FIM Reference: Configuring Exchange 2010 Provisioning
Overview
This document provides guidance on setting up and configuring a Global Address List Synchronization (GALSync) solution that provisions mail-enabled contact objects to a Microsoft Exchange 2010 forest. Several key prerequisites must be in place before you configure the GALSync solution so that it can work with the Microsoft Exchange 2010 forest.
Note that while this document focuses on a Global Address List Synchronization (GALSync) solution, the same prerequisites are needed for any solution where you use an Active Directory Management Agent to export to Microsoft Exchange 2010 to create and update mailboxes, mail-enabled users, or mail-enabled contacts.
Which Identity Product do you have installed?
The first step is to understand which Identity Management product you currently have installed. This is important because only certain Identity Management products are designed to work with Microsoft Exchange 2010 out of the box (OOB).
IIFP / MIIS 2003 / ILM 2007 RTM
These products were all released before Microsoft Exchange Server 2010 and were not designed to work with Microsoft Exchange 2010 out of the box (OOB). You may be able to customize the management agents and get them to at least export the mail-enabled contact object to Active Directory. However, you will not be able to see it in the GAL.
You may consider reviewing the following Microsoft Knowledge Base Article where we discuss using these products to export to Microsoft Exchange 2007. The PowerShell CMDLETs exist on Microsoft Exchange 2010, and you may be able to utilize them to help.
ILM 2007 Feature Pack 1
This product is not designed to work with Microsoft Exchange 2010 Out of the Box (OOB). You will need to upgrade to Identity Lifecycle Manager 2007 Feature Pack 1 Service Pack 1 (3.3.1139.2).
ILM 2007 FP1 SP1 / FIM 2010 / FIM 2010 R2
These products have been designed to work with Microsoft Exchange 2010 Out of the Box (OOB). On the Configure Extensions Tab of the Management Agent properties, you will see a drop down to determine the type of Exchange Provisioning. In that drop down, you will have the option to select Exchange 2010.
You will be required to enter the URI. The URI is the path to the Exchange 2010 Client Access Server (CAS) where the Exchange PowerShell CMDLETs are installed.
Prerequisites
Windows PowerShell v2
Windows PowerShell v2 is required to be installed on the Synchronization Service Machine.
Microsoft Exchange 2003 contained a service known as Recipient Update Services (RUS). The RUS was removed in Microsoft Exchange 2007 and remains absent in Microsoft Exchange 2010. An Exchange PowerShell CMDLET called Update-Recipient was created by the Exchange Product Group to update the exported objects with all necessary Exchange-related attributes. For Exchange 2010 Provisioning in a GALSync Solution, we call Update-Recipient remotely using WinRM. You can download Windows PowerShell v2 and WinRM from here.
GALSync User Permissions
The GALSync User account will require some special permissions for Exchange 2010 provisioning.
For Exchange 2010 Provisioning, the GALSync User will need to be a member of the Exchange Organization Administrators Group. For additional information on permissions, review the Permissions for GALSync User MA User Account document on the GALSync Resource Wiki.
URI to Client Access Server (CAS)
This is not really a prerequisite, as much as it is a requirement for Exchange 2010 Provisioning. I have it listed as a prerequisite because it would be good to know this information up front before the creation of your Exchange 2010 GALSync Management Agent.
In the GALSync Management Agent Properties, on the Configure Extensions tab, there is a dropdown to select the type of provisioning. There you will select Exchange 2010.
You will notice that a text box appears asking for a URI. The URI is an HTTP path to the Exchange 2010 Client Access Server (CAS).
Follow the steps outlined here to get the information for the URI. If you do not know this information prior to creating the GALSync Management Agent, you will need it once you select Exchange 2010 for the Provisioning For dropdown.
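The following pre-flight check is an added example, not part of the original wiki or of FIM itself. It is meant to be run on the Synchronization Service machine before creating the Management Agent, and it confirms that PowerShell v2 is present, that a remote session to the CAS URI can be opened over WinRM as the GALSync User, and that Update-Recipient is exposed to that account. The function name, the host name `cas01.contoso.example`, the `/PowerShell/` URI form and the use of Kerberos authentication are assumptions.

```powershell
# Added example: pre-flight check for Exchange 2010 provisioning.
# Test-GalSyncExchangePrereqs is a hypothetical helper name; adjust values to your environment.
function Test-GalSyncExchangePrereqs {
    param(
        [Parameter(Mandatory = $true)][string]$CasUri,   # assumed form: http://<CAS FQDN>/PowerShell/
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential
    )

    $result = New-Object PSObject -Property @{
        PowerShellV2OrLater = ($PSVersionTable.PSVersion.Major -ge 2)
        SessionOpened       = $false
        UpdateRecipientSeen = $false
        Error               = $null
    }

    $session = $null
    try {
        # Same transport the provisioning step relies on: WinRM to the CAS PowerShell endpoint.
        # Kerberos is an assumption here; use the authentication your CAS is configured for.
        $session = New-PSSession -ConfigurationName Microsoft.Exchange `
            -ConnectionUri $CasUri -Credential $Credential `
            -Authentication Kerberos -ErrorAction Stop
        $result.SessionOpened = $true

        # If the session opens but Update-Recipient is not found, look at the
        # GALSync User's permissions rather than at connectivity.
        $cmd = Invoke-Command -Session $session -ErrorAction Stop -ScriptBlock {
            Get-Command -Name Update-Recipient
        }
        $result.UpdateRecipientSeen = ($cmd -ne $null)
    }
    catch {
        $result.Error = $_.Exception.Message
    }
    finally {
        # Always close the remote session so it does not linger on the CAS.
        if ($session) { Remove-PSSession $session }
    }
    return $result
}

# Usage with placeholder values; enter the GALSync User account when prompted.
$cred = Get-Credential
Test-GalSyncExchangePrereqs -CasUri 'http://cas01.contoso.example/PowerShell/' -Credential $cred
```

A result with `SessionOpened` false points at the URI, WinRM or authentication; `SessionOpened` true with `UpdateRecipientSeen` false points at the GALSync User's Exchange permissions.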
Possible Issues
Export Issues
In most cases, we have seen problems with exporting to Microsoft Exchange 2010. You could see things like:
- ma-extension-error
  - More information for troubleshooting this error message can be found in the Application Event Log.
- slow export to exchange 2010
  - We have seen this on occasion. This normally has to do with a .NET Framework issue, and we should be able to resolve the issue with the following wiki.
- timeout issue
  - You may experience a timeout issue when exporting to Exchange 2010. Here are some ideas for troubleshooting:
See Also
GALSync
- Permissions for GALSync User MA User Account
  - Wiki page that discusses the permissions needed for a GALSync User
- GALSync Solution involving Microsoft Exchange 2007 and Microsoft Exchange 2010
  - If your Synchronization Service Engine is installed in the Exchange 2010 forest and you do not have the Exchange 2007 Prerequisites installed.
- GALSync Resource Wiki
- Exchange 2007 Provisioning Wiki