(2008-10-25) Exchange 2007 Rollup Package 4 Solves An Issue With ILM When Provisioning Mailboxes
Posted by Jorge on 2008-10-25
In most environments you have multiple DCs for any given AD domain, and in addition to that you may be using Exchange 2007 as your mail system. To provision AD accounts and mailboxes you want to use ILM. That’s a great combination! However, to be able to provision mailboxes in Exchange 2007 you need at least ILM 2007 FP1 and Exchange 2007 with SP1, and you need to install PowerShell and the Exchange Management Console onto the ILM server. The last thing to do is to enable the checkbox called "Enable Exchange 2007 Provisioning" on the "Configure Extensions" page of the Active Directory Management Agent.

Will that now automatically provision ALL users in AD? No, not really. That just enables the provisioning of Exchange 2007 mailboxes, nothing more. For every user you need to specify AT LEAST the Exchange store (e.g. the "homeMDB" attribute) where the mailbox will be hosted and a name-related attribute (e.g. displayName, uPN, sAMAccountName, alias, etc.) (also see: http://technet.microsoft.com/en-us/library/bb738148(EXCHG.80).aspx). When all these conditions have been met, the AD account will be mailbox enabled during the export to AD.

Your code in your Metaverse Extension DLL when provisioning to AD could look like:
'##### CODE EXAMPLE ######
'COMMENT: if mail is set to yes, then the object must be mailbox enabled. Manual precedence takes care of the attribute flow. The SMTP address will replace the ‘YES’ value during IAF as AD is precedence when the value contains a @
If mventry("mail").Value.ToLower = "yes" Then
    Dim strMailDomain As String
    Dim strMailStore As String

    'COMMENT: read the SMTP mail domain from the XML configuration file
    strMailDomain = xmlRootNode.SelectSingleNode("AD-DS-Production/maildomain").InnerText

    'COMMENT: read the Exchange 2007 mailbox store from the XML configuration file
    strMailStore = xmlRootNode.SelectSingleNode("AD-DS-Production/mailstore").InnerText

    'COMMENT: specify the “mailNickname” attribute based upon the displayName
    AD_DS_Production_CsEntry("mailNickName").Value = Replace(mventry("displayName").Value, " ", ".")

    'COMMENT: specify the “homeMDB” attribute (Exchange 2007 mailbox store)
    AD_DS_Production_CsEntry("homeMDB").Value = strMailStore

    'COMMENT: specify the “mail” attribute based upon the displayName. NOT really required as Exchange will generate that based upon the “mailNickName” attribute
    AD_DS_Production_CsEntry("mail").Value = Replace(mventry("displayName").Value, " ", ".") & strMailDomain

    'COMMENT: specify the primary SMTP address in “proxyAddresses” attribute based upon the displayName. NOT really required as Exchange will generate that based upon the “mailNickName” attribute
    AD_DS_Production_CsEntry("proxyAddresses").Values.Add("SMTP:" & Replace(mventry("displayName").Value, " ", ".") & strMailDomain)

    'COMMENT: configure the user NOT to be hidden from the Address Lists. NOT really required because when not specified the default value is to NOT hide it from the Address Lists
    AD_DS_Production_CsEntry("msExchHideFromAddressLists").BooleanValue = False
End If
'##### CODE EXAMPLE ######
REMARK: this is just an example and not all code has been specified here!
Until now all sounds good! And it is good. However, it can sometimes happen that the DC used to mailbox enable the AD account is not the same DC that was used to create (provision) the AD account. Because of replication latency, the provisioning of the mailbox then fails. Now that’s a shame of course. That is not the fault of ILM but rather Exchange 2007’s fault. To solve that issue, make sure to install the Exchange 2007 SP1 Rollup Package 4 on your Exchange 2007 box AND do not forget to update the ILM server as well!
More information about this can be found here:
- MS-KBQ949858_The provisioning process is unsuccessful when you use Identity Lifecycle Manager (ILM) 2007 to provision user objects to an Exchange Server 2007 resource forest
REMARK: This KB article talks about an Exchange 2007 Resource Forest scenario. However, the same issue also occurs when the normal AD accounts and Exchange 2007 are in the same AD forest.
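To confirm that replication latency is what you are hitting, you can ask every DC in the domain whether it already holds the newly provisioned account and whether "homeMDB" has arrived there. The script below is an added example, not code from the original post; the function name Get-UserPresencePerDC and the sample DN are assumptions, and the DN is assumed to contain no characters that need escaping in an LDAP path.

```powershell
# Added example: per-DC view of a freshly provisioned user object.
# Run it on the ILM server right after an export to AD.
function Get-UserPresencePerDC {
    param([string]$UserDN)

    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    foreach ($dc in $domain.DomainControllers) {
        $status  = 'Missing'   # object has not replicated to this DC yet
        $homeMdb = $null
        $path    = "LDAP://$($dc.Name)/$UserDN"   # server-bound path: query this DC only

        try {
            if ([System.DirectoryServices.DirectoryEntry]::Exists($path)) {
                $entry   = New-Object System.DirectoryServices.DirectoryEntry($path)
                $status  = 'Present'
                # Empty on a DC that has the account but not yet the mailbox attributes
                $homeMdb = [string]$entry.Properties['homeMDB'].Value
                $entry.Dispose()
            }
        }
        catch {
            # DC unreachable, access denied, etc. Report it instead of guessing.
            $status = "Error: $($_.Exception.Message)"
        }

        New-Object PSObject -Property @{
            DC      = $dc.Name
            Status  = $status
            HomeMDB = $homeMdb
        }
    }
}

# Constructed sample DN; replace it with the DN of the account ILM just exported.
Get-UserPresencePerDC -UserDN 'CN=Jane Doe,OU=Users,DC=example,DC=com' |
    Format-Table DC, Status, HomeMDB -AutoSize
```

A mix of "Present" and "Missing" rows immediately after the export means the account exists on the DC that created it but has not yet reached the others, which is the condition described above.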
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########