Provisioning Exch 2010 when you’ve still got Exch 2007

At one of my customers we’ve started provisioning all new users directly to Exchange 2010, while the old users are being progressively migrated from Exchange 2007. I modified the provisioning code for Exchange 2010 (basically just adding the msExchHomeServerName attribute as explained in this doc) and new users and mailboxes were created just fine.

What I didn’t expect was that this would break password sync.

When you have the Exchange 2007 or Exchange 2010 provisioning option enabled on the AD MA, the Update-Recipient cmdlet is run after every export – apparently even when the update has nothing to do with mail attributes. When the user is still on Exchange 2007, but you’ve enabled Exchange 2010 provisioning, this cmdlet causes an error. Unfortunately if the AD is also a password sync target the behaviour is worse – it actually crashes the miiserver.exe process!

I have put the following workaround in place until all users are migrated to Exchange 2010:

  • I’ve left the provisioning code configured for Exchange 2010 provisioning – this populates the necessary attributes.
  • I’ve set the MA’s Exchange option to “No provisioning”.
  • I run the following PowerShell command from a scheduled task to complete the process of creating the mailboxes:

Get-User -ResultSize Unlimited | Where-Object { $_.RecipientTypeDetails -eq 'LegacyMailbox' } | Update-Recipient
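
A scheduled task gives no feedback when one account fails, so the version below wraps the same command with per-user error handling and a log file. It is an added example, not the script used at the customer; the log path is hypothetical, and it assumes the task runs on a machine with the Exchange 2010 management tools installed.

```powershell
# Added example: the one-liner above, with logging and per-user error handling.
# Assumed: $LogFile path (hypothetical) and locally installed Exchange 2010 tools.
$LogFile = 'C:\Scripts\Logs\Update-LegacyMailbox.log'
New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null

function Write-Log([string]$Message) {
    # Timestamped line, so failures can be matched against sync run history
    Add-Content -Path $LogFile -Value ('{0:u} {1}' -f (Get-Date), $Message)
}

# A scheduled task starts plain PowerShell, so load the Exchange 2010 cmdlets
$snapin = 'Microsoft.Exchange.Management.PowerShell.E2010'
if (-not (Get-PSSnapin -Name $snapin -ErrorAction SilentlyContinue)) {
    Add-PSSnapin $snapin -ErrorAction Stop
}

# Same filter as the one-liner: users whose mailbox has not been completed yet
$pending = @(Get-User -ResultSize Unlimited |
    Where-Object { $_.RecipientTypeDetails -eq 'LegacyMailbox' })
Write-Log "Found $($pending.Count) LegacyMailbox user(s)"

$failed = 0
foreach ($user in $pending) {
    try {
        # -ErrorAction Stop turns a cmdlet error into an exception we can log,
        # and one bad account no longer hides the result for the rest
        Update-Recipient -Identity $user.DistinguishedName -ErrorAction Stop
        Write-Log "OK   $($user.DistinguishedName)"
    }
    catch {
        $failed++
        Write-Log "FAIL $($user.DistinguishedName): $($_.Exception.Message)"
    }
}

Write-Log "Done: $($pending.Count - $failed) updated, $failed failed"
# Non-zero exit code shows up as the task's last run result
if ($failed -gt 0) { exit 1 }
```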

About: Carol

I've been doing IT for 30 years, and IdM for 15. I live in Australia and build IdM solutions based on Microsoft Identity Manager. I also play the violin, but that doesn't help much with the IdM solutions.

