Quest ActiveRoles Quick Connect Express: GAL Sync Step-by-step Guide

By | January 6, 2011

A couple of weeks ago I blogged about using Quest’s ActiveRoles Quick Connect Express for Exchange 2010 Global Address List synchronisation (GAL Sync).  Since then I’ve written a step-by-step guide which will hopefully help others who want to use this very useful freeware utility.  You can download the guide (pdf format) here:

GAL Sync with ActiveRoles Quick Connect Express – Step-by-Step Guide v1

I have also updated the PowerShell script that exposes the provisioned Contact objects in the target GAL.  You can download the script here:

ConfigureContacts.ps1

If you have any feedback on the guide please post a comment here or contact me directly (tony@activedir.org)

21 thoughts on “Quest ActiveRoles Quick Connect Express: GAL Sync Step-by-step Guide”

  1. colin

    Nice guide as this saved me a lot of time and leg work.

    The script won’t work without encrypted password file on the server that you are running QQCE from. To create one, do the following:

    $TPasswordFile = convertto-securestring "mypassword" -asplaintext -force

    $TPasswordFile = convertfrom-securestring $TPasswordFile -key (1..16)

    $TPasswordFile > c:\util\password.txt

    Then add -key (1..16) to ConfigureContacts.ps1:

    $password = Get-Content $passwordFile | ConvertTo-SecureString

    So now it looks like this:

    $password = Get-Content $passwordFile | ConvertTo-SecureString -key (1..16)

    Thanks

    Colin

    Reply
  2. admin Post author

    Thanks for the feedback Colin. Glad the guide saved you some time.

    I included the following lines in the script to handle the creation of the password file. Slightly different to your code, but looks like it has the same result.

    # The following command can be used outside this script
    # to store the password in a local file
    # read-host -assecurestring | convertfrom-securestring | out-file "c:\util\password.txt"

    Tony

    Reply
  3. fryguy451

    Nice job!

    I have an issue I hope you can help with. I used the guide to create contacts in a cross forest trust. I am migrating user accounts to the target domain, but until it is decommissioned, the user account resides in both the source and target domain.

    Using the guide, a contact is created for the source account, but there is a target account with that sAMAccountName already.

    How can I prevent the contact creation for a source account that exists as a target account as well?

    Thanks.

    Reply
  4. admin Post author

    Hi fryguy451

    The usual approach would be to disable (disconnect) the source Exchange mailbox when the mailbox migration is complete (i.e. the user is active with the target mailbox). This would cause the homeMDB attribute value to be dropped from the source user object and therefore remove it from the scope covered by the sync engine.

    Another alternative would be to use custom attributes (as Quest does with their QMMAD/EX migration tools) to manage the migration status of the source and target user objects. That way you can, for example, query extensionAttribute14 to determine whether a user is pre or post migration.

    Hope this helps, but give me a shout if you need further clarification.

    Tony

    Reply
  5. fryguy451

    Unfortunately we have had to re-enable the mailbox to continue Cisco Unity support.

    I was hoping for some way to query the target server as a script function while it determined what user needed to have a contact created, but I’ve not been able to figure it out.

    Reply
  6. Monte Davis

    Has anyone come across the following error message when testing the PS script?

    “Synchronization aborted. The error message: script invocation exception. Cannot validate argument on parameter ‘Session’. The argument is null. Supply a non-null argument and try the command again.”

    Reply
  8. admin Post author

    @Monte

    Have you tried running the script outside QQCE to see if you get any further info?

    Also, did you download the script from here or did you copy/paste from the Appendix? If the latter then you might have formatting problems with special characters.

    Tony

    Reply
  9. Monte Davis

    I copied it from the Appendix. When I run it outside of the QQCE, I get to the $Session line and get an error:

    PS C:\Users\qqce_admin> $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $connectionUri -Cr
    edential $Credential
    [xxx.xxx.com] Connecting to remote server failed with the following error message : WinRM cannot process
    the request. The following error occured while using Kerberos authentication: The network path was not found.
    Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two domains.
    After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or us
    e HTTPS transport.
    Note that computers in the TrustedHosts list might not be authenticated.
    -For more information about WinRM configuration, run the following command: winrm help config. For more information,
    see the about_Remote_Troubleshooting Help topic.
    CategoryInfo : OpenError: (System.Manageme….RemoteRunspace:RemoteRunspace) [], PSRemotingTransportExc
    eption
    FullyQualifiedErrorId : PSSessionOpenFailed

    Reply
  11. Monte Davis

    After lots of testing and configuration changes, I was able to get this working. Here are the changes I made to get my script working.

    1. My $connectionuri was pointing to the virtual name of an NLB cluster. I changed it to point to a single node within the cluster. My guess is this was breaking Kerberos due to the virtual name not having a computer account in AD, and therefore no SPN.

    2. Updated the local trusted hosts to include the FQDN of the server specified in the $connectionuri:

    set-item wsman:\localhost\Client\TrustedHosts -value "xxx.whatever.com"

    3. Enabled Windows Authentication on the PowerShell directory within IIS Manager on the server specified in the $connectionuri. Followed by an IISReset.

    4. Added -Authentication Kerberos to the $session line of the script:

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $connectionUri -Credential $Credential -Authentication Kerberos

    I’m not sure if I needed all or just some magic combination of a few of these, but it is working now. My contacts are appearing in the GAL on the target side.

    Monte

    Reply
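The session setup Monte arrived at, written out as an added example (not Tony's ConfigureContacts.ps1 and not Quest code) that checks the two things his troubleshooting pointed at, the SPN for the host name in the URI and the TrustedHosts setting, before opening the session with explicit Kerberos authentication. The CAS node name and credential are parameters; the cmdlet names imported are assumed to be the ones a contact-provisioning script needs.

```powershell
# Added example: open the Exchange remote PowerShell session with Kerberos,
# after verifying the preconditions Monte's fixes 1, 2 and 4 depend on.
param(
    [Parameter(Mandatory)] [string] $CasFqdn,           # a single CAS node, not the NLB virtual name
    [Parameter(Mandatory)] [pscredential] $Credential
)

$connectionUri = "http://$CasFqdn/PowerShell/"

# 1. Kerberos needs an SPN for the exact name in the URI. HOST/<fqdn> on the
#    computer account covers HTTP by default; an NLB virtual name has neither,
#    which is what produced "The network path was not found".
$spnFound = $false
foreach ($svc in 'HTTP', 'HOST') {
    $out = & setspn.exe -Q "$svc/$CasFqdn" 2>&1
    if ($out -match 'Existing SPN found') { $spnFound = $true; break }
}
if (-not $spnFound) {
    throw "No HTTP/ or HOST/ SPN is registered for $CasFqdn; Kerberos cannot authenticate to this name."
}

# 2. With Kerberos inside a trusted domain, TrustedHosts should stay empty: an
#    entry there turns off the server authentication the WinRM error text warns about.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($trusted) {
    Write-Warning "TrustedHosts is '$trusted'. It is not needed for Kerberos and weakens server authentication."
}

# 3. Prove WinRM reachability and the authentication method before building the session.
Test-WSMan -ComputerName $CasFqdn -Authentication Kerberos -Credential $Credential -ErrorAction Stop | Out-Null

# 4. Monte's fix: name the authentication method explicitly.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri $connectionUri -Credential $Credential `
    -Authentication Kerberos -ErrorAction Stop
try {
    # Import only the cmdlets the contact script uses (assumed set), not the whole Exchange set.
    Import-PSSession -Session $Session -CommandName Get-MailContact, Set-MailContact -AllowClobber | Out-Null
    Get-MailContact -ResultSize 5 | Select-Object Name, ExternalEmailAddress
}
finally {
    Remove-PSSession -Session $Session
}
```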
  13. admin Post author

    Hi Monte

    Great that you got it sorted out and thanks for posting your method. Might well help others who encounter the same problem.

    Tony

    Reply
  14. Josh

    Tony,

    Do you have a list of what Exchange cmdlets the user needs access to? I’m trying to setup a custom RBAC role and want to make sure I get them all.

    Reply
  15. adam

    Hi Tony

    Thanks for your help. One small issue, when the contacts are copied across using the mail attribute mapping to the targetaddress, the mail attribute is missing the prefix smtp: The targetaddress attribute seems to need this to route email successfully. Do you know how I can add this?

    Reply
  16. Pingback: Quest Quick Connect Express for Active Directory : iocon.com.au

  17. admin Post author

    @adam

    The syntax for both the targetAddress and mail attributes is simply the address without any prefix, e.g. bob@gmail.com and not smtp:bob@gmail.com. The prefix is only used with the proxyAddresses attribute. You shouldn’t need to be too concerned with the proxyAddresses values as the targetAddress is the one used by Exchange for routing purposes.

    Tony

    Reply
  18. Scott

    I have an issue with the script, If I run it from powershell it reads the password file correctly. Running it from QQCE I get the following error.

    Error details: Synchronization aborted. The error message: script invocation exception
    Exception calling “.ctor” with “2” argument(s): “Cannot process argument because the value of argument “password” is null. Change the value of argument “password” to a non-null value.”
    Cannot process argument because the value of argument “password” is null. Change the value of argument “password” to a non-null value.

    Any help appreciated.

    Reply
  19. Nathan Raper

    Scott (or anyone else) – did you ever resolve your issue regarding the “Cannot process argument because the value of argument “password is null.” error? I’ve been struggling with the same issue for more than 8 hours now. Changing around certain settings, I can get the “Session” error instead. Either way – I can’t get past these two errors… Do you remember your resolution?

    Thank you!

    Reply
  20. Nathan Raper

    Disregard my previous question – I figured out my problem. It should probably be noted for all that you have to use the SAME account to create the password.txt file as the service account you’re running QQCE from.

    I was previously configuring it from my personal account yet using a service account to run the application – hence it was unable to decrypt the password file. Almost 10 hours to figure that out… PLEASE SHARE FOR OTHERS!!!

    Reply
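The password-file handling discussed in Colin's and Tony's comments above, and the failure Nathan describes here, as an added example that is not the page's ConfigureContacts.ps1. It stores the password with DPAPI (Tony's read-host method), so it can only be decrypted by the account that created it, and turns that decryption failure into a clear message instead of the null "password" argument seen in QQCE; Colin's -Key (1..16) variant is shown alongside it with its trade-off. The file path is the one used in the comments; the service account name in the usage lines is a placeholder.

```powershell
# Added example: create and read the QQCE password file, making the
# "wrong account" failure mode explicit. Path as used in the comments.
$passwordFile = 'C:\util\password.txt'

function New-StoredPassword {
    # DPAPI-protected (no -Key): only the same user on the same machine can
    # decrypt it, so run this while logged on as the QQCE service account.
    param([string] $Path)
    Read-Host -Prompt "Password to store for $(whoami)" -AsSecureString |
        ConvertFrom-SecureString | Out-File -FilePath $Path
    # DPAPI protects the content; the ACL protects against tampering and casual reads.
    icacls.exe $Path /inheritance:r /grant:r "$(whoami):(R,W)" | Out-Null
}

function Get-StoredCredential {
    param([string] $Path, [string] $UserName)
    if (-not (Test-Path -Path $Path)) {
        throw "Password file $Path not found on this host."
    }
    try {
        $secure = Get-Content -Path $Path | ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        # Nathan's case: the blob was written by a different account, so DPAPI
        # refuses to decrypt it for the account running QQCE.
        throw "Cannot decrypt $Path as $(whoami); re-create it while logged on as the QQCE service account. ($($_.Exception.Message))"
    }
    New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $secure
}

function Get-StoredCredentialWithKey {
    # Colin's variant: decrypts under any account, but the key sits in the
    # script next to the file, so anyone who can read both recovers the
    # password. It trades DPAPI's account binding for obfuscation.
    param([string] $Path, [string] $UserName, [byte[]] $Key = (1..16))
    $secure = Get-Content -Path $Path | ConvertTo-SecureString -Key $Key
    New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $secure
}

# Usage (placeholder account name):
# New-StoredPassword -Path $passwordFile
# $Credential = Get-StoredCredential -Path $passwordFile -UserName 'TARGET\svc_qqce'
```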
  21. Pingback: Open a Socket! » Quest One Quick Connect no longer a Freebie
