Thursday, July 24, 2008

Exchange 2007 Provisioning Issue with ILM 2007 FP1

I've been meaning to post on this for a while, but have been pretty busy.

A few months ago I did a project which included Exchange 2007 provisioning with ILM. When running a small development environment (single DC, very important), everything ran fine. But when it got to production I noticed that when the new connector space object is exported to AD, the mailbox is a "Legacy Mailbox" in Exchange because it does not have all of the required Exchange 2007 attributes. I also noticed that when any type of update for that user is exported to the AD MA, the mailbox is then updated to be a standard Exchange 2007 mailbox. From Shawn's blog post, I learned the ILM code is simply using the Update-Recipient cmdlet under the covers to do the update. In Exchange 2003, the Recipient Update Service handled the stamping of the remaining Exchange specific object on the user object and completing the set up of the mailbox. In Exchange 2007, the RUS has been removed, so the Update-Recipient cmdlet was specifically added to address this type of situation. Update-Recipient is called by ILM every time there is an export for that object, and is supposed to use the same DC that the AD MA is using. Key word: supposed.

Turns out there is a bug in the Update-Recipient cmdlet. It does NOT consistently use the same DC as the MA, so while you are exporting your object to one DC, Update-Recipient goes off to another DC where the object does not exist yet. Best of all, when it does, it silently errors out.

After much poking around, I developed a suitable, fairly simple workaround - trigger a second export for any provision action to AD. The workaround goes like this:

  1. Extend the Metaverse schema to include an attribute for the AD SID (we'll call it ad_sid for this).
  2. Create an inbound flow rule to place the user SID from your AD MA to the Metaverse ad_sid attribute.
  3. Find a relatively insignificant attribute that flows from the Metaverse to all users in your AD MA (we'll use title for this).
  4. Create an export flow rule using a Rules Extension to only flow the title attribute from the Metaverse to the AD MA if ad_sid is present in the Metaverse (you'll need to send both the title and ad_sid attributes to the AD MA title attribute).

Now, when a new user is provisioned into AD, a confirming import will bring the user's SID into the Metaverse. The user won't have a title, but the import of the SID will trigger the new export flow rule and generate a pending export of the title. Ensure a suitable amount of time passes to allow AD replication to occur so that the new user is present on all DCs, and then when this second change is exported, Update-Recipient will be called again. Regardless of what DC it uses, it will then be successful and the user will go from "Legacy Mailbox" to "Exchange Mailbox".

Here is a sample bit of code for the Export Flow Rule:

Select Case FlowRuleName
Case "set_cs.title"
If mventry("ad_sid").IsPresent Then
csentry("title").Value = mventry("title").Value
End If
Case else
Throw New EntryPointNotImplementedException()

End Select

In terms of a fix, it is important to remember this is actually an Exchange issue, not an ILM issue. For someone within MS I was able learn that supposedly the KB article behind this is KB949858, but it is not publicly released. The fix was initially slated for Exchange 2007 SP1 Rollup 3, but it didn't make it in and should in Rollup 4 - the release of which, I learned from Aaron's post today, is imminent. Looks there are some issues with the links to the download though; I imagine they will be straightened out shortly.

2 comments:

Anonymous said...

Hi

i have the following problem>

customer is using ILM 2007 FP1
using the same DC/GC
E12/SP1/RU4
they have 2 EAPs (Default and one called UserPolicy with highest priority)

first time when the user is created with MIIS, the object gets the Default Policy and the Type is shown as mail users" instead of "user mailboxes". This happens when "Update-Recipient" is automatically triggered for the first time.
Second time "Update-Recipient" has to be manually run to get the UserPolicy stamped and to see the type as user mailboxes.

Even we wait for days this doesn’t change unless we run Update-Recipient command manually.

Another workaround is to edit the policy to stamp users with external mail addresses, then the correct policy is applied and also the type is shown as user mailboxes immediate upon creating the user with MIIS, and Update-Recipient command is automatically triggered.

What can be going on here, it has nothing to do with the fix in RU4 but something else. do you know what..

Many thanks
Miky

Keith Crosby said...

Sounds like Exchange 2007 provisioning is not enabled. Make sure the box is checked within the AD Management Agent to enable Exchange 2007 provisioning. That's what tells ILM to run the Update-Recipient cmdlet.