Exchange Server

  • Article

Exchange Provisioning using ILM 2007 and FIM 2010

Rob Ward, Aung Oo and Henna Kermani

Administrators often use Identity Lifecycle Manager 2007 (ILM 2007) for provisioning users, contacts and mailboxes in enterprise Active Directory (AD) and Exchange platforms. Leveraging of identity management tools such as ILM 2007 and Forefront Identity Manager 2010 (FIM 2010) can eliminate the error-prone manual tasks involved in creating accounts and mailboxes in AD and Exchange.

ILM 2007 and FIM 2010 can not only automate account and mailbox provisioning, they can also incorporate business logic. This enables capabilities such as creating mailboxes on specific servers depending on users’ business groups or physical locations; setting the initial mailbox size and limits based on the user’s role; and provisioning new users’ mailboxes in the mail store with the most available space. FIM 2010 allows for more-complex business logic that has approval workflows and advanced features like codeless provisioning.

The most common ILM 2007 implementations in Exchange environments are for synchronization of Global Address Lists (GALs) that reside in two different AD forests; provisioning and de-provisioning users’ mailboxes; and synchronization of directories in two enterprise Exchange environments during mail migration to a new Exchange version.

The implementation of ILM 2007 and FIM 2010 in provisioning scenarios may vary depending on the network infrastructure, security policies, and Exchange configurations. This article provides an overview of using the two products for provisioning in Exchange environments, but it also drills down into the key capabilities that facilitate provisioning with Exchange 2003, 2007, and 2010.

Architectural Overview

ILM 2007 and FIM 2010 can create mail-enabled objects in Exchange 2003, 2007 and 2010. Note, however, that not every version of Exchange supports all releases of ILM. This table shows the support breakdown:

(You’ll find extensive compatibility information in the Exchange Server Supportability Matrix.)

To enable Exchange provisioning, you must set up the provisioning process to create mail-enabled objects, and you must also configure an Active Directory Management Agent (ADMA) that interacts with Active Directory and Exchange to provision the mail-enabled objects.

Provisioning Process Overview

Exchange 2003

To complete the provisioning process with Exchange 2003, ILM 2007 and FIM 2010, rely on Exchange’s Recipient Update Service (RUS). During export, the ADMA connects to an available or preferred domain controller and adds the mail-enabled object (as determined by the provisioning configuration) directly to the directory.

RUS watches for changes to mail-enabled objects in the directory and completes the provisioning process for each mail-enabled object ILM 2007 and FIM 2010 create. Exchange writes each of these objects to the directory with the minimal set of attributes needed  to create the objects. RUS applies an Exchange policy to them and adds the remaining required attributes so that they support the full set of Exchange features.

When provisioning to Exchange 2003, ILM 2007 and FIM 2010 do not require a direct connection to an Exchange server, only to an Active Directory Domain Controller (ADDC). (See Figure 1.)

 

Figure 1 Exchange 2003 Provisioning

Exchange 2007

With Exchange 2007, ILM 2007 Feature Pack 1 (ILM 2007 FP1) and FIM 2010 rely on the Update-Recipient Windows PowerShell cmdlet (part of the Exchange 2007 Management Tools) to complete provisioning. During export, ADMA connects to an available or preferred domain controller and adds the mail-enabled object (as determined by the provisioning configuration) to the directory.

After provisioning the mail-enabled object to the directory, ILM 2007 and FIM 2010 invoke the Update-Recipient cmdlet on the ILM/FIM server.

 

Figure 2 Exchange 2007 Provisioning

Exchange 2007 provisioning (see Figure 2) requires ILM 2007 FP1 or greater or FIM 2010. In addition, the installation must meet the following requirements:

  • The ILM 2007/FIM 2010 synchronization service account must be a domain account.
  • The service account of ILM 2007 FP1management agent (MA) must be a member of the Exchange Recipient Administrators group.
  • The ILM 2007/FIM 2010 synchronization server must be domain-joined. It doesn’t, however, need to be joined to the domain to which Exchange provisioning will occur.
  • Windows PowerShell 1.0 must be installed on the ILM/FIM server.
  • The Exchange Management Tools must be installed on the ILM/FIM server.

Exchange 2010

For Exchange 2010, ILM 2007 Feature Pack 1 Service Pack 1 and FIM 2010, rely on the Update-Recipient cmdlet to complete the provisioning process. But unlike the Exchange 2007 process, in this one the cmdlet runs directly on the Exchange server using Windows PowerShell 2.0 and remote execution. (See Figure 3.)

 

Figure 3 Exchange 2010 Provisioning

Exchange 2010 provisioning requires ILM 2007 FP1 SP1 or greater or FIM 2010. In addition, the installation must meet the following requirements:

  • The ILM 2007/FIM 2010 synchronization service account must be a domain account.
  • The service account of ILM 2007 FP1 MA must be a member of the Exchange Recipient Administrators group.
  • The ILM 2007/FIM 2010 Synchronization Server must be domain-joined. It does not, however, need to be joined to the domain to which Exchange provisioning will occur.
  • Windows PowerShell 2.0 must be installed on the ILM/FIM server and must be installed and configured for remote access on an Exchange 2010 Client Access Server (CAS).

Provisioning

To enable Exchange provisioning, you must configure the process to create mail-enabled objects using either scripted provisioning or codeless provisioning. The following table shows which types of provisioning FIM 2010 and the various versions of ILM support:

Scripted Provisioning Using ExchangeUtils

The ExchangeUtils class provides a set of utility methods you can use to create new mail objects in the connector space. To make a mailbox you need, at a minimum, the following attributes on a user object:

  • **DN–**DN (distinguished names) attributes are string representations that uniquely identify objects in an AD server.
  • **mailNickname–**This attribute is an alias Exchange uses to identify mail-enabled objects.
  • **homeMDB–**The homeMDB property specifies the URL of the recipient’s mailbox store.

Here are examples of the attributes being used in Visual Basic .NET and Visual C# .NET:

Visual Basic .NET:

Public Sub Provision(ByVal mventry As MVEntry) _

    Implements IMVSynchronization.Provision



    Dim adMA As ConnectedMA

    Dim csentry As CSEntry

    Dim nickName, mailboxMDB As String

    Dim dn as ReferenceValue



    try

        adMA = mventry.ConnectedMAs("Fabrikam AD MA")



        nickName   = mventry("mailNickname").Value

        mailboxMDB = mventry("homeMDB").Value



        ' Construct the distinguished name

        dn = adMA.EscapeDNComponent("CN=" + mventry("cn").Value).Concat("ou=mailboxes,dc=fabrikam,dc=com")



        If 0 = adMA.Connectors.Count then

            csentry = ExchangeUtils.CreateMailbox(adMA, dn, nickName, mailboxMDB)

        End If



        ' Handle any exceptions

        Catch ex As Exception

            '...

    End Try

End Sub

Visual C# .NET:

void IMVSynchronization.Provision (MVEntry mventry)

{

    ConnectedMA adMA;

    CSEntry csentry;

    String nickName, mailboxMDB;

    ReferenceValue dn;



    try

    {

        adMA = mventry.ConnectedMAs["Fabrikam AD MA"];



        nickName   = mventry["mailNickname"].Value;

        mailboxMDB = mventry["homeMDB"].Value;



        // Construct the distinguished name

        dn = adMA.EscapeDNComponent("CN=" + mventry["cn"].Value).Concat("ou=mailboxes,dc=fabrikam,dc=com");



        if(0 == adMA.Connectors.Count)

        {

            csentry = ExchangeUtils.CreateMailbox(adMA, dn, nickName, mailboxMDB);

        }

    }



    // Handle any exceptions

    catch(Exception ex)

    {

        //...

    }

}

(You can find more information on ExchangeUtils class here. For examples of using ExchangeUtils, go here.

The scripted provisioning requirements for Exchange 2007 are the same as for Exchange 2003. Existing scripted provisioning for Exchange 2003 mail-enabled objects will work without making changes to the  Exchange 2007 provisioning process. With Exchange 2010, though, you’ll need to add an attribute flow for the msExchHomeServerName attribute, which we’ll cover in the section of this article on Exchange 2010 and msExchHomeServerName.

CustomScripted Provisioning

While ExchangeUtils provides a simple method for creating a mail-enabled object, you may require more control over the provisioning process. All ExchangeUtils methods return a CSEntry object, which allows you to set additional attributes on an object. We recommend you allow ExchangeUtils to create the mail-enabled object and use the returned CSEntry object to specify additional attributes.

To create a mailbox-enabled user who has a default password and can log in, you’d use ExchangeUtils to generate the mailbox, then add the unicodepwd and userAccountControl attributes using the returned CSEntry object, as shown in these examples for Visual Basic .NET and Visual C# .NET:

Visual Basic .NET:

Public Sub Provision(ByVal mventry As MVEntry) _

    Implements IMVSynchronization.Provision



    Dim adMA As ConnectedMA

    Dim csentry As CSEntry

    Dim nickName, mailboxMDB As String

    Dim dn as ReferenceValue



    try

        adMA = mventry.ConnectedMAs("Fabrikam AD MA")



        nickName   = mventry("mailNickname").Value

        mailboxMDB = mventry("homeMDB").Value



        ' Construct the distinguished name

        dn = adMA.EscapeDNComponent("CN=" + mventry("cn").Value).Concat("ou=mailboxes,dc=fabrikam,dc=com")



        If 0 = adMA.Connectors.Count then

            csentry = ExchangeUtils.CreateMailbox(adMA, dn, nickName, mailboxMDB)

            csentry("unicodepwd").Values.Add("p@ssword1")

            csentry("userAccountControl").IntegerValue = 512

        End If



        ' Handle any exceptions

        Catch ex As Exception

            '...

    End Try

End Sub

Visual C# .NET:

void IMVSynchronization.Provision (MVEntry mventry)

{

    ConnectedMA adMA;

    CSEntry csentry;

    String nickName, mailboxMDB;

    ReferenceValue dn;



    try

    {

        adMA = mventry.ConnectedMAs["Fabrikam AD MA"];



        nickName   = mventry["mailNickname"].Value;

        mailboxMDB = mventry["homeMDB"].Value;



        // Construct the distinguished name

        dn = adMA.EscapeDNComponent("CN=" + mventry["cn"].Value).Concat("ou=mailboxes,dc=fabrikam,dc=com");



        if(0 == adMA.Connectors.Count)

        {

            csentry = ExchangeUtils.CreateMailbox(adMA, dn, nickName, mailboxMDB);

            csentry["unicodepwd"].Values.Add("p@ssword1");

            csentry["userAccountControl"].IntegerValue = 512;

        }

    }



    // Handle any exceptions

    catch(Exception ex)

    {

        //...

    }

}

Codeless Provisioning

If you’re using FIM 2010, you have the option of using codeless provisioning, which allows you to specify the attributes added to an object during provisioning of it without writing VB or C# code. To create a mailbox, you’d configure a synchronization rule with, at minimum, the following initial attributes flows:

  • **DN–**DN(distinguished names) attributes are string representations that uniquely identify objects in an AD server.
  • **mailNickname–**This attribute is an alias Exchange uses to identify mail-enabled objects.
  • **homeMDB–**The HomeMDB property specifies the URL of the recipient’s mailbox store.

To create a mailbox-enabled user who has a default password and can log in, you’d also provide initial attribute flows for unicodepwd and userAccountControl as shown in Figure 4.

 

Figure 4 Outbound Attribute-Flow Configuration

Exchange 2010 and msExchHomeServerName

For provisioning to Exchange 2010, creating a mail-enabled user object requires an additional attribute—msExchHomeServerName—that you must supply in your provisioning code. Exchange uses this attribute to determine where to deliver mail for the mail-enabled object.

To supply msExchHomeServerName in provisioning that uses either ExchangeUtils or that you have developed yourself, you need to add the  line of code shown after the comments "// Add msExchHomeServerName" in the following examples:

Visual Basic .NET:

Public Sub Provision(ByVal mventry As MVEntry) _

    Implements IMVSynchronization.Provision



    Dim adMA As ConnectedMA

    Dim csentry As CSEntry

    Dim nickName, mailboxMDB As String

    Dim dn as ReferenceValue



    try

        adMA = mventry.ConnectedMAs("Fabrikam AD MA")



        nickName   = mventry("mailNickname").Value

        mailboxMDB = mventry("homeMDB").Value



        ' Construct the distinguished name

        dn = adMA.EscapeDNComponent("CN=" + mventry("cn").Value).Concat("ou=mailboxes,dc=fabrikam,dc=com")



        If 0 = adMA.Connectors.Count then

            csentry = ExchangeUtils.CreateMailbox(adMA, dn, nickName, mailboxMDB)



    ' Add msExchHomeServerName

csentry("msExchHomeServerName").Value = "<value of msExchHomeServerName>"

        End If



        ' Handle any exceptions

        Catch ex As Exception

            '...

    End Try

End Sub

Visual C# .NET:

void IMVSynchronization.Provision (MVEntry mventry)

{

    ConnectedMA adMA;

    CSEntry csentry;

    String nickName, mailboxMDB;

    ReferenceValue dn;



    try

    {

        adMA = mventry.ConnectedMAs["Fabrikam AD MA"];



        nickName   = mventry["mailNickname"].Value;

        mailboxMDB = mventry["homeMDB"].Value;



        // Construct the distinguished name

        dn = adMA.EscapeDNComponent("CN=" + mventry["cn"].Value).Concat("ou=mailboxes,dc=fabrikam,dc=com");



        if(0 == adMA.Connectors.Count)

        {

            csentry = ExchangeUtils.CreateMailbox(adMA, dn, nickName, mailboxMDB);



// Add msExchHomeServerName

csentry["msExchHomeServerName"].Value = "<value of msExchHomeServerName>";



        }

    }



    // Handle any exceptions

    catch(Exception ex)

    {

        //...

    }

}

To supply msExchHomeServerName in a synchronization rule, add the initial attribute flow shown in Figure 5.

 

Figure 5 Outbound Initial Attribute-Flow Configuration

Management Agent Configuration

To properly provision the mail-enabled objects, an Active Directory Management Agent must interact with AD and Exchange. This requires that you configure the Exchange provisioning option (which you do in the right-hand pane of the Create Management Agent dialog after selecting Configure Extensions, as illustrated in Figure 6).

 

Figure 6: Configuring Rules Extensions

You must also make sure to choose Select Attributes from the Management Agent Designer pane, then pick the required attributes in the right pane of the dialog. For guidance on what to pick, we’ve included a chart showing attributes for the various object types.

 

 

Upgrading from Exchange 2003 to 2007: ILM 2007 FP1

ILM 2007 FP1 added the ability to provision Exchange 2007 mail-enabled objects. As shown in Figure 7, you can enable provisioning for Exchange 2007 GAL management agents by selecting Configure Extensions from the left pane of the Create Management Agent dialog, then marking the appropriate checkbox in the right pane.

 

Figure 7 Creating Custom Management Agents

This will cause ILM 2007 FP1 to locally invoke the Update-Recipient cmdlet on export, completing the provisioning process. No other configuration is necessary.

Upgrading from Exchange 2003 to 2007: ILM 2007 FP1 SP1 / FIM 2010

Besides enabling you to provision Exchange 2007 mail-enabled objects, ILM 2007 FP1 SP1 and FIM 2010 let you explicitly specify an Exchange 2007 server on which to perform the provisioning. The Configure Extensions pane of the Create Management Agent dialog contains a drop-down menu for selecting the Exchange version.

If you choose Exchange 2007, you’ll get a text box in which you may enter the name of an Exchange 2007 server (see Figure 8). This additional configuration exists for those who, for example, are using firewalls and require finer control of network traffic. Leaving the server name blank causes the cmdlet to locate an Exchange server. Note that the cmdlet will fail with an error if it can’t contact the server you specify.

 

Figure 8 Choosing the Exchange Version Using the Drop-Down List in Configure Extensions

Upgrading from Exchange 2003 or 2007 to 2010

As noted earlier, ILM 2007 FP1 SP1 and FIM 2010 let you provision Exchange 2010 mail-enabled objects. Because the process uses remote execution via Windows PowerShell (as noted earlier in the Exchange 2010 subsection of the “Provisioning Process Overview” discussion), you must supply a server name. As shown in Figure 9, you can select the Exchange version for provisioning from a drop-down menu in the right pane after clicking on Configure Extensions on the left side of the Create Management Agent dialog.

Select Exchange 2010, and in the text box that appears (see Figure 9), enter the URI of an Exchange 2010 remote PowerShell (RPS) server. Note that you can’t leave this field blank. This value should be in the format https://<cas server>/powershell.

 

Figure 9 Upgrading from Exchange 2003/2007 to 2010

Exchange 2007 and Upgrading ILM 2007 FP1 to SP1

Existing management agents in ILM 2007 FP1 deployments will remain fully functional after you upgrade to ILM 2007 FP1 SP1—no additional configuration or extra steps are required. If desired, you may specify a server name  in Configure Extensions to control which Exchange server the Update-Recipient cmdlet contacts, but this isn’t necessary.

The Export Process

Once you’ve properly configured them for Exchange provisioning, ILM 2007 and FIM 2010 will connect to Active Directory and Exchange during export to create mail-enabled objects. The process works a bit differently for each version of Exchange.

Exchange 2003

For Exchange 2003, ILM 2007 and FIM 2010 rely on the RUS feature of Exchange 2003 to complete the provisioning process. During export, ADMA connects to an available domain controller and adds the mail-enabled object (as determined by the provisioning configuration) to the directory.

As mentioned earlier, RUS watches for changes to mail-enabled objects in the directory and completes the provisioning process for each object created by ILM 2007and FIM 2010. And once again, Exchange writes each of these objects to the directory with the minimal set of attributes needed to create the objects. Because of this, RUS applies an Exchange Policy to them and adds the remaining required attributes so that they support the full set of Exchange features.

Finally, as before, when provisioning to Exchange 2003, ILM 2007 and FIM 2010 need only connect to an ADDC; neither require a direct connection to an Exchange server.

Exchange 2007

The information here is virtually the same as that covered in the “Exchange 2007” subsection under the “Provisioning Process Overview,” but for convenience, we repeat it. With Exchange 2007, ILM 2007 FP1 and FIM 2010 rely on the Update-Recipient cmdlet to complete provisioning. During export, ADMA connects to an available or preferred domain controller and adds the mail-enabled object (as determined by the provisioning configuration) to the directory.

After provisioning the mail-enabled object to the directory, ILM 2007 and FIM 2010 invoke the Update-Recipient PowerShell cmdlet on the ILM/FIM server using the command line:

Update-Recipient -Identity "<ExportedDN>"-Credential <PSCredential> -DomainController <Fqdn>

where the angle-bracketed placeholders are replaced as shown in this list:

ExportedDN–This is the Distinguished Name of the recently exported object.

PSCredential–This is replaced with a PowerShell Credential object constructed using the domain, username and password configured for the ADMA.

Fqdn–The actual value for this parameter is the fully qualified domain name of the domain controller to which the recently exported object was written.

In addition, ILM 2007 FP1 SP1 and FIM 2010 support the *–*Server parameter of Update-Recipient. If the MA has been configured with a Server value, ILM 2007 FP1 SP1 and FIM 2010 will invoke the Update-Recipient cmdlet on the ILM/FIM server using the command line:

Update-Recipient -Identity "<ExportedDN >" -Credential <PSCredential> -

DomainController <Fqdn> -Server <ServerIdParameter>

where the angle-bracketed placeholders are replaced as shown in the previous list, with this addition:

  • ServerIdParameter–The name of the server entered in the Management Agent configuration dialog is put in place of this parameter.

Any errors that occur when initializing or running the PowerShell cmdlet will set the result of the run profile and will be noted in the Application Event Log. For details on specific errors, see the Troubleshooting section further on in this article.

You can find complete details on theUpdate-Recipient cmdlet for Exchange 2007 in the Microsoft TechNet Exchange Server TechCenter.

Exchange 2010

As explained in the “Exchange 2010” subsection of the “Provisioning Process Overview,” for Exchange 2010, ILM 2007 FP1 SP1 and FIM 2010 rely on the Update-Recipient cmdlet to complete the provisioning process. But unlike the Exchange 2007 process, in this one the cmdlet runs directly on the Exchange server using Windows PowerShell 2.0 and remote execution.

After provisioning the mail-enabled object to the directory, ILM 2007 FP1 SP1 and FIM 2010 will remotely invoke the Update-Recipient cmdlet on the Exchange 2010 server using the command line (with the same substitutions discussed earlier for the items in angle brackets):

  Update-Recipient -Identity "<ExportedDN>" -DomainController <Fqdn>

The credentials configured in the ADMA are used when opening the remote connection to the Exchange server, thus they aren’t necessary on the command line.

Any errors that occur when initializing or running the cmdlet will set the result of the run profile and will be put into the Application Event Log. For details on specific errors, see theTroubleshooting section that follows this one.

You can find complete details on theUpdate-Recipient cmdlet for Exchange 2010  in the Microsoft TechNet Exchange Server TechCenter.

Troubleshooting

Any errors that occur when initializing or running the PowerShell cmdlet will set the result of the run profile and will be noted in the application event log. In this section we cover the most frequent errors that occur during export.

Common Errors

In this and the other troubleshooting examples that follow, the italicized text shows a part or parts of an error message that the event log records during export. The roman (non-italicized) text that follows the error message gives the possible cause or causes.

Message:

Event Type: Error
Event Source: MIIServer
Event Category: Server
Event ID: 6801
.
.
.
Description: The extensible extension returned an unsupported error in MIIS. The stack trace is: Microsoft.MetadirectoryServices.ExtensionException: ExternalEmailAddress is mandatory on MailUser.The mail contact and mail user must have a valid external e-mail address. at Exch2007Extension.Exch2007ExtensionClass.AfterExportEntryToCd....

Causes:

This is the most common error reported during export. The Update-Recipient cmdlet attempts to mail-enable the object with the specified DN. The cmdlet works with a variety of mail-enabled objects by inspecting their attributes. It will attempt, as a final step, to convert the object to a MailUser. A user object with missing or invalid mail attributes will usually return this error because Update-Recipient wasn’t able to convert the object into a mailbox-enabled user. This error may also occur when the MA and Update-Recipient communicate with different domain controllers.

One of these issues is most likely the cause of this error:

  • You may have exported a missing or invalid homeMDB value. Ensure that the homeMDB value for the object being exported is present and points to a valid mailbox database.
  • If you see this error with Exchange 2010 and homeMDB is correct, then msExchHomeServerName is probably missing or invalid. Check that the msExchHomeServerName value for the object being exported exists and indicates a valid Exchange server.
  • You may get this message with Exchange 2007 if you don’t have Exchange 2007 Management Tools SP2 or greater installed on the ILM/FIM server. For details, see KB article 963679.
  • You may also see this error with Exchange 2007 if Exchange 2007 Management Tools Rollup 4 or greater isn’t installed on the ILM/FIM server. For details, see KB article 949858.

Exchange 2007 and ILM 2007 FP1 Errors

Message:

Event Type: Error
Event Source: MIIServer
Event Category: Server
Event ID: 6801
.
.
.
Description: The extensible extension returned an unsupported error. The stack trace is:
Microsoft.MetadirectoryServices.ExtensionException: System.IO.FileNotFoundException: Could not load file or assembly 'System.Management.Automation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified....

Cause:

This indicates that the Exchange 2007 Management Tools aren’t installed on the ILM 2007 FP1 server. ILM 2007 FP1 attempted to load the Update-Recipient cmdlet and PowerShell was unable to find it.

Exchange 2007, FIM 2010 and ILM 2007 FP1 SP1 Errors

Message:

Event Type: Error
Event Source: MIIServer
Event Category: Server
Event ID: 6801
.
.
.
Description: The extensible extension returned an unsupported error. The stack trace is: Microsoft.MetadirectoryServices.ExtensionException: Windows PowerShell snap-in Microsoft.Exchange.Management.PowerShell.Admin is not installed on the machine....

Cause:

This message appears when you haven’t installed the Exchange 2007 Management Tools on the ILM 2007 FP1 SP1 server. ILM 2007 FP1 SP1 attempted to load the Update-Recipient cmdlet and PowerShell was unable to find it. Microsoft made a minor change to the loading processing, which is why, for the same condition, ILM 2007 FP1 SP1 and FIM 2010 return a slightly different error than ILM 2007.

Exchange 2010

Message:

Event Type: Error
Event Source: MIIServer
Event Category: Server
Event ID: 6801
.
.
.
Description: The extensible extension returned an unsupported error. The stack trace is:Microsoft.MetadirectoryServices.ExtensionException: Could not load type 'System.Management.Automation.Runspaces.WSManConnectionInfo' from assembly 'System.Management.Automation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=....

Cause:

You’ll receive a message like this if Windows PowerShell 2.0 isn’t installed on the ILM 2007 FP1 SP1 server. ILM 2007 FP1 SP1 attempted to load execute the Update-Recipient cmdlet remotely and ILM 207 FP1 SP1 was unable to open a PowerShell session that supports remote execution.

Message:

Event Type: Error
Event Source: MIIServer
Event Category: Server
Event ID: 6801
Description: The extensible extension returned an unsupported error. The stack trace is:Microsoft.MetadirectoryServices.ExtensionException:Microsoft.MetadirectoryServices.ExtensionException: Invalid URI: The format of the URI could not be determined....
at Exch2010Extension.Exch2010ExtensionClass.BeginExportToCd(String connectTo, String domain, String server, String user, String password)

Cause:

The CAS server value entered in the ILM 2007 FP1 SP1 Configure Extensions dialog is in the incorrect format. The correct format is https://<cas server>/powershell.

Message:

Event Category: Server
Event ID: 6801
Description: The extensible extension returned an unsupported error. The stack trace is:Microsoft.MetadirectoryServices.ExtensionException:Microsoft.MetadirectoryServices.ExtensionException: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.

Causes:

  • You’ve specified an invalid username or password.
  • You’ve used Kerberos without specifying an authentication method or username.
  • Kerberos accepts domain usernames, but not local usernames, and you’ve supplied the latter.
  • The Service Principal Name for the remote computer name and port doesn’t exist.
  • The client and remote computers are in different domains and no trust exists between the two domains.

After checking for the issues just mentioned, try:

  • Checking the event viewer for events related to authentication
  • Changing the authentication method and adding the destination computer to the WinRM TrustedHosts configuration setting or using HTTPS transport

Note that computers in the TrustedHosts list might not be authenticated. For more help with WinRM configuration, run the command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.

You’ll see this error if the the CAS server value you entered in the ILM 2007 FP1 SP1 Configure Extensions dialog is incorrect or you haven’t configured the CAS server for remote PowerShell execution. ILM 2007 FP1 SP1 attempted to load execute the Update-Recipient cmdlet remotely and ILM 207 FP1 SP1 was unable to connect to a remote PowerShell session on the CAS server.

Considerations

ILM 2007 and FIM 2010

Exchange provisioning is a key feature of ILM 2007 and FIM 2010 and ADMA. With minimal configuration, you can easily provision mail-enabled objects to Exchange 2003, 2007 and 2010. You do need to be aware that if a firewall exists between the ILM or FIM server and Exchange, you may have to do additional configuration that may not be acceptable for your deployment.

For instance, a firewall implementation between Exchange server and the ILM is especially common in an Exchange resource-forest implementation. This setup requires users to log into the account forest, and exchange servers must be hosted in the resource forest (a different AD forest).

In this scenario, you usually implement ILM server in the account forest. Thus provisioning mail-enabled or mailbox-enabled objects in Exchange requires that you open firewall ports in addition to those required to provision AD user accounts.

Communication Protocols and Ports

ILM requires the ports shown in the table that follows to provision accounts to AD, but it expects additional ports to provision mail-enabled or mailbox-enabled user objects in the AD/Exchange 2007 environment.

Exchange 2007

As stated earlier in the article, ILM 2007 FP1 leverages the Update-Recipient PowerShell cmdlet to complete the provisioning process, and the cmdlet executes on the ILM server to mail-enabled or mailbox-enabled accounts in Exchange 2007. The cmdlet requires a connection to the Global Catalog (GC) and Exchange RUS server in addition to the connection to the AD domain controller. The scenario is further complicated because Update-Recipient, when used by ILM 2007 FP1, has a RUS selection algorithm that can end up selecting any RUS server in the environment. This requires opening a range of RUS ports to all Exchange RUS servers. (See Figure 10.)

 

Figure 10 Exchange 2007 Provisioning with a Firewall

This table shows the ports required to be opened on the firewall to provision mail- or mailbox-enabled accounts in the Exchange 2007 environment.

To the DC/GC with DNS:

 

To RUS (Mailbox Server):

Exchange 2010

As stated earlier in the article, ILM 2007 FP1 leverages the Update-Recipient PowerShell cmdlet to complete the provisioning process, and the cmdlet executes on the ILM to mail- or mailbox-enabled accounts in Exchange 2010. In this version of Exchange, all cmdlets execute remotely using PowerShell’s remote execution capability. This means that the ports required for this scenario are limited to PowerShell’s remote execution requirements, as illustrated in Figure 11.

 

Figure 11 Exchange 2010 Provisioning with a Firewall

These tables show the firewall ports that must be open to provision mail- or mailbox enabled accounts in the Exchange 2010 environment.

To the DC/GC with DNS:

 

To CAS (Mailbox Server):

Custom PowerShell Scripting

In a bit we’ll look at a PowerShell script that finds user accounts in the specified domain that aren’t currently mailbox-enabled, and mailbox-enables them. The script needs to run on the AD domain controller, and you can use the task scheduler to set when it will run. As you can see from Figure 12, ILM 2007 FP1 can still provision user accounts to the AD domain controller, and it leverages the PowerShell script to mail-enable the user account.

 

Figure 12 Exchange 2007/2010 Provisioning Manual Scripting

Note that while you can use this script to enable mailboxes for users provisioned by ILM, the script will work only with objects that don’t contain a homeMDBor mailNickname attribute.

$domain = "LDAP://" + "DC=Fabrikam,DC=Com"



# Open a connection object to AD

$root = New-Object System.DirectoryServices.DirectoryEntry($domain)



# Create a query object 

$query = new-Object System.DirectoryServices.DirectorySearcher($root) 



# Construct a filter string to retrive all objects which are not mailenabled or mailbox-#enabled

$filter = "(&(objectClass=user)(!(legacyExchangeDN=*)))"



# Define filter in the query object

$query.filter = $filter

    

#Retrive objects which met the filter property

$objects = $query.findAll()





foreach($usr in $objects)

{       

    $properties = $usr.Properties 

    $DN = $properties.distinguishedname[0]

    $dbLoc = "Fabrikam\First Storage group\Mailbox Database"

    Enable-Mailbox -identity $DN -database $dbLoc



    #more informaton on Enable-mailbox here at 

    #https://technet.microsoft.com/enus/library/aa998251(EXCHG.80).aspx

        

}

To create users without a homeMDB value or mailNickname, you can either

  1. Use Scripted Provisioning: Employ the StartNewConnector() method object of the management agents Connectors property instead of ExchangeUtils.CreateMailbox().
  2. Use Codeless Provisioning: Don’t include initial attribute flows in the synchronization rule.

Optionally, to complete provisioning, you can enforce the e-mail address policy on some or all of the objects in the Exchange organization. This short script will enforce all e-mail address policies on all objects in your organization:

Get- EmailAddressPolicy | Update-EmailAddressPolicy

Unfortunately, this is a costly update and can take several minutes, depending on the complexity of your environment. You can use this script instead (replacing AddressPolicy01 with the identity of a particular e-mail address policy) to enforce a particular e-mail address policy on all objects in your organization:

Update-EmailAddressPolicy -Identity AddressPolicy01

If you are provisioning Distribution Groups, additional scripting is required to update the address books in the organization. The following script will update all address books in your organization:

Get- AddressList | Update-AddressList

Get- GlobalAddressList  | Update-GlobalAddressList

But this, too, is a costly update that, again, can take several minutes depending on the complexity of your environment. As an alternative, you can use:

Update-AddressList -Identity "All Contacts\AddressList01"

Update-GlobalAddressList -Identity "My Global Address List"

This script will update only a particular address book in your organization. To use the script, for All Contacts\AddressList01, substitute the identity of the address book you want to update, and replace My Global Address List, with the identity of the global address book you wish to update.

Leveraging Exchange 2003 server

We recommend using ILM 2007 or FIM 2010 and Exchange PowerShell to enable Exchange provisioning, but the organization’s security requirements may not allow the required communication through the firewall. In this case, you can complete Exchange provisioning using an Exchange 2003 server.

For an Exchange 2007 deployment, you can run an Exchange 2003 server alongside Exchange 2007, with the Exchange 2003 server providing the RUS functionality for the domain in which it resides. By doing this, ILM 2007 and FIM 2010 can provision to Exchange using the Exchange 2003 provisioning model. (See Figure 13.)

 

Figure 13 Exchange 2007 Provisioning Using RUS

RUS will identify and complete provisioning for any mail-enabled object exported by ILM and FIM, as it did in the Exchange 2003 provisioning model. RUS will enable mail-enabled contacts and users for both Exchange 2007 and 2003. It will also complete provisioning for mailboxes, and if homeMDBpoints toward the Exchange 2003 server, RUS will provision an Exchange 2003 mailbox. If you require only Exchange 2003 mailboxes along with mail-enabled users and contacts, and assuming the other methods we’ve covered won’t work for your deployment, you may consider using Exchange 2003.

Note, however, that if you do so, provisioning of Exchange 2007 mailboxes will be incomplete. If homeMDBpoints towards an Exchange 2007 mailbox, the mailbox will be provisioned but will not contain all the attributes required for Exchange 2007. You must provision Exchange 2007 mailboxes using an Exchange 2007 provisioning mechanism. If your solution requires you to provisioning Exchange 2007 mailboxes, consider using ILM or custom PowerShell scripting.

You can learn more about Exchange 2003 and Exchange 2007 coexistence in the TechNet article “How to Install Exchange 2007 in an Existing Exchange Server 2003 Organization.”

Recommendations

If the environment has ILM 2007 FP1 or FIM 2010, leverage it for mailbox provisioning, since it can not only reduce manual administrative tasks but can boost end-user productivity and enhance security. As noted, though, if your particular scenario requires a firewall between Exchange 2007 and the ILM 2007 FP1 server, you may require external processes to augment the capabilities of ILM 2007 FP1 or FIM 2010 and Exchange 2007. You may choose to use ILM 2007 FP1 to provision user or contact objects in AD, then leverage the PowerShell script to mail- or mailbox-enable the objects that ILM has provisioned. The PowerShell script can help in situations where, for example, the organization’s policy doesn’t allow granting Exchange Recipient Administrator privileges to the service account ILM 2007 or FIM 2010 leverages.

* ***Henna Kermani  **is a developer in the Identity and Security Division at Microsoft. She lives in Seattle, 1000 miles away from her cat, who declined to move with her.

Aung Oo is an architect with the Microsoft Public Sector, civilian practice.  Aung lives in Leesburg, VA with his wife, Mya.

Rob Ward is a Developer in the Identity and Security Division at Microsoft.  He loves the drizzly weather of the northwest.

Related Content