Bennett Adelson Technical Blog

Bennett Adelson Technical Blog

FIM 2010 with Exchange 2010 Configuration for provisioning


FIM 2010 with Exchange 2010 Configuration for provisioning

FIM 2010 can help provision users account while creating Exchange 2010 mail account. With this process below, we will see how FIM 2010 can create Exchange mailboxes when accounts are created in FIM 2010.

FIM Synchronization Service Manager:

In FIM 2010 Synchronization Service make sure to enable Exchange 2010 Rule Extension:

Select Tools > Options

Check the Enable metaverse rules extension

Select Browse and select Exch2010Extenstion.dll (See Below):

Then in the FIM AD MA make sure to configure the extension:

Select the Configure Extension

Select the drop down Provision for: and select Exchange 2010.

In the Exchange 2010 RPS URI put in : http://<the cas server name>/Powershell. Make sure the powershell web site is enabled for this extension to work.

Exchange 2010 Configuration:

After we have this configured, we need to make sure that an account can create mailboxes in Exchange. In exchange make sure the domain FIM sync account as the proper administrative rights to create mailboxes. Test the account by updating an account and providing them a mailbox. If the FIM sync account can’t create or update a mailbox then the permissions are incorrect.

FIM 2010 Service and Portal:

In the FIM Portal, the synchronization rule outbound will need to be configured for creating the mailbox in Exchange. We do this by updating the MS Exchange attributes in AD. Below is how we configure this rule.

Navigate to the FIM Portal

Select Administration > Synchronization Rules.

Select the outbound rule that has been created for users. If this is not created you must create an outbound rule for AD users.

On the AD Synchronization rule select the Outbound Attribute flow.

Create the five outbound attribute flows below with Initial Flow Only:

1. /o=/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=-> MSEXCHANGEHOMEServerName

2. CN=Default Role Assignment Policy,CN=Policies,CN=RBAC,CN=DomainName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DomainName,DC=Com->  MSExchangeRBACPolicyLink

3. CN=<servername of home MDB>,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=DomainName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DomainName,DC=Com ->HomeMDB

If you have multiple databases for HomeMDB you can create a random number to be created for each database. Lets say there are 8, in the attribute flow add the function for the HomeMDB: CN=RandomNum(1,8)

4.  .domainname-> userprincipalName
Example: tester.testdomain.org

5. true -> MDBUseDefaults

Additional attributes that need created for a user are the useraccountcontrol and UnicodePswd. These are needed to create an account in AD. If these attributes are not set please do them so you can get the account created in AD.

Final steps:

1. Create an account in the FIM 2010 Portal

2. Synchronize the FIM MA

3. Export the FIM AD MA

4. Check the attributes in AD

5. Logon with the new account in Outlook or Outlook Web.

Overview:

As you can see it is not difficult to configure FIM 2010 to create mail accounts in Exchange 2010. The process below can reduce administration in AD and Exchange by allowing FIM to control the account creation for AD and Exchange mail account.

Thanks,
Active Directory and Identity and Access Management Principal Engineer
Nathan Mertz | Bennett Adelson | Columbus

4 Comments

  1. Hi,
    Thanks for the article. One thing though – first step is not needed.

    You wrote to “Check the Enable metaverse rules extension, Select Browse and select Exch2010Extenstion.dll”. This is unnecessary and in fact does not have any meaning as Exch2010Extensioin.dll doesn’t include any class implementing IMVSynchronization interface. You can safely skip this step.

    So if you have your dll extending IMVSynchronization interface and want to provision to Exchange – don’t worry it will work all right without any changes in dll.

  2. Gnana

    User not getting provisioned to AD, pending export is there, even if i run Export on ADMA.
    CN missing attribute was there when validating, but when i define CN value, it disappears, but user not provisioned.

  3. Hei_G

    Hello,
    great article. I have multiple DB (MDB1. MDB2) How can I that with the random number set to?

  4. Shashidhar Joliholi

    i have tried above solution… but no luck

Leave a Reply or Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: