Configuring the Directory Synchronization Tool

Microsoft Directory Synchronization Tool
Administration Guide 9.1
Microsoft Corporation
Published: May 2009
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the companies, organizations, products, domain
names, e-mail addresses, logos, people, places, and events depicted in examples herein are
fictitious. No association with any real company, organization, product, domain name, e-mail
address, logo, person, place, or event is intended or should be inferred. Complying with all
applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
©2009 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, and Windows Server are trademarks of the Microsoft group of
companies. All other trademarks are property of their respective owners.
Contents
Overview
  Why You Should Read This Document
  The Directory Synchronization Tool
  What's New in the Directory Synchronization Tool for 9.1
Before You Deploy the 9.1 Directory Synchronization Tool
  First-Time Users
  Migrating to DST from Admin Center or sFTP using Directory Based Edge Blocking
  Multiple Directory Upload Modes
  Multiple-Forest Active Directory Environments
  Directory Synchronization Tool with Hosted Archive
  Configure Safe Senders List Synchronization for Exchange Server 2007 (Optional)
System Requirements
  Supported Operating Systems
  Required Software
  Optional Software
  Hosted Filtering Requirements
  Hosted Archive and Continuity
Installing the Directory Synchronization Tool
  Rights and Permissions Requirements
  Upgrade to DST 9.1
Configuring Your Hosted Services
  Configuring Hosted Services
  Enable User List Setting Source and Disable Directory-Based Edge Blocking
  Configuring Hosted Archive and Hosted Continuity for the DST
  Select a Directory-Based Edge Blocking Mode
    Reject–Test mode
    Reject mode
Configuring the Directory Synchronization Tool
  Provide User Credentials
  Change Proxy Server Settings
  Active Directory Status
  Admin Center Settings
  Sync Simulation Mode
  Username
  Sync Interval
  Sync Now
  Differential Sync
  Provide an E-Mail Address for Directory Synchronization Tool Notifications
  Select a Directory-Based Edge Blocking Mode
    Reject-Test mode
    Reject mode
PowerShell and cmdlets
  Cmdlets registered during installation of the tool
Known Issues
Support Information
  The four methods for contacting Technical Support
Overview
Why You Should Read This Document
This document provides installation and configuration information for the DST. Please read this
document before you begin the installation process for the tool, as there is important predeployment and service information that you need to consider before installing the DST.
The Directory Synchronization Tool
The Directory Synchronization Tool (DST) 9.1 is an application that helps you keep your on-site
Active Directory® Domain Service and Microsoft® Exchange Server environment synchronized
with your Hosted Services network for use with Forefront Online Security for Exchange (FOSE)
Hosted Filtering and the Exchange Hosted Archive (EHA) Service. You can use the DST to do
the following:

• Build an approved recipients list for specified domains.
• Upload the approved list to your hosted services over a secure HTTPS Web connection (port 443).
• Configure scheduled updates for the user list to help ensure that your service and your on-site environment are up-to-date.
Running the DST in your on-site environment helps ensure that your services and your on-site
resources are synchronized and working correctly. By enabling Directory-Based Edge Blocking
(DBEB) for your domains and installing the DST to update those domains, you can help do the
following:

• Avoid false positives, which are legitimate messages that have been misidentified as spam by your Hosted Filtering service.
• Reduce user management needs between the service and your on-site environment.
• Increase end user self-management through features such as safelist aggregation with Microsoft Exchange Server 2007.
To download the 9.1 version of the Directory Synchronization Tool, click here
(http://go.microsoft.com/fwlink/?LinkId=153911).
What's New in the Directory Synchronization Tool for 9.1
• Differential Synchronization: Only new, deleted, or changed objects are synchronized.
• Frequency of Synchronization: The synchronization interval can be configured to run every hour, every 4 hours, every 12 hours, once each day, once each week, or every 30 days.
• User accounts synchronized with the 9.1 DST are viewable in the Administration Center.
• FOSE Hosted Filtering and EHA customers can choose which domains will be synchronized.
• Synchronization simulation to assist with on-boarding.
• Most settings are now located in the Administration Center, not within the tool.
• The upload mode in the Administration Center is independent of the edge blocking mode.
• The synchronization tool now communicates with domain controllers as opposed to the global catalog.
Before You Deploy the 9.1 Directory Synchronization Tool
This section provides information for customers who are planning to deploy and configure their
service using the Directory Synchronization Tool (DST). If any of the following scenarios apply to
you, the information in this section will provide valuable guidance prior to deployment.

• You are using the DST for the first time.
• You are already using Directory Based Edge Blocking (DBEB) with your hosted filtering service.
• You are already using multiple User List source upload modes.
• You are using multiple-forest Active Directory environments.
• You are using multiple organizations for the same company.
• You are using the DST for Hosted Archive accounts.
In addition to the topics in this section, the Known Issues section at the end of this guide also
provides valuable information about deployment.
First-Time Users
If you are running the DST for the first time, do not switch your Directory-Based Edge Blocking
(DBEB) mode from Disabled until after you have verified that the DST runs properly and has
successfully completed its synchronization with the hosted services network. After all accounts
appear in the Administration Center, the mode can be changed to Reject or Reject-Test. If you
configure your domain to use DBEB before the full synchronization has completed, your system
may reject legitimate e-mail messages for recipients who have not yet been added to the
Administration Center database. The following image shows the User List Settings dialog box.
For more information about configuration, see the Configuring Your Hosted Services topic.
Migrating to DST from Admin Center or sFTP using Directory Based Edge Blocking
If your system is already configured to use Directory-Based Edge Blocking (DBEB) for recipient
validation through uploads to the Administration Center or Secure FTP (SFTP) methods, make
sure that DBEB is disabled when you switch the mode to Directory Synchronization Tool (DST).
After completing the initial synchronization, the mode can then be set to Reject or Reject-Test. If
you fail to disable DBEB, some e-mail will bounce. If you are upgrading from a previous version of
the DST, please see Upgrade to DST 9.1.
If you are already using DBEB in SFTP or Administration Center modes, do the following when
switching to DST mode:
1. Download and install the 9.1 DST. For more information about installation, see Installing the
Directory Synchronization Tool.
2. Confirm the configuration of the error notification address in the Administration Center on the
Company page. For more information about configuration, see Configuring Your Hosted
Services.
3. Change the User List source upload mode for the domains you want to synchronize to DST.
See Configuring Your Hosted Services for more detail.
Note
When moving the upload mode to the DST, edge blocking mode must be disabled.
Do not re-enable the DBEB until after you validate that a full synchronization has
been confirmed as completed.
4. Verify that the DST runs properly in your internal network, and that it successfully
synchronizes with hosted filtering.
5. Set the DBEB mode to Reject or Reject-test.
Note
For users who only subscribe to hosted archive or continuity services, edge blocking
is not available, as this applies only to hosted filtering customers.
Multiple Directory Upload Modes
The DST supports only Reject and Reject–Test recipient edge blocking modes at this time. If
you are currently using Pass Through mode or Passive mode, it is important to note that these
modes are not supported by the DST.
The DST also does not support virtual domains. Although the virtual domain settings will not be
visibly altered by changing the user list source for the parent domain, the settings configured on
the virtual domain will fail to be applied once the user list source for the parent domain has moved
away from Administration Center or SFTP.
Note
For users who only subscribe to hosted archive or continuity and not the filtering service,
the edge blocking mode is not available, as this applies only to hosted filtering customers.
If you want to continue using these transfer modes for some domains while using the DST for
other domains, you can exclude any domains that use Pass Through or Passive mode.

• When configuring the upload mode in the Administration Center, only synchronize the domains that will be using the tool. Do not choose the domains that are already configured to use Pass Through, Group Filtering, or Intelligent Routing (includes parent and virtual domains).
• Retain the current configuration to manage those domains separately.
Multiple-Forest Active Directory Environments
Currently, the DST can only be used in a single-forest, Active Directory Domain Services
topology. In a single-forest topology, Microsoft Exchange is installed into a single Active Directory
forest that spans the whole organization. All user and group accounts and all Exchange
configuration information are located in the same forest. The use of multiple forests is not
supported at this time.
Directory Synchronization Tool with Hosted Archive
When you use directory synchronization for the hosted archive service, only the Primary SMTP
address and Secondary SMTP aliases are synchronized. Alternate e-mail addresses,
Bloomberg, and Instant Message aliases will not be synchronized with the tool.
Configure Safe Senders List Synchronization for Exchange Server 2007 (Optional)
The DST allows you to upload end-user safe sender lists from your Microsoft® Exchange Server
2007 environment. If your organization has the safe senders list feature enabled, the DST
includes this information with its scheduled synchronization events.
Before you can begin synchronizing your safe senders list, you must first enable the safelist
aggregation feature for your on-site Exchange Server 2007 environment. When you enable this
feature in Exchange Server 2007, the safe sender lists created by your end users in Microsoft
Office Outlook 2007 will be integrated with your local Active Directory Domain Services (AD DS)
environment. The DST will then upload this information to your service during each scheduled
synchronization event.
For more information about how to enable the safelist aggregation feature in Exchange Server
2007, see Safelist Aggregation (http://go.microsoft.com/fwlink/?LinkId=153567) and How to
Configure Safelist Aggregation (http://go.microsoft.com/fwlink/?LinkId=153568).
System Requirements
Forefront Online Security for Exchange Server (FOSE) is supported on the following operating
systems with the required software noted in this topic.
Supported Operating Systems

• Windows Server 2003 with Service Pack 2 (SP2)
• Windows Server 2008
Required Software
• Active Directory Domain Services, with single-forest topology
• Microsoft Exchange Server 2003 with Service Pack 2 or Microsoft Exchange Server 2007. Exchange Server 2007 is required for the safe list aggregation synchronization feature.
• Microsoft .NET Framework 3.5
Optional Software
Windows PowerShell™ 1.0. This command-line shell and scripting interface is only required if
additional scripting will be written to be used with FOSE clients, or you will be managing the
application with Windows PowerShell cmdlets.
Hosted Filtering Requirements
The Hosted Filtering Administration Center account that is used to configure the DST must have
the administrator role or the account manager role with a company-level scope.
For each domain you wish to synchronize using 9.1 DST, make sure that the upload mode is set
to use the DST.
A notification address must also be set on the Company Filtering Settings section within the
Administration Center. Using a distribution list as a notification address is recommended so that if
a failure occurs, it is less likely that the failure will go unnoticed.
Hosted Archive and Continuity
The 8.1 Exchange Hosted Archive and Continuity services are not compatible with the 9.1 DST.
Do not use or upgrade to the 9.1 DST if you are using the 8.1 version of the archive or continuity
service. If you are unsure whether you are using the 8.1 archive or continuity service, please log
into the Exchange Hosted Services archive page (http://go.microsoft.com/fwlink/?LinkId=153565)
and view the version before proceeding. If you are using the 8.1 Archive or Continuity service,
you must continue to use the Microsoft Exchange Hosted Services Directory Synchronization
Tool 8.1 (Legacy DST), which is available at the Microsoft Download Center
(http://go.microsoft.com/fwlink/?LinkId=140069).
Installing the Directory Synchronization Tool
Install the Directory Synchronization Tool (DST) on a Windows Server operating system in your
on-site messaging environment. To install the 9.1 version of the Directory Synchronization Tool,
click here (http://go.microsoft.com/fwlink/?LinkId=153911).
Warning
The installation instructions in this section are for new installations only. If you are
upgrading from a previous version, please see Upgrade to DST 9.1.
You can find download information for the DST from the Hosted Filtering Administration Center,
on the Information page (Resources Link). Download the installation file for the DST to a
computer running a Windows Server operating system with full administration access to your
Microsoft Exchange environment. For many companies, this means downloading directly to the
Exchange Server. Ensure that you are logged on to your server with an account that has the
appropriate permissions to install and run applications on the server. An account that is a
member of the Domain Administrators group is usually sufficient.
Open the downloaded file and complete the installation wizard. When you have completed the
installation process, the DST will open automatically.
Note
If the DST does not open, you can start it manually by clicking Start, point to All
Programs, point to the Microsoft Directory Synchronization Tool folder, and then click
Directory Synchronization Tool.
Rights and Permissions Requirements
In order to use the DST with your hosted filtering service, you must have the Administrator role
with company-level scope, or the account manager role with company-level scope in the Hosted
Filtering Administration Center.
Upgrade to DST 9.1
If you have already deployed a previous version of the DST, use the following instructions to
upgrade to the latest version of the tool.
How to upgrade to the latest version of the DST from a previous version of the tool
1. Log on to the server where you have installed the previous version of the DST.
2. Run the DST configuration wizard for the currently installed version of the tool. Make note of
any current configuration settings that you will need in order to configure in the new
version.
3. Close the DST.
4. Go to the DST download page and download the appropriate tool for your environment.
The 9.1 DST and previous versions can both run on the same machine. However, a
domain can only be configured in the Administration Center for one upload mode. In
order to upload the user information from the 9.1 DST, the user list source should be set
to the DST. When using older versions of the tool, the source setting is Legacy Directory
Synchronization Tool. For more information about an upgrade configuration, see
Configuring Your Hosted Services.
Note
When moving the upload mode to Directory Synchronization Tool, edge blocking
mode must be disabled. Do not re-enable the Directory-Based Edge Blocking
until after you validate that a full synchronization has been confirmed as
completed.
5. Change the domain's User List source to Directory Synchronization Tool. When moving
to the new upload mode, be sure to disable the Edge blocking mode. After a full
synchronization is confirmed move the edge blocking mode back to the appropriate
setting of Reject or Reject-Test.
6. After all domains are migrated to the new tool, uninstall previous versions of the DST by
using the Add or Remove Programs feature in Windows Server 2003/8 (click Start, point
to Control Panel, click Add or Remove Programs). Be sure to verify you are removing the
legacy version of the tool called EHS Directory Synchronization Tool.
Configuring Your Hosted Services
This section describes how to enable and configure your services to use the Directory
Synchronization Tool.
Configuring Hosted Services
Set the User List source to Directory Synchronization Tool for each domain that you want to
synchronize with the Hosted Services network. You can configure the User List source for each
domain using your Administration Center Administrator account. In order for the tool to access the
Administration Center successfully, the Administrator account used to authenticate the DST must
have a full Company-level Administrator role, or a Company-level Account Manager role.
To verify account permissions, log on to the Administration Center, click the My Account link,
and view your Administrative Permissions area. If you cannot view your account information, or
need the privileges to be assigned to your Administrator account, please contact the
Administrator for the service within your organization.
Enable User List Setting Source and Disable Directory-Based Edge Blocking
In order for synchronization to work correctly with the 9.1 DST, you must configure your User List
source to the Directory Synchronization Tool option. Edge blocking must be set to disabled until
a full synchronization completes. Failure to do so will result in bounced mail. After the first
successful full synchronization has occurred, you can move the Directory-Based Edge Blocking
mode to Reject or Reject-Test.
Note
If you are upgrading from a previous version of DST, or migrating from using edge
blocking using sFTP or Admin Center, it is critical that you disable Directory-Based Edge
Blocking until full synch is confirmed with the new tool. If this is not done, legitimate mail
may be blocked until the full synchronization takes place and is replicated.
How to Specify the User List source and Disable Directory-Based Edge Blocking for a
domain
1. On the Administration tab, click the Domains tab.
2. In the Domains pane, click the name of the domain that you want to modify. You can
search for a specific domain name by using the search box.
3. In the Service Settings section of the center pane, next to User List Settings, click
Edit.
4. In Select the User List source, choose Directory Synchronization Tool.
Note
DST is not compatible with the use of Virtual Domains. Changing the Directory
Source to Directory Synchronization will not disable any Virtual Domains
associated with that Parent Domain, but the configuration settings on the Virtual
Domain will not be applied.
5. Set the Directory-Based Edge Blocking (DBEB) mode to Disabled.
6. Click Save.
The following is a view of the User List Settings dialog box.
Configuring Hosted Archive and Hosted Continuity for the DST
9.1 DST is not compatible with the 8.1 Exchange Hosted Archive or Continuity services. If you
are using the 8.1 version of the Archive service, please continue to use or download the Microsoft
Exchange Hosted Services Directory Synchronization Tool 8.1 (Legacy DST) here. With the
Legacy DST, you can use the tool to synchronize your on-site Active Directory users to your
Hosted Archive and Hosted Continuity services. Use the Legacy DST to create, delete, and
update user accounts in the Hosted Archive Web-based interface.
When enabled, the DST synchronizes the following attributes for all users:

• First Name
• Last Name
• E-mail 1 / Aliases
• Safe Sender information (if configured)
Select a Directory-Based Edge Blocking Mode
After a full synchronization completes, Hosted Filtering customers can log into the Administration
Center and select the type of recipient edge blocking to use on the User accounts which have
been synchronized to the Hosted Services network. The two types of edge blocking modes
available with the use of DST are Reject–Test and Reject.
Important
If you subscribe only to Hosted Archive or Continuity, the Directory-Based Edge Blocking
configuration is not available.
Reject–Test mode
Reject-Test mode is a test function designed to be used for a short period of time (time period
varies depending on how large your company is). Its purpose is to validate the accuracy of the
user list. While Reject-Test mode is operating, any message received for a recipient who is
included on the user list is processed according to the domain’s settings. When a message is
received for a recipient who is not included on the user list, that message will be processed
according to the domain’s settings, and then delivered to the e-mail redirection address specified
for the test.
Reject mode
In Reject mode, all e-mail addresses that are not included on the list of e-mail addresses
associated with the specified domain are rejected at the network perimeter. If a message is
received that is addressed to a recipient who is not included on that domain’s user list, the sender
receives a 554 error message (which reads as follows: smtp;554 <badaddress@contoso.com>:
Recipient address rejected: Access denied). When a recipient is included on the user list for the
domain and a message is received, the message is processed according to that domain’s
settings.
Note
The DST supports only Reject and Reject–Test recipient edge blocking modes at this
time. If you are currently using Pass Through mode or Passive mode, it is important to
note that these modes are not supported by the DST.
Note
The DST also does not support Virtual Domains. Although the Virtual Domain settings will
not be visibly altered by changing the User List Source for the Parent Domain, the
settings configured on the Virtual Domain will fail to be applied once the User List Source
for the Parent Domain has moved away from Admin Center or SFTP.
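The guidance above reduces to one check before DBEB leaves Disabled: every SMTP address that Active Directory holds for a DST-managed domain must already be on the hosted user list, or Reject mode will answer it with the 554 response quoted above. The PowerShell below is an added example, not part of the original guide or of the DST; it assumes PowerShell 5.1 or later, the function names are hypothetical, and the directory objects and hosted user list are constructed sample data.

```powershell
# Added example. All names and data are constructed for illustration; none of this
# comes from the DST or the Administration Center.

# Domains whose User List source is set to Directory Synchronization Tool (sample).
$dstDomains = @('contoso.com')

# Sample proxyAddresses values as Active Directory stores them on mail-enabled objects:
# "SMTP:" (upper case) is the primary address, "smtp:" is a secondary alias,
# and other prefixes such as X400 are not SMTP recipients.
$adObjects = @(
    [pscustomobject]@{ Name = 'Ana Lopez'; ProxyAddresses = @('SMTP:ana@contoso.com', 'smtp:alopez@contoso.com', 'X400:c=US;a= ;p=Contoso;o=Exchange;s=Lopez;g=Ana;') }
    [pscustomobject]@{ Name = 'Ben Ito';   ProxyAddresses = @('SMTP:ben@contoso.com') }
    [pscustomobject]@{ Name = 'Help Desk'; ProxyAddresses = @('SMTP:helpdesk@contoso.com', 'smtp:support@fabrikam.com') }
)

# Addresses that appear on the hosted user list after synchronization (sample).
$syncedAddresses = @('ana@contoso.com', 'ALopez@contoso.com', 'ben@contoso.com')

function Get-SmtpAddress {
    # Returns the primary and secondary SMTP addresses that belong to the given domains.
    param([string[]]$ProxyAddresses, [string[]]$Domains)

    foreach ($value in $ProxyAddresses) {
        # -match is case-insensitive, so both "SMTP:" and "smtp:" entries are accepted.
        if ($value -match '^smtp:(?<addr>[^@\s]+@(?<domain>[^@\s]+))$') {
            if ($Domains -contains $Matches['domain']) {
                [pscustomobject]@{
                    Address = $Matches['addr'].ToLowerInvariant()
                    Primary = $value.StartsWith('SMTP:', [StringComparison]::Ordinal)
                }
            }
        }
    }
}

function Find-UnsyncedRecipient {
    # Lists every in-scope SMTP address that is missing from the hosted user list.
    param([object[]]$AdObjects, [string[]]$SyncedAddresses, [string[]]$Domains)

    # E-mail addresses are compared without regard to case.
    $synced = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($address in $SyncedAddresses) { [void]$synced.Add($address.Trim()) }

    foreach ($obj in $AdObjects) {
        foreach ($smtp in (Get-SmtpAddress -ProxyAddresses $obj.ProxyAddresses -Domains $Domains)) {
            if (-not $synced.Contains($smtp.Address)) {
                [pscustomobject]@{
                    Name             = $obj.Name
                    Address          = $smtp.Address
                    Primary          = $smtp.Primary
                    # What a sender would see in Reject mode, per the guide's 554 text.
                    RejectModeResult = "554 <$($smtp.Address)>: Recipient address rejected: Access denied"
                }
            }
        }
    }
}

$missing = @(Find-UnsyncedRecipient -AdObjects $adObjects -SyncedAddresses $syncedAddresses -Domains $dstDomains)

if ($missing.Count -gt 0) {
    $missing | Format-Table Name, Address, Primary, RejectModeResult -AutoSize
    "Keep DBEB set to Disabled: $($missing.Count) address(es) would be rejected."
} else {
    'Every SMTP address for the DST domains is on the hosted user list.'
}
```

With the sample data, only helpdesk@contoso.com is reported; support@fabrikam.com is skipped because fabrikam.com is not in the list of DST-managed domains.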
Configuring the Directory Synchronization Tool
Before you configure the 9.1 DST, be sure to configure the hosted Administration Center for use
with the tool. See Configuring Your Hosted Services for more details.
Provide User Credentials
The first time you run the setup of the DST, you will be prompted for your Administration Center
account credentials. Enter the user name and password that you use to log on to the
Administration Center. For more information about setup, see Configuring Hosted Services.
Change Proxy Server Settings
If your network uses a proxy server for connecting to external Web sites, you can specify a proxy
server in the Proxy Server Settings page.
The three proxy server options are as follows:

• Automatically detect the proxy server. Every time the tool runs, the proxy will be automatically detected.
• Use default proxy server. The proxy will be detected based on your browser settings.
• Use manually specified proxy server. Enter the appropriate proxy settings, with port number, and click OK. An attempt will be made to resolve the proxy in DNS before allowing the next step.
The proxy settings can be updated by clicking Change next to the user name in the Sync
Settings section of the DST Interface.
The following is a view of the Administration Center sign-in dialog box.
Active Directory Status
The Active Directory Status will show the current status of the DST's ability to connect with and
read your Active Directory Domain Service. This will allow you to troubleshoot any Active
Directory connection issues before attempting synchronization.
If you click Details, you will see a details page with step-by-step information about the tool’s
ability to connect and read the Active Directory forest. Any errors will clearly be marked to allow
you to troubleshoot issues within your environment.
The Preview sync objects button allows you to search for individual e-mail addresses that will
be synchronized. The results will display First Name, Last Name, all SMTP proxy addresses, the
type of account, and the length of the safe sender hash. After previewing, click the Back button to
return to the main page.
The following image shows the Active Directory Connectivity pane.
Admin Center Settings
The Administration Center settings will display the notification address that alerts will be sent to.
Microsoft recommends using a distribution list for these alerts to ensure proper receipt of alerts.
The notification address displayed is the User List upload notification address configured in
the hosted administration center, found on the Company tab under Service Settings. The
notification address must be configured in order for a synchronization to occur.
The following image shows the Administration Center Settings pane.
The Domains setting will display all domains that have their user list source set for DST in the
Administration Center. If you click View All, you will see a dialog box with a list of all the domains
set to the DST user list source, along with a total domain count.
Sync Simulation Mode
Sync Simulation should be run before running your first full synchronization. Sync Simulation is
available to assist with deploying the 9.1 DST. If you run Sync Simulation you may run the DST
without fully synchronizing data to the hosted services network. Furthermore, after running the
simulation, an e-mail summary report of the synchronization, including object counts, will be
compiled and e-mailed to the notification address.
Warning
Once the first full synchronization is run, the ability to run the DST simulation is removed
and will no longer be available. Sync Simulation is only for use prior to the first-time
synchronization. Setting a synchronization interval will also remove the ability to run Sync
Simulation.
The following is a view of the Directory Synchronization Settings pane.
Username
The username of the Administrator who has been configured as the authorization account for the
tool is displayed here. Clicking Change will allow a new Administrator to log in with their Hosted
Services credentials. The Administrator account used to authenticate the DST must have the full
Company-level Administrator role or the Company-level Account Manager role in order for the tool to
access the Administration Center successfully.
Sync Interval
The DST can be configured to run at the following intervals:

Every hour

Every four hours

Every 12 hours

Every 24 hours

Once per week

Once every 30 days
Clicking Change will allow you to select how often you want the synchronization to run. After the
first full synchronization, subsequent data transfers will only include data that has changed. For
more information about this synchronization, see Differential Sync.
Sync Now
Once your environment has been properly prepared to run a full synchronization and you have
run a recommended synchronization simulation, you can click Sync Now. Sync Now will
synchronize your Active Directory user information to the hosted service network.
While the synchronization is running, click Details to see the status of your data transfer. Each
step of the process will be displayed as it is completed. Any errors will be displayed to help you
troubleshoot the issue. Clicking the Back button will take you back to the main page.
The following image shows the Synchronization Details pane.
Differential Sync
After the first full synchronization, the DST will only send the changes from your on-site Active
Directory Domain Services (AD DS). This means that subsequent synchronizations will only
include mail-enabled objects that are added, modified, or deleted. User attributes that are added,
modified, or deleted will also be synchronized and the changes will be reflected in the hosted
service network.
The DST uses the Active Directory DirSync control to perform updates for only information that
has been changed. The DirSync control is a Lightweight Directory Access Protocol (LDAP) server
extension that enables a program to search an Active Directory partition for objects that have
changed. AD DS uses a cookie to preserve a user’s change state through the DirSync control
and the cookie is kept alongside the user’s settings in the hosted service network store. The
DirSync control cookies can be cleared through use of the DST Windows PowerShell cmdlets to
refresh the sync state and initiate a full synchronization. Cmdlets resemble built-in commands in
other shells, such as the dir command found in cmd.exe. Similar to these familiar commands,
cmdlets can be called directly from the command line in the Microsoft Exchange management
shell and run under the context of the shell, not as a separate process.
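The DirSync mechanism described above, shown as an added PowerShell example (not the DST's own code and not part of the original guide). It uses the .NET System.DirectoryServices.Protocols classes; the server name, partition DN, LDAP filter, attribute list and local cookie file are assumptions for illustration, whereas the DST keeps its cookies in the hosted service network store.

```powershell
# Added illustration (not DST code): incremental LDAP search with the DirSync control.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-DirSyncChange {
    param(
        [Parameter(Mandatory = $true)] [string] $Server,       # placeholder, e.g. dc01.contoso.com
        [Parameter(Mandatory = $true)] [string] $PartitionDN,  # placeholder, e.g. DC=contoso,DC=com
        [string] $CookiePath = '.\dirsync.cookie'              # hypothetical local cookie file
    )
    $path = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($CookiePath)

    # No saved cookie means no change state: the server returns every matching
    # object, which is the equivalent of a full synchronization.
    [byte[]] $cookie = $null
    if (Test-Path -LiteralPath $path) { $cookie = [System.IO.File]::ReadAllBytes($path) }

    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection $Server
    $conn.SessionOptions.ProtocolVersion = 3   # binds as the current user (Negotiate)

    $entries = @()
    do {
        $request = New-Object System.DirectoryServices.Protocols.SearchRequest
        $request.DistinguishedName = $PartitionDN   # DirSync searches start at the partition root
        $request.Filter = '(proxyAddresses=*)'      # assumed filter for mail-enabled objects
        $request.Scope  = 'Subtree'
        $request.Attributes.AddRange([string[]] @('givenName', 'sn', 'proxyAddresses'))

        # ObjectSecurity limits results to what the caller can already read, so the
        # account does not need the "Replicating Directory Changes" right.
        $control = New-Object System.DirectoryServices.Protocols.DirSyncRequestControl
        $control.Cookie = $cookie
        $control.Option = 'ObjectSecurity'
        [void] $request.Controls.Add($control)

        $response = $conn.SendRequest($request)
        $entries += @($response.Entries | ForEach-Object { $_.DistinguishedName })
        $sync = $response.Controls |
            Where-Object { $_ -is [System.DirectoryServices.Protocols.DirSyncResponseControl] }
        $cookie = $sync.Cookie                      # opaque change state issued by the server
    } while ($sync.MoreData)

    # Persist the cookie; the next run returns only objects changed since this one.
    if ($cookie) { [System.IO.File]::WriteAllBytes($path, $cookie) }
    $conn.Dispose()
    return $entries
}
```

Deleting the cookie file makes the next call return every matching object again, which is the same effect the guide describes for clearing the DirSync cookies to force a full synchronization.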
Provide an E-Mail Address for Directory Synchronization Tool Notifications
The user list upload notification address in the Filtering Settings section of the Company tab in
the Administration Center is where the default user list upload status notification address for the
company is configured. In the event that there is an error with synchronization or the DST, a
notification is sent to the e-mail address or distribution list provided.
How to configure the user list upload notification address
1. On the Administration tab, click the Company tab.
2. In the Service Settings section of the center pane, next to Filtering Settings, click Edit.
3. In the User List upload notification address: text box, enter the address that should
receive the user list upload notifications.
Note
The e-mail address specified must belong to one of the domains that are
configured for your company.
4. Click Save.
Select a Directory-Based Edge Blocking Mode
After verifying that a full synchronization is complete, hosted filtering customers can log into the
Administration Center and select the type of recipient edge blocking to use on the user accounts
that have been synchronized to the hosted services network. Two types of edge blocking modes
are available with the use of DST: Reject–Test and Reject.
Important
If you subscribe only to Hosted Archive or Continuity, the DBEB configuration is not
available.
Reject-Test mode
Reject–Test mode is a test function designed to be used for a short period of time. Its purpose is
to validate the accuracy of the user list. While running in Reject-Test mode, any message
received for a recipient who is included on the user list is processed according to the domain
settings. When a message is received for a recipient who is not included on the user list, that
message will be processed according to the domain settings, and then delivered to the e-mail
redirection address specified for the test.
Reject mode
In Reject mode, all e-mail addresses that are not included on the list of e-mail addresses
associated with the specified domain are rejected at the network perimeter. If a message is
received that is addressed to a recipient who is not included on that domain’s user list, the sender
receives a 554 error message. When a recipient is included on the user list for the domain and a
message is received, the message is processed according to the domain settings.
The DST supports only Reject and Reject–Test recipient edge blocking modes. If you are
currently using Pass Through mode or Passive mode, it is important to note that these modes
are not supported by the DST. If you want to continue using these transfer modes, see Multiple
Directory Upload Modes.
PowerShell and cmdlets
The Windows PowerShell command line shell and scripting language helps IT professionals
achieve greater control and productivity. Using a new administrator-focused scripting language,
more than 130 standard command-line tools, and consistent syntax and utilities, Windows
PowerShell allows IT professionals to control system administration and accelerate automation.
For more information about Windows PowerShell, or to download the version for your local
environment, see the Microsoft TechNet Technology Center for Windows PowerShell
(http://go.microsoft.com/fwlink/?LinkID=102372).
Cmdlets resemble built-in commands in other shells, for example, the dir command found in
cmd.exe. Like these familiar commands, cmdlets can be called directly from the command line in
the Exchange Management Shell and run under the context of the shell, not as a separate
process.
If you plan on scripting additional automation, you may want to consider using Windows
PowerShell scripts. Before you run Windows PowerShell, configure the Administration Center
as outlined in Configuring Your Hosted Services. Managing the service (start, stop, restart) is
accomplished with the Services MMC. The service must be stopped and restarted upon changing
the proxy server.
Cmdlets registered during installation of the tool
Cmdlet: Set-SyncCredentials
Purpose: Sets the credentials for the client to use when connecting.
Parameters: <username> <password>
Example: Set-SyncCredentials adminuser@contoso.com SecurePassword

Cmdlet: Set-SyncInterval
Purpose: Sets the interval at which the sync job will run.
Parameters: <interval-in-minutes>
Example: Set-SyncInterval 240

Cmdlet: Set-SyncProxyServer
Purpose: Sets up the corporate proxy server to use when the client connects to the backend.
Parameters: { [-Address <address>] | [AutoDetect] | [UseDefault] }
Examples:
Set-SyncProxyServer -Address http://proxy.contosoproxy.com
Set-SyncProxyServer AutoDetect
Set-SyncProxyServer -UseDefault

Cmdlet: Get-SyncConfig
Purpose: Gets the current sync configuration and reports it to console.
Parameters: none
Example: Get-SyncConfig

Cmdlet: Get-SyncStatus
Purpose: Gets the current sync service (client) status and reports it to console.
Parameters: none
Example: Get-SyncStatus

Cmdlet: Start-Sync
Purpose: Starts a new sync job (out of schedule) if it's not already running.
Parameters: none
Example: Start-Sync

Cmdlet: Start-SyncSimulation
Purpose: Starts a new sync job in simulation mode if simulation mode is available.
Parameters: none
Example: Start-SyncSimulation

Cmdlet: Stop-Sync
Purpose: Stops current sync job if it's running.
Parameters: none
Example: Stop-Sync

Cmdlet: Clear-SyncCookies
Purpose: Clears stored cookies and forces next synchronization to be a full synchronization.
Parameters: none
Example: Clear-SyncCookies
Known Issues
The following are known issues with this version of the Directory Synchronization Tool (DST):

The DST does not have the ability to exclude specific users or specific addresses from the
synchronization process.

The DST is not designed to support non-Microsoft lightweight directory access protocol
(LDAP) directories.

Running more than one instance of the 9.1 DST is not a supported configuration and may
cause undesirable outcomes, including rejected e-mail for legitimate users.

Query Based Distribution Groups are not synchronized.

If Windows PowerShell is downloaded after installing the DST, a shortcut to launch the
Windows PowerShell version of DST will not be created unless the tool is removed and
reinstalled.

Only one 9.1 DST can exist on a machine at one time. A full uninstall must take place before
re-installation of a new instance of the 9.1 DST.

The DST does not support virtual domains. Although the virtual domain settings will not be
visibly altered by changing the User List Source for the Parent Domain, the settings
configured on the virtual domain will fail to be applied once the User List Source for the
Parent Domain has moved away from Administration Center or SFTP.

DST does not support Pass Through mode.

9.1 DST is not compatible with the 8.1 version of Exchange Hosted Archive or Hosted
Continuity services.
Support Information
The four methods for contacting Technical Support
1. Microsoft Premier Support is available only to customers who pay an additional amount for
dedicated support. For more information about accessing Premier Support, go to the
Microsoft Premier Support Online Portal or the Microsoft Premier Support Web site.
2. Microsoft Technical Support Web site (http://go.microsoft.com/fwlink/?LinkID=149248).
3. Technical Support e-mail: support@messaging.microsoft.com
4. Telephone (available 24 hours per day, 7 days a week): Toll-free: 866.291.7726
Direct: +1.204.927.2299
International: UIFN 800-0000-0060
In countries or regions that support universal free phone numbers (UIFN) phone routing, the
support number is (800) 00000060. For example, a customer calling from Australia would dial
(0011) (800) 00000060.
Countries or regions with UIFN support and their dialing codes are as follows:

Australia 0011

Austria 00

Costa Rica 00

Denmark 00

Finland 00

France 00

Germany 00

Hong Kong SAR 001

Italy 00

Japan 0061-010 if Telco is IDC; 0041 010 if Telco is Japan Telecom

Luxembourg 00

Netherlands 00

Norway 00

Switzerland 00
The countries or regions that do not support UIFN have individual numbers. Those are as follows:

Mexico (001) 8885086467

Belgium (0800) 75013