Managing Exchange 2000/2003/2007 with ILM 2007

All replies

  • Good work Carol.
    Thank you for your guide!
    Monday, November 9, 2009 5:12 PM
  • Hi,

    I need to check the check box "Manager can update membership list" of the DL and Security Group.

    Currently I am updating the "managedby" attribute in the AD export flow. How can I update the ntsecurityDescriptor to enable the check box "Manager can update membership list"?

    Friday, April 16, 2010 3:05 AM
  • In the euphoria that follows a bit of a breakthrough, I thought I'd post the following which led me to success with provisioning to Exchange 2010 using ILM 2007 SP1 (version 3.3.1139.2):

    1. This TechNet article entitled Deploy Exchange 2010 in a Cross-Forest Topology
    2. Knowledge that in addition to the normal AD cs attributes you need to set on provisioning (userPrincipalName, sAMAccountName, etc.) I needed to specify the following (do NOT use ExchangeUtils.CreateMailbox() etc!!!):
      • mailNickname (e.g. john.smith)
      • msExchHomeServerName (to determine what this should be follow the instructions on the above link and grab the string value returned from the Powershell script under ServerLegacyDN .. e.g. /o=MyDomain/ou=Exchange Administrative Group (XYZXYZXY99XYZXY)/cn=Configuration/cn=Servers/cn=MyExchangeServerBiosName)
      • homeMDB (the distinguished name of the database object from your AD configuration partition, e.g. CN=MyDatabaseName,CN=Databases,CN=Exchange Administrative Group (XYZXYZXY99XYZXY),CN=Administrative Groups,CN=MyExchangeServerBiosName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=MyDomain,DC=com)
    3. Note that the above list of attributes was what I used - looking at Carol's article she didn't specify msExchHomeServerName but did also specify mDBUseDefaults .. I had this commented out in my code, so I don't know if this would have made specifying the server name redundant (???)
    4. Knowledge that despite the list of prerequisites outlined in the above TechNet article, in particular "Make sure Windows PowerShell v1.0 isn't installed on this computer ...", I was still able to get provisioning working (and test the powershell connection) using Powershell 1.0 on the local ILM machine, but Powershell 2.0 (presumably) on the server specified in the URI of an Exchange 2010 Client Access server (i.e. http://CAS_Server_FQDN/Powershell)
    5. Ignoring (at least for now) the "Microsoft Identity Integration Server has detected a Microsoft Exchange version different from the one you have selected. Do you want to continue? If you believe this is in error, please re-enter forest credentials to run detection again." error I was getting in the AD MA configuration's "Configure Extensions" tab ... this appears to be pointing to another issue, and the KB981574 remedy, which I can indeed confirm (despite it seeming unrelated) fixes the high CPU usage problem I witnessed on a FIM 2010 Sync Server where Exchange 2010 provisioning was also happening.  I do intend to get this KB installed, but it doesn't prevent the mailbox provisioning from succeeding.

    Hopefully this helps someone else ... particularly the bit about the confusing warning in #5 above.

    Bob Bradley, www.unifysolutions.net (FIMBob?)
    Tuesday, March 8, 2011 5:09 AM
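
A provisioning rules extension that sets the attributes listed in the post above directly on the new AD connector, without ExchangeUtils, as an added example that is not part of the original post and is not Bob's code. The MA name, user container, UPN suffix and the use of the metaverse accountName attribute are assumptions; the server and database strings are the placeholder values from the post. It compiles against the Microsoft.MetadirectoryServices.dll that ships with ILM.

```csharp
using Microsoft.MetadirectoryServices;

namespace Mms_Metaverse
{
    public class MVExtensionObject : IMVSynchronization
    {
        // Assumed names (hypothetical): replace with your own MA name, OU and UPN suffix.
        const string AdMaName = "AD MA";
        const string UserContainer = "OU=Users,DC=MyDomain,DC=com";
        const string UpnSuffix = "@MyDomain.com";
        // Placeholder values copied from the post; use your own ServerLegacyDN and database DN.
        const string HomeServer = "/o=MyDomain/ou=Exchange Administrative Group (XYZXYZXY99XYZXY)/cn=Configuration/cn=Servers/cn=MyExchangeServerBiosName";
        const string HomeMdb = "CN=MyDatabaseName,CN=Databases,CN=Exchange Administrative Group (XYZXYZXY99XYZXY),CN=Administrative Groups,CN=MyExchangeServerBiosName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=MyDomain,DC=com";

        public void Initialize() { }
        public void Terminate() { }

        public void Provision(MVEntry mventry)
        {
            if (mventry.ObjectType != "person") return;

            ConnectedMA ma = mventry.ConnectedMAs[AdMaName];
            // Provision only once, and only when a name to build the DN from exists.
            if (ma.Connectors.Count > 0) return;
            if (!mventry["accountName"].IsPresent) return;

            string account = mventry["accountName"].Value;
            ReferenceValue dn = ma.EscapeDNComponent("CN=" + account).Concat(UserContainer);

            CSEntry csentry = ma.Connectors.StartNewConnector("user");
            csentry.DN = dn;
            // The normal AD attributes set on provisioning.
            csentry["sAMAccountName"].Value = account;
            csentry["userPrincipalName"].Value = account + UpnSuffix;
            // The Exchange attributes from the post, set as plain initial values.
            csentry["mailNickname"].Value = account;
            csentry["msExchHomeServerName"].Value = HomeServer;
            csentry["homeMDB"].Value = HomeMdb;
            csentry.CommitNewConnector();
        }

        public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
        {
            throw new EntryPointNotImplementedException();
        }
    }
}
```
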
  • Bob - have you seen this article? http://technet.microsoft.com/en-us/magazine/ff472471.aspx It includes the extra attributes needed for Exch 2010. My article only dealt with versions up to 2007 so that's why the homeServer attribute was missing - it's a new requirement.

    One thing the article doesn't mention is that it could be better to do the update-recipient part outside of ILM/FIM if you're in the process of migrating and have users on both Exch 2010 and earlier versions. In this case this simple powershell cmdlet, run after an export to AD, can pick up the newly created Exch 2010 users that need a mailbox:

    get-user -resultsize unlimited | where {$_.RecipientTypeDetails -eq 'LegacyMailbox'} | update-recipient

    Tuesday, March 8, 2011 10:45 AM
  • Yes Carol - I did see that article thanks, but note that it uses the ExchangeUtils ... and I have always been told you don't really need this, and that's proven to be the case.  It would be nice to have a consolidated article on all versions, but then you'd be rewriting these forever wouldn't you :).  I realized your article was only up to 2007, but wasn't aware of the changed minimum requirements (considering that the ExchangeUtils doco in ILM2007 FP1 SP1 hasn't changed on my server) ... I should read the above article more thoroughly shouldn't I? ("... you’ll need to add an attribute flow for the msExchHomeServerName attribute ...")
    Bob Bradley, www.unifysolutions.net (FIMBob?)
    Tuesday, March 8, 2011 2:09 PM