MIIS/ILM Tricks - Breakdown of Exchange Provisioning and Other Changes in ILM 2007 FP1

MIIS/ILM Tricks - Breakdown of Exchange Provisioning and Other Changes in ILM 2007 FP1

  • Comments 2
  • Likes

I use a lot of acronyms for this post, so I wanted to build a “key” so I wouldn’t get confused

 

o   Microsoft Identity Integration Server 2003 Service Pack 2  (later abbreviated as MIIS 2003 SP2, MIIS SP2 or MIIS) + Certificate Lifecycle Manager (CLM)  = Identity Lifecycle Manager (abbreviated as ILM 2007 or ILM)

o   Identity Lifecycle Manager 2007 Feature Pack 1 (abbreviated as ILM 2007 FP1 or ILM FP1) = ILM 2007 + Vista client support for CLM and other CLM enhancements + Exchange 2007 support in the identity engine + Cumulative updates since ILM 2007/MIIS SP2         

o   MIIS and ILM (no FP) refer to binary versions 3.2.559-3.2.10xx

o   ILM FP1 refers to binary versions 3.3.118 and later

 

 

One of the more frequently asked questions regarding ILM 2007 FP1 is, “What does ILM 2007 FP1 offer me above and beyond ILM 2007 or MIIS 2003 SP2 with regard to the metadirectory engine?” 

 

There are many improvements to CLM.   But for the metadirectory engine, or the beast formerly known as MIIS, there are a few fixes beyond ILM 2007/MIIS 2003 SP2 described in the ILM FP1 release notes:

 

·         Run profiles listed in the Run Profile dialog box are automatically sorted alphabetically.

 

·         The versioning for the CLMUtils class has been corrected. The CLMUtils class can now be used with Visual Basic .NET. (side note: fixed in 3.2.1005, see http://support.microsoft.com/?id=937561 )

 

·         Any management agent for Lotus Notes created with ILM 2007 FP1 will be configured to run out of process by default. This is to allow for memory issues with the IBM Notes 7 client.  (side note: fixed in 3.2.1001)

 

·         When the ILM 2007/MIIS 2003 server was busy and the Run History information was refreshed, a false out-of-memory status could be generated. This feature pack corrects this condition. (side note: fixed in 3.2.1001)

 

 

Again, I am talking specifically about the metadirectory engine.  Looking at the release notes I see this information:

 

·         The management agent for Active Directory Global Address List (GAL) now supports Microsoft® Exchange Server 2007.

 

·         The management agent for Active Directory now supports Microsoft Exchange Server 2007 Mailboxes, Mail Users, Mail Contacts and Distribution Lists.

 

With regard to Exchange 2007 Provisioning, I decided to dig deeper

 

In the Active Directory Management Agent (AD MA) and in the Active Directory Global Address List Management Agent (GalSync MA) there is a new checkbox in the “Configure Extensions” dialog:

 

                “Enable Exchange 2007 Provisioning”

 

I thought to myself – what does this checkbox provide to us that MIIS SP2 or ILM does not provide? 

 

In checking the box we activate functionality in a new DLL, Exch2007Extension.dll,  that is added to the Extensions directory that runs the Powershell cmdlet Update-Recipient (http://technet.microsoft.com/en-us/library/bb738148.aspx)

 

Where specific to ILM FP1, the parameters passed to the cmdlet are as follows:

 

·         Identity is the DN of the object

·         Confirm is false

·         Credential is the account running the MA (creating the new objects)

·         DomainController is either the DC name acquired by using standard DC discovery (dsgetdc) or hardcoded into the MA, depending on MA settings

·         Server is not set

·         Whatif is not set

 

The Update-Recipient cmdlet was added in Exchange 2007 SP1 specifically for use with MIIS or ILM.  Since the Recipient Update Service (RUS) was discontinued in Exchange 2007, a process is still needed to “stamp” the object to become mail-enabled.  According to the details for Update-Recipient,

“The version of the GAL synchronization management agent that was included in Microsoft Identity Integration Server (MIIS) 2003 was designed to work with Exchange Server 2003 and relied on the Recipient Update Service (RUS). Because RUS is a deprecated feature and is no longer required for Exchange 2007, the new GAL synchronization management agent that is included in ILM 2007 is designed to function without RUS.”

 

For the MIIS SP2 or ILM admin who is looking for a workaround, consider that  ILM FP1 performs the Update-Recipient operation per-object after an export using the credentials of the principal that the MA is running under.  If you wanted to work around having MIIS SP2 or ILM 2007 you would have to identify the newly-created objects and run a process out-of-band from MIIS/ILM with proper credentials to replace the functionality that is enabled with the “Enable Exchange 2007 Provisioning”  checkbox.  For GalSync, the procedure to work around not having ILM FP1 is similar to the MIIS procedure outlined in How to Deploy Exchange 2007 in a Cross-Forest Topology (http://technet.microsoft.com/en-us/library/aa998597.aspx )

 

Of course this document states:

 

“Synchronizing Exchange 2007 GALs by using MIIS 2003 is supported only as a custom solution. The recommended solution for synchronizing Exchange 2007 GALs is to use Exchange 2007 Service Pack 1 (SP1) and Identity Lifecycle Manager (ILM) 2007 Feature Pack 1”

 

To me, using ILM FP1 is an easy choice.  A checkbox is much easier than writing a custom out-of-band script.

 

--Shawn

 

This posting is provided "AS IS" with no warranties, and confers no rights.

 

 

Comments
  • Shawn,

    Do you have an example of how to hard code the DomainController in your MA and not use dsgetdc?  I am trying to provision contacts into a domain other than the one my ILM server is in.

    Thanks for the post.

    ---Don

  • Hey Don!

    Regardless of whether or not ILM is in the same domain, different domain, different forest or even in a workgroup, you can set a static entry for a DC in an Active Directory management agent.  

    In the Configure Directory Partitions dialog in the Active Directory management agent, in the "Select directory partitions" box, highlight the partition corresponding with the domain you want to configure a static DC.  Below the selection box there is a checkbox "Only use preferred domain controllers" and a button entitled "Configure." Hit Configure to enter the static DC name, enter the name, click OK and check the Only use preferred domain controllers box.

    If you are looking to connect to a DC in a different forest than the forest configured in the Active Directory management agent you are using, you will need to create a new management agent.

    --Shawn

    This posting is provided "AS IS" with no warranties, and confers no rights.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment