GALSync Troubleshooting: LegacyExchangeDN is not populated

Microsoft Support continues to receive calls around GALSync and the fact that the LegacyExchangeDN is not being populated on the mail-enabled contact object after export.

LegacyExchangeDN was an attribute stamped by the Exchange Recipient Update Service (RUS), which went away in Microsoft Exchange 2007 and is still not present in Microsoft Exchange 2010. As a result, Microsoft Identity Integration Server 2003 (MIIS 2003) and Microsoft Identity Integration Feature Pack (IIFP) would create the mail-enabled contact object, but the mail settings that the RUS used to update were no longer applied, leaving the LegacyExchangeDN attribute empty.

MIIS 2003 and IIFP came out long before either Microsoft Exchange 2007 or Microsoft Exchange 2010. ILM 2007 was already out. This means that if you are using MIIS 2003 or IIFP to execute your GALSync solution against a Microsoft Exchange 2007 server, you will need to run an Exchange PowerShell CMDLET called get-mailcontact on the Microsoft Exchange Server after each Export. You can find more information on this on our Microsoft Knowledge Base. If you are exporting to Microsoft Exchange 2010, then you could end up with Forest Level Mail-Enabled Contacts which are Read-Only.

Microsoft Identity Lifecycle Manager 2007 Feature Pack 1 (ILM 2007 FP1) was our first product that incorporated the new Microsoft Exchange PowerShell CMDLET called Update-Recipient (2007 / 2010). This would fire during the Export process of the GALSync Solution. You would, however, need the Microsoft Exchange 2007 Exchange Management Tools Service Pack 1 or later and Windows PowerShell v1 installed on the ILM 2007 FP1 server. Find more information on the prerequisites for exporting to Microsoft Exchange 2007 here.

Microsoft Identity Lifecycle Manager 2007 Feature Pack 1 Service Pack 1 (ILM 2007 FP1 SP1) is the first Identity Management product that was designed to export to Microsoft Exchange 2010. Here, you would need Microsoft Windows PowerShell v2 installed on the ILM 2007 FP1 SP1 machine. We utilize WinRM to make a remote PowerShell call to the Microsoft Exchange 2010 Client Access Server (CAS) calling the Update-Recipient (2007 / 2010) PowerShell CMDLET. You will have to configure the GALSync Management Agent to work with the Exchange 2010 CAS server. You can find more information on that here.

Microsoft Forefront Identity Manager 2010 (FIM 2010) will work with both. You will still need the prerequisites for exporting to Exchange 2007 or Exchange 2010.

If you are using ILM 2007 FP1, ILM 2007 FP1 SP1, or FIM 2010 and the mail-enabled contacts are getting created and you are not receiving any error message, then this is an indication that you are using “No Provisioning” on the Configure Extensions tab. If this is true, then you will see the same effect as if you were exporting using MIIS 2003. The LegacyExchangeDN would not be populated, and you would need to either run the PowerShell CMDLET on the Microsoft Exchange Server, or you would need to use either Exchange 2007 Provisioning or Microsoft Exchange 2010 Provisioning.
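The post-export step described above (for MIIS 2003/IIFP, or for "No Provisioning"), sketched as an added example; it is not the Knowledge Base script or Microsoft's own code. It assumes the Exchange Management Shell on the Exchange 2007 server, and `$TargetOU` is a placeholder for the container your GALSync management agent exports contacts to.

```powershell
# Added example: run from the Exchange Management Shell after a GALSync export.
# $TargetOU is an assumed placeholder; replace it with your GALSync target container.
param(
    [string]$TargetOU = "contoso.com/GALSync/Contacts",
    [switch]$ReportOnly   # list unstamped contacts without changing anything
)

# Return mail-enabled contacts in the OU whose LegacyExchangeDN was never stamped.
function Get-UnstampedContact {
    param([string]$OU)
    Get-MailContact -OrganizationalUnit $OU -ResultSize Unlimited |
        Where-Object { [string]::IsNullOrEmpty($_.LegacyExchangeDN) }
}

$pending = @(Get-UnstampedContact -OU $TargetOU)
Write-Host ("{0} mail contact(s) without LegacyExchangeDN in {1}" -f $pending.Count, $TargetOU)
if ($ReportOnly -or $pending.Count -eq 0) { return }

# Update-Recipient applies the mail settings that the RUS used to stamp.
foreach ($contact in $pending) {
    Update-Recipient -Identity $contact.DistinguishedName -ErrorAction SilentlyContinue
    if (-not $?) {
        Write-Warning ("Update-Recipient failed for {0}: {1}" -f $contact.DistinguishedName, $Error[0])
    }
}

# Re-query so anything still unstamped is visible before the next export cycle.
$remaining = @(Get-UnstampedContact -OU $TargetOU)
Write-Host ("{0} contact(s) still without LegacyExchangeDN" -f $remaining.Count)
$remaining | ForEach-Object { Write-Host ("  " + $_.DistinguishedName) }
```

Scoping the query to the GALSync container keeps the run from touching recipients that the synchronization solution does not manage.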

If you are using ILM 2007 FP1, ILM 2007 FP1 SP1, or FIM 2010 and the mail-enabled contacts are getting created and you are receiving an error message, then this is most likely because one of the prerequisites is missing for provisioning to Exchange 2007 or Exchange 2010.

In conclusion:

  1. MIIS 2003 is not designed to work with Exchange 2007 or Exchange 2010 out of the box.
    1. For MIIS 2003 to export to Microsoft Exchange 2007, you need to execute an Exchange PowerShell CMDLET on the Exchange 2007 Server after each Export.
    2. MIIS 2003 does not work with Exchange 2010. You will need to upgrade to ILM 2007 FP1 SP1 or FIM 2010.

       Note: There may be possible ways to force MIIS 2003/IIFP to work with Microsoft Exchange 2010, but upgrading is recommended over forcing the older products to work with the newer products.

  2. ILM 2007 FP1 is designed to work with Exchange 2007 out of the box but will need Service Pack 1 (ILM 2007 FP1 SP1) in order to export to Exchange 2010.
    1. You will need the prerequisites in order to export to either Exchange 2007 or Exchange 2010.
