Installing the MIM server Prerequisites
Note: The Exchange 2007 management tools need to be installed on the MIM server for it to be able to provision users correctly.
Note: For the GALSync process to access the Exchange 2010 environment, the server(s) that will be used to create objects must be added to the WinRM 'Trusted Hosts' list (because there is no two-way trust).
Installing prerequisites
Import-Module ServerManager
Install-WindowsFeature Net-Framework-Features,rsat-ad-powershell,Application-Server,Windows-Identity-Foundation,Server-Media-Foundation,Xps-Viewer -IncludeAllSubFeature -Restart -Source d:\sources\SxS
WinRM Trusted hosts
Add the remote-domain machine we'll be connecting to (Exchange PowerShell) for provisioning to the TrustedHosts list: "Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value 'Exchange 2010 servername' -Concatenate"
To test whether the server can access the Exchange 2010 environment, use the following commands:
· $rs = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://EX2010FQDN/PowerShell -Authentication Kerberos -Credential (Get-Credential)
· Invoke-Command -Session $rs -ScriptBlock {Get-Recipient -ResultSize 1}
Prepare Active Directory for GALSync
Note: Change the password in variable "$sp" below to match your password policy for service accounts.
Import-Module ActiveDirectory
# Password assigned to every service account created below
$sp = ConvertTo-SecureString "Pass@word1" -AsPlainText -Force
# Service accounts: create, set the password, then enable
New-ADUser -SamAccountName MIMMA -Name MIMMA
Set-ADAccountPassword -Identity MIMMA -NewPassword $sp
Set-ADUser -Identity MIMMA -Enabled $true -PasswordNeverExpires $true
New-ADUser -SamAccountName MIMSync -Name MIMSync
Set-ADAccountPassword -Identity MIMSync -NewPassword $sp
Set-ADUser -Identity MIMSync -Enabled $true -PasswordNeverExpires $true
New-ADUser -SamAccountName SqlServer -Name SqlServer
Set-ADAccountPassword -Identity SqlServer -NewPassword $sp
Set-ADUser -Identity SqlServer -Enabled $true -PasswordNeverExpires $true
New-ADUser -SamAccountName BackupAdmin -Name BackupAdmin
Set-ADAccountPassword -Identity BackupAdmin -NewPassword $sp
Set-ADUser -Identity BackupAdmin -Enabled $true -PasswordNeverExpires $true
# Security groups used by the MIM Synchronization Service
New-ADGroup -Name MIMSyncAdmins -GroupCategory Security -GroupScope Global -SamAccountName MIMSyncAdmins
New-ADGroup -Name MIMSyncOperators -GroupCategory Security -GroupScope Global -SamAccountName MIMSyncOperators
Note: Replace the values in the below command with the appropriate values for the domain.
setspn -S FIMSync/..local \MIMSync
New-ADGroup -Name MIMSyncJoiners -GroupCategory Security -GroupScope Global -SamAccountName MIMSyncJoiners
New-ADGroup -Name MIMSyncBrowse -GroupCategory Security -GroupScope Global -SamAccountName MIMSyncBrowse
New-ADGroup -Name MIMSyncPasswordReset -GroupCategory Security -GroupScope Global -SamAccountName MIMSyncPasswordReset
Add-ADGroupMember -identity MIMSyncAdmins -Members Administrator
Configure the server security policy
Note: This is necessary to allow the service accounts to run as services.
1. Launch the Local Security Policy program.
2. Navigate to Local Policies, User Rights Assignment.
3. On the details pane, right click on Log on as a service, and select Properties.
4. Click Add User or Group, and in User and group names, type corp\mimsync; corp\mimma; corp\SqlServer, click Check Names, and click OK.
5. Click OK to close the Log on as a service Properties window.
6. On the details pane, right click on Deny access to this computer from the network, and select Properties.
7. Click Add User or Group, and in the User and group names, type corp\MIMSync; corp\MIMService and click OK.
8. Click OK to close the Deny access to this computer from the network Properties window.
9. On the details pane, right click on Deny log on locally, and select Properties.
10. Click Add User or Group, and in the User and group names, type corp\MIMSync; corp\MIMService and click OK.
11. Click OK to close the Deny log on locally Properties window.
12. Close the Local Security Policy window.
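To confirm that steps 1-12 took effect, the following added example (not part of the original post) exports the local user rights with secedit and checks that each account typed in steps 4, 7 and 10 holds the expected right. The function names ConvertTo-Sid and Get-UserRightsFromInf and the temporary file name are assumptions of this example; run it elevated on the MIM server.

```powershell
# Added example: audit the user rights assigned in steps 1-12. Run elevated.
# Account names are the ones typed in steps 4, 7 and 10 of the procedure.
$expected = @{
    SeServiceLogonRight         = 'corp\mimsync', 'corp\mimma', 'corp\SqlServer'
    SeDenyNetworkLogonRight     = 'corp\MIMSync', 'corp\MIMService'
    SeDenyInteractiveLogonRight = 'corp\MIMSync', 'corp\MIMService'
}

function ConvertTo-Sid([string]$Account) {
    # Entries already in SID form pass through; names are resolved to a SID.
    if ($Account -match '^S-1-') { return $Account }
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return }   # unresolvable name: emit nothing
}

function Get-UserRightsFromInf([string[]]$InfLines) {
    # Parse "SeXxx = *S-1-5-...,*S-1-5-..." lines into a right -> holders table.
    $rights = @{}
    foreach ($line in $InfLines) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            $rights[$right] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return $rights
}

# Export only the user-rights area of the local security policy.
$inf = Join-Path $env:TEMP 'mim-user-rights.inf'   # hypothetical file name
secedit /export /areas USER_RIGHTS /cfg $inf | Out-Null
$actual = Get-UserRightsFromInf (Get-Content $inf)
Remove-Item $inf

foreach ($right in $expected.Keys) {
    $holders = @($actual[$right] | Where-Object { $_ } | ForEach-Object { ConvertTo-Sid $_ })
    foreach ($account in $expected[$right]) {
        $sid = ConvertTo-Sid $account
        $status = if (-not $sid) { 'UNRESOLVED' } elseif ($holders -contains $sid) { 'OK' } else { 'MISSING' }
        '{0,-10} {1,-28} {2}' -f $status, $right, $account
    }
}
```

An UNRESOLVED row means the account name could not be translated to a SID, for example because the account has not been created yet.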
Install SQL Server 2014 (if required)
Note: Change the value of to match your NetBIOS name for the Active Directory domain.
.\setup.exe /Q /IACCEPTSQLSERVERLICENSETERMS /ACTION=install /FEATURES=SQL,SSMS /INSTANCENAME=MSSQLSERVER /SQLSVCACCOUNT="\SqlServer" /SQLSVCPASSWORD="Pass@word1" /AGTSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\Network Service" /SQLSYSADMINACCOUNTS="\Administrator"