Most identity management implementations include provisioning/de-provisioning of mailboxes and updating mailbox-related information like distribution lists. In today's world, most mailboxes are probably Microsoft Exchange-based. If that's you, read on. If not, the bad weather is going to miss you entirely.
In Exchange 2000 and Exchange 2003, vendors relied on the "Recipient Update Service" - RUS - to interact with Active Directory. This made it easy to create, read, update and delete identity information for Exchange via Active Directory and LDAP.
In Exchange 2007, RUS is no more. RUS has been replaced by Exchange Management Shell cmdlets. The key word in that last sentence is "cmdlets". What the heck is a cmdlet?
A cmdlet is a command implemented by deriving a class from one of two specialized Windows PowerShell base classes --Microsoft.
What Microsoft has done in Exchange 2007 is move certain functionality to the Exchange Management Shell. Some of the functionality that has been moved to the Exchange Management Shell includes:
- Mailbox creation (create mailbox, mail enable an Active Directory user)
- Mailbox management (enable/disable mailbox, set mailbox attribute)
- Distribution group management (set, enable, disable, add/delete members)
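The operations listed above, sketched as a joiner/leaver pair using Exchange Management Shell cmdlets. This is an added example, not code from this post or from any vendor's connector; the function names, parameter names and the use of `CustomAttribute1` as an audit tag are assumptions made for illustration.

```powershell
# Added example (hypothetical helper functions, not a vendor's connector code).
# Assumes a host with the Exchange 2007 management tools installed.

# Load the Exchange 2007 snap-in when not already inside the Exchange Management Shell.
$snapin = 'Microsoft.Exchange.Management.PowerShell.Admin'
if (-not (Get-PSSnapin -Name $snapin -ErrorAction SilentlyContinue)) {
    Add-PSSnapin -Name $snapin
}

function Enable-JoinerMailbox {
    param(
        [string]$User,            # existing Active Directory account
        [string]$Database,        # target mailbox database
        [string]$RequestId,       # provisioning request reference kept for audit
        [string[]]$Groups = @()   # distribution groups to join
    )
    # Mailbox creation: mail-enable the existing Active Directory user.
    Enable-Mailbox -Identity $User -Database $Database | Out-Null
    # Mailbox management: set an attribute so the mailbox traces back to a request.
    # With several domain controllers, pass the same -DomainController to each
    # cmdlet so this call sees the mailbox that was just created.
    Set-Mailbox -Identity $User -CustomAttribute1 $RequestId
    # Distribution group management: add the new member.
    foreach ($g in $Groups) {
        Add-DistributionGroupMember -Identity $g -Member $User
    }
}

function Disable-LeaverMailbox {
    param(
        [string]$User,
        [string[]]$Groups = @()   # distribution groups to leave
    )
    foreach ($g in $Groups) {
        Remove-DistributionGroupMember -Identity $g -Member $User -Confirm:$false
    }
    # Remove the Exchange attributes from the account; the AD user itself remains.
    Disable-Mailbox -Identity $User -Confirm:$false
    # Fail loudly if de-provisioning did not take effect, rather than assuming success.
    if (Get-Mailbox -Identity $User -ErrorAction SilentlyContinue) {
        throw "De-provisioning failed: $User still has a mailbox"
    }
}
```

The verification step at the end of `Disable-LeaverMailbox` is the part worth keeping in any connector: a de-provisioning call that fails silently leaves a working mailbox behind for an account that should have none.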
If your identity management provider does not update their product(s) to use PowerShell then they will cease to be able to create, delete or modify Exchange users or distribution lists. How serious of an issue will this be for you?
I've been trolling around looking to see which identity vendors have specifically announced support for Exchange 2007, and I can't find anyone. Through Quest's ActiveRoles product we support all of these capabilities because we've built in support for PowerShell. When I checked some of the IDM vendors' sites, here's what I found:
- IBM Tivoli Identity Manager 4.6: "Use the Active Directory connector" - When I checked their documentation they mention how the AD connector is used to set various Exchange attributes and for provisioning/deprovisioning mailboxes but there is no specific mention of Exchange 2007 support. My guess: IBM's TIM does not support Exchange 2007. My August posting to the Tivoli User Forum resulted in no responses - go figure.
- Sun Java System Identity Manager 7.0: "Microsoft Exchange 2000 and 2003 are managed through the Microsoft Windows Active Directory 2000 and 2003 resources" - My guess: Sun's product does not support Exchange 2007. In fact, if you check out this post on their developer forum you'll see how one customer had to debug PowerShell scripts themselves.
- Microsoft's Identity Lifecycle Manager 2007 (aka MIIS): This is the one solution that you'd expect to support provisioning Exchange 2007 mailboxes but it doesn't! The ILM 2007 FAQ does not list support for Exchange 2007.
Now this isn't the end of the world yet - as I said, the storm clouds are on the horizon - because this issue will only be manifested in a pure Exchange 2007 environment. Most of us are probably going to run a mixed environment for a period of time. However, better to be forewarned than have your hair on fire, your auditor's hair on fire and your boss' hair on fire, because provisioning/de-provisioning no longer works!
Start asking your IdM vendor about their plans to support Exchange 2007 now.