Saturday, February 27, 2010

FIM 2010 - Exchange 2010 provisioning made easy with RC1 update 3!

One month ago, FIM RC1 - update 3 was released. Among its various improvements, there is now an official capability for Exchange 2010 provisioning. Before this update, an easy method only did exist for Exchange 2007 mailbox provisioning. Sure with some tricks and a lot of patience, it was also possible to provision Exchange 2010 mailboxes, but it was not really straight forward.

In that post we will see how to provision Exchange 2010 user mailboxes. And we will discover how easy it actually is!



1/ Management tools
When we wanted to provision Exchange 2007 mailboxes, we had to install Exchange 2007 Management Tools on the FIM Sync server. A nice surprise is that there is no such need for Exchange 2010, since the interfacing between the FIM Sync service and the Exchange servers are made using powershell calls over https.

2/ FIM Sync server settings

- launch the Synchronization Service Manager program
- Tools > Options
- then configure the options as shown on the following picture:

- then on the Active Directory Management Agent which will be used for Exchange 2010 provisionning, go to Configure Extensions.

- set "Provision for:" as "Exchange 2010"
- below enter the exchange 2010 RPS URI (something like http://FQDN/powershell )

- then validate


3/ Exchange servers settings
-
the AD user account used for the AD management account which you want to use to provision mailboxes has to own some priviledges on the Exchange infrastructure.
- navigate to the exchange control panel (ECP): http://FQDN/ecp
- Admin Role Groups > Organization Management
- Add the FIM ADDS MA to the "Organization Management Group" (a group with less permissions could also work, but don't have time to check this out, since I am no Exchange 2010 expert. I guess just the permission to create mailbox would be enough)

4/ Synchronization rule
For the sync rule used to initially create or to update AD users, you have to define an Outbound flow for the following AD objects attributes:
- MailNickName
- msExchHomeServerName
- homeMDB

Please note the last two values depends on the exchange 2010 server and database to which you want to create the user mailbox.
If you don't feel comfortable with this, I advise you to get some informations from the Exchange 2007 provisioning with FIM 2010 RC0 webpage.


5/ Done!
-
in order to check if your MPR, Workflow, and sync rule related to provisioning Exchange 2010 user mailboxes works, do the necessary stuff in order for the previously configured sync rule to apply.
- Then after the synchronization process you defined is done, logon as the user you just created
- open Outlook


3 comments:

  1. Good tutorial, Fabien.
    Did you test if these configurations for provisioning (new) mailbox will also work for enabling (attaching) mailbox to an existing AD account? And, what's your take on "calculating" database name to find home for the new mailbox in Exchange 2010, wonder if one should use provisioning rules or do it up front with some type of lookup/webservice utility.
    -Anu Melkote

    ReplyDelete
  2. Hi anu, in my environment there was only one Exchange 2010 server.
    That's why the choice of the mailbox database and home was not hard: i just checked the values of already provisioned AD user accounts (using the mmc snapin "Active Directory Users and Computers" > View > Advanced features. Right click on a provisioned user > properties > attributes)

    If you have several mb databases, the dataflow for the homeMDB and msExchHomeServerName of your synchronization rule could be an IF based on a condition you would have to define.

    I did test that rule for:
    - new users
    - already existing users.

    Concerning your very last question about wether to use the synchronization rules capabilities or something else, I believe synchronization rules are a way easier. Plus nothing prevents you from triggering a synchronization rule execution from a program on your own, communicating with the FIM engine thanks to web-services.
    But it is a good start to use the FIM portal to check this out.

    Cheers.

    ReplyDelete
  3. Fabien,
    This is a great article, do you think its possible to use fim to create a linked mailbox ?

    Thanks

    ReplyDelete