FIM service account permission during linked mailbox provisioning

  • Question

  • I have a FIM environment which provisions a cross-forest linked mailbox.

    When using a domain admin as the destination FIM MA service account, provisioning works fine.

    However, when using a FIM service account, provisioning fails with a corrupted mailbox.

    homeMDB is empty.

    A quick look into FIM event viewer shows the error: ExchangeGuid is mandatory on UserMailbox. Property Name: ExchangeGuid

    The service account has the following permission:

    Forest wide directory read only and replicating directory changes rights

    Full control for OUs involved in the provisioning

    Exchange Recipient management

    I tested logging in as the service account to create the linked mailbox manually and it works.

    Only after adding built-in domain\builtin administrators membership does the provisioning start to work again. However, customer requirements dictate that this is not allowed.

    May I know if I missed any additional permissions required for cross-forest mailbox provisioning.

    Thanks in advance!


    Thursday, March 26, 2015 11:23 AM

All replies

  • The permissions you outlined look right. Does this happen on all objects? Or only on objects in groups such as Account Operators or Domain Admins? If so then AdminSDHolder is your culprit. You will need to grant permissions to the AdminSDHolder object.

    If the issue is that the HomeMDB is empty after FIM provisions the object then the error could be in how you are generating that value in FIM. So double check the pending export -- is the value correct -- and double check that you can navigate to it using ADSI Edit. Normally, if the value is incorrect, i.e. it points to something that doesn't exist, you will get a reference attributes error message on export.

    Another possibility is you are pointing the HomeMDB to an existing object but it is one that doesn't exist on the MsExchHomeServer that you have configured for that mailbox. At least initially these values must cooperate.


    David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

    Wednesday, May 6, 2015 5:08 PM
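The reply above suggests two checks: whether the affected accounts are AdminSDHolder-protected (so OU-level delegation to the service account is overwritten by SDProp), and whether the exported homeMDB value actually points at an existing mailbox database. The following PowerShell is an added diagnostic example, not code from the thread; it assumes the RSAT ActiveDirectory module is available and that the account running it can read the user object and the Configuration partition. The function names, the sample account names and the `CONTOSO\svc-fim*` pattern are placeholders.

```powershell
# Added example (not from the original thread): check the two failure causes
# raised in the reply above, AdminSDHolder protection and an unresolvable homeMDB.
# Assumes the RSAT ActiveDirectory module; account names below are placeholders.
Import-Module ActiveDirectory

function Test-LinkedMailboxState {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # user in the Exchange (resource) forest
        [string] $Server                                   # optional DC / domain to query
    )
    $query = @{
        Identity   = $SamAccountName
        Properties = 'adminCount', 'homeMDB', 'msExchHomeServerName', 'msExchMailboxGuid'
    }
    if ($Server) { $query.Server = $Server }
    $user = Get-ADUser @query

    $state = [ordered]@{
        User                   = $user.DistinguishedName
        # adminCount = 1 means SDProp has stamped the AdminSDHolder ACL on this object,
        # so any delegation granted on the OU no longer applies to the FIM service account.
        AdminSDHolderProtected = ($user.adminCount -eq 1)
        HomeMdbSet             = -not [string]::IsNullOrEmpty($user.homeMDB)
        HomeMdbResolves        = $false
        # msExchMailboxGuid is the backing attribute for the ExchangeGuid the event log complains about.
        ExchangeGuidPresent    = ($null -ne $user.msExchMailboxGuid)
        HomeServerLegacyDN     = $user.msExchHomeServerName
    }

    if ($state.HomeMdbSet) {
        try {
            # homeMDB is a DN into the Configuration partition. If this lookup fails,
            # the value FIM exported does not point at a real mailbox database object.
            $lookup = @{ Identity = $user.homeMDB; ErrorAction = 'Stop' }
            if ($Server) { $lookup.Server = $Server }
            $null = Get-ADObject @lookup
            $state.HomeMdbResolves = $true
        } catch {
            $state.HomeMdbResolves = $false
        }
    }
    [pscustomobject]$state
}

function Get-AdminSDHolderAccess {
    # Lists the ACEs on the domain's AdminSDHolder object that match an identity pattern,
    # so you can confirm whether the service account has any rights there at all.
    param([Parameter(Mandatory)] [string] $IdentityPattern)   # e.g. 'CONTOSO\svc-fim*' (placeholder)
    $domainDn = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDn"
    $acl.Access |
        Where-Object { $_.IdentityReference -like $IdentityPattern } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType
}

# Usage (placeholder names):
# Test-LinkedMailboxState -SamAccountName 'jdoe' | Format-List
# Get-AdminSDHolderAccess -IdentityPattern 'CONTOSO\svc-fim*'
```

If `AdminSDHolderProtected` is true for exactly the accounts that fail, the fix is delegation on AdminSDHolder rather than on the OU (or removing the users from protected groups); if `HomeMdbSet` is false or `HomeMdbResolves` is false on all accounts, look at how the FIM sync rule builds the homeMDB value rather than at permissions.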
  • Hi,

    Can you please confirm whether you have set the required attributes as mentioned in the article below.

    https://msdn.microsoft.com/en-us/library/ms696051

    If not it could be the culprit.

    Regards

    Dhaya


    -Dhayanandh

    Tuesday, May 19, 2015 9:46 AM