IIFP, GALSync and Exchange 2007

Claymoore · 04-02-2009, 02:05 PM

I'm working on a GAL Synchronization between 2 forests and Exchange 2007 organizations as a proof of concept for a client and I have gotten myself stuck and need your help. So you don't have to read the whole post, here is the issue I believe is stopping me - the IIFP Management Agents I create identify the Exchange version as 2003 NOT 2007. Any idea why?

Lab Setup - 3 servers per forest
AD (2003 R2)
SQL (2005 SP3)/Exchange (2007 SP1)
IIFP (SP2) w/ EMC and Powershell

In both domains I created an OU for native accounts, populated it and created an OU for the synchronized accounts. I set up a Management Agent in IIFP for each organization that identifies the source and destination OUs. When I run a Full Sync, the accounts from both domains are read and entered into the IIFP Metabase, but the accounts are not created in the destination OUs. I can't provision the accounts with a powershell sript and set up the availability service if the accounts are never created in the first place. I have used different accounts in the management agent from accounts with very specific delegated permissions to full enterprise admins with no luck. Auditing and event logs didn't offer me any clues.

What really troubles me is that the IIFP is detecting Exchange 2003 and not 2007. All the documentation that I have found either shows or mentions Exchange 2007 options and checkboxes that I don't have. I know that ILM is the preferred method of connecting Exchange 2007 organizations, but IIFP is free and the extra provisioning step requiring a powershell script doesn't worry me.

I have already done plenty of research on this, so to save you the troble of linking to Technet articles, here are the sites I used:
GAL Access on a separate forest
How to Deploy Exchange 2007 in a Cross-Forest Topology
Management Agent for Active Directory
Management Agent for Active Directory Global Address List (GAL)
Global Address List Synchronization Walkthrough: Implementation Steps
How to set up IIFP GAL Sync using least privilege > ActiveDir.org
GAL Sync with the Identity Integration Feature Pack (IIFP)

Any ideas would be appreciated.

HeroPsycho · 04-02-2009, 03:00 PM

I don't know of any version of IIFP that has E2K7 options in it.

Where are you seeing this?

Also, what is the functional level of your E2K7 org?

Claymoore · 04-02-2009, 03:26 PM

All domain and forest functional levels are Server 2003

Exchange 2007 as a detected version is shown in the screen shot at the bottom of this page here:
How to Deploy Exchange 2007 in a Cross-Forest Topology
Exhange 2007 options are mentioned here:
Management Agent for Active Directory

Quote:

If you are connecting to a Microsoft Exchange Server 2007, the following requirements must be met:

In Identity Manager, in Properties, select Enable Exchange 2007 provisioning on the Configure Extensions page.

Important Do not select Enable Exchange 2007 provisioning if there are no Exchange 2007 servers in the target forest. An error will be returned for every object being exported.

The MIIS 2003 service account must be a domain account

The server running MIIS 2003 must be joined to a domain.

Windows Powershell 1.0 and the Exchange 2007 SP1 Management Console must be installed.

Note You will receive an extension-dll-exception error if you attempt to synchronize to Active Directory without Powershell 1.0 and the Exchange 2007 SP1 Management Console installed.

So far, I haven't seen the options in IIFP either. I am using IIFP2 which was released on 10/21/2008.
Download details: Microsoft Identity Integration Feature Pack SP2
ILM Feature Pack 1 specifically mentions Exchange 2007 support, but it is a pay solution. I am wondering if MS pulled the 2007 support from IIFP in order to move people to ILM, or does the documentation just not match the product?

HeroPsycho · 04-02-2009, 04:00 PM

Those screenshots are using ILM FP1, not IIFP freebie.

What is the Exchange organization mode though? (NOT AD functional mode)

Claymoore · 04-02-2009, 04:38 PM

I wasn't aware that Exchange 2007 had modes like 2003. Where can I find that?

HeroPsycho · 04-02-2009, 04:46 PM

Nvm, I thought your E2K7 was mixed with E2K3 in it. Sorry.

Claymoore · 04-02-2009, 05:06 PM

No problem. I was really hoping it would be something simple like that that I just overlooked.

I'll keep working at this after I take the 236 exam tomorrow. Maybe passing the test will make me smarter.

Claymoore · 04-07-2009, 02:51 PM

You know, you lose focus in this game for one second...

One of the management agent run options is Export. You can run all the imports and synchronizations you want, but until you actually run an export nothing is written to AD. Such a simple thing to overlook. It works now, so time to test it with throttled back AD permissions.

Run profiles and the correct run profile order are documented in the Technet walkthrough here. Another walkthrough that lists the run profile order as well as how to automate the imports, syncs and exports can be found at the bottom of the post here.

The powershell script to mail enable the synchronized contacts was easy. After I narrow the management agent account permissions, I'll work on the availability service.

HeroPsycho · 04-08-2009, 02:22 PM

Good deal!