Exchange 2010 selective mailbox provisioning

  • Here I am again :): I can successfully provision mailboxes using FIM2010 to Exchange 2010 with the "provision for exchange 2010" option on the AD MA. Using the FIM Portal I flow the required attributes (mailnickname, homemdb and msExchHomeServerName). Now I want to give some accounts a mailbox, and some not.

    Am I correct that I will have to implement this logic in custom code? Using the "csentry = ExchangeUtils.CreateMailbox(adMA, dn, nickName, mailboxMDB)" alike code in the "provision" function of the AD MA?

    Thanks in advance,

    Regards,

    Thomas


    http://setspn.blogspot.com
    Tuesday, June 29, 2010 12:02 PM

All replies

  • How did you configure your setup right now? Setting some attributes (with initial flow) for AD user accounts in outbound sync rule, correct?
    And how far do you want to go?

    Do you just want to give a mailbox to some accounts, but not all?
    Or do you wish to make it more complex (different stores, ...)?

    Do you have a clear condition on which you make the decision?
    Do you want to provision mailboxes only for newly provisioned users or for existing users too?

    Why not using an IIF statement in the portal? And just filling the Exchange attributes or not, based on the iif statement?
    Which is a minor change against your current scenario...

    HTH,
    Peter


    Peter Geelen - Sr. Consultant IDA (http://www.fim2010.be)

    [If a post helps to resolve your issue, please click the "Mark as Answer" or "Helpful" button at the top of that post. By marking a post as Answered or Helpful, you help others find the answer faster.]
    Tuesday, June 29, 2010 12:57 PM
  • Not necessarily

    If I were you, I would use two different "AD User provisioning Sync Rule":

    - one with the mailbox attributes provisioned: mailNickname, homeMDB, msDBUseDefaults and msExchHomeServerName

    - one with no attributes for mailbox (in this case the sync engine will not create a mailbox for the user)

     

    I don't know what logic you want to implement to decide who has a mailbox and who does not, but... Suppose you want to create AD accounts for both "Full Time Employee" and "Contractor" but create a mailbox only for "Full Time Employee"

    In this case you create two workflows: "AD Users provisioning with Mailbox Workflow" and "AD Users provisioning without Mailbox Workflow"

    The first one calls the Sync Rule "AD User provisioning with mailbox Outbound Sync Rule" and the second one calls the Sync Rule "AD User provisioning without mailbox Outbound Sync Rule"

    The last thing to do is to create the two transition MPRs for the Sets "Full Time Employee" and "Contractor" and call the correct workflow in both cases.

     

    Hope it makes sense

    Fabrice.

    Tuesday, June 29, 2010 1:02 PM
  • I want to provision Users and Administrative Accounts from the FIM Portal. The latter should not get a mailbox. I do have different SR's, which do not flow the Exchange Attributes for the Admin Accounts.

    So I was hoping that the sync engine indeed would not try to provision a mailbox like Fabrice suggests in "- one with no attributes for mailbox (in this case the sync engine will not create a mailbox for the user)"

    The FIM part is ok (the sync engine does not throw any errors), but on the HUB/CAS server I see an error at the same time the export is occurring.

    The error:

    (PID 4572, Thread 46) Task Update-Recipient writing error when processing record of index 0. Error: Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: domain.com/admins/admin03 wasn't found. Please make sure you've typed it correctly. ---> Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'domain.com/admins/admin03' couldn't be found on 'dc01.domain.com'.
       at Microsoft.Exchange.Configuration.Tasks.DataAccessTask`1.GetDataObject[TObject](IIdentityParameter id, IConfigDataProvider session, ObjectId rootID, OptionalIdentityData optionalData, Nullable`1 notFoundError, Nullable`1 multipleFoundError)
       at Microsoft.Exchange.Configuration.Tasks.DataAccessTask`1.GetDataObject[TObject](IIdentityParameter id, IConfigDataProvider session, ObjectId rootID, Nullable`1 notFoundError, Nullable`1 multipleFoundError)
       at Microsoft.Exchange.Management.RecipientTasks.UpdateRecipient.ResolveDataObject()
       --- End of inner exception stack trace ---

    The EAF only mentions the following attributes (as configured in my SR): description, displayName, givenName, sAMAccountName, sn, userAccountControl, UserPrincipalName


    http://setspn.blogspot.com
    Tuesday, June 29, 2010 1:28 PM
  • No more feedback?

    Is there anyone who can confirm if the "provision for ****" option on the AD MA safely ignores provisioning adds when no exchange attributes are flowed in that provisioning add?

    thanks in advance,
    regards,

    Thomas


    http://setspn.blogspot.com
    Monday, July 5, 2010 4:21 PM
  • Thomas,

    Digging up an old thread here...

    I'm looking to do the same thing that you were trying to do. My experience so far has been that if you use MV code and skip the steps where you set the Exchange specific attribs and don't call ExchangeUtils.CreateMailbox(), you get a mail contact or some other exchange object created. It looks like if you have the provisioning option set in the MA config, something gets created. Haven't tried it with declarative yet, but I'm thinking I'll get a similar result.

    I'm looking at creating a MA for provisioning exchange, which will trigger off a custom attrib that indicates if an exchange mailbox is needed.

    What did you end up doing?

    -Frank

    Sunday, February 27, 2011 3:44 PM
  • My deployment uses declarative provisioning. I've got several account types, some require a mailbox, some don't. For those that don't require a mailbox, I don't flow the mailnickname,... attributes. I just have several OSR's and WF/MPRs.

    It is to my understanding that whenever you have the "provision for Exchange 20xx" configured in your AD MA, each provisioning Add (on the AD MA), will also trigger an update-recipient during the export on the AD MA. Regardless whether you flow exchange attributes or not.

    This will log some warnings/errors in your Exchange CAS server for objects which don't have any relevant exchange attributes set. I've logged a PSS case for this and the answer was "by design". So those errors are purely a cosmetic thing...

    Is the above clear? I can explain further if you want to.


    http://setspn.blogspot.com
    Sunday, February 27, 2011 6:24 PM
  • Thomas,

    Yes, I was seeing the update-recipient running. For some reason, it was provisioning a mail contact instead of a Mailbox and I was getting MA errors. Which attribs did you not flow? Perhaps I left something in there that was enough to provision 'something'.

    I was thinking of adding a new boolean attrib in the FIM Service for "exchange/no exchange" and building sets, wf's and SR that include or exclude the exchange attributes. Is that how you designed your setup?

    Thanks

    Frank

    Monday, February 28, 2011 3:54 PM
  • Thomas,

    Yes, I was seeing the update-recipient running. For some reason, it was provisioning a mail contact instead of a Mailbox and I was getting MA errors. Which attribs did you not flow? Perhaps I left something in there that was enough to provision 'something'.

    I was thinking of adding a new boolean attrib in the FIM Service for "exchange/no exchange" and building sets, wf's and SR that include or exclude the exchange attributes. Is that how you designed your setup?

    Thanks

    Frank


    mailNickname and targetAddress get you a contact/mail enabled user

    mailNickname, homeMdb, and msExchHomeServerName will get you a mailbox.


    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com
    Monday, February 28, 2011 4:57 PM
  • What Brian says is spot on. I think the msExchHomeServerName wasn't required for Exchange 2007 provisioning, but it's definitely required for Exchange 2010.

    I myself also flow the msExchRBACPolicyLink; check: FIM 2010: Exchange 2010 Mailbox Provisioning & OWA Options Panel

    Regarding the mailbox/no mailbox, you could perfectly use a checkbox or so and then use the value of this checkbox in your initial-flow-only attribute flows for the Exchange related attributes. Like IIF(checkBox,mailNickname_value,Null())

    Or a dropdown mailbox/no mailbox. Whatever suits your requirements. I myself have accounts without a mailbox, accounts with a mailbox and also mail-enabled accounts.


    http://setspn.blogspot.com
    Monday, February 28, 2011 7:30 PM
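
An added example, not code from any poster in this thread: a PowerShell check that classifies accounts by which Exchange attributes they actually carry, using the attribute combinations stated above, so accounts that were meant to get no mailbox (such as the admin accounts) can be verified after an export. The function name, the state labels and the sample objects are assumptions made for illustration.

```powershell
# Added example. Attribute rules are the ones stated in the thread:
#   mailNickname + homeMDB + msExchHomeServerName -> mailbox
#   mailNickname + targetAddress                  -> contact / mail-enabled user
function Get-ExchangeProvisioningState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Account
    )
    process {
        # Record which of the four attributes carry a non-empty value.
        $has = @{}
        foreach ($attr in 'mailNickname', 'homeMDB', 'msExchHomeServerName', 'targetAddress') {
            $prop = $Account.PSObject.Properties[$attr]
            $has[$attr] = ($null -ne $prop) -and
                -not [string]::IsNullOrWhiteSpace([string]$prop.Value)
        }

        $state = if ($has.mailNickname -and $has.homeMDB -and $has.msExchHomeServerName) {
            'Mailbox'
        } elseif ($has.mailNickname -and $has.targetAddress) {
            'MailEnabled'
        } elseif ($has.Values -contains $true) {
            'Partial'   # some Exchange attributes set, but no complete combination
        } else {
            'None'      # nothing flowed: the intended state for a no-mailbox account
        }

        [pscustomobject]@{
            Name  = $Account.Name
            State = $state
            Set   = @($has.Keys | Where-Object { $has[$_] } | Sort-Object) -join ','
        }
    }
}

# Constructed sample objects (placeholder values, not taken from a real directory).
$sample = @(
    [pscustomobject]@{ Name = 'user01'; mailNickname = 'user01'; homeMDB = 'CN=DB01-placeholder'; msExchHomeServerName = 'server-placeholder' }
    [pscustomobject]@{ Name = 'ext01'; mailNickname = 'ext01'; targetAddress = 'SMTP:ext01@example.com' }
    [pscustomobject]@{ Name = 'admin03' }
    [pscustomobject]@{ Name = 'admin04'; mailNickname = 'admin04' }
)
$sample | Get-ExchangeProvisioningState | Format-Table -AutoSize

# Against a live directory (ActiveDirectory module; the OU path is a placeholder):
# Get-ADUser -SearchBase 'OU=admins,DC=domain,DC=com' -Filter * `
#   -Properties mailNickname, homeMDB, msExchHomeServerName, targetAddress |
#   Get-ExchangeProvisioningState | Where-Object State -ne 'None'
```

Any admin account reported as something other than `None` has picked up Exchange attributes from some flow and is worth reviewing in the sync rules.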