GALSync with hub-and-spoke architecture

Source reference

This article has originally been posted on the (now archived) ILM forum. Therefore it has been ported to the TN Wiki for continued maintenance.

 

---

Hub-and-spoke GALSync

In case you wish to implement a hub-and-spoke infrastructure for your Global Address List Sync with ILM/FIM, you need to tune the original GALSync setup.

Hub-and-spoke architecture means one master GAL domain which communicates with slave domains, without direct provisioning between slave domains.

For ease of use, I've put the decision logic in one function (shouldprovision).

In the GALMV.vb file you need to create a private function (based on VB.NET code):

 

Private Function  shouldprovision( _         ByVal currentMVentry As MVEntry, _   
     ByVal mANAme As String) As  Boolean
 
    'The only domain and MA name you need to know is the master domain
    'The master domain name is the FQDN of the AD domain
    'this is compared with the msOriginationForest attribute 
    Const masterDomain As String  = "g1.local" 'msOriginatingForest format
 
    'The master MA Name is the GALSync MA Name in the ILM GUI
    Const masterMAName As String  = "GALSYNC1" 'MA NAME
 
    Dim IsHub As Boolean  = _
           currentMVentry(EXCH_ORIGINATING_FOREST).StringValue.Equals(masterDomain)   
    Dim IsSpoke As Boolean  = (Not  mANAme.Equals(masterMAName))   
    'Provisioning OK if
          '1. source = hub and target = spoke
          '2. source = spoke and target = hub
 
    'Provisioning NOT OK if  
          'source = spoke and target = spoke  
 
    'Sample configuration with Hub: GAL1, spokes = GAL2,GAL3
       'See Truth table below
 
    'The function who matches this functionality is an inverted XOR
    'More info: http://en.wikipedia.org/wiki/XNOR_gate
 
    Return Not  (IsSpoke Xor  IsHub)   
End Function

 

Truth table:

'Source MA	Target MA	isHub	IsSpoke	ShouldProvision Result
GAL1	GAL2	TRUE	TRUE	TRUE
GAL1	GAL3	TRUE	TRUE	TRUE
GAL2	GAL1	FALSE	FALSE	TRUE
GAL2	GAL3	FALSE	TRUE	FALSE
GAL3	GAL1	FALSE	FALSE	TRUE
GAL3	GAL2	FALSE	TRUE	FALSE

In the Sub Provision of the GALMV.vb extension, add a call to the ShouldProvision function, like

       

/../
For i = 0 To galMAs.Length - 1
     MA = mventry.ConnectedMAs(galMAs(i).MAName)
     If 0 = MA.Connectors.Count Then
     '
     ' If there were no connectors, then we are going to add one
     '
     '## NEW CODE SNIPPET##>
     If shouldprovision(mventry, galMAs(i).MAName) THEN _  '<## NEW CODE SNIPPET##
     AddOrRenameConnector(MA, galMAs(i), mventry)
     ElseIf 1 = MA.Connectors.Count Then
/../

In this way the provisioning is blocked if not allowed.

 

---

See also:

• https://curah.microsoft.com/64101/galsync
• http://social.technet.microsoft.com/Forums/en-US/c93a6fe0-b25e-46b8-b92d-baf24e104b08/ilm-galsync-with-hubandspoke-architecture?forum=identitylifecyclemanager
• http://aka.ms/GALSyncResources