Troubleshooting, Troubleshooting 37 – Google Postini Directory Sync Configuration Guide User Manual
Microsoft Active Directory
• Server Type (MS Active Directory 2000 or 2003)
• Base DN (distinguished name)
Troubleshooting
If you experience problems using Directory Sync with Active Directory, work
through the following checklist.
Configuration Checklist
1. Is the Common Name for the SSL certificate identical to the hostname
entered in the Directory Sync configuration page in the Administration
Console? The hostname must be a Fully Qualified Domain Name (FQDN)
with a DNS entry. For example, dsml.domain.com is fine, as is
dirsync.domain.com or mail.domain.com. The actual FQDN is not important;
what is important is that there is an A record which resolves to the machine in
question, and that the FQDN chosen matches the SSL certificate's Common
Name.
2. Does the account specified for the sync have sufficient authorizations?
3. Have you set the "Email Address Attribute" and the "Alias Attribute" correctly?
For an "out of the box" Active Directory, they will be "mail" and
"proxyAddresses" respectively.
4. Did you set the Authentication Method on the "dsml" virtual directory
correctly?
5. Can you browse to the website https://hostname/dsml? You should be asked
to log in, and if you do so, using the credentials used in the Directory Sync
configuration page, you should get the error: "Directory Listing Denied. This
Virtual Directory does not allow contents to be listed."
6. Did you enter the correct Base DN? It is not recommended to sync from the
top level, as this will populate Directory Sync with all your AD objects, including
Exchange System Objects, unless an Org Exclusion Attribute or a User
Exclusion Attribute is specified.
7. Have you correctly specified in your Exclusion Attributes any Active Directory
objects you do not want to be synced?
8. If you have multiple User OUs to sync, you can do this using a single sync by
creating a placeholder OU and moving the User OUs into it, then setting
Directory Sync to use a Base DN of the form
"OU=placeholder,DC=domain,DC=com". Then ensure the "Search entire
subtree" box is checked.
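
A pre-flight check for checklist items 1 and 6, added here as an example and not taken from the original manual. The function names and the sample certificate are assumptions; the certificate is a constructed dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import re
import socket

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": (
        (("organizationName", "Example Corp"),),
        (("commonName", "dirsync.domain.com"),),
    ),
}

LABEL = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?")


def cert_common_names(cert):
    """Return every commonName value from the certificate subject, lowercased."""
    return [value.lower() for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def check_hostname(configured, cert):
    """Item 1: the configured hostname must be an FQDN identical to the CN."""
    problems = []
    host = configured.strip().rstrip(".").lower()
    labels = host.split(".")
    is_fqdn = (len(labels) >= 2 and not labels[-1].isdigit()
               and all(LABEL.fullmatch(label) for label in labels))
    if not is_fqdn:
        problems.append("hostname is not a fully qualified domain name")
    if host not in cert_common_names(cert):
        problems.append("hostname does not match the certificate Common Name")
    return problems


def has_address_record(host):
    """Item 1: the FQDN needs a DNS entry resolving to the server (needs network)."""
    try:
        return bool(socket.getaddrinfo(host, 443))
    except socket.gaierror:
        return False


def check_base_dn(base_dn):
    """Item 6: flag a Base DN made only of DC= parts (the top level)."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", base_dn) if p.strip()]
    if not parts:
        return ["Base DN is empty"]
    if all(p.upper().startswith("DC=") for p in parts):
        return ["Base DN is the top level; every AD object will be synced "
                "unless an exclusion attribute is set"]
    return []
```

The hostname comparison is exact apart from case and a trailing dot, because the checklist requires the Common Name to be identical to the configured hostname.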