Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2008-10-25) Exchange 2007 Rollup Package 4 Solves An Issue With ILM When Provisioning Mailboxes

Posted by Jorge on 2008-10-25


In most environments you have multiple DCs for any given AD domain and in addition to that you may be using Exchange 2007 as your mail system. To provision AD accounts and mailboxes you want to use ILM. That’s a great combination! However, to be able to provision mailboxes in Exchange 2007 you need to have at least: ILM 2007 FP1, Exchange 2007 with SP1 and you need to install PowerShell and the Exchange Management Console onto the ILM server. Last thing to do is to enable the checkbox called "Enable Exchange 2007 Provisioning" on the "Configure Extensions"page of the Active Directory Management Agent. Will that now automatically provision ALL users in AD? No not really. That just enables the provisioning of Exchange 2007 mailboxes, nothing more. For every user you need to AT LEAST specify the Exchange store (e.g. "homeMDB" attribute) where the mailbox will be hosted and a name related attribute (e.g. displayName, uPN, sAMAccountName, alias, etc.) (also see: http://technet.microsoft.com/en-us/library/bb738148(EXCHG.80).aspx) When all these conditions have been met, the AD account will be mailbox enable during the export to AD. Your code in your Metaverse Extension DLL when provisioning to AD could look like:

'##### CODE EXAMPLE ###### 'COMMENT: if mail is set to yes, then the object must be mailbox enabled. Manual precedence takes care of the attribute flow. The SMTP address will replace the ‘YES’ value during IAF as AD is precedence when the value contains a @ If mventry("mail").Value.ToLower = "yes" Then Dim strMailDomain As String Dim strMailStore As String 'COMMENT: read the SMTP mail domain from the XML configuration file strMailDomain = xmlRootNode.SelectSingleNode("AD-DS-Production/maildomain").InnerText 'COMMENT: read the Exchange 2007 mailbox store from the XML configuration file strMailStore = xmlRootNode.SelectSingleNode("AD-DS-Production/mailstore").InnerText 'COMMENT: specify the “mailNickname” attribute based upon the displayName AD_DS_Production_CsEntry("mailNickName").Value = Replace(mventry("displayName").Value, " ", ".") 'COMMENT: specify the “homeMDB” attribute (Exchange 2007 mailbox store) AD_DS_Production_CsEntry("homeMDB").Value = strMailStore 'COMMENT: specify the “mail” attribute based upon the displayName. NOT really required as Exchange will generate that based upon the “mailNickName” attribute AD_DS_Production_CsEntry("mail").Value = Replace(mventry("displayName").Value, " ", ".") & strMailDomain 'COMMENT: specify the primary SMTP address in “proxyAddresses” attribute based upon the displayName. NOT really required as Exchange will generate that based upon the “mailNickName” attribute AD_DS_Production_CsEntry("proxyAddresses").Values.Add("SMTP:" & Replace(mventry("displayName").Value, " ", ".") & strMailDomain) 'COMMENT: configure the user NOT to be hidden from the Address Lists. NOT really required because when not specified the default value is to NOT hide it from the Address Lists AD_DS_Production_CsEntry("msExchHideFromAddressLists").BooleanValue = False End If '##### CODE EXAMPLE ######

REMARK: this is just an example and not all code has been specified here!

Until now all sounds good! And it is good. However, sometimes it can happen that not the same DC is used to mailbox enable the AD account as the one that was used to create (provision) the AD account. Because of replication latency the provisioning of the mailbox fails. Now that’s a shame of course. That is not the fault of ILM but rather Exchange 2007’s fault. To solve that issue make sure to install the Exchange 2007 SP1 Rollup Package 4 on your Exchange 2007 box AND do not forget to update the ILM server as well!

More information about this can be found here:

REMARK: This KB article talks about a Exchange 2007 Resource Forest scenario. However the same issue also occurs when the normal AD accounts and Exchange 2007 are in the same AD forest.

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: