Mark E. Smith's Brain Dump
January 30
SP1 for Identity Lifecycle Manager 2007 Feature Pack 1 is now available.

One of the main issues I had to deal with during the Exchange 2010 TAP and RTM (to date) was the lack of support for MIIS, ILM, FIM (or whatever name du jour Microsoft's marketing folks have decided on this week) to provision Exchange 2010 recipients. Many of the customers I work with, and our internal operations, use ILM for managing the lifecycle of user and Exchange recipient objects, so some creative methods were used to get ILM to provision Exchange 2010 objects – until this week.

A little background…
In ILM there's an option in the "Configure Extensions" section of a given Active Directory Management Agent's properties called "Enable Exchange 2007 provisioning". If you're not aware of what this does, here's a brief history. As you're probably aware, the Recipient Update Service (RUS), which was introduced in Exchange 2000 to find and provision recipient objects, was removed in Exchange 2007. In Exchange 2000 & 2003, recipient objects that were created in Active Directory Users and Computers (ADUC) were only partially provisioned. That is, a new recipient configured in ADUC had a few key attributes set, but the rest of the Exchange-specific attributes were stamped by the RUS once it noticed that a new recipient existed. In Exchange 2007 the RUS (the part that stamped the missing attributes) is removed and recipient objects are fully provisioned as they’re created.

Once Exchange 2007 was released, this presented a problem for ILM because most developers typically stamped the same key attributes on a recipient object that ADUC did, then ILM relied on the RUS to come along and stamp the rest. Enter the “Update-Recipient” PowerShell cmdlet. This cmdlet is effectively a “manual RUS”. If you really want to get your geek on, try this… In ADUC, create a new user object. Next, open ADSIEDIT and add the following attributes:

            mailNickname (a.k.a. Exchange alias)
            homeMDB (the Distinguished Name of the Mailbox Database object in the config container where you want the mailbox to be provisioned).

Now open the Exchange Management Shell and enter “Update-Recipient {username}”. Go back into ADSIEDIT and you’ll see the rest of the Exchange attributes that are required to fully provision the recipient. See: for additional information.

So, the little check box on the AD MA, “Enable Exchange 2007 provisioning”, really just called the Update-Recipient cmdlet. Recall now that you need the Exchange 2007 32-bit Management Tools installed on the ILM server in order for provisioning to work. The issue, of course, is that since ILM is only supported on a 32-bit platform and Exchange 2010 no longer has ANY 32-bit version, we couldn’t use ILM to provision Exchange 2010 recipients.

The work-around I used was to use the same ILM MA provisioning code that you would for an Exchange 2007 recipient but UNCHECK the “Enable Exchange 2007 provisioning” box (so ILM wouldn’t try to call Update-Recipient). I would then flow another attribute “flag” to a property like extensionAttribute1. This would allow ILM to write the key attributes to the recipient and function like Exchange 2003 provisioning. Next, on a scheduled task, I would call a PowerShell script on the Exchange 2010 server to get all user objects with the flag (extensionAttribute1=1), then pipe that to Update-Recipient and clear the flag.
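A sketch of what such a scheduled script could look like, as an added example rather than the script the post refers to. It assumes the Exchange 2010 cmdlets are already loaded in the session and that the ActiveDirectory module is installed; `$SearchBase` and `$LogPath` are placeholders, and limiting the search to one OU is an added assumption so that only objects ILM provisions are touched.

```powershell
# Added example (not the author's script): flag-driven Update-Recipient pass,
# meant to run as a scheduled task on an Exchange 2010 server.
# Assumes Exchange 2010 cmdlets are loaded and the ActiveDirectory module exists.
param(
    [string]$SearchBase = 'OU=Provisioned,DC=example,DC=com',  # placeholder OU
    [string]$LogPath    = 'C:\Logs\update-recipient.log'       # placeholder path
)

Import-Module ActiveDirectory

function Write-Log([string]$Message) {
    "{0:u} {1}" -f (Get-Date), $Message | Add-Content -Path $LogPath
}

# Only objects ILM has flagged, limited to the OU ILM provisions into.
$flagged = Get-ADUser -SearchBase $SearchBase `
                      -LDAPFilter '(extensionAttribute1=1)' `
                      -Properties mailNickname, homeMDB

foreach ($user in $flagged) {
    # ILM must already have written the key attributes; skip incomplete objects
    # instead of letting Update-Recipient stamp a half-described recipient.
    if (-not $user.mailNickname -or -not $user.homeMDB) {
        Write-Log "SKIP $($user.DistinguishedName): mailNickname or homeMDB missing"
        continue
    }
    try {
        Update-Recipient -Identity $user.DistinguishedName -ErrorAction Stop
        # Clear the flag only after Update-Recipient succeeded,
        # so a failed object is picked up again on the next run.
        Set-ADUser -Identity $user -Clear extensionAttribute1 -ErrorAction Stop
        Write-Log "OK   $($user.DistinguishedName)"
    }
    catch {
        Write-Log "FAIL $($user.DistinguishedName): $($_.Exception.Message)"
    }
}
```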

ILM 2007 FP1 SP1 addresses the mismatch between the 32-bit requirement of ILM and the 64-bit-only Exchange 2010 versions by using PowerShell 2.0 remoting. Specifically, you’ll notice that this SP states:

PowerShell 2.0 must be installed on the ILM server. Additionally, PowerShell 2.0 must be installed and configured for remote access on Exchange Server 2010 Client Access Server (CAS).

Get the update here: and start testing your Exchange 2010 Provisioning with ILM 2007 FP1 SP1


