CzechIdM and Exchange 2007
One of our customers decided to abandon the old version of Microsoft Exchange, namely version 2003, and upgrade to a newer version – MS Exchange 2007. Our Identity Manager CzechIdM takes care of all accounts across the information system – it automatically creates, updates and deletes accounts according to the user lifecycle.
Let’s have a look at the migration from MS Exchange 2003 to MS Exchange 2007 from the point of view of the Identity Manager CzechIdM. We are going to discuss what changes had to be done and what are the main differences between the connection of MS Exchange 2003 and MS Exchange 2007.
The approach of CzechIdM to a connected system is always the same, even if it is database table, directory tree, Excel sheet or SAP. User account even at a very complex system is just a set of pairs: an attribute and its value. One interface for all systems is provided by the so called „connectors“, special Java or C# classes, that help to send data from CzechIdM to systems. In fact, such a connector is a special layer between CzechIdM and the connected system. Thanks to connectors, both CzechIdM and the connected system can communicate as they are used to.
Some connectors we use were created as opensource by people from the OpenICF project. Some, for more complex applications especially, were written by us, tailored for a particular customer.
Active Directory Connector vs Exchange Connector
We had used the Active Directory Connector at our customer. This connector can manage both domain accounts and e-mail accounts. The Active Directory connector is a special class written in C#, which serves to CzechIdM as a gateway to the domain controller. That is all, nothing more. It just stores the set of attributes it gets from CzechIdM to the domain controller. Some of these attributes are used by Exchange and you can use them for creating or updating user mailboxes.
Unfortunately, this approach does not work for Exchange 2007. You can create an Exchange 2007 mailbox, but only of type „Legacy Mailbox“, not „User Mailbox“. What are the basic differences? There are quite a few: you cannot access Legacy Mailbox from the web interface, for example. That is bad, right? Fortunately, there is a solution: the OpenICF Exchange Connector.
Exchange Connector extends the old Active Directory Connector as a C# class. So it can do everything the old connector could and a little more. It does not approach user accounts through the domain controller only: it runs Power Shell scripts, which is much more effective.
Exchange Connector configuration
Let us say you want migrate from Active Directory connector ot Exchange Connector. Beware of these troubles I had to deal with:
- Exchange Connector uses Power Shell, namely Exchange Management Tools. Check you have installed them, otherwise the connection fails.
- The attribute set is more complicated compared to the Active Directory Connector. The most important of new attributes is „recipientType“ attribute. It is a String, „UserMailbox“ constant usually. That is the only way to create a new domain account along with a mailbox. Moreover, you have to use „Database“ attribute. Fill it with the distinguished name of the database you want to be used for the new mailbox, for example:
CN=Mailbox Database 123456789,CN=Databases,CN=Exchange Administrative Group(ABCDEFG1234567),CN=Administrative Groups,CN=ABC Org,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ABC,DC=COM
Both attributes are required.
- „mailNickname“ attribute cannot be used anymore. It is generated by Exchange 2007 as well as the „sAMAccountName“ attribute. All attempts to fill this attribute lead to an exception.
Migration from Exchange 2003 to Exchange 2007 using CzechIdM means to switch a connector: old Active Directory Connector has to be replaced by a newer Exchange Connector. Then you have to reconfigure some attributes as I described above. However it is not very difficult. Do you need my help? Write me an e-mail: my address is firstname.lastname@example.org. See you next time!