FIM 2010 with Exchange 2010 Configuration for provisioning

FIM 2010 with Exchange 2010 Configuration for provisioning

FIM 2010 can help provision users account while creating Exchange 2010 mail account. With this process below, we will see how FIM 2010 can create Exchange mailboxes when accounts are created in FIM 2010.

FIM Synchronization Service Manager:

In FIM 2010 Synchronization Service make sure to enable Exchange 2010 Rule Extension:

Select Tools > Options

Check the Enable metaverse rules extension

Select Browse and select Exch2010Extenstion.dll (See Below):

Then in the FIM AD MA make sure to configure the extension:

Select the Configure Extension

Select the drop down Provision for: and select Exchange 2010.

In the Exchange 2010 RPS URI put in : http://<the cas server name>/Powershell. Make sure the powershell web site is enabled for this extension to work.

Exchange 2010 Configuration:

After we have this configured, we need to make sure that an account can create mailboxes in Exchange. In exchange make sure the domain FIM sync account as the proper administrative rights to create mailboxes. Test the account by updating an account and providing them a mailbox. If the FIM sync account can’t create or update a mailbox then the permissions are incorrect.

FIM 2010 Service and Portal:

In the FIM Portal, the synchronization rule outbound will need to be configured for creating the mailbox in Exchange. We do this by updating the MS Exchange attributes in AD. Below is how we configure this rule.

Navigate to the FIM Portal

Select Administration > Synchronization Rules.

Select the outbound rule that has been created for users. If this is not created you must create an outbound rule for AD users.

On the AD Synchronization rule select the Outbound Attribute flow.

Create the five outbound attribute flows below with Initial Flow Only:

1. /o=/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=-> MSEXCHANGEHOMEServerName

2. CN=Default Role Assignment Policy,CN=Policies,CN=RBAC,CN=DomainName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DomainName,DC=Com->  MSExchangeRBACPolicyLink

3. CN=<servername of home MDB>,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=DomainName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DomainName,DC=Com ->HomeMDB

If you have multiple databases for HomeMDB you can create a random number to be created for each database. Lets say there are 8, in the attribute flow add the function for the HomeMDB: CN=RandomNum(1,8)

4.  .domainname-> userprincipalName
Example: tester.testdomain.org

5. true -> MDBUseDefaults

Additional attributes that need created for a user are the useraccountcontrol and UnicodePswd. These are needed to create an account in AD. If these attributes are not set please do them so you can get the account created in AD.

Final steps:

1. Create an account in the FIM 2010 Portal

2. Synchronize the FIM MA

3. Export the FIM AD MA

4. Check the attributes in AD

5. Logon with the new account in Outlook or Outlook Web.

Overview:

As you can see it is not difficult to configure FIM 2010 to create mail accounts in Exchange 2010. The process below can reduce administration in AD and Exchange by allowing FIM to control the account creation for AD and Exchange mail account.

Thanks,
Active Directory and Identity and Access Management Principal Engineer
Nathan Mertz | Bennett Adelson | Columbus