contactsync 7.6 manual - netsec

CONTACTSYNC ® V7.6 Manual NETsec 07. July 2021 NETsec GmbH & Co.KG | Schillingsstrasse 117 | DE - 52355 Düren



Introduction

contactSync

Global Address List (GAL) into mailboxes by using GALsync policies

GALsync

Recommendations (Do’s and Don’ts)

Suggestions to test contactSync policies

Schedule without overlaps

Performance (Exchange Online)

Licensing

Trial license

How to add a license

How many objects are to be licensed?

Quickstart: Global Address List (GAL) into mailboxes

1 Prerequisites

2 Install the software

3 Create and run a contactSync policy

Deployment Guide

Introduction

Exchange 2010-2019 -> Mailbox Contacts

Exchange Online -> Mailbox Contacts

Technical Guide

System Requirements

Prerequisites

Service Account

Mailbox

Modern Authentication OAuth2 for Exchange Web Services (EWS) to access Exchange Online

Permission to access the mailboxes (Mailbox contacts)

Execution Policy (Exchange online)

Some notes to the remote PowerShell management for Office 365 tenants

Running contactSync policies via command line


contactSync components

Files

Policy

GUI

Policy Wizard

Service

Internal Marks

NoContactSync (internal mark)

NoMailboxSync (internal mark)

Global Settings

Settings Tab

Status file directory

Use LDAP over SSL (LDAPS)

Exchange Tab

Exchange On-Premises

Policies Tab

Status Tab

Retain status information

NETsec LogViewer

Open and export log files

Help Tab

Filter mailboxes

NoMailboxSync (internal mark)

Choose mailboxes (On-premises)

Choose mailboxes (Exchange Online)

Search mailboxes (On-premises)

Search mailboxes (Exchange Online)

Directory Tab

NoContactSync (internal mark)

Choose (On-premises)

Choose (Exchange Online)

Search (On-premises)


Search (Exchange Online)

Special options for contactSync

Exchange On-Premises

Exchange Online

Maximum errors to transfer data file

Minimum objects to transfer data file

Include hidden objects (On-Premises only)

Export ‘MasteredOnPremise’ objects (Exchange Online only)

Mark synchronized contacts as private

Synchronize Picture (On-Premises)

Modify or delete existing contacts with source domain

Object Filter

Filter and Modify objects for import into mailboxes

Choose (Mailbox contacts)

Properties (Mailbox contacts)

Status notification

Schedule Service

How to

How to configure Exchange Impersonation?

Exchange Impersonation in Exchange 2010, 2013, 2016, 2019 and Exchange Online (Mailbox contacts)

How to grant full access to the user mailboxes?

Exchange 2010

Exchange 2013, 2016, 2019 and Exchange Online

How to bulk assign full access permissions to multiple user mailboxes

How to disable EWS Throttling for the contactSync account?

Exchange 2010

Exchange 2013, Exchange 2016 and Exchange 2019

How to check the PowerShell version on the contactSync server?

Troubleshooting and Support Guide

Issue with Exchange Online connection


The Autodiscover service returned an error

11021 - LegacyExchangeDN of the contactSync service account is in the old syntax. Please update this by re-mailenabling the service account or create a new contactSync service account.

Could not load file or assembly 'netstandard, Version=2.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51' or one of its dependencies. The system cannot find the file specified.

12010 - Error getting Exchange Online connection 62003 – Current user cannot decrypt the token.

Support: What to do when I notice an error / bug?


Introduction

contactSync

contactSync synchronizes the Global Address List (GAL) into users’

mailboxes, which are in the same environment. Mail-enabled objects of an

on-premises Active Directory can be synchronized into on-premises

Exchange mailboxes of the same forest and mail-enabled objects of an

Office 365 tenant can be synchronized into Exchange Online mailboxes of

the same Office 365 tenant.

This document describes how to synchronize the Global Address List (GAL)

into users’ mailboxes, which are in the same environment.

Global Address List (GAL) into mailboxes by using GALsync policies

A cross-forest synchronization of mail-enabled objects from an on-premises Active Directory into Exchange Online mailboxes of an Office 365 tenant, or of mail-enabled objects from an Office 365 tenant into on-premises Exchange mailboxes, is only possible with two GALsync policies. One GALsync policy exports the mail-enabled objects from the on-premises Active Directory or from the Office 365 tenant, and the second GALsync policy imports the exported objects as contacts into on-premises Exchange mailboxes or Exchange Online mailboxes. For further information, please see GALSYNC – GLOBAL ADDRESS LIST (GAL) INTO MAILBOXES BY USING GALSYNC POLICIES.

https://www.netsec.de/en/products/galsync/documentation.html

GALsync

GALsync synchronizes the Global Address List (GAL) between different

Exchange environments, which can be on-premises Exchange

environments or Exchange Online of Office 365 tenants. Please have a

look in the GALSYNC MANUAL for further information.

https://www.netsec.de/en/products/galsync/documentation.html

MICROSOFT STOPPED SUPPORTING EXCHANGE 2010 ON THE 13TH OCTOBER 2020

AND EXCHANGE 2007 ON THE 11TH APRIL 2017.

AS MUCH AS WE WOULD LIKE TO KEEP UP COMPATIBILITY FOR ALL VERSIONS, WE CANNOT SUPPORT

AN ENVIRONMENT, WHICH IS NO LONGER SUPPORTED BY THE MANUFACTURER.


Recommendations (Do’s and Don’ts)

Suggestions to test contactSync policies

We recommend testing contactSync before using it with your production accounts. This way you will prevent any unwanted changes or impacts you might not have considered during setup.

• First use some test accounts and groups

• Then use only 1-5 real accounts

Schedule without overlaps

It is strongly recommended that you configure the scheduler in such a way that policies do not overlap. Determine how long each policy takes to run by executing it manually. After that, configure your schedules.

Performance (Exchange Online)

When using any Exchange Online related policy in contactSync, please be aware of the possibility of some lag. This is because Exchange Online is a remote environment, to which contactSync connects using Remote PowerShell. contactSync is therefore subject to any limitation Microsoft might apply to the connection.

Licensing

Trial license

It is possible to run contactSync without a license. Please note that in this case only up to 20 objects can be synchronized for up to 21 days.

If you run contactSync as a trial, this is displayed in the information bar at the bottom of the program window.

If you have any licensing questions or queries, please feel free to contact

our contactSync Sales Team

by phone +49 2421 998 78 20

or via e-mail [email protected]


How to add a license

Click HELP and select ABOUT.

• contactSync will provide you with basic information about your current

license status.

• To add a license, you press the ADD LICENSE button, and then select the

license file you received.

How many objects are to be licensed?

• Create a contactSync policy and choose the appropriate objects. Then you can count all of the objects which are valid for synchronization and would be synchronized during a run. This can help you decide how many sync objects you need to license.


Quickstart: Global Address List (GAL) into mailboxes

Here you test the basic steps for a successful first unidirectional

synchronization.

In this example, you synchronize the mail-enabled objects of the on-premise Active Directory forest into the contacts folder of user mailboxes, which are on the on-premise Exchange server in the same forest.


Or you synchronize the mail-enabled objects of the Office 365 tenant into the contacts folder of user mailboxes, which are on Exchange Online in the same Office 365 tenant.

1 Prerequisites

• Your environment must be based on Exchange 2010* SP1, Exchange

2013 and later or Exchange Online (Microsoft Office 365).

MICROSOFT STOPPED SUPPORTING EXCHANGE 2010 ON THE 13TH OCTOBER 2020

AND EXCHANGE 2007 ON THE 11TH APRIL 2017. MICROSOFT ALSO STOPPED SUPPORTING

WINDOWS 2008 R2 AND WINDOWS 7 PROFESSIONAL ON THE 14TH JANUARY 2020.

AS MUCH AS WE WOULD LIKE TO KEEP UP COMPATIBILITY FOR ALL VERSIONS, WE CANNOT

SUPPORT AN ENVIRONMENT WHICH IS NO LONGER SUPPORTED BY THE MANUFACTURER.

• The computer you want to install contactSync on

• Must be a member of the domain if your side is On-Premises. It

should have a good bandwidth to the next DC/GC and an Exchange

Server with CAS role.

• Can also be a standalone machine if your side is Exchange Online.

• Should have a dual-core processor and 2GB RAM.

• Can be a client OS, e.g. Windows 10 Professional (64-Bit), for

testing or a server OS, e.g. Windows 2012 R2 (64-Bit).


• Must be configured with .NET Framework 4.7.1.

• Must be configured with PowerShell 3.0 and later.

• Create a service account with an Exchange mailbox.

• On-Premises: Provide the user of the mailbox with administrative

permissions on the machine you want to install contactSync on.

• Exchange Online: The user of the mailbox must be a member of the EXCHANGE ADMINISTRATOR role or GLOBAL ADMINISTRATOR role.

• contactSync must have direct access to the user mailbox via

Exchange Web Services.

NOTE: DIRECT ACCESS TO KIOSK USER MAILBOXES VIA EXCHANGE WEB SERVICES IS NOT PERMITTED. SEE http://community.office365.com/en-us/forums/158/t/62635.aspx AND http://social.msdn.microsoft.com/Forums/en-US/exchangesvrdevelopment/thread/1758d5f8-be86-4dc9-b53c-d6eb38d2d7d2

• Ensure that the mailbox is accessible (e.g. by Outlook Web Access),

that the mailbox can send to and receive mails from the other

organization and that incoming mails from the other organization do

not get caught by your spam filter or firewall.

NOTE: NEWLY CREATED EXCHANGE ONLINE ACCOUNTS NEED TO LOG ON AT LEAST ONE TIME TO RESET THEIR TEMPORARY PASSWORD. OTHERWISE REMOTE POWERSHELL WILL NOT WORK.

• If your side is On-Premises, make sure that you can log on with the configured service account. It is also required that the setup of contactSync can grant this account the local security permission to LOG ON AS SERVICE. You may also add the service account to the local group REMOTE DESKTOP USERS.

• For testing purposes, create some mailboxes and a group. Add the mailboxes as members to the group.

• The service account needs EXCHANGE IMPERSONATION or the FULL ACCESS PERMISSIONS for the mailboxes into whose contacts you want to import.

Please have a look at the chapters:

• How to configure Exchange Impersonation?

• How to grant full access to the user mailboxes?

NOTE: IN A HYBRID EXCHANGE ENVIRONMENT YOU NEED TWO IMPORT POLICIES.

ONE IMPORT POLICY, WHICH IMPORTS INTO THE MAILBOXES, WHICH ARE LOCATED ON AN

ON-PREMISES EXCHANGE SERVER.

THE OTHER IMPORT POLICY, WHICH IMPORTS INTO THE MAILBOXES, WHICH ARE LOCATED

ON EXCHANGE ONLINE OF THE OFFICE 365 TENANT.


2 Install the software

• Log in as the user you created before. Run setup.


• Run contactSync for the first time and configure the contactSync Service with a Service Account (SA), using the same account you are logged in with (On-Premises).

IMPORTANT: IF YOU CONFIGURE THE LOGON INFORMATION FOR THE DOMAIN SERVICE ACCOUNT IN THE CONTACTSYNC GUI USING EXCHANGE ON-PREMISES, IT WILL BE NECESSARY TO USE THE FORMAT DOMAIN\USERNAME.

If the setup detects that contactSync was installed on a standalone machine, we recommend creating a local account on the standalone server and using this local account for the contactSync Service and the contactSync GUI.

This is necessary to use Modern Authentication for Office 365 Exchange Online. The contactSync Service Account of the Office 365 Exchange Online tenant is independent of this local account.

For example: “contactsync” is a local account of the “standalone” server.

Please also run the contactSync GUI under the credentials of this local account.


IMPORTANT: IF YOU CONFIGURE THE LOGON INFORMATION FOR THE LOCAL SERVICE ACCOUNT IN THE CONTACTSYNC GUI, IT WILL BE NECESSARY TO USE THE FORMAT COMPUTERNAME\USERNAME.

If the setup detects that contactSync was installed on a standalone machine, the account for the contactSync Service can be LOCALSYSTEM. This is no longer recommended, because configuring Modern Authentication for Office 365 Exchange Online does not work with a contactSync Service running under the credentials of LOCALSYSTEM.

While contactSync is running, you can check the service account configuration and your log-in account in the bottom left corner of the GUI.

AD Member Server

Standalone Server


• In menu HELP select ABOUT and add your license. See also chapter

LICENSING.

On-Premise only: In menu OPTIONS select EXCHANGE.

• Configure the access to your Exchange Server. Click MANUAL SETTING and

the SEARCH icon. Now contactSync tries to use autodiscover and

displays the EXCHANGE WEB SERVICES URL it discovers. If you get an error

message please insert the correct EXCHANGE WEB SERVICES URL for your

environment.

• Leave the other option unclicked.

• Confirm the first configuration by pressing the SAVE button.


3 Create and run a contactSync policy

• Create a contactSync policy guided by the wizard.

• Choose to SYNCHRONIZE DIRECTORY INFORMATION (GAL) INTO USERS' MAILBOXES OF AN ON-PREMISE EXCHANGE ENVIRONMENT

or choose to SYNCHRONIZE DIRECTORY INFORMATION (GAL) INTO USERS' MAILBOXES OF AN EXCHANGE ONLINE / OFFICE 365 TENANT.


• If you use Exchange Online, click ADD to insert new credentials.

• Insert the username, password and e-mail address of an appropriate account in Exchange Online (Microsoft Office 365).

NOTE: MICROSOFT ALLOWS ONLY 3 POWERSHELL CONNECTIONS PER ACCOUNT TO EXCHANGE ONLINE (MICROSOFT OFFICE 365).


• You can test the credentials.

contactSync will only use the mailbox of the primary account to send

and receive e-mails.

NOTE: ALL ACCOUNTS MUST BE FROM THE SAME EXCHANGE ONLINE (MICROSOFT OFFICE 365)

TENANT

• Click NEXT


• On-premises Exchange:

The contactSync service account needs EXCHANGE IMPERSONATION or the FULL ACCESS PERMISSION for each mailbox into which you want to import the mail-enabled objects as contacts.

If you do not want to give the contactSync service account EXCHANGE IMPERSONATION or the FULL ACCESS PERMISSION for each mailbox, you can insert a dedicated mailbox user which has EXCHANGE IMPERSONATION or the FULL ACCESS PERMISSION for each mailbox.

• Exchange Online:

The primary account for Exchange Online needs EXCHANGE IMPERSONATION or the FULL ACCESS PERMISSION for each mailbox into which you want to import the mail-enabled objects as contacts.

If you do not want to give the primary account for Exchange Online EXCHANGE IMPERSONATION or the FULL ACCESS PERMISSION for each mailbox, you can insert a dedicated mailbox user which has EXCHANGE IMPERSONATION or the FULL ACCESS PERMISSION for each mailbox.


If EXCHANGE IMPERSONATION is configured, a maximum of 5 concurrent mailboxes is recommended.

If FULL ACCESS is configured in an on-premises Exchange environment and the server-side EWS Throttling is disabled, a maximum of 5 concurrent mailboxes is recommended.

How many mailboxes can have their contacts synchronized at the same time depends on the Exchange environment.

• Click NEXT


• Choose the mailbox users, which should get the mail-enabled objects

as contacts.

NoMailboxSync (internal mark)

If you do not want to import into a particular mailbox, you may insert the value NOMAILBOXSYNC in any of the custom attributes (on-premises: EXTENSIONATTRIBUTE1 - EXTENSIONATTRIBUTE15 or Exchange Online: CUSTOMATTRIBUTE1 - CUSTOMATTRIBUTE15). This prevents contactSync from adding this mailbox to the list of mailboxes which get directory objects into the contact folder.


• Choose the mail-enabled objects which should be synchronized into the users' mailboxes as contacts.

NoContactSync (internal mark)

If you do not want a particular object to be exported, you may insert the value NOCONTACTSYNC in any of the custom attributes (on-premises: EXTENSIONATTRIBUTE1 - EXTENSIONATTRIBUTE15 or Exchange Online: CUSTOMATTRIBUTE1 - CUSTOMATTRIBUTE15). This prevents contactSync from adding this object to the export list.
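Before running a policy, it is worth confirming which mailboxes and directory objects actually carry the NoMailboxSync and NoContactSync marks described above. The following PowerShell is an added example, not part of the NETsec manual or product; the function name Get-ContactSyncMark and the sample addresses are hypothetical, and it assumes the mark is the entire attribute value, compared case-insensitively.

```powershell
# Added example (not NETsec code): list objects that carry a contactSync
# internal mark in CustomAttribute1..CustomAttribute15.
# Assumption: the mark is the whole attribute value (case-insensitive).
# The Exchange cmdlets expose the on-premises extensionAttributeN values
# under the property names CustomAttributeN.

function Get-ContactSyncMark {
    [CmdletBinding()]
    param(
        # Objects as returned by Get-Mailbox or Get-Recipient
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$InputObject,

        # Which internal mark(s) to report
        [ValidateSet('NoMailboxSync', 'NoContactSync')]
        [string[]]$Mark = @('NoMailboxSync', 'NoContactSync')
    )
    begin {
        $attributeNames = 1..15 | ForEach-Object { "CustomAttribute$_" }
    }
    process {
        foreach ($name in $attributeNames) {
            # Tolerate objects on which some attributes are absent or empty
            $property = $InputObject.PSObject.Properties[$name]
            if ($null -eq $property) { continue }
            if ([string]::IsNullOrWhiteSpace($property.Value)) { continue }

            $value = ([string]$property.Value).Trim()
            if ($Mark -contains $value) {      # -contains is case-insensitive
                [pscustomobject]@{
                    PrimarySmtpAddress = $InputObject.PrimarySmtpAddress
                    Attribute          = $name
                    Mark               = $value
                }
            }
        }
    }
}

# Constructed sample objects standing in for Get-Mailbox output.
$sample = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'ceo@example.test'
                       CustomAttribute1 = ''; CustomAttribute7 = 'NoMailboxSync' }
    [pscustomobject]@{ PrimarySmtpAddress = 'alice@example.test'
                       CustomAttribute1 = 'Sales'; CustomAttribute7 = '' }
    [pscustomobject]@{ PrimarySmtpAddress = 'svc-scan@example.test'
                       CustomAttribute3 = ' nocontactsync ' }
)
$sample | Get-ContactSyncMark | Format-Table -AutoSize

# Against a live Exchange session (on-premises shell or Exchange Online):
#   Get-Mailbox   -ResultSize Unlimited | Get-ContactSyncMark -Mark NoMailboxSync
#   Get-Recipient -ResultSize Unlimited | Get-ContactSyncMark -Mark NoContactSync
```

Comparing this report with the list of mailboxes that must not receive synchronized contacts shows missing or misspelled marks before the policy writes to any mailbox.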


• As directory information SEARCH for the group which you created for

test purposes with some test-mailboxes and groups as member. Click

APPLY and choose GROUP +ONLY MEMBERSHIP, click OK and NEXT.


• CHOOSE a mailbox contact folder.

• CREATE a folder for the contacts and select it.

• Click NEXT.


• Leave STATUS NOTIFICATION EMAILS unclicked and click NEXT.

• Leave SCHEDULE SERVICE unclicked and click NEXT.


• In the GENERAL SECTION insert a name for the policy and click NEXT.

• After all your configuration has been validated in the SUMMARY SECTION, click FINISH.


• Execute the policy by clicking RUN while the policy name is selected in the hierarchy tree on the left-hand side.

• The OPERATION STATUS displays the progress. After execution, click CLOSE. Now you should see the synchronized mail-enabled objects in the folder of the mailbox contacts.


Deployment Guide

Introduction

This chapter will help you to plan your contactSync installation. To simplify

the description of each scenario below.

You can create a limitless number of policies. Multiple policies must be

scheduled for execution – no concurrent executions are possible. Policies

are kept in a queue and will be run sequentially.

Exchange 2010-2019 -> Mailbox Contacts

If your environment is based on Exchange 2010*, 2013, 2016 or 2019 and you want to sync into a folder of mailbox contacts located on Exchange 2010*, 2013, 2016 or 2019, please use contactSync to synchronize directory objects.

You have to install an instance of contactSync on a domain member computer in the Exchange 2010*, 2013, 2016 or 2019 forest.

NOTE: IN A HYBRID EXCHANGE ENVIRONMENT YOU NEED TWO CONTACTSYNC POLICIES.

ONE CONTACTSYNC POLICY, WHICH IMPORTS INTO THE MAILBOXES, WHICH ARE LOCATED

ON AN ON-PREMISE EXCHANGE SERVER.

THE OTHER CONTACTSYNC POLICY, WHICH IMPORTS INTO THE MAILBOXES, WHICH ARE

LOCATED ON EXCHANGE ONLINE OF THE OFFICE 365 TENANT.


Exchange Online -> Mailbox Contacts

If your environment is based on Exchange Online and you want to sync into a folder of mailbox contacts located on Exchange Online, please use contactSync to synchronize directory objects.

To get access to an Exchange Online (cloud only) environment you can also use a standalone server.

NOTE: IN A HYBRID EXCHANGE ENVIRONMENT YOU NEED TWO CONTACTSYNC POLICIES.

ONE CONTACTSYNC POLICY, WHICH IMPORTS INTO THE MAILBOXES, WHICH ARE LOCATED

ON AN ON-PREMISE EXCHANGE SERVER.

THE OTHER CONTACTSYNC POLICY, WHICH IMPORTS INTO THE MAILBOXES, WHICH ARE

LOCATED ON EXCHANGE ONLINE OF THE OFFICE 365 TENANT.

You can also use the contactSync software installed on a machine in the Exchange 2010*, 2013, 2016 or 2019 forest to access Exchange Online, so you can import the directory objects into a folder of mailbox contacts located on Exchange Online. In this case, however, you need a mailbox user in the Office 365 tenant which has the full access permission to the mailboxes located on Exchange Online.


Technical Guide

System Requirements

* MICROSOFT STOPPED SUPPORTING EXCHANGE 2010 ON THE 13TH OCTOBER 2020 AND

EXCHANGE 2007 ON THE 11TH APRIL 2017. MICROSOFT ALSO STOPPED SUPPORTING WINDOWS

2008 R2 AND WINDOWS 7 PROFESSIONAL ON THE 14TH JANUARY 2020.

AS MUCH AS WE WOULD LIKE TO KEEP UP COMPATIBILITY FOR ALL VERSIONS, WE CANNOT SUPPORT

AN ENVIRONMENT WHICH IS NO LONGER SUPPORTED BY THE MANUFACTURER.

Components and what is required:

OS (64Bit):

• Windows 2008* R2 SP1 Server

• Windows 2012 Server

• Windows 2012 R2 Server

• Windows 2016

• Windows 2019

In small environments or for testing purposes you can also install contactSync on a client computer running Windows 7* Professional or Windows 10 Professional.

Hardware:

• Processor: minimum dual core

• RAM: minimum 2GB

Software:

• .NET Framework 4.7.1

• PowerShell 3.0 and later

Recommendations:

• Exchange On-Premises: We recommend installing contactSync on a member server within the domain (e.g. dedicated contactSync server, file server or backup server). The machine should be uncritical (e.g. may be restarted without complications). The contactSync server must have a high bandwidth connection to the DC/GC.

• Exchange Online: See recommendations for on-premise; but you can also use a standalone computer.

Supported Exchange Versions*:

• Exchange 2010* SP1 and later

• Exchange 2013 and later

• Exchange 2016 and later

• Exchange 2019 and later

• Exchange Online (Office 365)


Prerequisites

Service Account

If you run contactSync in the context of a domain, create a service account which will be the owner of the contactSync service.

• The service account must be a domain user in the same domain of which the contactSync server is a member.

• Make sure that the service account is a member of the LOCAL ADMINISTRATORS group.

• The service account needs the local right to RUN AS A SERVICE (this right is added to the service account during the installation).

• Make sure you can log on as the service account. It is likely that the user requires membership in the Remote Desktop Users group.

• In order to install contactSync you need administrative permission.

Setup will also install the contactSync Service on the computer you

install contactSync on.

NOTE: WE STRONGLY RECOMMEND LOGGING ON AS THE SERVICE ACCOUNT TO RUN THE

CONTACTSYNC GUI.

IMPORTANT: IF YOU CONFIGURE THE LOGON INFORMATION FOR THE DOMAIN SERVICE ACCOUNT IN THE CONTACTSYNC GUI USING EXCHANGE ON-PREMISES, IT WILL BE NECESSARY TO USE THE FORMAT DOMAIN\USERNAME.

If you run contactSync on a standalone machine (this is only valid in an

Exchange Online cloud-only scenario), please create a local account for

contactSync.

Please use the local account to configure and run the contactSync Service

and the contactSync GUI in the credentials of this local account.

The local account needs the same local permissions as a domain user as

described above.

The local account will be required to use Modern Authentication for Office

365 Exchange Online. The contactSync Service Account of the Office 365

Exchange Online tenant is independent of this local account.

For example: “contactsync” is a local account on the “standalone” server.

Please also run the contactSync GUI in the credentials of this local

account.

IMPORTANT: IF YOU CONFIGURE THE LOGON INFORMATION FOR THE LOCAL SERVICE ACCOUNT IN THE CONTACTSYNC GUI, IT WILL BE NECESSARY TO USE THE FORMAT COMPUTERNAME\USERNAME.


Mailbox

At the Exchange on-premises side create an Exchange Mailbox, which will

run all contactSync policies from now on. If you are in a domain then this

mailbox should be owned by the contactSync service account. The mailbox

cannot be hidden from Exchange address lists.

At the Exchange Online side create an Exchange Mailbox, which will be

used from all contactSync policies. The mailbox user must be member of

the EXCHANGE ADMINISTRATOR role or GLOBAL ADMINISTRATOR role.

NOTE: BY DEFAULT, THE EXCHANGE ONLINE PASSWORD HAS TO BE CHANGED WITHIN 30 DAYS. TO ENSURE THAT CONTACTSYNC WORKS PROPERLY, YOU HAVE TO CONFIGURE USER PASSWORDS TO NEVER EXPIRE. TO CONFIGURE YOUR PASSWORD, PLEASE FOLLOW THE STEPS DESCRIBED IN THE FOLLOWING ARTICLE:

https://support.office.com/en-us/article/Set-a-user-s-password-expiration-policy-0f54736f-eb22-414c-8273-498a0918678f

• contactSync must have direct access to the user mailbox via Exchange

Web Services.

NOTE: DIRECT ACCESS TO KIOSK USER MAILBOXES VIA EXCHANGE WEB SERVICES IS NOT PERMITTED. SEE http://community.office365.com/en-us/forums/158/t/62635.aspx AND http://social.msdn.microsoft.com/Forums/en-US/exchangesvrdevelopment/thread/1758d5f8-be86-4dc9-b53c-d6eb38d2d7d2

• Ensure that the mailbox is accessible (e.g. by Outlook Web Access).

• Ensure that the mailbox can send to and receive mails from the other

organization.

• Ensure that incoming mails from the other organization do not get

caught by your spam filter or firewall.

Modern Authentication OAuth2 for Exchange Web Services (EWS) to access Exchange Online

The contactSync service account of an Office 365 tenant needs access to its own mailbox; therefore, Modern Authentication OAuth 2.0 for Exchange Web Services (EWS) can be configured.

Please note that Microsoft will stop supporting and fully decommission Basic Authentication for Exchange Web Services (EWS) to access Exchange Online on 13th October 2020.

Please check first that the contactSync GUI is running under the credentials of the local contactSync service account; otherwise contactSync cannot decrypt the token later.

You can check this on the information bar at the bottom of the

contactSync GUI.

“User consent” or “Admin consent request” required in Azure Active Directory Enterprise Applications to register NETsec contactSync as Enterprise Application

Please note that contactSync cannot request the necessary “User consent” for a non-admin user when the “Consent and permissions” settings are restricted for Modern Authentication OAuth 2.0 for Exchange Web Services (EWS) of Exchange Online.

Azure Active Directory admin center -> Enterprise applications -> Consent

and permissions

You have two options if you do not want to use the “Allow user consent for apps” option permanently.

1. User consent: Set the “Allow user consent for apps” option temporarily for the first login.

2. Admin consent request

User consent

Switch temporarily to the “Allow user consent for apps” option:

Azure Active Directory admin center -> Enterprise applications -> Consent and permissions

After that, the login for OAuth 2.0 for Exchange Web Services (EWS) of Exchange Online with your contactSync service account proceeds successfully.

PLEASE NOTE THAT THE USER-ID AND THE E-MAIL ADDRESS CAN BE DIFFERENT FOR AN

EXCHANGE ONLINE MAILBOX USER. THIS DEPENDS ON YOUR OFFICE 365 EXCHANGE

ONLINE TENANT.

Insert the credentials of the contactSync service account,

select the OAuth 2.0 authentication method for Exchange Web Services

(EWS) of the Office 365 tenant and click the “Login” button.

Select the same contactSync service account, which you have used in the

“Exchange Online Credential” dialog before.

Insert the password of the contactSync service account.

NETsec contactSync needs the requested permissions.

After you have accepted the requested permissions, NETsec contactSync gets a

token for the OAuth2 authentication.

contactSync can now use OAuth tokens for authentication to access the

Exchange Web Services (EWS) for your Exchange Online during the policy

runs.

You can test the login and send an e-mail, e.g. to yourself, on the “Status notification emails” tab of a policy.

Please also have a look at these chapters of the TROUBLESHOOTING AND SUPPORT GUIDE:

• 12010 - Error getting Exchange Online connection

• 62003 – Current user cannot decrypt the token.

NETsec contactSync has an entry in ENTERPRISE APPLICATIONS of your Office

365 AZURE ACTIVE DIRECTORY ADMIN CENTER, where you can also check and

manage the permissions.

NETsec contactSync has the token and the required delegated permissions

at the “User consent”:

After that, you can switch back to your preferred settings if you do not want to use the “Allow user consent for apps” option permanently.

After that, test the login again; you can also send an e-mail, e.g. to yourself, again.

Admin consent request

The “Consent and permissions” settings of the “Enterprise applications”

are restricted:

Azure Active Directory admin center -> Enterprise applications -> Consent

and permissions

Enable the “User can request admin consent to apps they are unable to

consent to” option in “User settings” of the “Enterprise applications”.

Select an administrator account for the consent request under “Select admin consent request reviewers”.

After that, save the “User Settings”.

Proceed with the login for OAuth 2.0 for Exchange Web Services (EWS) of Exchange Online with your contactSync service account.

PLEASE NOTE THAT THE USER-ID AND THE E-MAIL ADDRESS CAN BE DIFFERENT FOR AN

EXCHANGE ONLINE MAILBOX USER. THIS DEPENDS ON YOUR OFFICE 365 EXCHANGE

ONLINE TENANT.

Insert the credentials of the contactSync service account,

select the OAuth 2.0 authentication method for Exchange Web Services

(EWS) of the Office 365 tenant and click the “Login” button.

Select the same contactSync service account, which you have used in the

“Exchange Online Credential” dialog before.

Insert the password of the contactSync service account.

NETsec contactSync needs the requested permissions.

The OAuth2 authentication will fail.

Now you will have a pending request in “Admin consent requests” of the “Enterprise applications”.

Please “Review permissions and consent” with the administrator account

and “Accept” it.

After that NETsec contactSync has an entry in the “Enterprise application”

list

The “Admin consent” of “Permissions” for NETsec contactSync

Proceed with the login for OAuth 2.0 for Exchange Web Services (EWS) of Exchange Online with your contactSync service account again.

The login will be successful now.

contactSync can now use OAuth tokens for authentication to access the

Exchange Web Services (EWS) for your Exchange Online during the policy

runs.

You can test the login and send an e-mail, e.g. to yourself, on the “Status notification emails” tab of a policy.

Please also have a look at these chapters of the TROUBLESHOOTING AND SUPPORT GUIDE:

• 12010 - Error getting Exchange Online connection

• 62003 – Current user cannot decrypt the token.

Permission to access the mailboxes (Mailbox contacts)

The service account needs EXCHANGE IMPERSONATION or the FULL ACCESS

PERMISSIONS for the mailboxes where you want to import into the mailbox

contacts.

Please have a look at the chapters:

• How to configure Exchange Impersonation?

• How to grant full access to the user mailboxes?

NOTE: IN A HYBRID EXCHANGE ENVIRONMENT YOU NEED TWO IMPORT POLICIES.

ONE IMPORT POLICY, WHICH IMPORTS INTO THE MAILBOXES, WHICH ARE LOCATED ON AN

ON-PREMISES EXCHANGE SERVER.

THE OTHER IMPORT POLICY, WHICH IMPORTS INTO THE MAILBOXES, WHICH ARE LOCATED

ON EXCHANGE ONLINE OF THE OFFICE 365 TENANT.

On-premises Exchange:

Exchange Online:

Use impersonation for access to mailboxes

The contactSync service account needs the EXCHANGE IMPERSONATION to get

access to the mailboxes, where you want to import the mail-enabled

objects as contacts.

Use full access for access to mailboxes

The contactSync service account needs FULL ACCESS PERMISSIONS for each

mailbox to get access to the mailboxes, where you want to import the

mail-enabled objects as contacts.

Count of concurrent mailboxes getting the contacts

The contactSync service account can synchronize the contacts into

multiple mailboxes concurrently.

If EXCHANGE IMPERSONATION is configured, a maximum of 5 concurrent mailboxes is recommended.

If FULL ACCESS is configured in an on-premises Exchange environment and the server-side EWS Throttling is disabled, a maximum of 5 concurrent mailboxes is recommended.

NOTE: HOW MANY MAILBOXES CAN RECEIVE THE CONTACTS TO BE SYNCHRONIZED AT THE SAME TIME DEPENDS ON THE EXCHANGE ENVIRONMENT.

Execution Policy (Exchange online)

If you configure a policy which needs the parameter EXECUTIONPOLICY to be

set to REMOTESIGNED, a message is displayed requiring your confirmation.

The reason for this is a security setting built into Windows PowerShell,

called execution policy. Execution Policy determines how (or if) PowerShell

runs scripts. By default, PowerShell’s execution policy is set to Restricted;

this means that scripts will not run. contactSync requires that scripts are

allowed to execute.

GET-EXECUTIONPOLICY

http://technet.microsoft.com/en-us/library/hh849821.aspx

SET-EXECUTIONPOLICY REMOTESIGNED

https://technet.microsoft.com/en-us/library/hh849812.aspx
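
Execution policy can be set in several scopes, and a Group Policy scope overrides anything set locally, so it helps to see which scope decides the effective value before changing it. The following PowerShell is an added example, not part of contactSync or of the original manual; the function name Get-EffectiveExecutionPolicy and its output fields are made up for illustration.

```powershell
# Added example, not contactSync code (Windows PowerShell 5.1 or later).
# Reports which scope decides the effective execution policy and whether
# that policy lets locally created scripts run, as RemoteSigned does.
function Get-EffectiveExecutionPolicy {
    [CmdletBinding()]
    param()

    # One entry per scope, already in precedence order:
    # MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
    $scopes = Get-ExecutionPolicy -List

    # The first scope that is not 'Undefined' decides the effective policy.
    $deciding = $scopes |
        Where-Object { [string]$_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1

    # What the current session actually enforces.
    $effective = [string](Get-ExecutionPolicy)
    $decidingScope = if ($deciding) { [string]$deciding.Scope } else { 'None (built-in default)' }

    [pscustomobject]@{
        EffectivePolicy         = $effective
        DecidingScope           = $decidingScope
        # MachinePolicy and UserPolicy come from Group Policy.
        SetByGroupPolicy        = $decidingScope -in 'MachinePolicy', 'UserPolicy'
        # RemoteSigned and the two broader policies run local unsigned scripts;
        # Restricted and AllSigned do not.
        RunsLocalScripts        = $effective -in 'RemoteSigned', 'Unrestricted', 'Bypass'
        BroaderThanRemoteSigned = $effective -in 'Unrestricted', 'Bypass'
    }
}

$state = Get-EffectiveExecutionPolicy
$state | Format-List

if (-not $state.RunsLocalScripts) {
    Write-Warning "Effective policy '$($state.EffectivePolicy)' does not meet the RemoteSigned requirement."
}
if ($state.SetByGroupPolicy) {
    Write-Warning "Policy is enforced by Group Policy scope '$($state.DecidingScope)'."
}
if ($state.BroaderThanRemoteSigned) {
    Write-Warning "Effective policy '$($state.EffectivePolicy)' is broader than RemoteSigned."
}
```

If SetByGroupPolicy is true, running Set-ExecutionPolicy in a lower scope does not change the effective policy; the Group Policy setting has to be adjusted instead.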

Some notes to the remote PowerShell management for Office 365 tenants

Since contactSync 7.2.0, contactSync has a redesigned remote PowerShell

management for Office 365 tenants.

contactSync will now try to reconnect broken remote PowerShell sessions

to the Office 365 tenant during a policy run.

If a PowerShell connection to the Office 365 tenant is broken, then

contactSync will try to reconnect to the Office 365 tenant, but it may

happen, that some data are not completely synchronized due to the

broken connection.

In this case contactSync will try to complete it in the next synchronization

run.

In the worst case it can happen that some existing contacts in the target mailboxes of the synchronization are deleted and that, after they have been re-created, NDR issues occur in the target environment.

Running contactSync policies via command line

Start a contactSync policy with the following command:

Syntax:

<contactSync program folder>\NETsec contactSync\

<CommonApplicationDataPath>\contactSync\policies\<policy file>

Example:

cd "C:\Program Files\NETsec contactSync\"

NETsecPolicyExecuter.exe "C:\ProgramData\NETsec GmbH & Co. KG\contactSync\policies\policyname.xml"

You can find the COMMONAPPLICATIONDATA path one level up from the log file

folder which you can find on the STATUS tab.

contactSync components

Files

The executables are stored by default in C:\PROGRAM FILES\NETSEC

CONTACTSYNC, but you may change this during the setup routine. This folder

will be removed if you uninstall the software.

Files containing your configured policies, created encryption keys, log files

and so on are placed in folder

%PROGRAMDATA%\NETSEC GMBH & CO. KG\CONTACTSYNC.

NOTE: THE FOLDER %PROGRAMDATA% USUALLY IS HIDDEN. YOU MAY ACTIVATE THE

OPTION ‘SHOW HIDDEN FILES, FOLDERS, AND DRIVES’ IN FOLDER ‘OPTIONS’ OF THE

WINDOWS EXPLORER.

Policy

Policies are the core logical component. A policy defines

• which data you want to share,

(filter the objects of your own directory),

• to which mailboxes you want to send the data included in this policy,

• to which email address you want to send an administrative report,

• at what times you want the policy to be executed automatically.

GUI

The Graphical User Interface is used to configure policies. You can also

test and execute policies manually.

NOTE: IF YOU RUN A POLICY USING THE GUI THE POLICY RUNS IN THE CONTEXT OF THE

USER THAT IS LOGGED IN. THEREFORE IT IS RECOMMENDED TO LOG IN WITH THE SAME

ACCOUNT WHICH IS CONFIGURED FOR THE CONTACTSYNC SERVICE.

The GUI is executed as process named CONTACTSYNC.EXE.

Policy Wizard

The contactSync Console also provides Wizards for simplifying the tasks of creating policies. The Wizards walk you through each step in order to create a usable policy that you can run manually or scheduled. As you go through the wizard, contactSync provides you with different information:

• Indicates a positive validation

• Indicates that some conditions in this step have not been validated yet

• Feature is not used

• Indicates a configuration process

Service

The contactSync Service is only used to execute the scheduled policies.

The contactSync Service checks once a minute if there are enabled

policies to be executed. These policies will be added to the execution

queue and run sequentially.

The service is executed as a process named CONTACTSYNCSERVICE.EXE.

Every scheduled policy runs in the context of the user that is used by the

contactSync Service.

Internal Marks

NoContactSync (internal mark)

If you do not want a special object to be exported, you may insert the

value NOCONTACTSYNC in any of the custom attributes (on-premises:

EXTENSIONATTRIBUTE1 - EXTENSIONATTRIBUTE15 or Exchange online:

CUSTOMATTRIBUTE1 - CUSTOMATTRIBUTE15). This prevents contactSync from

adding this object to the export list.

NoMailboxSync (internal mark)

If you do not want to import into a special mailbox, you may insert the

value NOMAILBOXSYNC in any of the custom attributes (on-premises:

EXTENSIONATTRIBUTE1 - EXTENSIONATTRIBUTE15 or Exchange online:

CUSTOMATTRIBUTE1 - CUSTOMATTRIBUTE15). This prevents contactSync from

adding this mailbox to the list of mailboxes, which get directory objects

into the contact folder.

Global Settings

The Global Settings are available if you click the CONTACTSYNC node in the

left hierarchy tree. The content pane now displays the TABs SETTINGS,

EXCHANGE, POLICIES, STATUS and HELP.

Settings Tab

Here you can configure general settings used in all policies.

Status file directory.

contactSync stores the log files in the application data of the program for all users. If the log files are to be stored somewhere else, the suitable directory path can be entered here.

Use LDAP over SSL (LDAPS)

Use LDAP over SSL (LDAPS) to connect to an on-premises Active Directory.

If you have configured LDAP over SSL (LDAPS) in your on-premises Active

Directory, contactSync can use LDAP over SSL (LDAPS) to communicate

with your on-premises Active Directory.

NOTE: THE ACTIVE DIRECTORY SCHEMA PARTITION IS ONLY READ USING LDAP.

You can get more information about "LDAP over SSL (LDAPS)" in the Microsoft TechNet Wiki article LDAP over SSL (LDAPS) Certificate:

https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

You can check whether LDAP over SSL (LDAPS) works in your environment/on your machine with the Microsoft ldp.exe tool.
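
A scripted counterpart to the ldp.exe check, added here as an example (it is not part of contactSync or of the original manual): it confirms that a domain controller presents a certificate this machine trusts on port 636 and then performs an LDAPS bind as the logged-on user. The function name Test-LdapsEndpoint, its parameters and the host name dc01.example.local are made up for illustration; run it while logged on as the contactSync service account.

```powershell
# Added example, not contactSync code (Windows PowerShell 5.1 or later).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsEndpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Server,  # DC FQDN; must match a name in the certificate
        [int]$Port = 636,
        [int]$WarnDays = 30                     # flag certificates that expire within this many days
    )

    $r = [ordered]@{
        Server = $Server; Port = $Port
        TlsTrusted = $false; CertSubject = $null; CertNotAfter = $null; ExpiresSoon = $null
        BindOk = $false; DefaultNamingContext = $null; Error = $null
    }

    # Step 1: TLS handshake with default validation. The chain must build to a
    # trusted root and the certificate name must match $Server, otherwise
    # AuthenticateAsClient throws.
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($Server, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $r.TlsTrusted   = $true
        $r.CertSubject  = $cert.Subject
        $r.CertNotAfter = $cert.NotAfter
        $r.ExpiresSoon  = $cert.NotAfter -lt (Get-Date).AddDays($WarnDays)
    } catch {
        $r.Error = "TLS: $($_.Exception.GetBaseException().Message)"
        return [pscustomobject]$r
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    # Step 2: LDAPS bind with the credentials of the logged-on user, then read
    # defaultNamingContext from the RootDSE to prove the directory answers.
    $conn = $null
    try {
        $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.Bind()

        $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $null, '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::Base,
            [string[]]@('defaultNamingContext'))
        $resp = $conn.SendRequest($req)
        $r.BindOk = $true
        $r.DefaultNamingContext =
            $resp.Entries[0].Attributes['defaultNamingContext'].GetValues([string])[0]
    } catch {
        $r.Error = "LDAP: $($_.Exception.GetBaseException().Message)"
    } finally {
        if ($conn) { $conn.Dispose() }
    }

    [pscustomobject]$r
}

# Usage (placeholder host name):
# Test-LdapsEndpoint -Server 'dc01.example.local' | Format-List
```

A result with TlsTrusted false points at the certificate (untrusted issuer, name mismatch or expiry); TlsTrusted true with BindOk false points at the account or the directory service.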

Exchange Tab

Here you can configure general Exchange settings used in all policies

Exchange On-Premises

If you work with Exchange On-Premises you can choose USE AUTODISCOVER

to find the EXCHANGE WEB SERVICE (EWS). If Autodiscover does not work

you may set the value for EXCHANGE WEB SERVICES (EWS) manually. If you

click the SEARCH icon then contactSync tries to discover the Autodiscover

settings.

Policies Tab

The POLICIES tab lists all existing contactSync policies. Select a listed policy to see or modify its configuration. After initial setup, if no policy has been created yet, this list is empty.

Please run the contactSync GUI and the policy under the credentials of your contactSync service account.

You can check this in the information bar at the bottom.

Status Tab

The STATUS tab shows quick reports about the status of reports that were

executed during the log retention timespan.

For support purposes you may export the status files (see menu ACTION

EXPORT STATUS).

NOTE: IF A POLICY IS CURRENTLY RUNNING, ACCESS TO THE STATUS FILE MAY NOT BE POSSIBLE. THE STATUS FILE WILL BE DISPLAYED AT THE TOP OF THE LIST AND IS INDICATED WITH “ERROR”.

Retain status information

Here you can configure how long status information (log files) is stored on

your machine. Logs older than the specified number of days will be

deleted. You will find a link to the folder where the log files are stored.

Please keep in mind that Windows Explorer usually hides this folder by

default. If you do not see this link, please open the window symbol at the

bottom on the right.

NETsec LogViewer

Please have a look at the NETsec LogViewer manual:

https://www.netsec.de/fileadmin/download/LogViewer/NETsec_LogViewer_manual.pdf

Open and export log files

For support purposes you may open or export the status files / log files.

Open log file.

1. You can double-click an entry of the status table and the log file will

open in the NETsec LogViewer.

2. After you select an entry of the status table, you can right-click to

open the context-menu and “Open the log file” will open it in the

NETsec LogViewer.

Export log file

Exports only the one log file, which is selected, to a zip file.

Export all log files

1. Exports all filtered log files of the status table to a zip file.

E.g. all log files of the last week or all log files of a selected policy.

2. The menu ACTION EXPORT STATUS exports all log files to a zip file.

Help Tab

The HELP tab provides you with a hyperlink for downloading the latest

manual as well as mail-addresses and phone numbers for support and

sales.

Filter mailboxes

In the Mailboxes TAB of contactSync policies for mailbox contacts you

select the directory objects, which have mailbox objects. Search scope is a

single object type all over the domain or selected organizational units in

the local domain. You may also remove a selected entry from the list.

NoMailboxSync (internal mark)

If you do not want to import into a special mailbox, you may insert the value

NOMAILBOXSYNC in any of the custom attributes (on-premises:

EXTENSIONATTRIBUTE1 - EXTENSIONATTRIBUTE15 or Exchange online:

CUSTOMATTRIBUTE1 - CUSTOMATTRIBUTE15). This prevents contactSync from

adding this mailbox to the list of mailboxes, which get directory objects

into the contact folder.

Choose mailboxes (On-premises)

Here you may tick a dedicated Organizational Unit in the listed domains.

An active directory tree with all domains and organizational units will be

listed.

In forests with multiple domains all domains are displayed.

Group Option

Only this OU

All mailbox objects included in the selected OU will be recognized for

synchronization at runtime.

Only Sub-OUs

All mailbox objects included in one of the sub-OUs of the selected OU will

be recognized for synchronization at runtime.

OU + Sub-OUs

All mailbox objects included in a selected OU and all nested OUs will be

recognized for synchronization at runtime.

Include group memberships

All mailbox objects, which are members of a group, will be recognized for

synchronization at runtime, if the group is in a selected OU.

Include nested groups + memberships

Nested groups and their members will be also resolved for synchronization

at runtime.

Exportable RecipientTypeDetails

contactSync synchronizes objects which have one of the RECIPIENTTYPEDETAILS set in the MSEXCHRECIPIENTTYPEDETAILS / RECIPIENTTYPEDETAILS property, or for which the MSEXCHRECIPIENTTYPEDETAILS / RECIPIENTTYPEDETAILS property has not been set.

The list of RECIPIENTTYPEDETAILS can be modified with “Add/Remove RecipientTypeDetails …”.

NOTE: IN THE CASE OF RECIPIENTTYPEDETAILS, THAT ARE NOT PRESENT IN THE

EXPORTABLE RECIPIENTTYPEDETAILS LIST BY DEFAULT, CONTACTSYNC DOES NOT CHECK

WHETHER THEY ARE PRESENT OR USEFUL IN YOUR ENVIRONMENT. WE LEAVE THE

VERIFICATION TO THE RESPONSIBLE ADMINISTRATOR TO SUPPORT AS MANY SCENARIOS AS

POSSIBLE. A DISADVANTAGE IS THAT THE ADMINISTRATOR CAN CONFIGURE NONSENSE.

Choose mailboxes (Exchange Online)

Here you may pick all USERMAILBOX objects.

Exportable RecipientTypeDetails

contactSync synchronizes objects which have one of the RECIPIENTTYPEDETAILS set in the MSEXCHRECIPIENTTYPEDETAILS / RECIPIENTTYPEDETAILS property, or for which the MSEXCHRECIPIENTTYPEDETAILS / RECIPIENTTYPEDETAILS property has not been set.

The list of RECIPIENTTYPEDETAILS can be modified with “Add/Remove RecipientTypeDetails …”.

NOTE: IN THE CASE OF RECIPIENTTYPEDETAILS, THAT ARE NOT PRESENT IN THE

EXPORTABLE RECIPIENTTYPEDETAILS LIST BY DEFAULT, CONTACTSYNC DOES NOT CHECK

WHETHER THEY ARE PRESENT OR USEFUL IN YOUR ENVIRONMENT. WE LEAVE THE

VERIFICATION TO THE RESPONSIBLE ADMINISTRATOR TO SUPPORT AS MANY SCENARIOS AS

POSSIBLE. A DISADVANTAGE IS THAT THE ADMINISTRATOR CAN CONFIGURE NONSENSE.

Search mailboxes (On-premises)

You can search an object by inserting an expression. Uncheck all object

types you do not want to have as a result.

NOTE: THE SCOPE OF THE QUERY IS THE FOREST.

The result listed contains all objects found. Select certain or all objects to

be gathered for import and press Apply.

With * you can find all objects which you want to have as a result.

User

You can search for user objects with a mailbox and select dedicated

mailboxes for import matching the inserted expression.

RECOMMENDATION: SELECT DEDICATED MAILBOX USERS ONLY IF YOU ARE SURE THEY WILL NEVER BE DELETED FROM ACTIVE DIRECTORY. CONSIDER USING OBJECTS WITH ‘DYNAMIC’ MEMBERS, SUCH AS OUS, GROUPS ETC.

Container

You can search for container objects to get all objects with a mailbox in

this container matching the inserted expression.

OU

You can search for Organizational Units to get all objects with a mailbox in

this OU matching the inserted expression.

Dynamic Distribution Group

DYNAMIC DISTRIBUTION GROUP (formerly QUERY-BASED GROUP) provides a type

of Distribution Group with a flexible method to dynamically define the

membership to this type of group. It is not a static membership like

regular groups.

Search for DYNAMIC DISTRIBUTION GROUPS matching the inserted expression

and select if you want to get all members with a mailbox of this group.

Groups

Search for LOCAL, GLOBAL and UNIVERSAL groups of type SECURITY GROUP or

DISTRIBUTION GROUP.

If you check SETTING FOR ALL GROUPS the configuration will be applied to all

listed and selected groups. Otherwise you will be asked for every selected

group.

Search mailboxes (Exchange Online)

Here you may pick either all objects or specify a filter by ticking recipient

types you want to choose. With * you can find all objects which you want

to have as a result. For example, you tick only

MAILUNIVERSALDISTRIBUTIONGROUP and you will have all

MailUniversalDistributionGroups as a result.

The result listed contains all objects found. Select certain or all objects to

be gathered for import and press APPLY. It is very important that you

change this option if you want to get more than 500 objects.

You can limit the number of results that you want to get.

NOTE: THE DEFAULT 500 IS SET TO PREVENT YOU FROM A LONG-TIME SEARCH. IF YOUR

RESULT IS LARGER THAN THE GIVEN VALUE, THE NOT LISTED OBJECTS ARE NOT INCLUDED IN

THE POLICY!

Directory Tab

In the Directory tab of contactSync policies for mailbox contacts you select mail-enabled objects, which will be synchronized as contacts into users’ mailboxes. You may also remove a selected entry from the list.

NoContactSync (internal mark)

If you do not want a special object to be exported, you may insert the

value NOCONTACTSYNC in any of the custom attributes (on-premises:

EXTENSIONATTRIBUTE1 - EXTENSIONATTRIBUTE15 or Exchange online:

CUSTOMATTRIBUTE1 - CUSTOMATTRIBUTE15). This prevents contactSync from

adding this object to the export list.

Choose (On-premises)

Here you may tick a dedicated Organizational Unit in the listed domains.

An active directory tree with all domains and organizational units will be

listed. All mail-enabled objects (users, contacts and groups) included in a

selected OU (and all nested OUs) will be recognized for import at runtime.

In forests with multiple domains all domains are displayed.

Group Option

Only this OU

All mail-enabled objects, included in the selected OU will be recognized for

synchronization at runtime.

Only Sub-OUs

All mail-enabled objects included in one of the sub-OUs of the selected OU

will be recognized for synchronization at runtime.

OU + Sub-OUs

All mail-enabled objects included in a selected OU and all nested OUs will

be recognized for synchronization at runtime.

Include group memberships

All mail-enabled objects, which are members of a group, will be

recognized for synchronization at runtime, if the group is in a selected OU.

Include nested groups + memberships

Nested groups and their members will be also resolved for synchronization

at runtime.

Exportable RecipientTypeDetails

contactSync synchronizes objects which have one of the RECIPIENTTYPEDETAILS set in the MSEXCHRECIPIENTTYPEDETAILS / RECIPIENTTYPEDETAILS property, or for which the MSEXCHRECIPIENTTYPEDETAILS / RECIPIENTTYPEDETAILS property has not been set.

The list of RECIPIENTTYPEDETAILS can be modified with “Add/Remove RecipientTypeDetails …”.

NOTE: IN THE CASE OF RECIPIENTTYPEDETAILS, THAT ARE NOT PRESENT IN THE

EXPORTABLE RECIPIENTTYPEDETAILS LIST BY DEFAULT, CONTACTSYNC DOES NOT CHECK

WHETHER THEY ARE PRESENT OR USEFUL IN YOUR ENVIRONMENT. WE LEAVE THE

VERIFICATION TO THE RESPONSIBLE ADMINISTRATOR TO SUPPORT AS MANY SCENARIOS AS

POSSIBLE. A DISADVANTAGE IS THAT THE ADMINISTRATOR CAN CONFIGURE NONSENSE.

Add/Remove RecipientTypeDetails…

Shows a dialog where you can modify the list of RECIPIENTTYPEDETAILS that are allowed for synchronization.

NOTE: IF THE MSEXCHRECIPIENTTYPEDETAILS / RECIPIENTTYPEDETAILS PROPERTY IS

NOT SET, THE OBJECT WILL BE SYNCHRONIZED.

Add value for export

contactSync adds a value to an attribute of a synchronized object during

the synchronization. This value is only added to the synchronized object,

but not to the source object.

Choose (Exchange Online)

Here you may tick either all objects or specify a filter by ticking recipient

types you want to choose.

After that you define the list of RECIPIENTTYPEDETAILS for each recipient

type, which will be recognized for synchronization at runtime.

Search (On-premises)

You can search an object by inserting an expression. Uncheck all object

types you do not want to have as a result.

NOTE: THE SCOPE OF THE QUERY IS THE FOREST.

The result listed contains all objects found. Select certain or all objects to

be gathered for import and press Apply.

With * you can find all objects which you want to have as a result.

Search (Exchange Online)

Here you may tick either all objects or specify a filter by choosing recipient

types you want to choose. With * you can find all objects which you want

to have as a result. For example, you check only

MAILUNIVERSALDISTRIBUTIONGROUP and you will have all

MAILUNIVERSALDISTRIBUTIONGROUPS as a result.

The result listed contains all objects found. Select certain or all objects to

be gathered for import and press APPLY. It is very important that you

change this option if you want to get more than 500 objects.

You can limit the number of results that you want to get.

NOTE: THE DEFAULT 500 IS SET TO PREVENT YOU FROM A LONG-TIME SEARCH. IF YOUR

RESULT IS LARGER THAN THE GIVEN VALUE, THE NOT LISTED OBJECTS ARE NOT INCLUDED IN

THE POLICY!

Group Option

Only group

Synchronize the selected group object.

Only Membership

Synchronize the members of the selected group object

Group + Membership

Synchronize the group object and the members.

Include nested groups

Synchronize also the nested group objects and the members.

Exportable RecipientTypeDetails

contactSync synchronizes objects which have one of the RECIPIENTTYPEDETAILS set in the MSEXCHRECIPIENTTYPEDETAILS / RECIPIENTTYPEDETAILS property, or for which the MSEXCHRECIPIENTTYPEDETAILS / RECIPIENTTYPEDETAILS property has not been set.

The list of RECIPIENTTYPEDETAILS can be modified with “Add/Remove RecipientTypeDetails …”.

NOTE: IN THE CASE OF RECIPIENTTYPEDETAILS, THAT ARE NOT PRESENT IN THE

EXPORTABLE RECIPIENTTYPEDETAILS LIST BY DEFAULT, CONTACTSYNC DOES NOT CHECK

WHETHER THEY ARE PRESENT OR USEFUL IN YOUR ENVIRONMENT. WE LEAVE THE

VERIFICATION TO THE RESPONSIBLE ADMINISTRATOR TO SUPPORT AS MANY SCENARIOS AS

POSSIBLE. A DISADVANTAGE IS THAT THE ADMINISTRATOR CAN CONFIGURE NONSENSE.

Add value for export

contactSync adds a value to a property during the synchronization.

Special options for contactSync

You can configure some optional SETTINGS on the DIRECTORY tab.

Exchange On-Premises

Exchange Online

Maximum errors to transfer data file

In the DIRECTORY SETTINGS of a contactSync policy you can set a limit on how many errors may occur when creating a data file before importing. If this limit of errors is exceeded, the affected data file will not be imported into the mailboxes.

Minimum objects to transfer data file

In the DIRECTORY SETTINGS of a contactSync policy you can define a minimum number of objects to be written to the data file before importing into the mailboxes. As long as the data file contains fewer objects, it will not be imported into the mailboxes.

For example, if you expect to export over 1000 objects, you can set the minimum number of objects to 1000. Assume that a network error occurs at runtime and contactSync identifies only 600 objects for export (because your domain controller is unavailable). The data file will not be imported into the mailboxes. Otherwise, the missing contacts would have been deleted in the mailboxes even though they still exist in the environment.

Include hidden objects (On-Premises only)

If this option in the DIRECTORY SETTINGS of a contactSync policy is selected, objects which are hidden from the GAL are also synchronized.

Export ‘MasteredOnPremise’ objects (Exchange Online only)

Allows you to export objects from Exchange Online (Office 365) which are synchronized with the Microsoft Directory Synchronization tool. Microsoft Directory Synchronization allows identities to be mastered on-premises, and all updates to that identity are synchronized to Office 365.

NOTE: BY DEFAULT CONTACTSYNC EXPORTS ONLY OBJECTS FROM EXCHANGE ONLINE (OFFICE 365) WHICH ARE NOT STAMPED WITH “MASTEREDONPREMISE”.

Mark synchronized contacts as private

Allows you to mark the imported contacts as "private" in the users' mailboxes. Private contacts are not visible to other people if the Microsoft Exchange account contacts are shared.

NOTE: A PERSON WITH DELEGATE ACCESS OR PERMISSION TO READ YOUR SHARED FOLDERS COULD VIEW THE CONTENTS OF YOUR PRIVATE CONTACTS AND EVENTS BY USING OTHER APPLICATIONS.

Synchronize Picture (On-Premises)

If this option in the DIRECTORY SETTINGS of a contactSync policy is selected, the users’ photos stored in the source directory are exported as well. Photos are usually stored in the attribute THUMBNAILPHOTO. This option is only available in an on-premises environment.

NOTE: IMPORTING THUMBNAILPHOTO INTO MAILBOXES IS VERY SLOW. THE EXCHANGE ENVIRONMENT NEEDS SOME DAYS TO UPDATE THE THUMBNAILPHOTO OF THE IMPORTED CONTACTS IN THE MAILBOXES BEFORE YOU CAN SEE THE THUMBNAILPHOTO IN THE OUTLOOK CLIENTS.

Modify or delete existing contacts with source domain

Please be careful with this option.

You can add a further source domain which is not contained in the synchronization.

This means that if contacts in the mailboxes were synchronized with GALsync or contactSync and their source domain is no longer included in the synchronization, these contacts can still be synchronized.

To do this, the old source domain, as it appears in the log file, must be entered in the field. E.g. the source domain is DC=forestB,DC=com

After that, all existing contacts with this source domain will also be modified or deleted.

This can be helpful e.g. after a migration.

Object Filter

Excludes from the synchronization all objects which match one of the conditions. This feature allows you to exclude objects from the synchronization process. If you enable this feature in your policy configuration dialog, you may add conditions, each consisting of the name of a property whose value is compared to the given value using your chosen comparison operator. During an export every object is checked to see whether one or more of its properties match these conditions. If at least one condition is fulfilled, the object will not be synchronized.

Filter and Modify objects for import into mailboxes

Configure all mailbox contact folder settings.

Choose (Mailbox contacts)

Add a new folder in which you want to store the imported directory information, and select it.

Please select a folder for contact synchronization.

All folders displayed by this control are for selection purposes only. Adding and deleting folders inside this dialog will not physically add or remove the folder inside a mailbox.

The folder you select will be used on the target mailboxes as the folder to be filled with contacts. If the chosen folder does not exist in a target mailbox, it will be created during the next import.

Selected Folder

The selected folder will be used as the target folder inside mailboxes during imports, so that contacts will only be created inside this folder.

Allow synchronization into the well-known contact folder of the mailboxes.

This option allows contactSync to create and synchronize the contacts in the well-known contact folder of the mailboxes. Please be careful with this option, because it allows you to directly change and delete contacts that your employees have created. This could also confuse some of your employees.

We recommend creating and synchronizing an additional contact for each existing contact which was not created by contactSync.

Do not touch untagged contacts, these contacts will not be synchronized

Existing contacts will not be touched unless they were created by contactSync.

contactSync does not create and synchronize a contact if there is already an existing contact which was not created by contactSync.

Synchronize untagged contacts with contactSync

Please be very careful with this option.

All existing contacts are synchronized, even if they were not created by

contactSync. This means that if contacts have been created by your

employees below the selected contact folder, contactSync will also

synchronize and possibly delete them, which could cause your employees

to lose information.

Synchronize an additional contact for each untagged contact

contactSync creates and synchronizes an additional contact for each

existing contact which was not created by contactSync.

Create folder

You can create a new folder in which contactSync creates and synchronizes the contacts. This option lets you separate the contacts which have been created by your employees from the contacts which have been created by contactSync.

Please keep in mind that the name of the folder should be unique and should not already exist in the mailboxes of your employees; otherwise contactSync will use the existing folder with the same name below the well-known contact folder of the mailbox for the synchronization.

RECOMMENDATION: THE CONTACTSYNC SERVICE ACCOUNT CAN ONLY CREATE A SUBFOLDER FOR IMPORT IF THE CONTACTSYNC SERVICE ACCOUNT HAS FULL ACCESS PERMISSION TO ALL MAILBOXES WHICH SHOULD GET THE DIRECTORY INFORMATION.

PLEASE GRANT FULL ACCESS TO THE USER MAILBOXES FOR THE CONTACTSYNC SERVICE ACCOUNT.

PLEASE HAVE A LOOK AT THE CHAPTER ‘HOW TO GRANT FULL ACCESS TO THE USER MAILBOXES?’

Remove folder

This option removes a folder inside this dialog but will not remove a folder

inside a mailbox. Please select the folder, which you want to remove.

Properties (Mailbox contacts)

Modify the values for the contactSync policy. The modified objects are prioritized during the import.

Usually your import list contains different classes of objects (e.g. USER, CONTACT and GROUP). Because these classes have different attributes, rules are applied according to the object class. E.g. for the attribute FILEAS, DISPLAYNAME, the first rule displayed in the screenshot will be applied only to users and contacts, because a group does not have an attribute GIVENNAME.

PLEASE NOTE THAT PUBLIC FOLDER MEANS THE OLD OBJECT CLASS OF EXCHANGE 2003 TECHNOLOGY AND NOT THE CURRENT PUBLIC FOLDER MAILBOX TECHNOLOGY.

The property INITIALS can be ignored for all object classes, because you cannot see the imported value in the Outlook clients.

Property to modify

These attributes can be modified before import:

CompanyName, Department, Body, FileAs, BusinessFax, GivenName, HomePhone,

Initials, BusinessPhone, BusinessAddressCity, MobilePhone, Pager, OfficeLocation,

BusinessAddressPostalCode, Surname, BusinessAddressState, BusinessAddressStreet,

PrimaryPhone, JobTitle, BusinessHomePage, NickName

NOTE: SOME PROPERTIES ARE NOT SHOWN IN OUTLOOK, E.G. INITIALS.

We support this matrix to transform the properties between Exchange On-Premise / Exchange Online and the Outlook Contact:

| Active Directory (Exchange On-Premise) | Active Directory (Exchange Online) | Outlook Contact (Exchange Mailbox) |
|---|---|---|
| C | | BusinessAddressCountryOrRegion |
| Company | Company | CompanyName |
| Department | Department | Department |
| Description | | Body |
| DisplayName | DisplayName | FileAs |
| FacsimileTelephoneNumber | Fax | BusinessFax |
| GivenName | FirstName | GivenName |
| HomePhone | HomePhone | HomePhone |
| Initials | Initials | * |
| L | City | BusinessAddressCity |
| Mail | | EmailAddress3 |
| Mobile | MobilePhone | MobilePhone |
| OtherFacsimileTelephoneNumber | OtherFax | OtherFax |
| IpPhone | | BusinessPhone2 |
| OtherMobile | | CarPhone |
| OtherTelephone | OtherTelephone | OtherTelephone |
| Pager | Pager | Pager |
| PhysicalDeliveryOfficeName | Office | OfficeLocation |
| PostalCode | PostalCode | BusinessAddressPostalCode |
| ProxyAddresses (primary SMTP) | EmailAddresses (primary SMTP) | EmailAddress2 |
| Sn | LastName | Surname |
| St | StateOrProvince | BusinessAddressState |
| StreetAddress | StreetAddress | BusinessAddressStreet |
| TargetAddress | ExternalEmailAddress | EmailAddress1 |
| TelephoneNumber | Phone | BusinessPhone |
| ThumbnailPhoto | | Photo |
| Title | Title | JobTitle |
| WWWHomePage | WebPage | BusinessHomePage |

* Outlook will not show the synchronized property value; Outlook generates its own value and shows it.

Add Value

You can add a text to a property. Choose the property that you want to

add a value to, and then choose the option ADD VALUE.

You then have the option to add your value before the property (PREFIX) or

after it (SUFFIX).

Find and Replace

You can replace a specific string with a new value. Choose the property,

select FIND AND REPLACE.

In the find textbox insert the text which you wish to replace and in the

replace textbox insert the new text.

Build Property

You can create values by concatenating other property values. Choose the property and select the option BUILD PROPERTY.

In the textbox BUILD PROPERTY, enter a string that defines how the property value should be built. Via the ADD PROPERTY button, you can choose which properties are used.

For example, you want to generate the property FILEAS from the last name and first name, separated by a comma. Choose the property SURNAME and the property GIVENNAME and insert a comma and a space between them in the textbox BUILD PROPERTY.

Thereafter, all values in the property FILEAS will be created from a comma-separated SURNAME and GIVENNAME.

Please keep in mind that only users and contacts have a given name and surname, so the rule should only be valid for objects which are users or contacts in the on-premises environment or Office 365 tenant.

Ignore this Property

If you do not want to import a specific property, you can select IGNORE THIS PROPERTY.

NOTE: VALUES WHICH ARE ALREADY ASSIGNED TO THE OBJECT'S PROPERTY WILL NOT BE MODIFIED BY CONTACTSYNC.

TIP: SUPPOSE YOU EXPORT A PROPERTY AND WANT TO IMPORT IT INTO A DIFFERENT PROPERTY IN THE TARGET ENVIRONMENT. BY COMBINING THE OPTIONS ‘BUILD PROPERTY’ AND ‘IGNORE THIS PROPERTY’ YOU CAN EITHER COPY OR MOVE A PROPERTY VALUE TO A DIFFERENT PROPERTY.

Copy Property

You can copy a property by choosing the end property and selecting the option BUILD PROPERTY. Then choose the property you wish to copy via the ADD PROPERTY dialog. Add the rule with the button ADD.

Move Property

You can move a property by doing the following:

1. Choose the end property and select the option BUILD PROPERTY. Then choose the property you wish to copy via the ADD PROPERTY dialog. Add the rule with the button ADD.

2. Choose the initial property, select the option IGNORE THIS PROPERTY and add the rule by clicking the ADD button.

The property value is thus moved from the initial property to the end property.

Status notification

contactSync can send status notification emails to inform you about errors

that may have occurred. Status notification is a component of each policy.

If you leave this option unselected no notification email will be sent.

Subject: The email header

Send to: The SMTP address of the person who will receive the administrative report

Test: contactSync will send an email to the specified email address.

Send only on error: contactSync will only send status notification mails if at least one error occurred while a policy was running.

NOTE: CONTACTSYNC DOES NOT SEND A STATUS NOTIFICATION MAIL IF A POLICY HAS NOT

BEEN STARTED DUE TO AN ERROR.

Schedule Service

contactSync can perform the synchronization of policies automatically. You can schedule, weekly or monthly, the days on which the synchronization should be carried out. Furthermore, you can decide between what times and how many times a day the scheduler service works. It is possible to have the scheduler service synchronize every 15 minutes, every hour or once a day. We recommend scheduling the policies once a day.

With the start time and end time options, contactSync starts only within the defined period. The synchronization itself may take longer.

How to

How to configure Exchange Impersonation?

contactSync needs a service account which has been granted Exchange Impersonation.

Exchange Impersonation enables a caller to impersonate a given user

account. This enables the caller to perform operations by using the

permissions that are associated with the impersonated account, instead of

the permissions that are associated with the caller's account.

For more information, see

Impersonation and EWS in Exchange [1]

MSDN Library - Configuring Exchange Impersonation [2]

Exchange Impersonation in Exchange 2010, 2013, 2016, 2019 and Exchange Online (Mailbox contacts)

How can you check an existing management role for Exchange Impersonation, and how can you create a management role for Exchange Impersonation?

For on-premises Exchange:

Please log in on the on-premises Exchange Server with an Exchange Administrator account and open the Exchange Management Shell.

For Office 365 Exchange Online:

Please connect via remote PowerShell to the Office 365 tenant with an Exchange Administrator account.

Check existing Exchange Impersonation:

Please check whether a ROLE GROUP for APPLICATIONIMPERSONATION exists.

You can check the existing Exchange Impersonation via PowerShell:

Get-ManagementRoleAssignment -Role ApplicationImpersonation

[1] https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/impersonation-and-ews-in-exchange

[2] http://msdn.microsoft.com/en-us/library/bb204095(v=exchg.140).aspx

You can find an existing ROLE GROUP in the EXCHANGE ADMIN CENTER under

PERMISSIONS as ADMIN ROLES.

E.g. The IMPERSONATION ROLE to manage the APPLICATIONIMPERSONATION

Create an Impersonation Role Group for ApplicationImpersonation via PowerShell

You can create a new ROLE GROUP to manage the APPLICATIONIMPERSONATION role and add your contactSync service account as a member of the ROLE GROUP.

This example creates a ROLE GROUP called IMPERSONATION ROLE:

New-RoleGroup -Name "Impersonation Role" -Roles "ApplicationImpersonation" -Members [email protected]

The IMPERSONATION ROLE is also available in the EXCHANGE ADMIN CENTER under PERMISSIONS as ADMIN ROLES.
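A role group created as above carries ApplicationImpersonation with the role's default scope, so its members can impersonate every mailbox in the organization. The following added example (not part of the NETsec manual) audits who effectively holds the role and defines a variant limited by a management scope. The account, scope and assignment names and the CustomAttribute10 tag are placeholders, and the scoped variant assumes contactSync only has to import into the tagged mailboxes.

```powershell
# Added example, not taken from the contactSync manual.
# Run in the Exchange Management Shell or an Exchange Online PowerShell session.
# Placeholders (assumptions): account name, scope name, assignment name and the
# CustomAttribute10 tag that marks the mailboxes contactSync imports into.
$ServiceAccount = 'contactsync-svc@example.com'
$ScopeName      = 'contactSync target mailboxes'
$AssignmentName = 'contactSync impersonation (scoped)'
$ScopeFilter    = "CustomAttribute10 -eq 'contactSync'"

function Get-ImpersonationHolder {
    # One row per effective user; members of role groups are expanded.
    Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
        Select-Object Name, RoleAssigneeName, EffectiveUserName, Enabled,
            RecipientWriteScope, CustomRecipientWriteScope,
            @{ Name = 'OrgWide'
               Expression = { "$($_.RecipientWriteScope)" -eq 'Organization' } }
}

function New-ScopedImpersonation {
    param(
        [Parameter(Mandatory = $true)][string]$User,
        [Parameter(Mandatory = $true)][string]$Scope,
        [Parameter(Mandatory = $true)][string]$Filter,
        [Parameter(Mandatory = $true)][string]$Name
    )
    # Create the management scope once; reuse it on later runs.
    if (-not (Get-ManagementScope | Where-Object { $_.Name -eq $Scope })) {
        New-ManagementScope -Name $Scope -RecipientRestrictionFilter $Filter | Out-Null
    }
    # Direct assignment of the role to the account, limited to the scope.
    New-ManagementRoleAssignment -Name $Name -Role ApplicationImpersonation `
        -User $User -CustomRecipientWriteScope $Scope
}

# 1. Audit: who can impersonate, and over which recipients?
$holders = @(Get-ImpersonationHolder)
$holders | Sort-Object EffectiveUserName |
    Format-Table EffectiveUserName, RoleAssigneeName, RecipientWriteScope,
        CustomRecipientWriteScope, Enabled -AutoSize

$orgWide = @($holders | Where-Object { $_.OrgWide })
if ($orgWide.Count -gt 0) {
    Write-Warning ("{0} effective user(s) can impersonate every mailbox in the organization." -f $orgWide.Count)
}

# 2. Check how many mailboxes the scope filter would cover before relying on it.
$inScope = @(Get-Mailbox -ResultSize Unlimited -Filter $ScopeFilter)
"{0} mailbox(es) match the scope filter" -f $inScope.Count

# 3. Create the scoped assignment (uncomment to apply).
# New-ScopedImpersonation -User $ServiceAccount -Scope $ScopeName `
#     -Filter $ScopeFilter -Name $AssignmentName
#
# The account stays organization-wide for as long as it is also a member of the
# unscoped role group; remove it there once the scoped assignment is verified:
# Remove-RoleGroupMember -Identity 'Impersonation Role' -Member $ServiceAccount
```

Re-run step 1 after any change: an account that still shows a RecipientWriteScope of Organization has not been narrowed.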

Create an Impersonation Role for ApplicationImpersonation via Exchange Admin Center

You can create a new ROLE GROUP in the EXCHANGE ADMIN CENTER under

PERMISSIONS as ADMIN ROLES.

Add new admin role:

The new role group dialog:

• Add the name “Impersonation Role”

• Add “ApplicationImpersonation” to the Roles

• Add your contactSync service account to the Members

After that the new IMPERSONATION ROLE is available as ADMIN ROLE.

You can check the ASSIGNED ROLES and the MEMBERS of the IMPERSONATION

ROLE.

How to grant full access to the user mailboxes?

contactSync needs a service account, which has the FULL ACCESS PERMISSION

to these user mailboxes.

Exchange 2010

The following article, MANAGE FULL ACCESS PERMISSIONS, describes how to grant Full Access permissions to mailboxes in Exchange 2010:

https://technet.microsoft.com/en-us/library/bb676551%28v=exchg.141%29.aspx

We recommend granting the service account for contactSync FULL ACCESS PERMISSIONS to mailboxes and disabling the auto-mapping feature.

This example is the command for the Exchange Management Shell to grant the contactSync service account FULL ACCESS PERMISSIONS to John Doe’s mailbox:

Add-MailboxPermission -Identity 'John Doe' -User 'contactSync' -AccessRights FullAccess -InheritanceType All -AutoMapping $false

You can assign the FULL ACCESS PERMISSION for a user mailbox by using the

Exchange 2010 Management Console, but you cannot bulk assign

permissions for multiple mailboxes.

Exchange 2013, 2016, 2019 and Exchange Online

The following article, MANAGE FULL ACCESS PERMISSIONS, describes how to grant Full Access permissions to mailboxes in Exchange 2013, 2016, 2019 and Exchange Online:

https://technet.microsoft.com/en-us/library/jj919240%28v=exchg.160%29.aspx

We recommend granting the service account for contactSync FULL ACCESS PERMISSIONS to mailboxes and disabling the auto-mapping feature.

This example is the command for the Exchange Management Shell to grant the contactSync service account FULL ACCESS PERMISSIONS to John Doe’s mailbox:

Add-MailboxPermission -Identity 'John Doe' -User 'contactSync' -AccessRights FullAccess -InheritanceType All -AutoMapping $false

Using the Exchange Admin Center (EAC)

How to bulk assign full access permissions to multiple user mailboxes

You can bulk assign the FULL ACCESS PERMISSION for multiple user mailboxes with PowerShell cmdlets in the Exchange Management Shell.

You can use the parameter -Filter of Get-Mailbox to add the FULL ACCESS permissions to multiple mailboxes.

This example is the command for the Exchange Management Shell to grant the contactSync service account FULL ACCESS PERMISSIONS to all user mailboxes:

Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'contactSync')} | Add-MailboxPermission -User [email protected] -AccessRights FullAccess -InheritanceType All -AutoMapping $false

https://technet.microsoft.com/en-us/library/bb124097%28v=exchg.160%29.aspx
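The bulk grant above changes the permissions of every user mailbox in one pipeline, so it is worth previewing what it will touch and confirming the result afterwards. The following is an added example, not part of the NETsec manual; the service account name and the CSV file name are placeholders.

```powershell
# Added example, not taken from the contactSync manual.
# Run in the Exchange Management Shell or an Exchange Online PowerShell session.
# Placeholder (assumption): the contactSync service account name below.
$ServiceAccount = 'contactsync-svc@example.com'
# Same mailbox selection as the bulk command in the manual.
$MailboxFilter  = "(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'contactSync')"

function Get-FullAccessCoverage {
    param(
        [Parameter(Mandatory = $true)][string]$User,
        [Parameter(Mandatory = $true)][string]$Filter
    )
    # Collect the mailboxes first: calling another Exchange cmdlet from inside a
    # streaming pipeline can fail in remote sessions.
    $mailboxes = @(Get-Mailbox -ResultSize Unlimited -Filter $Filter)
    foreach ($mbx in $mailboxes) {
        # Allow entries for this user that include FullAccess (Deny entries excluded).
        $grants = @(Get-MailboxPermission -Identity $mbx.DistinguishedName -User $User |
            Where-Object { -not $_.Deny -and ($_.AccessRights -contains 'FullAccess') })
        $mbx | Select-Object DisplayName, PrimarySmtpAddress,
            @{ Name = 'HasFullAccess'; Expression = { $grants.Count -gt 0 } },
            @{ Name = 'Inherited'
               Expression = { [bool]($grants | Where-Object { $_.IsInherited }) } }
    }
}

# 1. Preview: -WhatIf lists every mailbox the bulk grant would change
#    without changing anything.
Get-Mailbox -ResultSize Unlimited -Filter $MailboxFilter |
    Add-MailboxPermission -User $ServiceAccount -AccessRights FullAccess `
        -InheritanceType All -AutoMapping $false -WhatIf

# 2. After the real run: confirm which mailboxes carry the grant.
#    Mailboxes created after the bulk run show up here as missing, because the
#    permission is set per mailbox.
$coverage = @(Get-FullAccessCoverage -User $ServiceAccount -Filter $MailboxFilter)
$missing  = @($coverage | Where-Object { -not $_.HasFullAccess })
"{0} of {1} user mailboxes grant FullAccess to {2}" -f `
    ($coverage.Count - $missing.Count), $coverage.Count, $ServiceAccount
$missing | Select-Object DisplayName, PrimarySmtpAddress

# 3. Keep the result as a record of what the service account can read.
$coverage | Export-Csv -Path .\contactsync-fullaccess.csv -NoTypeInformation

# 4. When the service account is retired, revoke the grant again (uncomment):
# Get-Mailbox -ResultSize Unlimited -Filter $MailboxFilter |
#     Remove-MailboxPermission -User $ServiceAccount -AccessRights FullAccess `
#         -InheritanceType All -Confirm:$false
```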

Since Exchange 2013 you can bulk assign permissions for multiple user mailboxes by using the Exchange admin center (EAC).

Click MAILBOX DELEGATION -> ADD

How to disable EWS Throttling for the contactSync account?

Exchange 2010

Open the Microsoft Exchange Management Shell (EMS) or connect via

remote PowerShell.

New-ThrottlingPolicy contactSyncPolicy;

Set-ThrottlingPolicy contactSyncPolicy -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null -EWSMaxConcurrency $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null -EWSMaxSubscriptions $null -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null -CPAMaxConcurrency $null -CPAPercentTimeInCAS $null -CPAPercentTimeInMailboxRPC $null -CPUStartPercent $null;

Set-Mailbox "contactSyncAccount" -ThrottlingPolicy contactSyncPolicy;

Exchange 2013, Exchange 2016 and Exchange 2019

Open the Microsoft Exchange Management Shell (EMS) or connect via

remote PowerShell.

New-ThrottlingPolicy contactSyncPolicy;

Set-ThrottlingPolicy contactSyncPolicy -RCAMaxConcurrency Unlimited -EWSMaxConcurrency Unlimited -EWSMaxSubscriptions Unlimited -CPAMaxConcurrency Unlimited -EwsCutoffBalance Unlimited -EwsMaxBurst Unlimited -EwsRechargeRate Unlimited;

Set-Mailbox "contactSyncAccount" -ThrottlingPolicy contactSyncPolicy;

How to check the PowerShell version on the contactSync server?

Please log in on the contactSync server with your contactSync service account.

Open WINDOWS POWERSHELL and check the result of the following two PowerShell commands:

Get-Host

and

$PSVersionTable

Troubleshooting and Support Guide

Issue with Exchange Online connection

The Autodiscover service returned an error

Please ensure that the server where you run contactSync can resolve the DNS names of MICROSOFT OFFICE 365 and can find and connect to Autodiscover to resolve the EXCHANGE WEB SERVICES URL.

Please do the following steps from the contactSync server:

First go to the website MICROSOFT REMOTE CONNECTIVITY ANALYZER

https://testconnectivity.microsoft.com/

Select the tab OFFICE 365, scroll to MICROSOFT OFFICE OUTLOOK CONNECTIVITY

TESTS and choose OUTLOOK AUTODISCOVER

Please run the test.

Make sure that this test is successful and that contactSync can retrieve

the correct URL for the EXCHANGE WEB SERVICES.

11021 - LegacyExchangeDN of the contactSync service account is in the old syntax. Please update this by re-mailenabling the service account or create a new contactSync service account.

Your current contactSync service account was migrated from an Exchange 2003 environment. The LEGACYEXCHANGEDN of the contactSync service account is in the old syntax, which was used up to Exchange 2003; however, contactSync needs a service account with a mailbox which has the new LEGACYEXCHANGEDN syntax used by Exchange 2007 and later.

Please create a new contactSync service account with a new mailbox and the same permissions as the old one.

After that, log on with the new contactSync service account, run the contactSync GUI with the new contactSync service account and change the contactSync service to the new contactSync service account.

Use CONFIGURE SERVICE to start the wizard for changing the service account of the contactSync service.

Could not load file or assembly 'netstandard, Version=2.0.0.0, Culture=neutral,

PublicKeyToken=cc7b13ffcd2ddd51' or one of its dependencies. The system

cannot find the file specified.

contactSync needs the .NET Framework 4.7.1 or later,

otherwise you will get errors and contactSync does not work.

Error message:

Could not load file or assembly 'netstandard, Version=2.0.0.0, Culture=neutral,

PublicKeyToken=cc7b13ffcd2ddd51' or one of its dependencies. The system cannot find

the file specified.

You can download the Microsoft .NET Framework 4.7.1 here:

https://www.microsoft.com/en-us/download/details.aspx?id=56116

12010 - Error getting Exchange Online connection

62003 – Current user cannot decrypt the token.

This error occurs if the policy was configured with the credentials of a different user than the one under which the policy was executed.

Please run the policy with the credentials of the user who configured the policy. We recommend running the contactSync GUI with the credentials of the local contactSync service account.

You can encrypt the token for Modern Authentication OAuth 2.0 for Exchange Web Services (EWS) again if you click the Login button for OAuth 2.0 and delete the token cache.

Please also have a look at the chapter Modern Authentication OAuth2 for Exchange Web Services (EWS) to access Exchange Online.

Support: What to do when I notice an error / bug?

We always try to provide very responsive, solution-oriented and effective support. Should you encounter any issue, bug or inconvenience, please do not hesitate to contact us.

To enable us to provide you with the best quality support, please provide us with the following information:

• Environment Overview
  o contactSync Installations (Planned and Implemented)
    ▪ Domain Infrastructure (e.g.: Single Domain “dom.local”)
    ▪ Exchange Version (e.g.: Exchange 2013)
    ▪ Windows Version of contactSync Machine (e.g.: Windows Server 2012 R2)
    ▪ contactSync Version (e.g.: 7.6.x)
    ▪ Does the contactSync Service Account have an Exchange Mailbox?
    ▪ Did you log on to the contactSync Machine using that Service Account to configure the policies?
    ▪ Is the contactSyncService logging on using the Service Account?
• Please describe your issue/bug/inconvenience thoroughly and in detail: what you wanted to achieve and what you were doing when it occurred.
• A screenshot of the issue often helps us to understand.
• We also require the configuration and the logs, preferably zipped.
  In menu Action -> Export Configuration you can zip the policies.
  In menu Action -> Export Status you can zip the log files.

If you have more questions or need further support, please do not hesitate to contact the contactSync Support Team.

contactSync Support Team

By phone +49 2421 998 78 20 or via e-mail [email protected]