Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2010-03-10) Provisioning Mailboxes In Exchange 2007/2010 By ILM/FIM

Posted by Jorge on 2010-03-10


MS-KBQ275636 explains which attributes are required (at a minimum) to provision a mailbox into an Exchange 2007 (E2K7) environment. For an Exchange 2010 (E2K10) environment the game is a little different. Let’s have a look at the HOW and WHY.

The mailbox needs an identifier and a location where it is stored. The identifier can be split into two parts. The "Alias" identifies the mailbox itself; as a minimum it is used to generate the mail address when no custom e-mail address policy has been specified (or is used by that policy when one has been specified), AND to generate the legacyExchangeDN. For the GAL, the identifier of the mailbox is the "Display Name", which is required by Exchange but not by AD. When creating a user in AD, you only need to/must specify the Full Name (a.k.a. CN or RDN), not the Display Name. If you use Active Directory Users and Computers, the Display Name is derived from the Full Name. When creating a mailbox in Exchange for a user that has no Display Name, the Display Name will still be populated, derived from the Full Name.

With regards to the location, you need to at least specify an Exchange Server and preferably a mailbox database on that Exchange Server. If you do not specify a mailbox database, Exchange will select one randomly. I personally do not like the random stuff, therefore I’d rather specify both the Exchange Server and the mailbox database. Other attributes such as homeMTA and msExchHomeServerName are derived from the specified value for homeMDB. Let’s have a look at the small differences between E2K7 and E2K10.

Provisioning Exchange 2007 Mailboxes

When provisioning mailboxes in Exchange 2007 you need to specify at least (the minimum) the following attributes:

  • mailNickname
  • homeMDB (e.g.: CN=Mailbox Database,CN=First Storage Group,CN=InformationStore,CN=RFSRWDC1,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MAIL-ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ADCORP,DC=LAB)

REMARK: The assumption is made here the Display Name was already specified during the creation of the user in AD.

REMARK: Note that homeMDB in Exchange 2007 contains both the Mailbox Database Name and the Exchange Server Name (in the example above, the CN=Mailbox Database and CN=RFSRWDC1 parts of the DN).

In addition to specifying the minimum required attributes, you need to configure the ADDS MA as shown:

[image: ADDS MA configuration page for Exchange 2007 mailbox provisioning, including the "Exchange 2007 RUS Server" option]

PS.: I have no clue what the option "Exchange 2007 RUS Server" is used for. The weird thing is that there is no RUS anymore in Exchange 2007. The RUS existed in Exchange 2000/2003.

UPDATE 11-03-2010: According to my MVP friend, Brian Desmond: "Actually RUS still exists in Exchange 2007, it’s just a synchronous thing inside the System Attendant which the cmdlets make an RPC call to for it to do its work. SP2 added a parameter (the same as the optional option in the ADDS MA) to the various cmdlets to specify which Exchange server the cmdlet should call out to for RUS. I would leave it blank unless you have a good reason not to."

Exchange Server 2007 Mailbox Provisioning requires at least the following to be installed on the ILM/FIM Server:

  • PowerShell v1.0 (or PowerShell v2.0) for the execution of local PowerShell CMDlets.
  • Exchange Management Console providing the required CMDlets

For Exchange Server 2007, in AD the attributes look like:
dn:CN=Albert Einstein,OU=Users,OU=HISTORY1,OU=Org-Users,DC=ADCORP,DC=LAB
>mailNickname: AEinstein
>homeMDB: CN=Mailbox Database,CN=First Storage Group,CN=InformationStore,CN=RFSRWDC1,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MAIL-ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ADCORP,DC=LAB
>msExchHomeServerName: /o=MAIL-ORG/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=RFSRWDC1

Provisioning Exchange 2010 Mailboxes

When provisioning mailboxes in Exchange 2010 you need to specify at least (the minimum) the following attributes:

  • mailNickname
  • homeMDB (e.g.: CN=Mailbox Database 1627792968,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MAIL-ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ADCORP,DC=LAB)
  • msExchHomeServerName (e.g. /o=MAIL-ORG/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=RFSRWDC1)

REMARK: The assumption is made here the Display Name was already specified during the creation of the user in AD.

REMARK: Note the fact that homeMDB in Exchange 2010 only contains the Mailbox Database Name and NOT the Exchange Server Name. The Exchange Server Name is stored in the value for the attribute called msExchHomeServerName.

In addition to specifying the minimum required attributes, you need to configure the ADDS MA as shown:

[image: ADDS MA configuration page for Exchange 2010 mailbox provisioning, including the "Exchange 2010 RPS URI" option]

PS.: For the option "Exchange 2010 RPS URI" you need to specify, in the form shown, the URL of an Exchange Server that is hosting the "Client Access Server Role", so that the ILM/FIM server can run remote PowerShell CMDlets against it.

Exchange Server 2010 Mailbox Provisioning requires at least the following to be installed on the ILM/FIM Server:

  • PowerShell v2.0 for the execution of remote PowerShell CMDlets.

REMARK: Provisioning of Exchange 2010 mailboxes does not require the Exchange Management Console to be installed on the ILM/FIM server as remote PowerShell CMDlets are used!
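The remote PowerShell exchange that the "Exchange 2010 RPS URI" option stands for, done by hand from the ILM/FIM server so the prerequisites (PowerShell v2.0, no local Exchange Management Console, a CAS that answers on the URI, and the service account's Exchange RBAC rights) can be verified before the MA is configured. This is an added example, not code from the post or from ILM/FIM. The CAS host name, the user DN, the alias and the database name are assumptions taken from the post's lab values; the URI form http://<CAS FQDN>/PowerShell/ is the Exchange 2010 remote PowerShell endpoint.

```powershell
# Added example (not the post's or FIM's code): open a remote PowerShell session
# against an Exchange 2010 Client Access Server, mailbox-enable an existing AD user,
# and read back what Exchange populated. All names below are assumptions built
# from the post's sample values.
$rpsUri   = 'http://rfsrwdc1.adcorp.lab/PowerShell/'   # assumed: RFSRWDC1 hosts the CAS role
$userDn   = 'CN=Albert Einstein,OU=Users,OU=HISTORY1,OU=Org-Users,DC=ADCORP,DC=LAB'
$alias    = 'AEinstein'
$database = 'Mailbox Database 1627792968'

# 1. Connect to the Exchange remote PowerShell endpoint on the CAS. With Kerberos the
#    calling account's own identity is used; for provisioning it needs an Exchange RBAC
#    role that allows mailbox creation (e.g. the built-in "Mail Recipient Creation" role).
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
                         -ConnectionUri $rpsUri `
                         -Authentication Kerberos
try {
    # 2. Import only the cmdlets this job needs into the local runspace. Nothing
    #    Exchange-specific has to be installed locally; the proxies call the CAS.
    Import-PSSession -Session $session -CommandName Enable-Mailbox, Get-Mailbox -AllowClobber | Out-Null

    # 3. Mailbox-enable the user, naming alias AND database explicitly so Exchange does
    #    not pick a database at random (the post's homeMDB / mailNickname requirement).
    Enable-Mailbox -Identity $userDn -Alias $alias -Database $database | Out-Null

    # 4. Read back the values Exchange wrote; these are what you compare against the
    #    mailNickname / homeMDB / msExchHomeServerName the ADDS MA flows.
    Get-Mailbox -Identity $userDn |
        Select-Object Alias, Database, ServerName, LegacyExchangeDN
}
finally {
    # 5. Always tear the session down; the CAS limits concurrent runspaces per user.
    Remove-PSSession -Session $session
}
```

Run it once interactively under the FIM service account: if step 1 fails, the RPS URI or the account's WinRM/RBAC access is wrong, and the MA will fail the same way; if step 4 shows a different ServerName or Database than you intended to flow, the MA's attribute mapping needs a second look.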

For Exchange Server 2010, in AD the attributes look like:
dn:CN=Albert Einstein,OU=Users,OU=HISTORY1,OU=Org-Users,DC=ADCORP,DC=LAB
>mailNickname: AEinstein
>homeMDB: CN=Mailbox Database 1627792968,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MAIL-ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ADCORP,DC=LAB
>msExchHomeServerName: /o=MAIL-ORG/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=RFSRWDC1

UPDATE 11-03-2010: I had a discussion with my friend on the "darkside", Tomek, about the information above. We discussed that the flow of the attributes as mentioned is required when using the Synchronization Rules in the FIM Portal. However, you can still use "the old fashioned" Export Attribute Flow in the ADDS MA if you want to. Another way to provision mailboxes is to use the function "ExchangeUtils.CreateMailbox" in a Rules Extension DLL. Whatever the case, you really need to be careful when just flowing attributes. For example, the flow of the Mailbox Database and Exchange Server should only occur initially, meaning at the moment when creating the mailbox. It should therefore not be flowed anymore _after_ the creation of the mailbox, unless you would like to have issues!
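A pre-export sanity check that ties the three sections above together: it verifies that the attribute set to be flowed for a mailbox carries the minimum the post names for the chosen Exchange version, that homeMDB has the right shape (server inside the DN for 2007, no server and an explicit msExchHomeServerName for 2010), that msExchHomeServerName agrees with the org and administrative group in homeMDB, and that homeMDB is not being re-flowed onto a user that already has a different one (the warning in the update just above). This is an added example, not code from the post or from ILM/FIM; the function names and the sample records are constructed here from the values the post shows, and the third record deliberately omits msExchHomeServerName to show a failing case.

```powershell
# Added example, not code from the post or from ILM/FIM: a pre-export sanity check
# for the attribute set that the ADDS MA is about to flow for a new mailbox.
# The sample records at the bottom are constructed from the values shown in the post.

function Get-DnComponents {
    # Split a distinguished name into its RDN parts; a backslash-escaped comma
    # inside a value (allowed by AD) is not treated as a separator.
    param([Parameter(Mandatory = $true)][string]$Dn)
    [regex]::Split($Dn, '(?<!\\),') | ForEach-Object { $_.Trim() }
}

function Get-ChildUnder {
    # Return the value of the RDN that sits directly below the container
    # "CN=<Container>" in the DN, e.g. the server name below CN=Servers.
    param([string[]]$Parts, [string]$Container)
    for ($i = 1; $i -lt $Parts.Count; $i++) {
        if ($Parts[$i] -ieq "CN=$Container") { return ($Parts[$i - 1] -replace '^CN=', '') }
    }
    return $null
}

function Test-MailboxProvisioningAttributes {
    param(
        [Parameter(Mandatory = $true)][hashtable]$Attributes,                          # what the MA would export
        [Parameter(Mandatory = $true)][ValidateSet('2007', '2010')][string]$ExchangeVersion,
        [string]$CurrentHomeMDB = ''                                                    # homeMDB already in AD, if any
    )
    $problems = New-Object 'System.Collections.Generic.List[string]'

    foreach ($name in 'mailNickname', 'homeMDB') {
        if ([string]::IsNullOrWhiteSpace($Attributes[$name])) { $problems.Add("missing $name") }
    }
    # The post's rule: database and server are flowed once, at mailbox creation.
    # A different homeMDB on an already-provisioned user is a mailbox move, not provisioning.
    if ($CurrentHomeMDB -and $Attributes['homeMDB'] -and ($CurrentHomeMDB -ine $Attributes['homeMDB'])) {
        $problems.Add('homeMDB is already set to a different database; do not re-flow it after creation')
    }
    if (-not $Attributes['homeMDB']) {
        return [pscustomobject]@{ Version = $ExchangeVersion; Database = $null; Server = $null
                                  HomeServerName = $null; Problems = $problems.ToArray() }
    }

    $parts      = Get-DnComponents -Dn $Attributes['homeMDB']
    $dbName     = $parts[0] -replace '^CN=', ''
    $org        = Get-ChildUnder -Parts $parts -Container 'Microsoft Exchange'
    $group      = Get-ChildUnder -Parts $parts -Container 'Administrative Groups'
    $server     = Get-ChildUnder -Parts $parts -Container 'Servers'     # present in 2007 DNs only
    $prefix     = "/o=$org/ou=$group/cn=Configuration/cn=Servers/cn="   # legacy-DN form used by msExchHomeServerName
    $homeServer = $Attributes['msExchHomeServerName']

    if ($ExchangeVersion -eq '2007') {
        if (-not $server) {
            $problems.Add('homeMDB has no CN=<server>,CN=Servers part; an Exchange 2007 database DN carries the server name')
        } else {
            $derived = $prefix + $server
            if (-not $homeServer) { $homeServer = $derived }            # Exchange derives it from homeMDB
            elseif ($homeServer -ine $derived) { $problems.Add("msExchHomeServerName does not match the server in homeMDB ($server)") }
        }
    } else {
        if ($server) { $problems.Add('homeMDB names a server; Exchange 2010 database DNs live under CN=Databases') }
        if (-not $homeServer) {
            $problems.Add('missing msExchHomeServerName; in Exchange 2010 the server is not part of homeMDB')
        } elseif (-not $homeServer.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            $problems.Add('msExchHomeServerName org/admin group does not match homeMDB')
        } else {
            $server = $homeServer.Substring($prefix.Length)
        }
    }

    [pscustomobject]@{
        Version        = $ExchangeVersion
        Database       = $dbName
        Server         = $server
        HomeServerName = $homeServer
        Problems       = $problems.ToArray()
    }
}

# Constructed sample records (values from the post; the third omits msExchHomeServerName on purpose).
$ag = 'CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MAIL-ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ADCORP,DC=LAB'
$records = @(
    @{ Version = '2007'; Attributes = @{
        mailNickname = 'AEinstein'
        homeMDB      = "CN=Mailbox Database,CN=First Storage Group,CN=InformationStore,CN=RFSRWDC1,CN=Servers,$ag" } },
    @{ Version = '2010'; Attributes = @{
        mailNickname         = 'AEinstein'
        homeMDB              = "CN=Mailbox Database 1627792968,CN=Databases,$ag"
        msExchHomeServerName = '/o=MAIL-ORG/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=RFSRWDC1' } },
    @{ Version = '2010'; Attributes = @{
        mailNickname = 'AEinstein'
        homeMDB      = "CN=Mailbox Database 1627792968,CN=Databases,$ag" } }
)
foreach ($r in $records) {
    Test-MailboxProvisioningAttributes -Attributes $r.Attributes -ExchangeVersion $r.Version | Format-List
}
```

For the 2007 record the check derives the same msExchHomeServerName value the post shows from homeMDB alone; for the second record it confirms the explicit value matches the org and administrative group in homeMDB; the third record reports the missing msExchHomeServerName. Pass -CurrentHomeMDB with the value already on the AD object to catch a database re-flow on an existing mailbox.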

Also see:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
