Avatier Identity Management Suite
Integrating Exchange 2007 With Identity Enforcer
Version 9

2603 Camino Ramon, Suite 110
San Ramon, CA 94583
Phone: 800-609-8610 / 925-217-5170
FAX: 925-217-0853
Email: support@avatier.com
Table of Contents

1 Overview
2 Prerequisites
3 Granting Full Mailbox Rights to the AIMS Service Account
4 Archiving Exchange 2007 Mailboxes
4.1.1 The History of Archiving Exchange Mailboxes
4.1.2 Archiving Exchange 2007 Mailboxes With AIMS
1 Overview

The Identity Enforcer module of Avatier's Identity Management Suite can be integrated with Microsoft Exchange 2007 to provide mailbox provisioning at the time of user account creation, and management of Exchange 2007 mailbox properties when a user is managed through the Identity Enforcer client.
2 Prerequisites

The following prerequisites are required for integrating the Avatier Identity Management Suite's Identity Enforcer module with Exchange 2007:

1. AIMS 9.0 must be installed and licensed.
2. PowerShell 2.0 must be installed on the AIMS server.
3. The Exchange 2007 Management Console must be installed on the AIMS server.
4. The AIMS Service Account must be a member of the Exchange Server Administrator Role for every mailbox server in the Exchange 2007 environment.
5. The AIMS Service Account must be granted full mailbox rights to every mailbox database on which AIMS will be creating and managing mailboxes.

If archiving of a user's Exchange mailbox is desired, please note the following additional requirements:

1. The AIMS Server must be running on a 32 Bit Operating System.
2. The 32 Bit Exchange 2007 Management Console must be installed on the 32 Bit AIMS server. Please see: http://www.microsoft.com/downloads/details.aspx?familyid=6be38633-7248-4532-929b-76e9c677e802&displaylang=en (Note: Download file E2K7SP1N32.EXE only)
3. Microsoft Outlook 2003 SP1 or higher must be installed on the AIMS server.
3 Granting Full Mailbox Rights to the AIMS Service Account

The AIMS service account needs full mailbox rights to each mailbox; however, granting the Exchange Server Administrator role to the AIMS service account does not provide this access. To grant full mailbox rights to an entire mailbox database, execute an Exchange PowerShell cmdlet for each mailbox storage group on each Exchange 2007 server that AIMS will interface with.

1. Log on to any Exchange 2007 server in the Exchange 2007 Organization as an Exchange Enterprise Administrator.
2. Launch the Exchange Management Shell.
3. Execute the following command (the Get-MailboxDatabase result is piped into Add-ADPermission):

    Get-MailboxDatabase -Identity "ExchangeServerName\First Storage Group\Mailbox Database" | Add-ADPermission -User "domain\aimsserviceaccount" -ExtendedRights Receive-As

where:
- ExchangeServerName is the name of the Exchange 2007 server.
- First Storage Group is the name of the first storage group. Note that you will have to repeat this command for each storage group on the Exchange server.
- domain\aimsserviceaccount is the domain and AIMS service account that will be used to execute the Exchange 2007 PowerShell commands.
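The grant above must be repeated for every mailbox database on every server AIMS will interface with, and nothing in the single command confirms it took effect. The following script is an added example, not part of the Avatier document or product: it enumerates the mailbox databases on a named set of Exchange 2007 mailbox servers, grants Receive-As to the service account on each, and then reports any database where the grant is missing. The account CONTOSO\svc-aims and the server names are placeholders.

```powershell
# Added example (not from the Avatier document). Run in the Exchange Management
# Shell on an Exchange 2007 server, logged on with rights to modify database ACLs.
# Placeholders: the AIMS service account and the mailbox servers AIMS will manage.
param(
    [string]   $ServiceAccount = "CONTOSO\svc-aims",
    [string[]] $MailboxServers = @("EX2007-MBX01", "EX2007-MBX02")
)

# Receive-As on a database grants read access to every mailbox stored in it, so
# the grant is scoped to the listed servers rather than to the whole organization.
$databases = @()
foreach ($server in $MailboxServers) {
    $databases += Get-MailboxDatabase -Server $server
}

# Grant: one Add-ADPermission per mailbox database (Add-ADPermission warns, but
# does not fail, if an identical entry already exists).
foreach ($db in $databases) {
    Add-ADPermission -Identity $db.Identity -User $ServiceAccount `
        -ExtendedRights Receive-As | Out-Null
}

# Verify: the service account must hold an effective (non-Deny) Receive-As entry
# on each database; anything else is reported as MISSING for follow-up.
$missing = 0
foreach ($db in $databases) {
    $granted = Get-ADPermission -Identity $db.Identity -User $ServiceAccount |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -match '^Receive-As$') }
    if ($granted) {
        Write-Host    ("OK       {0}" -f $db.Identity)
    } else {
        Write-Warning ("MISSING  {0}" -f $db.Identity)
        $missing++
    }
}
Write-Host ("{0} database(s) checked, {1} missing the Receive-As grant." -f $databases.Count, $missing)
```

Re-run the script after adding a storage group or mailbox database; the verification loop is safe to run on its own and is a convenient periodic check that the service account's access matches what the AIMS server actually needs.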
4 Archiving Exchange 2007 Mailboxes

Avatier designed AIMS 9.0 to be the first IDM solution to run in a pure 64 Bit Microsoft Windows environment and to take advantage of the improved performance a 64 Bit platform offers. There are, however, architectural issues that must be considered in organizations running AIMS 9.0 and Microsoft Exchange 2007 that require the ability to archive a user's mailbox when the Active Directory account is disabled or deleted. This does not affect customers who only need to create and delete mailboxes through the AIMS provisioning and de-provisioning tools.

4.1.1 The History of Archiving Exchange Mailboxes

The method of archiving a user's mailbox from within the Avatier Identity Management Suite is to access the user's mailbox in the context of the AIMS service account and extract its contents to a Personal Storage file (PST). PST files are Microsoft Outlook client-side files only; the Exchange servers do not know about or care about PST files.

Microsoft Exchange 2000 and 2003 mailbox parameters were attributes in the extended Active Directory schema, and mailboxes could be managed from any workstation or server running the Active Directory Users And Computers MMC plug-in in conjunction with the Exchange 2000/2003 management tools. The only way to create a PST file was from within the Microsoft Outlook client, or to use the Microsoft-supplied MAPI DLLs included with the Exchange 2000/2003 management tools in conjunction with a Microsoft-supplied utility called ExMerge, which was installed on at least one Exchange server in the Exchange Organization.

With the introduction of Microsoft Exchange 2007, the following items are true:
- Microsoft has disconnected mailbox management from Active Directory. Mailbox manipulation can only be done through the MS Exchange 2007 Management Console or the Windows PowerShell 1.0 or 2.0 extensions for Microsoft Exchange.
- MS Exchange 2007 can only run in production on a 64 Bit Windows Server 2008 Operating System.
- MS Exchange 2007 no longer includes the MAPI DLLs and the ExMerge utility.
- Disabling a user's Active Directory account and moving that account to a disabled-users Organizational Unit leaves the mailbox in a disconnected state. You cannot delete, manipulate, or reconnect the mailbox to the account unless you move the account back to the Organizational Unit it was in before the account was disabled.
- PowerShell cmdlets executed from a 64 bit operating system cannot export the contents of a mailbox to a PST file. Remember, PST files are Outlook client-side files and require the Outlook 32 Bit MAPI DLLs to accomplish this task.

4.1.2 Archiving Exchange 2007 Mailboxes With AIMS

At the current time, the constraints that Microsoft has put in place for the Exchange 2007 operating environment prevent a customer who desires Exchange 2007 mailbox archiving on user termination from running AIMS 9.0 on a 64 Bit Windows Server 2008 machine. It is possible, however, to run AIMS 8.0 on a Windows Server 2008 32 Bit Operating System, without any loss of performance or functionality, and achieve Exchange 2007 mailbox archiving. Microsoft has a 32 Bit version of the Exchange 2007 Management Console that you can install on a 32 bit Server 2008 machine for the sole purpose of managing the Exchange environment from a 32 bit client device. AIMS 9.0 can be installed on this server, in conjunction with Microsoft Outlook, to provide the MAPI DLLs needed to create the desired PST files on user account disable or delete.

To enable AIMS to archive Exchange 2007 mailboxes:
1. Install AIMS on a 32 bit Operating System.
2. Install the 32 bit Microsoft Exchange Management Console.
3. Install Outlook 2003 SP1 or higher on the AIMS server.
4. Configure the Account Terminator archive settings to perform Exchange 2007 mailbox archiving.