSync will only use the mailbox of the primary account to send
and receive e-mails.
NOTE: ALL ACCOUNTS MUST BE FROM THE SAME EXCHANGE ONLINE (MICROSOFT OFFICE 365)
TENANT
• Click NEXT
• On-premises Exchange:
The contactSync service account needs the EXCHANGE IMPERSONATION
or the FULL ACCESS PERMISSION for each mailbox, where you want to
import the mail-enabled objects as contacts.
If you do not want to give the contactSync service account the
EXCHANGE IMPERSONATION or the FULL ACCESS PERMISSION for each
mailbox, you can insert a dedicated mailbox user, which has the
EXCHANGE IMPERSONATION or the FULL ACCESS PERMISSION for each
mailbox.
• Exchange Online:
The primary account for Exchange Online needs EXCHANGE
IMPERSONATION or the FULL ACCESS PERMISSION for each mailbox, where
you want to import the mail-enabled objects as contacts.
If you do not want to give the primary account for Exchange Online the
EXCHANGE IMPERSONATION or the FULL ACCESS PERMISSION for each
mailbox, you can insert a dedicated mailbox user, which has the
EXCHANGE IMPERSONATION or the FULL ACCESS PERMISSION for each
mailbox.
If EXCHANGE IMPERSONATION is configured, a maximum of 5 concurrent
mailboxes is recommended.
If FULL ACCESS is configured in an on-premises Exchange environment
and the server-side EWS Throttling is disabled, a maximum of 5 concurrent
mailboxes is recommended.
How many mailboxes can have their contacts synchronized at the same
time depends on the Exchange environment.
• Click NEXT
• Choose the mailbox users, which should get the mail-enabled objects
as contacts.
NoMailboxSync (internal mark)
If you do not want to import into a particular mailbox, you may insert the
value NOMAILBOXSYNC in any of the custom attributes (on-premises:
EXTENSIONATTRIBUTE1 - EXTENSIONATTRIBUTE15 or Exchange online:
CUSTOMATTRIBUTE1 - CUSTOMATTRIBUTE15). This prevents contactSync from
adding this mailbox to the list of mailboxes that receive directory objects
in their contact folder.
• Choose the mail-enabled objects, which should synchronize into the
users´ mailboxes as contacts.
NoContactSync (internal mark)
If you do not want a particular object to be exported, you may insert the
value NOCONTACTSYNC in any of the custom attributes (on-premises:
EXTENSIONATTRIBUTE1 - EXTENSIONATTRIBUTE15 or Exchange online:
CUSTOMATTRIBUTE1 - CUSTOMATTRIBUTE15). This prevents contactSync from
adding this object to the export list.
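The two internal marks described above (NOMAILBOXSYNC for mailboxes, NOCONTACTSYNC for directory objects) silently exclude objects from a policy, so it is worth auditing where they are set. The following PowerShell is an added example, not NETsec code; the function name Get-ContactSyncMark, the constructed sample objects and the case-insensitive whole-value match are assumptions.

```powershell
# Added example, not part of contactSync. Reports every object that carries an
# internal mark in any of the 15 custom attributes.
# Assumption: the mark is the complete attribute value, compared case-insensitively.
function Get-ContactSyncMark {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$InputObject,

        # 'CustomAttribute' for Exchange cmdlet output, 'extensionAttribute' for AD objects
        [ValidateSet('CustomAttribute', 'extensionAttribute')]
        [string]$AttributePrefix = 'CustomAttribute',

        [ValidateSet('NoMailboxSync', 'NoContactSync')]
        [string[]]$Mark = @('NoMailboxSync', 'NoContactSync'),

        # Property used to identify the object in the report
        [string]$IdentityProperty = 'PrimarySmtpAddress'
    )
    process {
        foreach ($i in 1..15) {
            $name = "$AttributePrefix$i"
            $prop = $InputObject.PSObject.Properties[$name]
            if ($null -eq $prop) { continue }          # attribute not loaded or not set
            $value = [string]$prop.Value
            if ($Mark -contains $value) {              # -contains is case-insensitive
                [pscustomobject]@{
                    Identity  = $InputObject.$IdentityProperty
                    Attribute = $name
                    Mark      = $value
                }
            }
        }
    }
}

# Constructed sample objects, shaped like Get-Mailbox / Get-Recipient output.
$sample = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'ceo@example.com';   CustomAttribute1 = ''; CustomAttribute7 = 'NoMailboxSync' }
    [pscustomobject]@{ PrimarySmtpAddress = 'room1@example.com'; CustomAttribute3 = 'nocontactsync' }
    [pscustomobject]@{ PrimarySmtpAddress = 'alice@example.com'; CustomAttribute2 = 'Sales' }
)
$sample | Get-ContactSyncMark | Format-Table -AutoSize

# Against a live environment (Exchange Management Shell or Exchange Online PowerShell):
#   Get-Mailbox   -ResultSize Unlimited | Get-ContactSyncMark -Mark NoMailboxSync
#   Get-Recipient -ResultSize Unlimited | Get-ContactSyncMark -Mark NoContactSync
# Against on-premises Active Directory (ActiveDirectory module):
#   $attrs = @('mail') + (1..15 | ForEach-Object { "extensionAttribute$_" })
#   Get-ADUser -LDAPFilter '(mail=*)' -Properties $attrs |
#       Get-ContactSyncMark -AttributePrefix extensionAttribute -IdentityProperty mail
```

Comparing the report between runs shows when a mark was added to or removed from an object outside of change control.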
• For the directory information, SEARCH for the group which you created for
test purposes, with some test mailboxes and groups as members. Click
APPLY and choose GROUP +ONLY MEMBERSHIP, click OK and NEXT.
• CHOOSE a mailbox contact folder.
• CREATE a folder for the contacts and select it.
• Click NEXT.
• Leave STATUS NOTIFICATION EMAILS unclicked and click NEXT.
• Leave SCHEDULE SERVICE unclicked and click NEXT.
• In the GENERAL SECTION insert a name for the policy and click NEXT.
• After all your configuration is validated in the SUMMARY SECTION, click FINISH.
• Execute the policy by clicking RUN while mouse focus is set to the policy
name in the hierarchy tree on the left hand side.
• The OPERATION STATUS displays the progress. After execution click CLOSE.
Now you should see the synchronized mail-enabled objects in the folder
of the mailbox contacts.
Deployment Guide
Introduction
This chapter will help you to plan your contactSync installation. To simplify
the description of each scenario below.
You can create a limitless number of policies. Multiple policies must be
scheduled for execution – no concurrent executions are possible. Policies
are kept in a queue and will be run sequentially.
Exchange 2010-2019 -> Mailbox Contacts
If your environment is based on Exchange 2010*, 2013, 2016 or 2019
and you want to sync into a folder of mailbox contacts, which are located
on the Exchange 2010*, 2013, 2016 or 2019, please use contactSync to
synchronize directory objects.
You have to install an instance of contactSync on a domain member
computer in the Exchange 2010*, 2013, 2016 or 2019 forest.
NOTE: IN A HYBRID EXCHANGE ENVIRONMENT YOU NEED TWO CONTACTSYNC POLICIES.
ONE CONTACTSYNC POLICY, WHICH IMPORTS INTO THE MAILBOXES, WHICH ARE LOCATED
ON AN ON-PREMISE EXCHANGE SERVER.
THE OTHER CONTACTSYNC POLICY, WHICH IMPORTS INTO THE MAILBOXES, WHICH ARE
LOCATED ON EXCHANGE ONLINE OF THE OFFICE 365 TENANT.
Exchange Online -> Mailbox Contacts
If your environment is based on Exchange Online and you want to sync
into a folder of mailbox contacts, which are located on the Exchange
Online please use contactSync to synchronize directory objects.
To get access to an Exchange Online (cloud only) environment you can
also use a standalone server.
NOTE: IN A HYBRID EXCHANGE ENVIRONMENT YOU NEED TWO CONTACTSYNC POLICIES.
ONE CONTACTSYNC POLICY, WHICH IMPORTS INTO THE MAILBOXES, WHICH ARE LOCATED
ON AN ON-PREMISE EXCHANGE SERVER.
THE OTHER CONTACTSYNC POLICY, WHICH IMPORTS INTO THE MAILBOXES, WHICH ARE
LOCATED ON EXCHANGE ONLINE OF THE OFFICE 365 TENANT.
You can also use the contactSync software on the machine you installed in
the Exchange 2010*, 2013, 2016 or 2019 forest to access Exchange Online,
so you can import the directory objects into a folder of mailbox contacts,
which are located on the Exchange Online. In this case, however, you need a
mailbox user in the Office 365 tenant, which has the full access permission
to the mailboxes, which are located on Exchange Online.
Technical Guide
System Requirements
* MICROSOFT STOPPED SUPPORTING EXCHANGE 2010 ON THE 13TH OCTOBER 2020 AND
EXCHANGE 2007 ON THE 11TH APRIL 2017. MICROSOFT ALSO STOPPED SUPPORTING WINDOWS
2008 R2 AND WINDOWS 7 PROFESSIONAL ON THE 14TH JANUARY 2020.
AS MUCH AS WE WOULD LIKE TO KEEP UP COMPATIBILITY FOR ALL VERSIONS, WE CANNOT SUPPORT
AN ENVIRONMENT WHICH IS NO LONGER SUPPORTED BY THE MANUFACTURER.
Components and what is required:
OS (64Bit):
• Windows 2008* R2 SP1 Server
• Windows 2012 Server
• Windows 2012 R2 Server
• Windows 2016
• Windows 2019
In small environments or for testing purposes you can also install contactSync on a
client computer running Windows 7* Professional or Windows 10 Professional.
Hardware:
• Processor: minimum dual core
• RAM: minimum 2GB
Software:
• .NET Framework 4.7.1
• PowerShell 3.0 and later
Recommendations:
• Exchange On-Premises: We recommend to install contactSync on a member server
within the domain (e.g. dedicated contactSync server, file server or backup server). The
machine should be uncritical (e.g. may be restarted without complications). The
contactSync server must have a high bandwidth connection to the DC/GC.
• Exchange Online: See recommendations for on-premise; but you can also use a
standalone computer.
Supported Exchange Versions*:
• Exchange 2010* SP1 and later
• Exchange 2013 and later
• Exchange 2016 and later
• Exchange 2019 and later
• Exchange Online (Office 365)
Prerequisites
Service Account
If you run contactSync in the context of a domain then create a service
account which will be owner of the contactSync service.
• The service account must be a domain user in the same domain of which
the contactSync server is a member.
• Make sure that the service account is a member of the LOCAL
ADMINISTRATORS group.
• The service account needs the local right to RUN AS A SERVICE (this right
is added to the service account during the installation).
• Make sure you can logon as the service account. It is likely that the
user requires membership in the Remote Desktop Users group.
• In order to install contactSync you need administrative permission.
Setup will also install the contactSync Service on the computer you
install contactSync on.
NOTE: WE STRONGLY RECOMMEND LOGGING ON AS THE SERVICE ACCOUNT TO RUN THE
CONTACTSYNC GUI.
IMPORTANT: IF YOU CONFIGURE THE LOGON INFORMATION FOR THE DOMAIN SERVICE ACCOUNT IN
THE CONTACTSYNC GUI USING EXCHANGE ON-PREMISES, IT IS NECESSARY TO USE THE FORMAT
DOMAIN\USERNAME.
If you run contactSync on a standalone machine (this is only valid in an
Exchange Online cloud-only scenario), please create a local account for
contactSync.
Please use the local account to configure and run the contactSync Service
and the contactSync GUI in the credentials of this local account.
The local account needs the same local permissions as a domain user as
described above.
The local account will be required to use Modern Authentication for Office
365 Exchange Online. The contactSync Service Account of the Office 365
Exchange Online tenant is independent of this local account.
For example: “contactsync” is a local account on the “standalone” server.
Please also run the contactSync GUI in the credentials of this local
account.
IMPORTANT: IF YOU CONFIGURE THE LOGON INFORMATION FOR THE LOCAL SERVICE ACCOUNT IN THE
CONTACTSYNC GUI, IT IS NECESSARY TO USE THE FORMAT COMPUTERNAME\USERNAME.
Mailbox
At the Exchange on-premises side create an Exchange Mailbox, which will
run all contactSync policies from now on. If you are in a domain then this
mailbox should be owned by the contactSync service account. The mailbox
cannot be hidden from Exchange address lists.
At the Exchange Online side create an Exchange Mailbox, which will be
used by all contactSync policies. The mailbox user must be a member of
the EXCHANGE ADMINISTRATOR role or GLOBAL ADMINISTRATOR role.
NOTE: BY DEFAULT, THE EXCHANGE ONLINE PASSWORD HAS TO BE CHANGED WITHIN 30
DAYS. TO ENSURE, THAT CONTACTSYNC WORKS PROPERLY, YOU HAVE TO CONFIGURE USER
PASSWORDS TO NEVER EXPIRE. TO CONFIGURE YOUR PASSWORD PLEASE FOLLOW THE STEPS
DESCRIBED IN THE FOLLOWING ARTICLE:
https://support.office.com/en-us/article/Set-a-user-s-password-expiration-policy-0f54736f-eb22-414c-8273-498a0918678f
• contactSync must have direct access to the user mailbox via Exchange
Web Services.
NOTE: DIRECT ACCESS TO KIOSK USER MAILBOXES VIA EXCHANGE WEB SERVICES IS NOT
PERMITTED. SEE http://community.office365.com/en-us/forums/158/t/62635.aspx
AND http://social.msdn.microsoft.com/Forums/en-US/exchangesvrdevelopment/thread/1758d5f8-be86-4dc9-b53c-d6eb38d2d7d2
• Ensure that the mailbox is accessible (e.g. by Outlook Web Access).
• Ensure that the mailbox can send to and receive mails from the other
organization.
• Ensure that incoming mails from the other organization do not get
caught by your spam filter or firewall.
Modern Authentication OAuth2 for Exchange Web Services (EWS) to access Exchange
Online
The contactSync service account of an Office 365 tenant needs access to
its own mailbox. For this purpose, Modern Authentication OAuth 2.0 for
Exchange Web Services (EWS) can be configured.
Please note, that Microsoft will stop supporting and fully decommission the
Basic Authentication for Exchange Web Services (EWS) to access
Exchange Online on 13th October 2020.
Please check first, that the contactSync GUI is running in the credentials
of the local contactSync service account, otherwise contactSync cannot
decrypt the token later.
You can check this on the information bar at the bottom of the
contactSync GUI.
“User consent” or “Admin consent request” required in Azure Active Directory Enterprise
Applications to register NETsec contactSync as Enterprise Application
Please note, that contactSync cannot request the necessary “User
consent“ for a non admin user with restricted settings “Consent and
permissions” for Modern Authentication OAuth 2.0 for Exchange Web
Services (EWS) of Exchange Online.
Azure Active Directory admin center -> Enterprise applications -> Consent
and permissions
You have two options if you do not want to use the “Allow user consent
for apps” option permanently.
1. User consent: Set the “Allow user consent for apps” option temporarily for the first
login.
2. Admin consent request
User consent
Switch temporarily to the “Allow user consent for apps” option:
Azure Active Directory admin center -> Enterprise applications -> Consent
and permissions
After that, the login for OAuth 2.0 for Exchange Web Services (EWS) of
Exchange Online with your contactSync service account proceeds successfully.
PLEASE NOTE, THAT THE USER-ID AND THE E-MAIL ADDRESS CAN BE DIFFERENT FOR AN
EXCHANGE ONLINE MAILBOX USER. THIS DEPENDS ON YOUR OFFICE 365 EXCHANGE
ONLINE TENANT.
Enter the credentials of the contactSync service account,
select the OAuth 2.0 authentication method for Exchange Web Services
(EWS) of the Office 365 tenant and click the “Login” button.
Select the same contactSync service account that you used in the
“Exchange Online Credential” dialog before.
Enter the password of the contactSync service account.
NETsec contactSync needs the requested permissions.
After you have accepted the requested permissions, NETsec contactSync gets a
token for the OAuth2 authentication.
contactSync can now use OAuth tokens for authentication to access the
Exchange Web Services (EWS) for your Exchange Online during the policy
runs.
You can test the login and send a test e-mail, e.g. to yourself, on the
“Status notification emails” tab of a policy.
Please also have a look at the TROUBLESHOOTING AND SUPPORT GUIDE chapters:
12010 - Error getting Exchange Online connection
62003 - Current user cannot decrypt the token.
NETsec contactSync has an entry in ENTERPRISE APPLICATIONS of your Office
365 AZURE ACTIVE DIRECTORY ADMIN CENTER, where you can also check and
manage the permissions.
NETsec contactSync has the token and the required delegated permissions
under “User consent”:
After that, you can switch back to your preferred settings if you do not
want to use the “Allow user consent for apps” option permanently.
Then test the login again and send a test email, e.g. to yourself,
once more.
Admin consent request
The “Consent and permissions” settings of the “Enterprise applications”
are restricted:
Azure Active Directory admin center -> Enterprise applications -> Consent
and permissions
Enable the “User can request admin consent to apps they are unable to
consent to” option in “User settings” of the “Enterprise applications”.
Select an administrator account for the consent request under
“Select admin consent request reviewers”.
After that, save the “User Settings”.
Proceed with the login for OAuth 2.0 for Exchange Web Services (EWS) of
Exchange Online with your contactSync service account.
PLEASE NOTE THAT THE USER-ID AND THE E-MAIL ADDRESS CAN BE DIFFERENT FOR AN
EXCHANGE ONLINE MAILBOX USER. THIS DEPENDS ON YOUR OFFICE 365 EXCHANGE
ONLINE TENANT.
Enter the credentials of the contactSync service account,
select the OAuth 2.0 authentication method for Exchange Web Services
(EWS) of the Office 365 tenant and click the “Login” button.
Select the same contactSync service account that you used in the
“Exchange Online Credential” dialog before.
Enter the password of the contactSync service account.
NETsec contactSync needs the requested permissions.
The OAuth2 authentication will fail.
You will now have a pending request in “Admin consent requests” of the
“Enterprise applications”.
Please “Review permissions and consent” with the administrator account
and “Accept” it.
After that, NETsec contactSync has an entry in the “Enterprise applications”
list.
The “Admin consent” of “Permissions” for NETsec contactSync
Proceed with the login for OAuth 2.0 for Exchange Web Services (EWS) of
Exchange Online with your contactSync service account again.
The login will now be successful.
contactSync can now use OAuth tokens for authentication to access the
Exchange Web Services (EWS) for your Exchange Online during the policy
runs.
You can test the login and send a test e-mail, e.g. to yourself, on the
“Status notification emails” tab of a policy.
Please also have a look at the TROUBLESHOOTING AND SUPPORT GUIDE chapters:
12010 - Error getting Exchange Online connection
62003 - Current user cannot decrypt the token.
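To review what either consent path actually granted, the following added example (not part of the NETsec manual or product) lists the delegated permission grants of the enterprise application with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and that the application is listed under the display name “NETsec contactSync”; the service account name is a constructed placeholder.

```powershell
# Added example, not NETsec code: audit the delegated OAuth2 grants of the
# contactSync enterprise application.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the signed-in admin may
# read directory data; $ServiceAccountUpn is a constructed placeholder.
$AppDisplayName    = 'NETsec contactSync'            # name shown under Enterprise applications
$ServiceAccountUpn = 'svc-contactsync@example.com'   # placeholder, replace with your account

Connect-MgGraph -Scopes 'Directory.Read.All' | Out-Null

$apps = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'")
if ($apps.Count -eq 0) {
    throw "No enterprise application named '$AppDisplayName' exists in this tenant."
}

$report = foreach ($app in $apps) {
    $grants = @(Get-MgOauth2PermissionGrant -Filter "clientId eq '$($app.Id)'" -All)
    foreach ($grant in $grants) {
        # The API (resource) the delegated scopes apply to.
        $resource = Get-MgServicePrincipal -ServicePrincipalId $grant.ResourceId

        # ConsentType 'Principal'     = consent given by and for one user (user consent).
        # ConsentType 'AllPrincipals' = consent given by an admin on behalf of all users.
        if ($grant.ConsentType -eq 'AllPrincipals') {
            $grantedFor = 'all users (admin consent)'
        } else {
            $grantedFor = (Get-MgUser -UserId $grant.PrincipalId).UserPrincipalName
        }

        [pscustomobject]@{
            Application = $app.DisplayName
            AppId       = $app.AppId
            Resource    = $resource.DisplayName
            ConsentType = $grant.ConsentType
            GrantedFor  = $grantedFor
            Scopes      = ("$($grant.Scope)".Trim() -split '\s+') -join ', '
            # Flag anything broader than a grant for the service account alone.
            Review      = ($grant.ConsentType -eq 'AllPrincipals') -or
                          ($grantedFor -ne $ServiceAccountUpn)
        }
    }
}

if (-not $report) {
    Write-Warning "'$AppDisplayName' has no delegated permission grants."
} else {
    $report | Format-List
}
```

A row with Review set to True is not necessarily wrong: after the “Admin consent request” path a tenant-wide grant is expected, but it covers every user and is worth recording as such.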
Permission to access the mailboxes (Mailbox contacts)
The service account needs EXCHANGE IMPERSONATION or FULL ACCESS
PERMISSIONS for the mailboxes whose mailbox contacts you want to
import into.
Please have a look at the chapters:
• How to configure Exchange Impersonation?
• How to grant full access to the user mailboxes?
NOTE: IN A HYBRID EXCHANGE ENVIRONMENT YOU NEED TWO IMPORT POLICIES.
ONE IMPORT POLICY, WHICH IMPORTS INTO THE MAILBOXES, WHICH ARE LOCATED ON AN
ON-PREMISES EXCHANGE SERVER.
THE OTHER IMPORT POLICY, WHICH IMPORTS INTO THE MAILBOXES, WHICH ARE LOCATED
ON EXCHANGE ONLINE OF THE OFFICE 365 TENANT.
On-premises Exchange:
Exchange Online:
Use impersonation for access to mailboxes
The contactSync service account needs the EXCHANGE IMPERSONATION to get
access to the mailboxes, where you want to import the mail-enabled
objects as contacts.
Use full access for access to mailboxes
The contactSync service account needs FULL ACCESS PERMISSIONS for each
mailbox to get access to the mailboxes, where you want to import the
mail-enabled objects as contacts.
Count of concurrent mailboxes getting the contacts
The contactSync service account can synchronize the contacts into
multiple mailboxes concurrently.
If EXCHANGE IMPERSONATION is configured, a maximum of 5 concurrent
mailboxes is recommended.
If FULL ACCESS is configured in an on-premises Exchange environment and
the server-side EWS Throttling is disabled, a maximum of 5 concurrent
mailboxes is recommended.
NOTE: HOW MANY MAILBOXES CAN RECEIVE THE SYNCHRONIZED CONTACTS AT THE SAME TIME
DEPENDS ON THE EXCHANGE ENVIRONMENT.
Execution Policy (Exchange online)
If you configure a policy which needs the parameter EXECUTIONPOLICY to be
set to REMOTESIGNED, a message is displayed requiring your confirmation.
The reason for this is a security setting built into Windows PowerShell,
called execution policy. Execution Policy determines how (or if) PowerShell
runs scripts. By default, PowerShell’s execution policy is set to Restricted;
this means that scripts will not run. contactSync requires that scripts are
allowed to execute.
GET-EXECUTIONPOLICY
http://technet.microsoft.com/en-us/library/hh849821.aspx
SET-EXECUTIONPOLICY REMOTESIGNED
https://technet.microsoft.com/en-us/library/hh849812.aspx
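Execution policy is evaluated per scope, and a value set by Group Policy cannot be overridden with Set-ExecutionPolicy. The following added example (not part of the NETsec manual or product) reports which scope decides the effective policy; run it as the account that runs contactSync. The function name is constructed for illustration.

```powershell
# Added example, not NETsec code: report which scope decides the effective
# execution policy and how it compares with the RemoteSigned setting the manual asks for.
function Get-EffectiveExecutionPolicySource {
    # Precedence from highest to lowest; the first scope that is not 'Undefined' wins.
    $precedence = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'

    $byScope = @{}
    foreach ($entry in (Get-ExecutionPolicy -List)) {
        $byScope[[string]$entry.Scope] = [string]$entry.ExecutionPolicy
    }

    $winner = $precedence |
        Where-Object { $byScope[$_] -ne 'Undefined' } |
        Select-Object -First 1
    if (-not $winner) { $winner = '(no scope set, built-in default applies)' }

    # Effective value, also valid when every scope is Undefined.
    $policy     = [string](Get-ExecutionPolicy)
    $fromPolicy = $winner -in 'MachinePolicy', 'UserPolicy'

    $assessment = switch ($policy) {
        'RemoteSigned' { 'Matches the setting the manual asks for.'; break }
        { $_ -in 'Restricted', 'AllSigned', 'Default' } {
            'Stricter than RemoteSigned.'; break
        }
        { $_ -in 'Unrestricted', 'Bypass' } {
            'More permissive than RemoteSigned; consider tightening it.'; break
        }
        default { "Unexpected value '$policy'." }
    }
    if ($fromPolicy -and $policy -ne 'RemoteSigned') {
        $assessment += ' Set by Group Policy: Set-ExecutionPolicy cannot override it, change the GPO instead.'
    }

    [pscustomobject]@{
        Account          = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        DecidingScope    = $winner
        EffectivePolicy  = $policy
        SetByGroupPolicy = $fromPolicy
        Assessment       = $assessment
    }
}

Get-EffectiveExecutionPolicySource | Format-List
```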
Some notes to the remote PowerShell management for Office 365 tenants
Since contactSync 7.2.0, contactSync has a redesigned remote PowerShell
management for Office 365 tenants.
contactSync will now try to reconnect broken remote PowerShell sessions
to the Office 365 tenant during a policy run.
If a PowerShell connection to the Office 365 tenant is broken,
contactSync will try to reconnect to the Office 365 tenant, but it may
happen that some data is not completely synchronized due to the
broken connection.
In this case contactSync will try to complete the synchronization in the
next run.
In the worst case, some existing contacts in the target mailboxes of the
synchronization may be deleted, and after they have been re-created,
NDR issues can occur in the target environment.
Running contactSync policies via command line
Start a contactSync policy with the following command:
Syntax:
<contactSync program folder>\NETsec contactSync\
<CommonApplicationDataPath>\contactSync\policies\<policy file>
Example:
cd "C:\Program Files\NETsec contactSync\"
NETsecPolicyExecuter.exe "C:\ProgramData\NETsec GmbH & Co. KG\contactSync\policies\policyname.xml"
You can find the COMMONAPPLICATIONDATA path one level up from the log file
folder which you can find on the STATUS tab.
contactSync components
Files
The executables are stored by default in C:\PROGRAM FILES\NETSEC
CONTACTSYNC, but you may change this during the setup routine. This folder
will be removed if you uninstall the software.
Files containing your configured policies, created encryption keys, log files
and so on are placed in folder
%PROGRAMDATA%\NETSEC GMBH & CO. KG\CONTACTSYNC.
NOTE: THE FOLDER %PROGRAMDATA% USUALLY IS HIDDEN. YOU MAY ACTIVATE THE
OPTION ‘SHOW HIDDEN FILES, FOLDERS, AND DRIVES’ IN FOLDER ‘OPTIONS’ OF THE
WINDOWS EXPLORER.
Policy
Policies are the core logical component. A policy defines
• which data you want to share,
(filter the objects of your own directory),
• to which mailboxes you want to send the data included in this policy,
• to which email address you want to send an administrative report,
• at what times you want the policy to be executed automatically.
GUI
The Graphical User Interface is used to configure policies. You can also
test and execute policies manually.
NOTE: IF YOU RUN A POLICY USING THE GUI THE POLICY RUNS IN THE CONTEXT OF THE
USER THAT IS LOGGED IN. THEREFORE IT IS RECOMMENDED TO LOG IN WITH THE SAME
ACCOUNT WHICH IS CONFIGURED FOR THE CONTACTSYNC SERVICE.
The GUI is executed as process named CONTACTSYNC.EXE.
Policy Wizard
The contactSync Console also provides Wizards for simplifying the tasks of
creating policies. The Wizards walk you through each step in order to
create a usable policy that you can run manually or scheduled. As you go
through the wizard, contactSync provides you with different information:
Indicates a positive validation
Indicates that some conditions in this step have not been
validated yet
Feature is not used
Indicates a configuration process
Service
The contactSync Service is only used to execute the scheduled policies.
The contactSync Service checks once a minute if there are enabled
policies to be executed. These policies will be added to the execution
queue and run sequentially.
The service is executed as a process named CONTACTSYNCSERVICE.EXE.
Every scheduled policy runs in the context of the user that is used by the
contactSync Service.
Internal Marks
NoContactSync (internal mark)
If you do not want a particular object to be exported, you may insert the
value NOCONTACTSYNC in any of the custom attributes (on-premises:
EXTENSIONATTRIBUTE1 - EXTENSIONATTRIBUTE15 or Exchange Online:
CUSTOMATTRIBUTE1 - CUSTOMATTRIBUTE15). This prevents contactSync from
adding this object to the export list.
NoMailboxSync (internal mark)
If you do not want to import into a particular mailbox, you may insert the
value NOMAILBOXSYNC in any of the custom attributes (on-premises:
EXTENSIONATTRIBUTE1 - EXTENSIONATTRIBUTE15 or Exchange Online:
CUSTOMATTRIBUTE1 - CUSTOMATTRIBUTE15). This prevents contactSync from
adding this mailbox to the list of mailboxes, which get directory objects
into the contact folder.
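Because the marks can sit in any of fifteen attributes, it is easy to lose track of which objects are excluded. The following added example (not part of the NETsec manual or product) lists the on-premises objects that carry either mark; it also applies to the NoContactSync and NoMailboxSync passages repeated in the Mailboxes and Directory tab chapters. It assumes the ActiveDirectory PowerShell module is installed and that the mark is stored as the complete attribute value; the function names are constructed for illustration.

```powershell
# Added example, not NETsec code: list on-premises objects carrying an internal mark.
# Assumptions: ActiveDirectory module (RSAT) available; the mark is the whole
# attribute value; the search covers the current domain unless -SearchBase is given.
Import-Module ActiveDirectory

function New-MarkerLdapFilter {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('NoContactSync', 'NoMailboxSync')]
        [string]$Marker
    )
    # One equality clause per custom attribute, combined with a logical OR.
    $clauses = 1..15 | ForEach-Object { "(extensionAttribute$($_)=$Marker)" }
    '(|' + ($clauses -join '') + ')'
}

function Get-MarkedDirectoryObject {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('NoContactSync', 'NoMailboxSync')]
        [string]$Marker,
        [string]$SearchBase   # optional distinguished name of an OU to limit the search
    )
    $attributes = 1..15 | ForEach-Object { "extensionAttribute$($_)" }
    $query = @{
        LDAPFilter = (New-MarkerLdapFilter -Marker $Marker)
        Properties = $attributes + 'mail'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADObject @query | ForEach-Object {
        $object = $_
        # Report which attribute(s) hold the mark so it can be removed later.
        $hits = $attributes | Where-Object { $object.$_ -eq $Marker }
        [pscustomobject]@{
            Marker            = $Marker
            Name              = $object.Name
            ObjectClass       = $object.ObjectClass
            Mail              = $object.mail
            MarkedAttributes  = $hits -join ', '
            DistinguishedName = $object.DistinguishedName
        }
    }
}

# Objects excluded from export, then mailboxes excluded from import.
Get-MarkedDirectoryObject -Marker NoContactSync | Format-Table -AutoSize
Get-MarkedDirectoryObject -Marker NoMailboxSync | Format-Table -AutoSize
```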
Global Settings
The Global Settings are available if you click the CONTACTSYNC node in the
left hierarchy tree. The content pane now displays the TABs SETTINGS,
EXCHANGE, POLICIES, STATUS and HELP.
Settings Tab
Here you can configure general settings used in all policies.
Status file directory
contactSync stores the log files in the application data of the program for
all users. If the log files are to be stored somewhere else, the appropriate
directory path can be entered here.
Use LDAP over SSL (LDAPS)
Use LDAP over SSL (LDAPS) to connect an on-premises Active Directory.
If you have configured LDAP over SSL (LDAPS) in your on-premises Active
Directory, contactSync can use LDAP over SSL (LDAPS) to communicate
with your on-premises Active Directory.
NOTE: THE ACTIVE DIRECTORY SCHEMA PARTITION IS ONLY READ USING LDAP.
You can get more information about "LDAP over SSL (LDAPS)" in the
Microsoft TechNet Wiki article LDAP over SSL (LDAPS) Certificate
https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
You can check whether LDAP over SSL (LDAPS) works in your
environment/on your machine with the Microsoft ldp.exe tool.
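As a scriptable complement to the ldp.exe check, the following added example (not part of the NETsec manual or product) performs only the TLS handshake against port 636 and reports how the machine running contactSync sees the domain controller's certificate. The function name and the host name in the usage line are constructed for illustration.

```powershell
# Added example, not NETsec code: TLS handshake check against an LDAPS port.
# It sends no credentials and no LDAP request; it only inspects the certificate.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)][string]$Server,   # use the FQDN, the certificate must match it
        [int]$Port = 636,
        [int]$TimeoutMs = 5000
    )
    $state  = @{ Errors = $null; Cert = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl    = $null
    try {
        $pending = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connection to ${Server}:$Port timed out."
        }
        $client.EndConnect($pending)

        # The callback records the validation result and lets the handshake finish,
        # so a certificate that fails validation can still be reported. Diagnostic use only.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($source, $certificate, $chain, $policyErrors)
            $state.Errors = $policyErrors
            $state.Cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificate)
            $true
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)

        $cert = $state.Cert
        # Subject Alternative Name extension (OID 2.5.29.17).
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        # Enhanced Key Usage must include Server Authentication (OID 1.3.6.1.5.5.7.3.1).
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $serverAuth = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1'))

        [pscustomobject]@{
            Server          = $Server
            Port            = $Port
            TlsProtocol     = $ssl.SslProtocol
            Subject         = $cert.Subject
            SubjectAltNames = if ($san) { $san.Format($false) } else { '' }
            Issuer          = $cert.Issuer
            NotAfter        = $cert.NotAfter
            DaysRemaining   = [int]($cert.NotAfter - (Get-Date)).TotalDays
            ServerAuthEku   = $serverAuth
            PolicyErrors    = $state.Errors   # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors ...
            Trusted         = ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Constructed host name; replace with a domain controller of your forest.
Test-LdapsEndpoint -Server 'dc01.example.com' | Format-List
```

Trusted must be True on the contactSync machine itself: a name mismatch or an untrusted issuer reported here is the same failure an LDAPS client on that machine would hit.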
Exchange Tab
Here you can configure general Exchange settings used in all policies.
Exchange On-Premises
If you work with Exchange On-Premises you can choose USE AUTODISCOVER
to find the EXCHANGE WEB SERVICE (EWS). If Autodiscover does not work
you may set the value for EXCHANGE WEB SERVICES (EWS) manually. If you
click the SEARCH icon then contactSync tries to discover the Autodiscover
settings.
Policies Tab
The POLICIES tab lists all existing contactSync policies. Select a listed policy
to see or modify its configuration. After initial setup, if no policy has
been created yet, this list is empty.
Please run the contactSync GUI and the policy with the credentials of your
contactSync service account.
You can check this in the information bar at the bottom.
Status Tab
The STATUS tab shows quick reports about the status of reports that were
executed during the log retention timespan.
For support purposes you may export the status files (see menu ACTION
EXPORT STATUS).
NOTE: IF A POLICY IS CURRENTLY RUNNING, ACCESS TO THE STATUS FILE MAY NOT BE POSSIBLE.
THE STATUS FILE WILL BE DISPLAYED AT THE TOP OF THE LIST AND IS INDICATED WITH
“ERROR”.
Retain status information
Here you can configure how long status information (log files) is stored on
your machine. Logs older than the specified number of days will be
deleted. You will find a link to the folder where the log files are stored.
Please keep in mind that Windows Explorer usually hides this folder by
default. If you do not see this link, please open the window symbol at the
bottom on the right.
NETsec LogViewer
Please have a look at the NETsec LogViewer manual
https://www.netsec.de/fileadmin/download/LogViewer/NETsec_LogViewer_manual.pdf
Open and export log files
For support purposes you may open or export the status files / log files.
Open log file.
1. You can double-click an entry of the status table and the log file will
open in the NETsec LogViewer.
2. After you select an entry of the status table, you can right-click to
open the context-menu and “Open the log file” will open it in the
NETsec LogViewer.
Export log file
Exports only the one log file, which is selected, to a zip file.
Export all log files
1. Exports all filtered log files of the status table to a zip file.
E.g. all log files of the last week or all log files of a selected policy.
2. The menu ACTION EXPORT STATUS exports all log files to a zip file.
Help Tab
The HELP tab provides you with a hyperlink for downloading the latest
manual as well as mail-addresses and phone numbers for support and
sales.
Filter mailboxes
In the Mailboxes TAB of contactSync policies for mailbox contacts you
select the directory objects, which have mailbox objects. Search scope is a
single object type all over the domain or selected organizational units in
the local domain. You may also remove a selected entry from the list.
NoMailboxSync (internal mark)
If you do not want to import into a particular mailbox, you may insert the value
NOMAILBOXSYNC in any of the custom attributes (on-premises:
EXTENSIONATTRIBUTE1 - EXTENSIONATTRIBUTE15 or Exchange Online:
CUSTOMATTRIBUTE1 - CUSTOMATTRIBUTE15). This prevents contactSync from
adding this mailbox to the list of mailboxes, which get directory objects
into the contact folder.
Choose mailboxes (On-premises)
Here you may tick a dedicated Organizational Unit in the listed domains.
An active directory tree with all domains and organizational units will be
listed.
In forests with multiple domains all domains are displayed.
Group Option
Only this OU
All mailbox objects included in the selected OU will be recognized for
synchronization at runtime.
Only Sub-OUs
All mailbox objects included in one of the sub-OUs of the selected OU will
be recognized for synchronization at runtime.
OU + Sub-OUs
All mailbox objects included in a selected OU and all nested OUs will be
recognized for synchronization at runtime.
Include group memberships
All mailbox objects, which are members of a group, will be recognized for
synchronization at runtime, if the group is in a selected OU.
Include nested groups + memberships
Nested groups and their members will also be resolved for synchronization
at runtime.
Exportable RecipientTypeDetails
contactSync synchronizes objects whose MSEXCHRECIPIENTTYPEDETAILS /
RECIPIENTTYPEDETAILS property is set to one of the listed
RECIPIENTTYPEDETAILS, and objects for which the MSEXCHRECIPIENTTYPEDETAILS /
RECIPIENTTYPEDETAILS property has not been set.
The list of RECIPIENTTYPEDETAILS can be modified with “Add/Remove
RecipientTypeDetails …”.
NOTE: IN THE CASE OF RECIPIENTTYPEDETAILS, THAT ARE NOT PRESENT IN THE
EXPORTABLE RECIPIENTTYPEDETAILS LIST BY DEFAULT, CONTACTSYNC DOES NOT CHECK
WHETHER THEY ARE PRESENT OR USEFUL IN YOUR ENVIRONMENT. WE LEAVE THE
VERIFICATION TO THE RESPONSIBLE ADMINISTRATOR TO SUPPORT AS MANY SCENARIOS AS
POSSIBLE. A DISADVANTAGE IS THAT THE ADMINISTRATOR CAN CONFIGURE NONSENSE.
Choose mailboxes (Exchange Online)
Here you may pick all USERMAILBOX objects.
Exportable RecipientTypeDetails
contactSync synchronizes objects whose MSEXCHRECIPIENTTYPEDETAILS /
RECIPIENTTYPEDETAILS property is set to one of the listed
RECIPIENTTYPEDETAILS, and objects for which the MSEXCHRECIPIENTTYPEDETAILS /
RECIPIENTTYPEDETAILS property has not been set.
The list of RECIPIENTTYPEDETAILS can be modified with “Add/Remove
RecipientTypeDetails …”.
NOTE: IN THE CASE OF RECIPIENTTYPEDETAILS, THAT ARE NOT PRESENT IN THE
EXPORTABLE RECIPIENTTYPEDETAILS LIST BY DEFAULT, CONTACTSYNC DOES NOT CHECK
WHETHER THEY ARE PRESENT OR USEFUL IN YOUR ENVIRONMENT. WE LEAVE THE
VERIFICATION TO THE RESPONSIBLE ADMINISTRATOR TO SUPPORT AS MANY SCENARIOS AS
POSSIBLE. A DISADVANTAGE IS THAT THE ADMINISTRATOR CAN CONFIGURE NONSENSE.
Search mailboxes (On-premises)
You can search for an object by entering an expression. Uncheck all object
types you do not want to have as a result.
NOTE: THE SCOPE OF THE QUERY IS THE FOREST.
The result listed contains all objects found. Select certain or all objects to
be gathered for import and press Apply.
With * you can find all objects which you want to have as a result.
User
You can search for user objects with a mailbox and select dedicated
mailboxes for import matching the inserted expression.
RECOMMENDATION: SELECT DEDICATED MAILBOX USERS ONLY IF YOU ARE SURE THEY WILL
NEVER BE DELETED FROM ACTIVE DIRECTORY. CONSIDER USING OBJECTS WITH ‘DYNAMIC’
MEMBERS, SUCH AS OUS, GROUPS ETC.
Container
You can search for container objects to get all objects with a mailbox in
this container matching the inserted expression.
OU
You can search for Organizational Units to get all objects with a mailbox in
this OU matching the inserted expression.
Dynamic Distribution Group
DYNAMIC DISTRIBUTION GROUP (formerly QUERY-BASED GROUP) provides a type
of Distribution Group with a flexible method to dynamically define the
membership to this type of group. It is not a static membership like
regular groups.
Search for DYNAMIC DISTRIBUTION GROUPS matching the inserted expression
and select if you want to get all members with a mailbox of this group.
Groups
Search for LOCAL, GLOBAL and UNIVERSAL groups of type SECURITY GROUP or
DISTRIBUTION GROUP.
If you check SETTING FOR ALL GROUPS the configuration will be applied to all
listed and selected groups. Otherwise you will be asked for every selected
group.
Search mailboxes (Exchange Online)
Here you may pick either all objects or specify a filter by ticking recipient
types you want to choose. With * you can find all objects which you want
to have as a result. For example, you tick only
MAILUNIVERSALDISTRIBUTIONGROUP and you will have all
MailUniversalDistributionGroups as a result.
The result listed contains all objects found. Select certain or all objects to
be gathered for import and press APPLY. It is very important that you
change this option if you want to get more than 500 objects.
You can limit the number of results you want to get.
NOTE: THE DEFAULT OF 500 IS SET TO PREVENT A LONG-RUNNING SEARCH. IF YOUR
RESULT IS LARGER THAN THE GIVEN VALUE, THE OBJECTS NOT LISTED ARE NOT INCLUDED IN
THE POLICY!
Directory Tab
In the Directory tab of contactSync policies for mailbox contacts you select
mail-enabled objects, which will be synchronized as contacts into users’
mailboxes. You may also remove a selected entry from the list.
NoContactSync (internal mark)
If you do not want a particular object to be exported, you may insert the
value NOCONTACTSYNC in any of the custom attributes (on-premises:
EXTENSIONATTRIBUTE1 - EXTENSIONATTRIBUTE15 or Exchange Online:
CUSTOMATTRIBUTE1 - CUSTOMATTRIBUTE15). This prevents contactSync from
adding this object to the export list.
Choose (On-premises)
Here you may tick a dedicated Organizational Unit in the listed domains.
An active directory tree with all domains and organizational units will be
listed. All mail-enabled objects (users, contacts and groups) included in a
selected OU (and all nested OUs) will be recognized for import at runtime.
In forests with multiple domains all domains are displayed.
Group Option
Only this OU
All mail-enabled objects included in the selected OU will be recognized for
synchronization at runtime.
Only Sub-OUs
All mail-enabled objects included in one of the sub-OUs of the selected OU
will be recognized for synchronization at runtime.
OU + Sub-OUs
All mail-enabled objects included in a selected OU and all nested OUs will
be recognized for synchronization at runtime.
Include group memberships
All mail-enabled objects, which are members of a group, will be
recognized for synchronization at runtime, if the group is in a selected OU.
Include nested groups + memberships
Nested groups and their members will also be resolved for synchronization
at runtime.
Exportable RecipientTypeDetails
contactSync synchronizes objects whose MSEXCHRECIPIENTTYPEDETAILS /
RECIPIENTTYPEDETAILS property is set to one of the listed
RECIPIENTTYPEDETAILS, and objects for which the MSEXCHRECIPIENTTYPEDETAILS /
RECIPIENTTYPEDETAILS property has not been set.
The list of RECIPIENTTYPEDETAILS can be modified with “Add/Remove
RecipientTypeDetails …”.
NOTE: IN THE CASE OF RECIPIENTTYPEDETAILS, THAT ARE NOT PRESENT IN THE
EXPORTABLE RECIPIENTTYPEDETAILS LIST BY DEFAULT, CONTACTSYNC DOES NOT CHECK
WHETHER THEY ARE PRESENT OR USEFUL IN YOUR ENVIRONMENT. WE LEAVE THE
VERIFICATION TO THE RESPONSIBLE ADMINISTRATOR TO SUPPORT AS MANY SCENARIOS AS
POSSIBLE. A DISADVANTAGE IS THAT THE ADMINISTRATOR CAN CONFIGURE NONSENSE.
Add/Remove RecipientTypeDetails…
Shows a dialog where you can modify the list of RECIPIENTTYPEDETAILS
which are allowed for synchronization.
NOTE: IF THE MSEXCHRECIPIENTTYPEDETAILS / RECIPIENTTYPEDETAILS PROPERTY IS
NOT SET, THE OBJECT WILL BE SYNCHRONIZED.
Add value for export
contactSync adds a value to an attribute of a synchronized object during
the synchronization. This value is only added to the synchronized object,
but not to the source object.
Choose (Exchange Online)
Here you may tick either all objects or specify a filter by ticking recipient
types you want to choose.
After that you define the list of RECIPIENTTYPEDETAILS for each recipient
type, which will be recognized for synchronization at runtime.
Search (On-premises)
You can search for an object by entering an expression. Uncheck all object
types you do not want to have as a result.
NOTE: THE SCOPE OF THE QUERY IS THE FOREST.
The result listed contains all objects found. Select certain or all objects to
be gathered for import and press Apply.
With * you can find all objects which you want to have as a result.
Search (Exchange Online)
Here you may tick either all objects or specify a filter by choosing recipient
types you want to choose. With * you can find all objects which you want
to have as a result. For example, you check only
MAILUNIVERSALDISTRIBUTIONGROUP and you will have all
MAILUNIVERSALDISTRIBUTIONGROUPS as a result.
The result listed contains all objects found. Select certain or all objects to
be gathered for import and press APPLY. It is very important that you
change this option if you want to get more than 500 objects.
You can limit the number of results you want to get.
NOTE: THE DEFAULT OF 500 IS SET TO PREVENT A LONG-RUNNING SEARCH. IF YOUR
RESULT IS LARGER THAN THE GIVEN VALUE, THE OBJECTS NOT LISTED ARE NOT INCLUDED IN
THE POLICY!
Group Option
Only group
Synchronize the selected group object.
Only Membership
Synchronize the members of the selected group object.
Group + Membership
Synchronize the group object and the members.
Include nested groups
Also synchronize the nested group objects and the members.
Exportable RecipientTypeDetails
contactSync synchronizes objects whose MSEXCHRECIPIENTTYPEDETAILS /
RECIPIENTTYPEDETAILS property is set to one of the listed
RECIPIENTTYPEDETAILS, and objects for which the MSEXCHRECIPIENTTYPEDETAILS /
RECIPIENTTYPEDETAILS property has not been set.
The list of RECIPIENTTYPEDETAILS can be modified with “Add/Remove
RecipientTypeDetails …”.
NOTE: IN THE CASE OF RECIPIENTTYPEDETAILS, THAT ARE NOT PRESENT IN THE
EXPORTABLE RECIPIENTTYPEDETAILS LIST BY DEFAULT, CONTACTSYNC DOES NOT CHECK
WHETHER THEY ARE PRESENT OR USEFUL IN YOUR ENVIRONMENT. WE LEAVE THE
VERIFICATION TO THE RESPONSIBLE ADMINISTRATOR TO SUPPORT AS MANY SCENARIOS AS
POSSIBLE. A DISADVANTAGE IS THAT THE ADMINISTRATOR CAN CONFIGURE NONSENSE.
Add value for export
contactSync adds a value to a property during the synchronization.
Special options for contactSync
You can configure some optional SETTINGS on the DIRECTORY tab.
Exchange On-Premises
Exchange Online
Maximum errors to transfer data file
In the DIRECTORY SETTINGS of a contactSync policy you can set a limit on how
many errors may occur when creating a data file before importing. If this
limit of errors is exceeded, the affected data file will not be imported into
the mailboxes.
Minimum objects to transfer data file
In the DIRECTORY SETTINGS of a contactSync policy you can define a
minimum number of objects to be written to the data file before importing
into the mailboxes. As long as the data file contains fewer objects, it will not
be imported into the mailboxes.
For example, if you expect to export over 1000 objects, you can set the
minimum number of objects to 1000. Assume that a network error
occurs at runtime and contactSync identifies only 600 objects for export
(because your domain controller is unavailable). The data file will not
be imported into the mailboxes. Otherwise, the missing contacts would
have been deleted from the mailboxes even though they still exist
in the environment.
Include hidden objects (On-Premises only)
If this option in the DIRECTORY SETTINGS of a contactSync policy is selected
the objects, which are hidden from the GAL, are also synchronized.
Export ‘MasteredOnPremise’ objects (Exchange Online only)
Allows you to export objects from Exchange Online (Office 365) which are
synchronized with the Microsoft Directory Synchronization tool. Microsoft
Directory synchronization allows identities to be mastered on-premises,
and all updates to that identity are synchronized to Office 365.
NOTE: BY DEFAULT CONTACTSYNC EXPORTS ONLY OBJECTS FROM EXCHANGE ONLINE
(OFFICE365) WHICH ARE NOT STAMPED WITH “MASTEREDONPREMISE”.
Mark synchronized contacts as private
Allows you to mark the imported contacts as "private" in the users’
mailboxes. Private contacts are not visible to other people if the Microsoft
Exchange account contacts are shared.
NOTE: A PERSON WITH DELEGATE ACCESS OR PERMISSION TO READ YOUR SHARED FOLDERS
COULD VIEW THE CONTENTS OF YOUR PRIVATE CONTACTS AND EVENTS BY USING OTHER
APPLICATIONS.
Synchronize Picture (On-Premises)
If this option in the DIRECTORY SETTINGS of a contactSync policy is selected,
the users’ photos stored in the source directory are exported as well.
Photos usually are stored in the attribute THUMBNAILPHOTO. This option is only
available in an on-premises environment.
NOTE: IMPORTING THUMBNAILPHOTO INTO MAILBOXES IS VERY SLOW.
THE EXCHANGE ENVIRONMENT NEEDS SOME DAYS TO UPDATE THE THUMBNAILPHOTO OF THE
IMPORTED CONTACTS IN THE MAILBOXES, BEFORE YOU CAN SEE THE THUMBNAILPHOTO IN
THE OUTLOOK CLIENTS.
Modify or delete existing contacts with source domain
Please be careful with this option.
You can add a further source domain, which is not contained in the
synchronization.
This means that if contacts in the mailboxes have been synchronized with
GALsync or contactSync and their source domain is no longer included in the
synchronization, these contacts can still be synchronized.
To do this, the old source domain, as it appears in the log file, must be entered
in the field. E.g. the source domain is DC=forestB,DC=com
After that, all existing contacts with this source domain will also be
modified or deleted.
This can be helpful e.g. after a migration.
Object Filter
Excludes from the synchronization all objects which meet one of the
conditions. This feature allows you to exclude objects from the
synchronization process. If you enable this feature inside your policy
configuration dialog, you may add conditions, each containing the name of a
property whose value is compared to the given value using your chosen
comparison operator. During an export every object is checked to see whether
one or more of its properties match these conditions. If at least one condition
is fulfilled, the object will not be synchronized.
Filter and Modify objects for import into mailboxes
Configure all mailbox contact folder settings.
Choose (Mailbox contacts)
Add a new folder, where you want to store the imported directory
information in and select it.
Please select a folder for contact synchronization.
All folders displayed by this control are for selecting purpose.
Adding and deleting folders inside this dialog will not result in physically
removing or adding this folder inside a mailbox.
By selecting a folder this folder will be used on target mailboxes as folder
to be filled with contacts. If the chosen folder does not exist in a target
mailbox, this folder will be created during the next import.
Selected Folder
The selected folder will be used as target folder inside mailboxes during
imports so that contacts will only be created inside this folder.
Allow synchronization into the well-known contact folder of the mailboxes.
This option allows contactSync to create and synchronize the contacts into
the well-known contact folder of the mailboxes. Please be careful with this
option because it allows you to directly change and delete contacts that
your employees have created. This could also confuse some of your
employees.
We recommend creating and synchronizing an additional contact for each
existing contact which was not created by contactSync.
Do not touch untagged contacts, these contacts will not be synchronized
Existing contacts will not be touched unless they were created by
contactSync.
contactSync does not create and synchronize a contact if there is already
an existing contact which was not created by contactSync.
Synchronize untagged contacts with contactSync
Please be very careful with this option.
All existing contacts are synchronized, even if they were not created by
contactSync. This means that if contacts have been created by your
employees below the selected contact folder, contactSync will also
synchronize and possibly delete them, which could cause your employees
to lose information.
Synchronize an additional contact for each untagged contact
contactSync creates and synchronizes an additional contact for each
existing contact which was not created by contactSync.
Create folder
You can create a new folder, into which contactSync creates and
synchronizes the contacts. This option gives you the possibility to separate
the contacts, which have been created by your employees, from the
contacts, which have been created by contactSync.
Please keep in mind that the name of the folder should be unique and
should not exist in the mailbox of your employees, otherwise contactSync
will use the existing folder with the same name below the well-known
contact folder of the mailbox for the synchronization.
Recommendation: The contactSync service account can only create a subfolder
for import if it has Full Access permission to all mailboxes which should
get the directory information.
Please grant Full Access to the user mailboxes for the contactSync service
account.
Please have a look at the chapter ‘How to grant full access to the user
mailboxes?’
Remove folder
This option removes a folder inside this dialog but will not remove a folder
inside a mailbox. Please select the folder, which you want to remove.
Properties (Mailbox contacts)
Modify the values for the contactSync policy. The modified objects are
prioritized during the import.
Usually there are different classes of objects in your import list (e.g.
USER, CONTACT and GROUP). Because these classes have different attributes,
rules are applied according to the object class. E.g. for the attribute
FILEAS, DISPLAYNAME, the first rule displayed in the screenshot will be
applied only to users and contacts, because a group does not have an
attribute GIVENNAME.
Please note that PUBLIC FOLDER means the old object class of Exchange 2003
technology and not the current public folder mailbox technology.
The property INITIALS can be ignored for all object classes, because you
cannot see the imported value in the Outlook clients.
Property to modify
These attributes can be modified before import:
CompanyName, Department, Body, FileAs, BusinessFax, GivenName, HomePhone,
Initials, BusinessPhone, BusinessAddressCity, MobilePhone, Pager, OfficeLocation,
BusinessAddressPostalCode, Surname, BusinessAddressState, BusinessAddressStreet,
PrimaryPhone, JobTitle, BusinessHomePage, NickName
Note: Some properties are not shown in Outlook, e.g. Initials.
The following matrix shows how properties are transformed between Exchange
On-Premise / Exchange Online and the Outlook Contact:
Active Directory (Exchange On-Premise) | Active Directory (Exchange Online) | Outlook Contact (Exchange Mailbox)
C |  | BusinessAddressCountryOrRegion
Company | Company | CompanyName
Department | Department | Department
Description |  | Body
DisplayName | DisplayName | FileAs
FacsimileTelephoneNumber | Fax | BusinessFax
GivenName | FirstName | GivenName
HomePhone | HomePhone | HomePhone
Initials | Initials | *
L | City | BusinessAddressCity
Mail |  | EmailAddress3
Mobile | MobilePhone | MobilePhone
OtherFacsimileTelephoneNumber | OtherFax | OtherFax
IpPhone |  | BusinessPhone2
OtherMobile |  | CarPhone
OtherTelephone | OtherTelephone | OtherTelephone
Pager | Pager | Pager
PhysicalDeliveryOfficeName | Office | OfficeLocation
PostalCode | PostalCode | BusinessAddressPostalCode
ProxyAddresses (primary SMTP) | EmailAddresses (primary SMTP) | EmailAddress2
Sn | LastName | Surname
St | StateOrProvince | BusinessAddressState
StreetAddress | StreetAddress | BusinessAddressStreet
TargetAddress | ExternalEmailAddress | EmailAddress1
TelephoneNumber | Phone | BusinessPhone
ThumbnailPhoto |  | Photo
Title | Title | JobTitle
WWWHomePage | WebPage | BusinessHomePage
* Outlook will not show the synchronized property value;
Outlook generates its own value and shows it.
Add Value
You can add text to a property. Choose the property that you want to
add a value to, and then choose the option ADD VALUE.
You then have the option to add your value before the property (PREFIX) or
after it (SUFFIX).
Find and Replace
You can replace a specific string with a new value. Choose the property
and select FIND AND REPLACE.
In the find textbox, insert the text which you wish to replace, and in the
replace textbox, insert the new text.
Build Property
You can create values by concatenating other property values. Choose the
property and select the option BUILD PROPERTY.
In the textbox BUILD PROPERTY, add a string that defines how the property
value should be built. Via the ADD PROPERTY button, you can choose which
properties are used.
For example, you want to generate the property FILEAS from the last
name and first name, comma separated. Choose the property SURNAME
and the property GIVENNAME and insert a comma and a space between them
in the textbox BUILD PROPERTY.
Thereafter, all values in the property FILEAS will be created from a
comma-separated SURNAME and GIVENNAME.
Please keep in mind that only users and contacts have a given name and
surname, so the rule should only be valid for objects which are users or
contacts in the on-premise environment or Office 365 tenant.
Ignore this Property
If you do not want to import a specific property, you can select
IGNORE THIS PROPERTY.
Note: Values which are already assigned to the object's property will not be
modified by contactSync.
Tip: You export a property and you want to import a different property in the
target environment. By combining the options ‘Build Property’ and ‘Ignore this
Property’ you can either copy or move a property value to a different property.
Copy Property
You can copy a property by choosing the end property and selecting the
option BUILD PROPERTY. Then choose the property you wish to copy via the
ADD PROPERTY dialog. Add the rule with the button ADD.
Move Property
You can move a property by doing the following:
1. Choose the end property and select the option BUILD PROPERTY. Then
choose the property you wish to copy via the ADD PROPERTY dialog. Add the
rule with the button ADD.
2. Choose the initial property, select the option IGNORE THIS PROPERTY
and add the rule by clicking the ADD button.
As a result, the property value is moved from the initial property to the
end property.
Status notification
contactSync can send status notification emails to inform you about errors
that may have occurred. Status notification is a component of each policy.
If you leave this option unselected no notification email will be sent.
Subject: The email header
Send to: The SMTP-address of the person who will receive the
administrative report
Test: contactSync will send an email to the specified email address.
Send only on error: contactSync will only send status notification mails if
at least one error occurred during a running policy.
Note: contactSync does not send a status notification mail if a policy has not
been started due to an error.
Schedule Service
contactSync can perform the synchronization of policies automatically. You
can schedule, weekly or monthly, the days on which the synchronization
should be carried out. Furthermore, you can decide between which times
and how many times a day the scheduler service works. It is possible to
run the scheduler service every 15 minutes, every hour or once a day.
We recommend scheduling the policies once a day.
With the start time and end time options, contactSync starts only in the
defined period. The synchronization itself may take a longer time.
How to
How to configure Exchange Impersonation?
contactSync needs a service account that has Exchange Impersonation.
Exchange Impersonation enables a caller to impersonate a given user
account. This enables the caller to perform operations by using the
permissions that are associated with the impersonated account, instead of
the permissions that are associated with the caller's account.
For more information, see:
Impersonation and EWS in Exchange: https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/impersonation-and-ews-in-exchange
MSDN Library - Configuring Exchange Impersonation: http://msdn.microsoft.com/en-us/library/bb204095(v=exchg.140).aspx
Exchange Impersonation in Exchange 2010, 2013, 2016, 2019 and Exchange Online
(Mailbox contacts)
How can you check for an existing management role for Exchange
Impersonation, and how can you create one?
For on-premises Exchange:
Please log in on the on-premises Exchange Server with an Exchange
Administrator account and open the Exchange Management Shell.
For Office 365 Exchange Online:
Please connect via remote PowerShell to the Office 365 tenant with an
Exchange Administrator account.
Check existing Exchange Impersonation:
Please check whether a ROLE GROUP for APPLICATIONIMPERSONATION exists.
You can check the existing Exchange Impersonation via PowerShell:
Get-ManagementRoleAssignment -Role ApplicationImpersonation
You can find an existing ROLE GROUP in the EXCHANGE ADMIN CENTER under
PERMISSIONS as ADMIN ROLES.
E.g. The IMPERSONATION ROLE to manage the APPLICATIONIMPERSONATION
Create an Impersonation Role Group for ApplicationImpersonation via PowerShell
You can create a new ROLE GROUP to manage the APPLICATIONIMPERSONATION
and add your contactSync service account as a member of the ROLE GROUP.
This example creates a ROLE GROUP called IMPERSONATION ROLE:
New-RoleGroup -Name "Impersonation Role" -Roles "ApplicationImpersonation" -Members contactsync@foresta.com
The IMPERSONATION ROLE is also available in the EXCHANGE ADMIN CENTER
under PERMISSIONS as ADMIN ROLES.
Create an Impersonation Role for ApplicationImpersonation via Exchange Admin Center
You can create a new ROLE GROUP in the EXCHANGE ADMIN CENTER under
PERMISSIONS as ADMIN ROLES.
Add new admin role:
The new role group dialog:
• Add the name “Impersonation Role”
• Add “ApplicationImpersonation” to the Roles
• Add your contactSync service account to the Members
After that the new IMPERSONATION ROLE is available as ADMIN ROLE.
You can check the ASSIGNED ROLES and the MEMBERS of the IMPERSONATION
ROLE.
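To review the result from the shell, the following added example (not part of the NETsec manual or product) lists every account that effectively holds APPLICATIONIMPERSONATION and marks those that are not on an expected list. The function name, the expected account name and the sample rows are assumptions; the commented line shows the live query.

```powershell
# Added example, not NETsec code. Find-ImpersonationHolder and all account
# names below are hypothetical.
function Find-ImpersonationHolder {
    param(
        # Rows as returned by Get-ManagementRoleAssignment with -GetEffectiveUsers
        [Parameter(Mandatory)] [object[]] $Assignment,
        # Account names that are meant to hold the role
        [Parameter(Mandatory)] [string[]] $ExpectedUser
    )
    foreach ($row in $Assignment) {
        # Exchange emits one summary row per group; it names no account, so skip it
        if ($row.EffectiveUserName -eq 'All Group Members') { continue }
        [pscustomobject]@{
            EffectiveUser = $row.EffectiveUserName
            GrantedVia    = $row.RoleAssigneeName
            WriteScope    = $row.RecipientWriteScope
            Expected      = $ExpectedUser -contains $row.EffectiveUserName
        }
    }
}

# Constructed sample rows so the block runs without an Exchange session.
$sampleRows = @(
    [pscustomobject]@{ RoleAssigneeName = 'Impersonation Role'
                       EffectiveUserName = 'All Group Members'
                       RecipientWriteScope = 'Organization' }
    [pscustomobject]@{ RoleAssigneeName = 'Impersonation Role'
                       EffectiveUserName = 'contactsync'
                       RecipientWriteScope = 'Organization' }
    [pscustomobject]@{ RoleAssigneeName = 'Old Migration Tools'
                       EffectiveUserName = 'migration-svc'
                       RecipientWriteScope = 'Organization' }
)

# Live data (Exchange Management Shell or remote PowerShell):
# $sampleRows = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers

# Show every holder; rows with Expected = False need a closer look.
Find-ImpersonationHolder -Assignment $sampleRows -ExpectedUser 'contactsync' |
    Sort-Object Expected, EffectiveUser |
    Format-Table -AutoSize
```

A write scope of Organization means the account can impersonate every mailbox in the organization, so the list of holders should stay as short as the list of tools that need it.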
How to grant full access to the user mailboxes?
contactSync needs a service account that has the FULL ACCESS PERMISSION
to these user mailboxes.
Exchange 2010
The following article MANAGE FULL ACCESS PERMISSIONS describes, for
Exchange 2010, how to grant Full Access permissions to mailboxes:
https://technet.microsoft.com/en-us/library/bb676551%28v=exchg.141%29.aspx
We recommend granting the service account for contactSync FULL ACCESS
PERMISSIONS to mailboxes and disabling the auto-mapping feature.
This example is the command for the Exchange Management Shell to
grant the contactSync service account FULL ACCESS PERMISSIONS to John
Doe’s mailbox:
Add-MailboxPermission -Identity 'John Doe' -User 'contactSync' -AccessRights FullAccess -InheritanceType All -AutoMapping $false
You can assign the FULL ACCESS PERMISSION for a user mailbox by using the
Exchange 2010 Management Console, but you cannot bulk assign
permissions for multiple mailboxes.
Exchange 2013, 2016, 2019 and Exchange Online
The following article MANAGE FULL ACCESS PERMISSIONS describes, for
Exchange 2013, 2016, 2019 and Exchange Online, how to grant Full Access
permissions to mailboxes:
https://technet.microsoft.com/en-us/library/jj919240%28v=exchg.160%29.aspx
We recommend granting the service account for contactSync FULL ACCESS
PERMISSIONS to mailboxes and disabling the auto-mapping feature.
This example is the command for the Exchange Management Shell to
grant the contactSync service account FULL ACCESS PERMISSIONS to John
Doe’s mailbox:
Add-MailboxPermission -Identity 'John Doe' -User 'contactSync' -AccessRights FullAccess -InheritanceType All -AutoMapping $false
Using the Exchange Admin Center (EAC)
How to bulk assign full access permissions to multiple user mailboxes
You can bulk assign the FULL ACCESS PERMISSION for multiple user mailboxes
with a PowerShell cmdlet in the Exchange Management Shell.
You can use the parameter -FILTER of Get-Mailbox to add the FULL ACCESS
permissions to multiple mailboxes.
This example is the command for the Exchange Management Shell to
grant the contactSync service account FULL ACCESS PERMISSIONS to all user
mailboxes:
Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'contactSync')} | Add-MailboxPermission -User contactsync@contoso.com -AccessRights FullAccess -InheritanceType All -AutoMapping $false
https://technet.microsoft.com/en-us/library/bb124097%28v=exchg.160%29.aspx
Since Exchange 2013 you can bulk assign permissions for multiple user
mailboxes by using the Exchange admin center (EAC)
Click MAILBOX DELEGATION -> ADD
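After a single or bulk grant, it is worth confirming which mailboxes the service account can actually open. The following added example (not part of the NETsec manual or product) reports, per user mailbox, whether an Allow entry with FULL ACCESS exists for the account. The function name and sample identities are assumptions, and it assumes that the Identity of a permission row equals the Identity of its mailbox.

```powershell
# Added example, not NETsec code. Get-FullAccessCoverage and the sample
# identities are hypothetical.
function Get-FullAccessCoverage {
    param(
        # Mailbox objects (Get-Mailbox output); only .Identity is used
        [Parameter(Mandatory)] [object[]] $Mailbox,
        # Get-MailboxPermission rows already limited to the service account via -User
        [object[]] $Permission = @()
    )
    $granted = @{}
    foreach ($p in $Permission) {
        # Only Allow entries that include FullAccess count as a grant;
        # Deny entries and lesser rights (e.g. ReadPermission) do not.
        if (-not $p.Deny -and @($p.AccessRights) -contains 'FullAccess') {
            $granted["$($p.Identity)"] = $true
        }
    }
    foreach ($m in $Mailbox) {
        [pscustomobject]@{
            Mailbox       = "$($m.Identity)"
            HasFullAccess = $granted.ContainsKey("$($m.Identity)")
        }
    }
}

# Constructed sample data so the block runs without an Exchange session.
$mailboxes = @(
    [pscustomobject]@{ Identity = 'contoso.com/Users/John Doe' }
    [pscustomobject]@{ Identity = 'contoso.com/Users/Jane Roe' }
    [pscustomobject]@{ Identity = 'contoso.com/Users/Max Muster' }
)
$permissions = @(
    [pscustomobject]@{ Identity = 'contoso.com/Users/John Doe'
                       AccessRights = @('FullAccess'); Deny = $false }
    [pscustomobject]@{ Identity = 'contoso.com/Users/Jane Roe'
                       AccessRights = @('ReadPermission'); Deny = $false }
    [pscustomobject]@{ Identity = 'contoso.com/Users/Max Muster'
                       AccessRights = @('FullAccess'); Deny = $true }
)

# Live data (Exchange Management Shell or remote PowerShell):
# $mailboxes   = Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'"
# $permissions = $mailboxes | Get-MailboxPermission -User contactsync@contoso.com

Get-FullAccessCoverage -Mailbox $mailboxes -Permission $permissions |
    Sort-Object HasFullAccess, Mailbox |
    Format-Table -AutoSize
```

Keeping the output of each run gives a record of the mailboxes the service account can read and modify, which is useful when the account is replaced or retired.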
How to disable EWS Throttling for the contactSync account?
Exchange 2010
Open the Microsoft Exchange Management Shell (EMS) or connect via
remote PowerShell.
New-ThrottlingPolicy contactSyncPolicy;
Set-ThrottlingPolicy contactSyncPolicy -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null -EWSMaxConcurrency $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null -EWSMaxSubscriptions $null -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null -CPAMaxConcurrency $null -CPAPercentTimeInCAS $null -CPAPercentTimeInMailboxRPC $null -CPUStartPercent $null;
Set-Mailbox "contactSyncAccount" -ThrottlingPolicy contactSyncPolicy;
Exchange 2013, Exchange 2016 and Exchange 2019
Open the Microsoft Exchange Management Shell (EMS) or connect via
remote PowerShell.
New-ThrottlingPolicy contactSyncPolicy;
Set-ThrottlingPolicy contactSyncPolicy -RCAMaxConcurrency Unlimited -EWSMaxConcurrency Unlimited -EWSMaxSubscriptions Unlimited -CPAMaxConcurrency Unlimited -EWSCutoffBalance Unlimited -EWSMaxBurst Unlimited -EWSRechargeRate Unlimited;
Set-Mailbox "contactSyncAccount" -ThrottlingPolicy contactSyncPolicy;
How to check the PowerShell version on the contactSync server?
Please log in on the contactSync server with your contactSync service
account.
Open WINDOWS POWERSHELL and check the result of the following two
PowerShell commands:
Get-Host
and
$PSVersionTable
Troubleshooting and Support Guide
Issue with Exchange Online connection
The Autodiscover service returned an error
Please ensure that the server on which you run contactSync can resolve
the DNS names of MICROSOFT OFFICE 365 and can find and connect to
Autodiscover to resolve the EXCHANGE WEB SERVICES URL.
Please do the following steps from the contactSync server:
First go to the website MICROSOFT REMOTE CONNECTIVITY ANALYZER
https://testconnectivity.microsoft.com/
Select the tab OFFICE 365, scroll to MICROSOFT OFFICE OUTLOOK CONNECTIVITY
TESTS and choose OUTLOOK AUTODISCOVER.
Please run the test.
Make sure that this test is successful and that contactSync can retrieve
the correct URL for the EXCHANGE WEB SERVICES.
11021 - LegacyExchangeDN of the contactSync service account is in the old
syntax. Please update this by re-mailenabling the service account or create a
new contactSync service account.
Your current contactSync service account was migrated from an Exchange
2003 environment. The LEGACYEXCHANGEDN of the contactSync service
account is in the old syntax, which was used up to Exchange 2003.
However, contactSync needs a service account with a mailbox which has the
new LEGACYEXCHANGEDN syntax, which is used by Exchange 2007 and later.
Please create a new contactSync service account with a new mailbox and
the same permissions as the old one.
After that, log on with the new contactSync service account, run the
contactSync GUI with the new contactSync service account and change
the contactSync service to the new contactSync service account.
Use CONFIGURE SERVICE to start the wizard for changing the service account
of the contactSync service.
Could not load file or assembly 'netstandard, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=cc7b13ffcd2ddd51' or one of its dependencies. The system
cannot find the file specified.
contactSync needs .NET Framework 4.7.1 or later;
otherwise you will get errors and contactSync will not work.
Error message:
Could not load file or assembly 'netstandard, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=cc7b13ffcd2ddd51' or one of its dependencies. The system cannot find
the file specified.
You can download the Microsoft .NET Framework 4.7.1 here:
https://www.microsoft.com/en-us/download/details.aspx?id=56116
12010 - Error getting Exchange Online connection
62003 – Current user cannot decrypt the token.
This error occurs if the policy was configured with the credentials of a
different user than the one under which the policy was executed.
Please run the policy with the credentials of the user who configured the
policy. We recommend running the contactSync GUI with the credentials of
the local contactSync service account.
You can encrypt the token for Modern Authentication OAuth 2.0 for
Exchange Web Services (EWS) again if you click the Login button for
OAuth 2.0 and delete the token cache.
Please also have a look at the chapter Modern Authentication OAuth2 for
Exchange Web Services (EWS) to access Exchange Online.
Support: What to do when I notice an error / bug?
We always try to provide very responsive, solution-oriented and
effective support. Should you encounter any issue, bug or inconvenience,
please do not hesitate to contact us.
To enable us to provide you with the best quality support, please provide
us with the following information:
• Environment Overview
o contactSync Installations (Planned and Implemented)
▪ Domain Infrastructure (e.g.: Single Domain “dom.local”)
▪ Exchange Version (e.g.: Exchange 2013)
▪ Windows Version of contactSync Machine (e.g.: Windows
Server 2012 R2)
▪ contactSync Version (e.g.: 7.6.x)
▪ Does the contactSync Service Account have an Exchange
Mailbox?
▪ Did you log on to the contactSync Machine using that
Service Account to configure the policies?
▪ Is the contactSyncService logging on using the Service
Account?
• Please describe your issue/bug/inconvenience thoroughly, in detail,
what you wanted to achieve and what you were doing as it occurred.
• A screenshot of the issue often helps us to understand
• We also require the configuration and the logs, preferably zipped.
In menu Action -> Export Configuration you can zip the policies.
In menu Action -> Export Status you can zip the log files.
If you have more questions or need further support, please do not
hesitate to contact the contactSync Support Team.
contactSync Support Team
By phone +49 2421 998 78 20 or via e-mail support@netsec.de