ILM2 RC0 – Provisioning Exchange 2007 Users

This post builds on yesterday’s, which should be read first. Following are the extra Sync Rule and MA configurations I made to add Exchange 2007 support.

Workflow

I have changed yesterday’s Workflow a little so that it now uses “Based on attribute value” as the Action selection. This seems to give me more control over where the sync rule is applied.

Synchronization Rule

The following table shows the configuration of my sync rule.

Destination          Source                                          Initial  Existence
sAMAccountName       accountName
userPrincipalName    accountName + “@mydomain.local”
givenName            firstName
sn                   lastName
department           department
displayName          displayName
mailNickname         mailNickname
dn                   “CN=” + accountName                             yes
                       + “,OU=Users,OU=MyOrg,dc=mydomain,dc=local”
employeeID           employeeID                                      yes      yes
unicodePwd           “Password01”                                    yes
userAccountControl   512                                             yes
homeMDB              “CN=” + mailDatabase                            yes
                       + “,CN=” + mailStorageGroup
                       + “,CN=InformationStore,CN=” + mailServer
                       + “,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),
                          CN=Administrative Groups,CN=First Organization,
                          CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=local”

“Initial” marks a flow that is applied only when the object is first created in AD (Initial Flow Only); “Existence” marks the attribute the rule uses to recognise an AD object it has already provisioned (Use as Existence Test). The userAccountControl value 512 is NORMAL_ACCOUNT with the account enabled. Two things to be aware of before copying the unicodePwd row: AD only accepts writes to unicodePwd over an encrypted connection, so the AD MA needs LDAP over SSL to the domain controller; and because the value is a fixed string, every new account starts with the same known password, so in production generate it per user, or at least force a change at first logon.

Note that I have used a number of custom attributes to construct the homeMDB. Apart from this being a more flexible approach, I actually got an “unexpected-error” in MIIS when I hard-coded the entire homeMDB string. For the RC0 documentation on modifying the schema see here.
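As an added example (not code from the post), here is a stand-alone Python model of what the sync rule in the table produces for one user, plus the pre-export checks a practitioner would want: that the DN and homeMDB are well formed, that sAMAccountName is something AD will accept, and that userAccountControl really describes an enabled normal account. The class and function names and the sample user are assumptions made for this example; the attribute names, the fixed DN pieces and the value 512 come from the table above. It also escapes the RDN values, which the declarative rule does not do: an accountName containing a comma or an equals sign would otherwise produce a DN that points at a different container or fails to export.

```python
# Added example, not code from the original post: a stand-alone model of what the
# outbound synchronization rule above computes for one metaverse user, with the
# pre-export checks a practitioner would want. Function/class names and the sample
# values are assumptions for this example; attribute names and DN layout are the post's.
from dataclasses import dataclass

# RFC 4514 characters that must be escaped inside an RDN value; the declarative rule
# concatenates accountName unescaped, so a ',' or '=' in it changes what the DN means.
_RDN_SPECIAL = ',+"\\<>;='
_SAM_FORBIDDEN = '"/\\[]:;|=,+*?<>'   # characters AD rejects in sAMAccountName
USERS_OU = "OU=Users,OU=MyOrg,dc=mydomain,dc=local"
UPN_SUFFIX = "@mydomain.local"
EXCHANGE_SERVERS_DN = (  # fixed tail of every Exchange 2007 mailbox database DN here
    "CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),"
    "CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,"
    "CN=Services,CN=Configuration,DC=mydomain,DC=local"
)
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200   # 512, the value the rule flows
# Flows the rule marks "Initial": applied only when the AD object is created.
INITIAL_ONLY = {"dn", "employeeID", "unicodePwd", "userAccountControl", "homeMDB"}

def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use after 'CN=' in a DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        needs_escape = (ch in _RDN_SPECIAL
                        or (ch == " " and i in (0, last))
                        or (ch == "#" and i == 0))
        out.append("\\" + ch if needs_escape else ch)
    return "".join(out)

def split_dn(dn: str) -> list:
    """Split a DN into its RDN strings, honouring backslash escapes."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\":            # escaped pair: copy both characters verbatim
            cur, i = cur + dn[i:i + 2], i + 2
        elif dn[i] == ",":
            parts, cur, i = parts + [cur], "", i + 1
        else:
            cur, i = cur + dn[i], i + 1
    return parts + [cur]

@dataclass
class MetaverseUser:
    accountName: str
    firstName: str
    lastName: str
    department: str
    displayName: str
    mailNickname: str
    employeeID: str
    mailDatabase: str
    mailStorageGroup: str
    mailServer: str

def build_export(u: MetaverseUser, object_exists: bool = False,
                 initial_password: str = "Password01") -> dict:
    """Evaluate the rule's outbound flows. On an update (object_exists=True) the
    Initial-only flows are skipped, so the static password is never re-applied."""
    attrs = {
        "sAMAccountName": u.accountName,
        "userPrincipalName": u.accountName + UPN_SUFFIX,
        "givenName": u.firstName,
        "sn": u.lastName,
        "department": u.department,
        "displayName": u.displayName,
        "mailNickname": u.mailNickname,
        "dn": "CN=" + escape_rdn_value(u.accountName) + "," + USERS_OU,
        "employeeID": u.employeeID,
        "unicodePwd": initial_password,
        "userAccountControl": UAC_NORMAL_ACCOUNT,
        "homeMDB": ("CN=" + escape_rdn_value(u.mailDatabase)
                    + ",CN=" + escape_rdn_value(u.mailStorageGroup)
                    + ",CN=InformationStore,CN=" + escape_rdn_value(u.mailServer)
                    + "," + EXCHANGE_SERVERS_DN),
    }
    if object_exists:
        attrs = {k: v for k, v in attrs.items() if k not in INITIAL_ONLY}
    return attrs

def check_export(attrs: dict) -> list:
    """Problems worth catching before the export run, as a list of messages."""
    problems = []
    sam = attrs["sAMAccountName"]
    if len(sam) > 20:
        problems.append("sAMAccountName exceeds the 20-character limit")
    if any(ch in _SAM_FORBIDDEN for ch in sam):
        problems.append("sAMAccountName contains a character AD rejects")
    uac = attrs.get("userAccountControl", UAC_NORMAL_ACCOUNT)
    if uac & UAC_ACCOUNTDISABLE or not uac & UAC_NORMAL_ACCOUNT:
        problems.append("userAccountControl is not an enabled normal account")
    if "homeMDB" in attrs and not attrs["homeMDB"].endswith("," + EXCHANGE_SERVERS_DN):
        problems.append("homeMDB is not under the Exchange Servers container")
    return problems

if __name__ == "__main__":   # constructed sample user, not data from the post
    demo = MetaverseUser("jsmith", "Jane", "Smith", "Finance", "Jane Smith", "jsmith",
                         "E1001", "Mailbox Database", "First Storage Group", "EXCH01")
    print(build_export(demo)["homeMDB"], check_export(build_export(demo)))
```

The escaping and the sAMAccountName check go a little beyond the post: the rule as written trusts accountName completely, so a value such as “smith, jane” is caught here rather than becoming a malformed DN at export time. Running the same user through build_export with object_exists=True shows the practical meaning of the Initial column: dn, homeMDB, employeeID, userAccountControl and unicodePwd drop out, and only the ordinary attribute updates remain.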

MA Configuration

The configuration of the ILM MA is as I covered yesterday – you just need to make sure you have all the import flow rules in place to get the necessary data into the metaverse – not forgetting the ExpectedRulesList.

The AD MA should not need any classic flow rules, as you’ve configured everything you need in the Synchronization Rule object. You do need to tick “Enable Exchange 2007 provisioning” on the Extensions page.

Exchange Management Tools

And, just like with ILM 2007, you need to have installed the Exchange Management Tools on the ILM server.

Here’s one I prepared earlier

Here’s what a provisioned user looked like just prior to exporting him from the AD MA.

Immediately after exporting I was able to login as this user, open Outlook, and send an email. Hooray!

Another nice surprise: as I had gone through the Password Reset and Registration configuration, and had already installed the ILM client on this workstation, the user was immediately prompted to register for password reset! Now that I do like.

About: Carol

I've been doing IT for 30 years, and IdM for 15. I live in Australia and build IdM solutions based on Microsoft Identity Manager. I also play the violin, but that doesn't help much with the IdM solutions.


9 thoughts on “ILM2 RC0 – Provisioning Exchange 2007 Users”

  1. Carol,
    I have ILM “2” RC and out-of-the-box AD User and Exchange 2007 provisioning work fine. Sometime I have new users whose mailbox must be created on Exchange 2003. With the existing set up, the AD User account still gets created but mailbox creation (of course) fails.

    How should I proceed to add mailbox to these newly created AD Users who’re missing Exchange 2003 mailboxes? Do I need an extensible MA to incorporate your “Adding Exchange 2003 Mailboxes to Existing Accounts”? Please advise.

    Thanks.
    Anu

  2. Hi Anu,

    this is not actually something I’ve done, but whatever the answer is, it is likely to be the same as for ILM 2007. I am guessing you would need a separate MA to provision the Exch 2003 users, but a normal AD MA should be fine – just don’t tick the Exch 2007 support.

    As long as you can make two distinct sets that differentiate between the two types of users you should be ok. Good luck.

  3. How did you provision the userPrincipalName with the rule above? I keep getting an unexpected error when I try to import and synchronize an outbound synchronization rule comparable to what you have above with the following outbound attribute flow:

    accountName+ “@mydomain.local”=userPrincipalName

  4. Exactly like that, though you don’t use the quotes when you enter the string – which I’m sure you’ve figured out.

    Are you certain it is that rule that is causing the error? What other rules have you got? One way to get started is to make a sync rule that doesn’t do any provisioning and add one rule at a time. Then when that is working properly tick the “Create in connected system” option and choose your Initial attributes. DN has to be an initial attribute, but userPrincipalName doesn’t.

    These unexpected errors are a complete pain – I hope RC1 will be better.

  5. Hi,

    Since I’m a newbie with this product (RC1), would it be possible to explain to me step-by-step how to set up e.g. the mailDatabase extended attribute? I’d really like to enable Exchange 2007 provisioning in FIM RC1 and I can’t find any reasonable instructions on how to build custom attributes so they are available when I’m creating a New Attribute Flow.

    I’ve managed to create attributes and bind them, but those attributes are not available.

  6. Hi Carol,
    thanks for helping me last time, I am back again with 2 questions:
    – If I want to use glasync in FIM 2010, are there any guides, or shall I configure it the way we did in ILM 2007?
    – I have asked on the forums about provisioning a shared folder for the user. How can we do that in ILM? Do you have any clues? I am thinking about using an extension rule (I don’t know if it will be a metaverse or MA extension – can you explain the difference for me – that will be executed after the export is completed). Do you have any guidelines?

  7. Thanks carol,
    After googling I found your post. We are implementing the code and we will see how things go.
