Infrastructure design consideration - FimServiceAccount exchange mailbox domain

  • Question

  • Hi all, just wondering if any of you tried this. MS Support is pretty evasive when we ask.

    We have a domain where FIM is installed, Exchange is in the same domain, but because of a restriction in FIM 2010 R2, the FIM service account needs to be in another domain.

    Now, the FIM service account needs Exchange attributes for the approval buttons to work when using the Outlook 2010 add-in.

    The question is, could these approval buttons / group management work if the FIM service account is in another domain than the FIM installation?

    There is full forest trust between the two domains.

    Have any of you tried this? FIM installed in a domain where Exchange does exist, but the user account used for FIMService is in another forest?


    /Frederik Leed

    Thursday, June 20, 2013 1:20 PM

All replies

  • "but because of a restriction in FIM 2010 R2, the FIM service account needs to be in another domain. "

    I'm not aware of this restriction, can you clarify?


    CraigMartin – Edgile, Inc. – http://identitytrench.com

    Thursday, June 20, 2013 11:06 PM
  • Yes, most people are not, since it's a pretty rare use case.

    FIM 2010 R2 does not allow the domain NETBIOS name to contain a "." (DOT). FIM 2010 has no problem with this, but this was changed from 2010 to R2.

    Example:
    FQDN: net.domain.com
    NETBIOS: domain.dom

    Our domain has been around since NT4, where the DOT was allowed. It has not been allowed since Windows 2000.


    /Frederik Leed

    Friday, June 21, 2013 8:47 AM
  • Ugh, what a pain!

    "The question is, could these approval buttons / group management work if the FIM service account is in another domain than the FIM installation?"

    If the FIM Service service account is able to access the Exchange Web Services (EWS), then you should be in the clear.  I've used PowerShell to call EWS from the FIM Service computer to validate this before, since this is just what FIM does.  That validates a lot of the infrastructure used by FIM (network, firewall, EWS permissions for the FIM Service service account, etc.).  You could also just install it and look for the EWS errors in the Event Log (FIM is quite vocal when EWS can't be contacted).


    CraigMartin – Edgile, Inc. – http://identitytrench.com

    Friday, June 21, 2013 4:38 PM
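The validation Craig describes (call EWS from the FIM Service computer as the service account, then watch the FIM event log) written out as a script. This is an added example, not code from the thread, from Microsoft or from FIM itself. It assumes: the EWS URL is a placeholder you replace with your own Client Access endpoint; the DLL path is the default install location of the EWS Managed API 2.0, which is the library the FIM Service uses to send approval mail; and the event log name is the classic "Forefront Identity Manager" log that FIM 2010 R2 writes to. The point of running it in a session started as the cross-forest service account (rather than as yourself) is that the Kerberos/NTLM exchange then crosses the same forest trust the FIM Service will depend on, so a 401 here is a trust or permission problem, not an Exchange problem.

```powershell
# Added example (not from this thread). Start PowerShell as the FIM Service
# account on the FIM Service computer before running this, for example:
#   runas /user:OTHERFOREST\svc-fimservice powershell.exe
# so that the request crosses the forest trust exactly as the FIM Service will.

$EwsUrl        = 'https://mail.example.com/EWS/Exchange.asmx'   # placeholder, replace with your EWS endpoint
$EwsManagedApi = 'C:\Program Files\Microsoft\Exchange\Web Services\2.0\Microsoft.Exchange.WebServices.dll'  # default EWS Managed API 2.0 path

# --- 1. Confirm the session really runs as the (cross-forest) service account ---
"Running as: {0}" -f [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# --- 2. Raw HTTP probe with the logged-on account's credentials -----------------
# A connection error points at DNS/firewall; HTTP 401 means Exchange rejected the
# account's Kerberos/NTLM ticket (trust or permission); HTTP 200 means EWS accepted it.
try {
    $resp = Invoke-WebRequest -Uri $EwsUrl -UseDefaultCredentials -UseBasicParsing
    "EWS endpoint answered HTTP {0}" -f $resp.StatusCode
} catch {
    "EWS HTTP probe failed: {0}" -f $_.Exception.Message
}

# --- 3. Bind to the service account's own Inbox through the EWS Managed API ----
# FIM needs the service account to have a mailbox and EWS access to it; a
# successful Folder.Bind on the Inbox proves both in one call.
Add-Type -Path $EwsManagedApi
$version = [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP2
$service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService -ArgumentList $version
$service.UseDefaultCredentials = $true          # use the session's own identity, no stored password
$service.Url = New-Object System.Uri($EwsUrl)
try {
    $inboxName = [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox
    $inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($service, $inboxName)
    "Inbox bound OK; {0} items, {1} unread" -f $inbox.TotalCount, $inbox.UnreadCount
} catch {
    "EWS Folder.Bind failed: {0}" -f $_.Exception.Message
}

# --- 4. After FIM is installed: what did the FIM Service itself log? -----------
# EWS failures surface as errors in the "Forefront Identity Manager" event log.
# -ErrorAction SilentlyContinue keeps this harmless on a box where FIM is not yet installed.
Get-EventLog -LogName 'Forefront Identity Manager' -EntryType Error -Newest 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exchange|EWS|mailbox' } |
    Select-Object TimeGenerated, Source, Message |
    Format-List
```

Steps 1 to 3 can be run before FIM is installed, which is the cheap way to find out whether the cross-forest account can reach the mailbox at all; step 4 is Craig's second option, reading the errors FIM writes once it is in place. Keeping `UseDefaultCredentials` rather than embedding a password means the script never stores the service account's secret on disk.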