Can't get Exchange provisioning to work
I have still been unable to get ILM 2007 FP1 to fully provision a user with Exchange 2007 e-mail. It does create the user, but doesn't create a mailbox for them, which apparently also prevents them from being supplied with an e-mail address.
My HR MA is configured to set the user up with a valid path to an Exchange Mailbox store, after which my provisioning code looks like this:
<pre lang="x-vbnet">
If 0 = intConnectors Then
    'modified for Exchange provisioning
    If mventry("homeMDB").IsPresent Then
    'If IsEMailUser(mventry) Then
        Try
            If PROVISION_NEW_EXCH = True Then
                Dim nickName As String
                Dim mailboxMDB As String
                ' set the nickname or alias
                nickName = mventry("sAMAccountName").Value
                ' set the mailbox location
                mailboxMDB = mventry("homeMDB").StringValue
                csentry = ExchangeUtils.CreateMailbox(ManagementAgent, dn, nickName, mailboxMDB)
                Log("Mailbox " & mventry("homeMDB").StringValue & " created for " & _
                    dn.ToString & vbCrLf, True, 1)
            Else
                ' Add the new user object to the connector space.
                csentry = ManagementAgent.Connectors.StartNewConnector("user")
                ' set the Anchor value
                csentry.DN = dn
            End If
        ' Log and rethrow any exception
        Catch ex As Exception
            LogException(ex, "Provision", "Caught exception", False)
            Throw
        End Try
    Else 'no e-mail
        ' Add the new user object to the connector space.
        csentry = ManagementAgent.Connectors.StartNewConnector("user")
        ' set the Anchor value
        csentry.DN = dn
    End If

    ' set the sAMAccountName and UPN
    csentry("sAMAccountName").Values.Add(mventry("sAMAccountName").StringValue)
    csentry("userPrincipalName").Values.Add(mventry("sAMAccountName").StringValue & strChildUPN & ROOT_UPN_SUFFIX)

    ' Set the initial password
    If random_pw_enabled Then
        strInitialPwd = GenRandPw(password_length)
    End If
    csentry("unicodePwd").Values.Add(strInitialPwd)
    Log("Initial password set to: " & strInitialPwd, True, 1)

    ' force a password change at first logon
    csentry("pwdLastSet").Values.Add("0")

    ' new accounts expire in DAYS_TO_EXPIRE days
    If accounts_expire = True Then
        'csentry("AccountExpires").Values.Add(CommonFunctions.DateToActiveDirectoryDate(Now.AddDays(days_to_expire)))
    End If

    ' Get the userAccountControl attribute
    If csentry("userAccountControl").IsPresent Then
        currentValue = csentry("userAccountControl").IntegerValue
    Else
        currentValue = ADS_UF_NORMAL_ACCOUNT
    End If

    Select Case mventry("employeeStatus").Value
        Case "Active"
            ' set a description
            csentry("Description").Values.Add(mventry("description").StringValue & " - Provisioned by MIIS, " & Now())
            ' Set the userAccountControl attribute
            csentry("userAccountControl").Values.Add((currentValue Or ADS_UF_NORMAL_ACCOUNT) _
                And (Not ADS_UF_ACCOUNTDISABLE))
        Case "Inactive"
            ' set a description
            'csentry("Description").Values.Add(mventry("description").StringValue & " - Account disabled by MIIS, " & Now())
            csentry("Description").Values.Clear()
            csentry("Description").Values.Add("Account disabled by MIIS, " & Now())
            ' Set the userAccountControl attribute
            csentry("userAccountControl").Values.Add(currentValue _
                Or ADS_UF_ACCOUNTDISABLE _
                Or ADS_UF_PASSWD_NOTREQD)
    End Select

    Try
        ' Commit the connector
        csentry.CommitNewConnector()
        Log("Committed new connector for: " & csentry.DN.ToString & _
            "; uAC: " & csentry("userAccountControl").IntegerValue & _
            "; Password: " & strInitialPwd & vbCrLf, True, 1)
        SendNewAcctEMail(csentry, mventry)
        SendNewPwdEMail(csentry, mventry, strInitialPwd)
    Catch ex As MissingParentObjectException
        ' Ignore, this will get straightened out later.
        Log("Missing parent for: " & csentry.DN.ToString & vbCrLf, True, 3)
        'CreateParent(csentry.DN, ManagementAgent, mventry)
    Catch ex As ObjectAlreadyExistsException
        ' try appending the last 4 digits of the EID -- or 4 zeroes, if EID not present -- to the CN
        If mventry("employeeID").IsPresent Then
            rdn = rdn & " " & Right(mventry("employeeID").StringValue, 4)
        Else
            rdn = rdn & " 0000"
        End If
        dn = ManagementAgent.EscapeDNComponent(rdn).Concat(container)
        csentry.DN = dn
        Try
            csentry.CommitNewConnector()
            Log("Committed new connector for: " & csentry.DN.ToString & _
                "; uAC: " & csentry("userAccountControl").IntegerValue & _
                "; Password: " & strInitialPwd & vbCrLf, True, 1)
            SendNewAcctEMail(csentry, mventry)
            SendNewPwdEMail(csentry, mventry, strInitialPwd)
        Catch ex2 As ObjectAlreadyExistsException
        End Try
    Catch ex As NoSuchAttributeException
        ' Ignore if the attribute on the mventry object is not available at this time
    Catch ex As NoCompatiblePartitionFoundException
        ' not sure what to do with this one... it's a hangover from the dev work...
        Log("No compatible partition exception: " & csentry.DN.ToString, True, 3)
    Catch ex As Exception
        ' Log exception, with timestamp, at level 1
        Log("Caught exception " & ex.Message & " on " & csentry.DN.ToString, True, 3)
        ' All other exceptions re-throw to rollback the object synchronization transaction and
        ' report the error to the run history
        Throw
    End Try
ElseIf 1 = intConnectors Then
</pre>
As you can see, I am using the ExchangeUtils.CreateMailbox function with the bare minimum parameters, expecting the Exchange rules to provide quotas and to assign an SMTP address.
I do notice that the code sample in the Developer Reference has an example of creating the DN:
<pre lang="x-vbnet">
' Construct the distinguished name
dn = adMA.EscapeDNComponent("CN=" + mventry("cn").Value).Concat("ou=mailboxes,dc=fabrikam,dc=com")
</pre>
I do this earlier in my Provision sub, placing the ID in the same place it would be if the user weren't e-mail enabled. So I'm assuming that's not my problem. I do have 'mailNickname', 'homeMDB' and 'msExchMailboxSecurityDescriptor' selected in my AD MA.
I have the Exchange 2007 MMC and PowerShell installed on my ILM server and my ILM Service Account is a member of the Exchange Org Admins group. There are no errors generated.
We are currently running a mixed Exchange 2003/2007 environment.
What am I missing???
Ed Bell - Specialist, Network Services, Convergys
All Replies
Ed,
Which build/version of Exchange 2007 has been installed? Which options did you set on the ADMA config?
Did you already debug this part of the code?
Have you checked that the parameters are properly passed to the CreateMailbox function?
Pretty difficult to see on first sight, but are you sure the connection isn't created twice by the createMailbox and createNewConnector?
Small detail:
nickName = mventry("sAMAccountName").Value
Better use
nickName = mventry("sAMAccountName").StringValue
Kind regards,
Peter
Peter Geelen - Sr. Consultant IDA (http://www.traxion.com) - Marked as answer by Ahmad Abdel-wahed (MSFT), Moderator, Tuesday, November 03, 2009 6:51 PM
We are on Exchange 2007, SP1. Honestly not sure of the exact build number as I don't work directly on Exchange.
I DO NOT have the "Enable Exchange 2007 provisioning" check box checked because I've been told conflicting things -- I've been told that since we're in a mixed 2003/2007 environment, we don't need it, but I've also been told we do need it.
I don't think there is any chance that both CreateMailbox and CreateNewConnector are being hit, but I will double check that. As for the parameters being passed, can I say that they should be correct? The data in two of them -- "dn" and "nickname" -- is essentially the same as that used to create regular users. For "homeMDB," I import all of our mailstores into the metaverse and select one from there, so they should be valid. And my exception catching isn't catching anything.
I've fixed the small detail. Thanks for catching that. :-)
Ed Bell - Specialist, Network Services, Convergys

Are you sure about all your parameters? What is the value you're supplying in your mailboxMDB? Did you have a look at the attributes that are getting set on your users (e.g. using ADSIEdit or ldp)?
BTW, as long as you have Exchange 2003, you have no need for PowerShell: the RUS on your Exchange 2003 still takes care of correctly stamping your mailboxes.
Paul Loonen (Avanade)

Does it make a difference that our environment uses two different Administrative Groups? Our 2003 servers are in one group while the 2007 servers are in another. (This is because our business requires some of our employees to be able to send e-mail out that appears to come from another business.) The users I am trying to provision mailboxes for are all on 2007 servers. Maybe I need to have the "Enable Exchange 2007 provisioning" box checked?
While I know that, long term, we intend to get ALL of our Exchange mail onto 2007 servers, that won't be until probably early next year and I'd really like to get our guys away from having to manually create mailboxes for new 2007 users.
Thanks.
Ed Bell - Specialist, Network Services, Convergys

As far as I'm concerned, you don't need that Exchange 2007 checkbox checked. But as I'm no authority on Exchange, you might want to ask around some Exchange forum whether the RUS correctly stamps mailboxes in your scenario (I do think it does). What may be missing as well is some rights in the Active Directory. As in my post above, could you please check by using ADSIEdit or LDP which attributes do get set and which don't? Have you tried mailbox enabling some accounts manually using the account ILM uses? Did you try using the debugger to step through your code to see whether everything is running the way you expect it?
Paul Loonen (Avanade) - Marked as answer by Ahmad Abdel-wahed (MSFT), Moderator, Tuesday, November 03, 2009 6:51 PM
To answer a couple of the questions being asked and implicitly asked here:
1. When provisioning into a mixed mode environment where the Exchange 2003 RUS is still being used to stamp recipient attributes on users, DO NOT USE the Exchange 2007 option in the AD MA.
2. When debugging provisioning code, please make sure that you've got data that covers all the cases required. For example, userAccountControl is not a multi-valued attribute, so the use of Values.Add in your code would indicate that the code has not been stepped through, or that you are already aware of an issue you need to address there. Please make sure you can step through all your code and verify the success and sequence of each instruction in your provisioning logic. That way, once the problem has been isolated, this group can help by making recommendations that are relevant to the issue you are observing. At this point, it is difficult for us to do anything more than guess as to what the problem might be.
For details on how to get maximum return on your forum question, please refer to Peter's Greatest Hit here: http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/thread/137f58cd-ce2c-4b2b-bc1d-1a6effbd85a0
AhmadAW - Marked as answer by Ahmad Abdel-wahed (MSFT), Moderator, Tuesday, November 03, 2009 6:51 PM
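Two of the checks suggested in this thread can be scripted rather than done by hand in ADSIEdit or LDP: Paul's "look at which attributes actually got set on the user" and Ahmad's point that userAccountControl is a single-valued bit field that the Provision code computes. The PowerShell below is an added example, not code from the original posts or from ILM/Exchange. It reads the user back with System.DirectoryServices only, so it runs on the ILM server without the Exchange tools; the account name "ebell", the list of recipient attributes and PowerShell 2.0 or later are assumptions for illustration.

```powershell
<#
Added example (not from the original thread). Reads an AD user back after an
ILM provisioning run and reports (a) which Exchange recipient attributes the
RUS or the AD MA's Exchange 2007 option has stamped and (b) the
userAccountControl bits the posted Provision code sets.
Assumes a domain-joined machine and PowerShell 2.0 or later.
#>
param(
    [string]$SamAccountName = 'ebell'   # assumed sample account, not from the thread
)

# ADS_USER_FLAG_ENUM values from iads.h; the Provision code uses the same names.
$ADS_UF_ACCOUNTDISABLE = 0x0002
$ADS_UF_PASSWD_NOTREQD = 0x0020
$ADS_UF_NORMAL_ACCOUNT = 0x0200

# Attributes a mailbox-enabled user carries once recipient stamping has happened
# (assumed list; homeMDB and mailNickname are the ones the thread mentions).
$recipientAttributes = @(
    'mailNickname', 'homeMDB', 'msExchHomeServerName', 'legacyExchangeDN',
    'msExchMailboxGuid', 'mail', 'proxyAddresses', 'msExchMailboxSecurityDescriptor'
)

function ConvertTo-LdapFilterLiteral {
    # RFC 4515 escaping so a name taken from input cannot change the filter's meaning.
    param([string]$Text)
    $Text = $Text -replace '\\', '\5c'
    $Text = $Text -replace '\*', '\2a'
    $Text = $Text -replace '\(', '\28'
    $Text = $Text -replace '\)', '\29'
    $Text = $Text -replace "`0", '\00'
    return $Text
}

function Get-ProvisionedUserState {
    param([string]$SamAccountName)

    $literal  = ConvertTo-LdapFilterLiteral $SamAccountName
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$literal))"
    $searcher.PropertiesToLoad.AddRange([string[]](@('distinguishedName', 'userAccountControl') + $recipientAttributes))
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "User '$SamAccountName' not found in the current domain." }

    $props = $result.Properties
    # userAccountControl is single-valued: decode the bits rather than treating it as a list.
    $uac = [int]$props['useraccountcontrol'][0]

    $stamped = @()
    $missing = @()
    foreach ($attr in $recipientAttributes) {
        $key = $attr.ToLowerInvariant()   # DirectorySearcher returns property names in lower case
        if ($props.Contains($key) -and $props[$key].Count -gt 0) {
            $value = $props[$key][0]
            if ($value -is [byte[]]) { $value = "<binary, $($value.Length) bytes>" }
            $stamped += "$attr = $value"
        } else {
            $missing += $attr
        }
    }

    return New-Object PSObject -Property @{
        DistinguishedName   = $props['distinguishedname'][0]
        UserAccountControl  = $uac
        NormalAccount       = [bool]($uac -band $ADS_UF_NORMAL_ACCOUNT)
        AccountDisabled     = [bool]($uac -band $ADS_UF_ACCOUNTDISABLE)
        PasswordNotRequired = [bool]($uac -band $ADS_UF_PASSWD_NOTREQD)
        Stamped             = $stamped
        Missing             = $missing
    }
}

$state = Get-ProvisionedUserState -SamAccountName $SamAccountName
"DN: $($state.DistinguishedName)"
"userAccountControl: {0} (0x{0:X}) normal={1} disabled={2} pwdNotReqd={3}" -f `
    $state.UserAccountControl, $state.NormalAccount, $state.AccountDisabled, $state.PasswordNotRequired
"Stamped:"; $state.Stamped | ForEach-Object { "  $_" }
"Missing:"; $state.Missing | ForEach-Object { "  $_" }
```

Run it once as yourself and once as the ILM service account (for example via runas) against a user ILM just created: if homeMDB is present but mailNickname, legacyExchangeDN and msExchMailboxGuid are all missing, the object was written but nothing has stamped it as a recipient, which narrows the question to the RUS, to the AD MA's Exchange option, or to the rights of the ILM account. Paul's other suggestion, mailbox-enabling an account manually with the ILM account, can be tried from the Exchange Management Shell with Enable-Mailbox -Identity and -Database plus -WhatIf first. One caveat on the posted Provision code while you are debugging it: it writes strInitialPwd into the ILM log in clear text and mails it, so treat that log file as a credential store and remove the password from the log line once the mailbox problem is solved.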