The article covers various management tasks you can acheive with the standard AD MA, including provisioning and updating of users, mailboxes, contacts and distribution groups. There are quite a few code samples as well.<\/p>\n
Managing Exchange 2000\/2003\/2007 with ILM 2007<\/h2>\n
This article covers the management of Exchange-enabled objects using the native Active Directory Management Agent that is included with ILM 2007 FP1.<\/p>\n
The managed object types discussed are Users, Contacts, Groups and Dynamic Distribution Lists. The article also covers the special cases of adding mailboxes to existing accounts, and supporting a Resource Forest. Where extra steps are required for Exchange 2007 this has been highlighted.<\/p>\n
It is assumed that the reader is comfortable with the concepts of Provisioning code and Advanced attribute flow rules.<\/p>\n
Permissions<\/h2>\n
The service account used in the connection properties of the Management Agent must have sufficient rights to execute the required changes in AD.<\/p>\n
Typically a Domain Admin account will be used, but if this is not permitted in your environment you will need to do some testing. The minimum permissions required are:<\/p>\n
- \n
- Replicate Directory Changes<\/a><\/li>\n
- Rights to create\/delete\/modify objects in the specific OUs<\/li>\n
- Exchange Administrator (2003) or Exchange Recipient Administrator (2007)<\/li>\n<\/ul>\n
\u00c2\u00a0<\/p>\n
Users<\/h2>\n
Provisioning Mail Users<\/h3>\n
Exchange 2000\/2003<\/h4>\n
Provisioning a mail user is most simply done using the CreateMailbox<\/a> method of the ExchangeUtils<\/a> class. This method will create a new user account, and populate the necessary mail attributes for you.<\/p>\n
See the code sample Create a User with a Mailbox<\/span> at the end of this document for an example of the provisioning code.<\/p>\n
Mixed Exchange 2003 and 2007<\/h4>\n
In a mixed environment the RUS still runs so Exchange 2003 methods may be used. Make sure that you do not<\/strong> tick the \u00e2\u20ac\u0153Enable Exchange 2007 provisioning\u00e2\u20ac\u009d box in the Management Agent configuration.<\/p>\n
Exchange 2007<\/h4>\n
The same code will work when provisioning to Exchange 2007, however there are some extra requirements for the ILM server:<\/p>\n
- \n
- ILM 2007 FP1 or later<\/li>\n
- Powershell<\/li>\n
- Exchange 2007 Management Tools<\/li>\n
- Latest rollup packs on Exchange and ILM servers<\/li>\n<\/ul>\n
In addition you must tick Enable Exchange 2007 provisioning on the Extensions tab of the Management Agent.<\/p>\n
Adding a Mailbox to an existing User<\/h4>\n
Sometimes you may need to create a mailbox for an existing account. As the account already exists this is not actually a provisioning task, and is therefore handled with export flow rules.<\/p>\n
All you need to do is to populate the following attributes, in addition to the basic user attributes:<\/p>\n
- \n
- displayName \u00e2\u20ac\u201c if not already set<\/li>\n
- mailNickname \u00e2\u20ac\u201c with the local part of the email address (the bit before the \u00e2\u20ac\u0153@\u00e2\u20ac\u009d)<\/li>\n
- homeMDB \u00e2\u20ac\u201c with the DN of the mail store<\/li>\n
- mDBUseDefaults \u00e2\u20ac\u201c set to \u00e2\u20ac\u0153True\u00e2\u20ac\u009d to use the default quota settings<\/li>\n<\/ul>\n
\u00c2\u00a0<\/p>\n
Special Mailbox Types<\/h3>\n
Exchange 2007 includes some extra mailbox types:<\/p>\n
- \n
- Room Mailbox,<\/li>\n
- Equipment Mailbox,<\/li>\n
- Linked Mailbox.<\/li>\n<\/ul>\n
The Linked Mailbox is covered in the Resource Forest<\/span> section below.<\/p>\n
The Room and Equipment mailboxes are currently not supported by ILM 2007 provisioning. The only reliable method is to create a User Mailbox using ILM 2007, and then use the set-mailbox cmdlet to change the mailbox type.<\/p>\n
Troubleshooting<\/h4>\n
Export Errors<\/h5>\n
The most common problems with provisioning Exchange users will relate to permissions. Make sure that the account used by the MA to connect to AD has permission to create Exchange users. Also make sure you have the latest service packs and rollups on the Exchange and ILM servers \u00e2\u20ac\u201c at least SP1 RU9.<\/p>\n
Where\u00e2\u20ac\u2122s the Mailbox?<\/h5>\n
Exchange does not create the actual mailbox until it is opened or something is sent to it, therefore it is completely normal for no new mailboxes to be listed directly after the ILM export.<\/p>\n
To confirm if the user is really mail-enabled:<\/p>\n
- \n
- In Exchange 2003, check that the user\u00e2\u20ac\u2122s Exchange tabs have appeared in the Exchange-enhanced version of AD Users & Computers.<\/li>\n
- In Exchange 2007, use the get-user cmdlet to confirm the user\u00e2\u20ac\u2122s object type is \u00e2\u20ac\u0153UserMailbox\u00e2\u20ac\u009d, or check that they appear as a Recipient in the Management Console.<\/li>\n<\/ul>\n
\u00c2\u00a0<\/p>\n
Exchange 2007 and Global Catalog targeting<\/h5>\n
There is a known problem with Exchange 2007 provisioning and AD replication delays. On the MA\u00e2\u20ac\u2122s Configure Directory Partitions tab you can hard-code the name of a preferred domain controller. Enter the name of the nearest Global Catalog to ensure that both the user creation and the mailbox creation are performed in the same place.<\/p>\n
![\"note\"](\"http:\/\/apfhrw.bay.livefilestore.com\/y1pCed6u9dxDV3LOdzgtYt8xFaDWmIf_thMiOiFb3SmUARdxwIei5b6sPCHGruZWYphrJEU8j2BZEd51ZoAkp_ONkG8moMODvLC\/Note.gif\")
Note<\/th>\n<\/tr>\n