There are several good resources on how to provision mailboxes for Exchange 2010 using FIM 2010. For starters, the following attributes have to be set (export attribute flow) during the user creation phase:
Secondly, the AD MA should be configured to "provision for Exchange 2010" and the RSP URI should be provided as well. The URL should look like http(s)://casarray.yourdomain.tld/Powershell.
Following these steps, FIM will create a mailbox-enabled account when provisioning accounts in Active Directory. An issue that I came upon is the options panel in Exchange 2010 Outlook Web Access (OWA). All my FIM-provisioned users can successfully log on to OWA, but when they click the options button they receive the following error:
I verified the application event log of the Exchange CAS server around the time I did my tests and came upon the following error:
A copy paste of the error:
(Process w3wp.exe, PID 3104) "RBAC authorization returns Access Denied for user firstname.lastname@example.org. Reason: No role assignments associated with the specified user were found on Domain Controller CORP-DC-01.corp.contoso.com"
Using the Exchange Management Shell I was able to verify the RoleAssignmentPolicy of the users. I could clearly see that all users created using the Exchange Management Console had the "Default Role Assignment Policy" assigned and that the users provisioned from within FIM had no policy assigned. Verifying the RoleAssignmentPolicy can be done as follows:
- for a specific user: get-mailbox accountname | ft name,roleassignmentpolicy
- for all users: get-mailbox | ft name,roleassignmentpolicy
Using the update-recipient cmdlet I could actually reproduce this behavior without FIM in the picture. It looks like the new-mailbox cmdlet sets the default policy, but the update-recipient cmdlet which can convert a legacy mailbox to a mailbox does not set this policy. Guess what FIM is using…
If you'd want to fix this, you could issue the following command:
- get-mailbox | set-mailbox -RoleAssignmentPolicy "Default Role Assignment Policy"
A colleague of mine pointed me to the msExchRBACPolicyLink attribute of a mailbox-enabled user account in AD. This attribute holds the RoleAssignmentPolicy and looks like CN=Default Role Assignment Policy,CN=Policies,CN=RBAC,CN=MAIL,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=CORP,DC=CONTOSO,DC=COM. When I add this attribute to the list of attributes I initially mentioned, all goes well. Mailbox created, RoleAssignmentPolicy in place and Exchange Control Panel (options) available!
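The check from the get-mailbox commands above and the set-mailbox fix, combined into one script that only touches mailboxes with no policy and cross-checks the msExchRBACPolicyLink attribute. This is an added example, not code from the original post; it assumes an Exchange 2010 Management Shell session and the ActiveDirectory module, and the function names are my own.

```powershell
# Added example (not from the original post). Assumes an Exchange 2010
# Management Shell session; the ActiveDirectory module is used to read the
# msExchRBACPolicyLink attribute that backs the RoleAssignmentPolicy setting.
Import-Module ActiveDirectory

function Get-MailboxWithoutRoleAssignmentPolicy {
    # Client-side filter: RoleAssignmentPolicy is empty on mailboxes created
    # through update-recipient (as FIM does) instead of new-mailbox.
    # -ResultSize Unlimited avoids the default 1000-object cap of get-mailbox.
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { -not $_.RoleAssignmentPolicy } |
        ForEach-Object {
            # Cross-check the AD attribute the post identified with repadmin.
            $adUser = Get-ADUser -Identity $_.DistinguishedName -Properties msExchRBACPolicyLink
            New-Object PSObject -Property @{
                Name                 = $_.Name
                RoleAssignmentPolicy = $_.RoleAssignmentPolicy
                msExchRBACPolicyLink = $adUser.msExchRBACPolicyLink
            }
        }
}

function Repair-MailboxRoleAssignmentPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Resolve whichever policy is flagged as default instead of hard-coding its name.
    $default = Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault }
    if (-not $default) { throw "No default role assignment policy found." }

    Get-Mailbox -ResultSize Unlimited |
        Where-Object { -not $_.RoleAssignmentPolicy } |
        ForEach-Object {
            # ShouldProcess gives -WhatIf/-Confirm support for free.
            if ($PSCmdlet.ShouldProcess($_.Name, "Set RoleAssignmentPolicy '$($default.Name)'")) {
                Set-Mailbox -Identity $_.Identity -RoleAssignmentPolicy $default.Identity
            }
        }
}

# Audit first, then do a dry run before changing anything.
Get-MailboxWithoutRoleAssignmentPolicy | Format-Table Name, RoleAssignmentPolicy, msExchRBACPolicyLink -AutoSize
Repair-MailboxRoleAssignmentPolicy -WhatIf
```

Run the repair function without -WhatIf once the audit output lists only the accounts you expect; FIM-provisioned accounts should show an empty msExchRBACPolicyLink until the attribute is added to the export flow.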
A possibility to find out which setting is managed by which attribute in AD is to leverage the repadmin command with the showobjmeta option:
- repadmin /showobjmeta name_of_dc dn_of_userobject
The name_of_dc can be one specific domain controller, or you can use a wildcard (*) in the name to target multiple DCs. Following the DC you provide the DN of your test user. Now just change a setting (in this case the RoleAssignmentPolicy) using PowerShell, and then execute the repadmin command. That way you can find out which attribute was changed seconds ago and hence is very likely to represent the setting you can control with FIM. As an (unrelated) example, I got the output for a user account which I had just disabled in AD. You can clearly see that this is controlled by the "userAccountControl" attribute:
So, to conclude, I think that as a bare minimum the following attributes should be exported when provisioning mailboxes for Exchange 2010:
I got this solution from a colleague, so: thanks Adam for providing me the answer!
A nice article about Exchange mailbox provisioning using FIM: http://technet.microsoft.com/en-us/magazine/ff472471.aspx