Any compatibility issues and tips/tricks for FIM use with BPOS?
I'll be implementing FIM in an environment that will be essentially greenfield with an AD forest (w/Exchange schema extensions but no plan currently to have an Exchange server on premise), and using Business Productivity Online Suite (BPOS) Exchange (and SharePoint). I have a few questions regarding this configuration:

1) Can this be considered an "Exchange 2007 mail server", as stated in the FIM Service install wizard - "Configure mail server connection"? (image: http://blogs.msdn.com/blogfiles/darrylru/WindowsLiveWriter/SettingupMultipleMiddleTiers_B54B/image_thumb_5.png)
2) If yes to #1, will "polling" be functional in this config as well? I'm guessing so, as I understand polling to just mean the FIM Service connecting to and reading its own mailbox, which would just happen to reside on BPOS.
3) Are there any considerations with regard to the ILM-based DirSync tool for syncing with BPOS? At this point, we're planning on keeping that on a separate server (which will be Server 2003 anyway). But also curious about any attribute considerations.
4) Can Outlook integration (the Outlook add-in) be used in this way? It says it requires an Exchange 2007 organization, but are the technical requirements fulfilled from a mail server standpoint by MS Online Services/BPOS?
5) Has anyone already tried this scenario yet?
6) Are there any other theoretical or actual considerations or "gotchas" that you can think of with this scenario?

Thanks!
-Tim
March 2nd, 2010 12:49am

I have been working on a similar project myself and can give you some answers - though as yet I've been given no access to BPOS itself so this is all based on research and a couple of meetings with Microsoft.

1. No it cannot. BPOS gives a limited set of Exchange functionality and cannot be treated as a local installation.

3. The DirSync tool is actually ILM. However they won't let you have the MA, so you have to treat it as a black box. Some other points about DirSync:
- It only syncs AD -> BPOS (can't use ADAM)
- It copies ALL users, contacts and distribution lists in the directory - you can't restrict its view
- User accounts are created in the BPOS directory without a mailbox. You have to use a separate process, either through the MOAC console or using the remote PowerShell cmdlets, to selectively enable users for mail.
- Once the BPOS user has been mail-enabled, DirSync only replicates non-mail related attributes - meaning that there is no way to update the mail address and proxy addresses through DirSync.

4. I would expect that the Outlook add-in for FIM would not work with BPOS. The reason is that it uses the Exchange web services to send and receive emails. I may be wrong here - BPOS may be giving access to their web services - but it's not something I've seen mentioned as yet.

6. Yes I have plenty of concerns about the current BPOS offering. Note some are supposed to be rectified in v2, but as yet there's no release date (except that it won't be before the end of this year).
- I had originally planned to do everything using the PowerShell cmdlets and forget DirSync, but the Set-MSOnlineUser cmdlet doesn't work: http://www.microsoft.com/online/help/en-us/bpos/html/964ccc1a-c927-4e5f-b977-c0029946ce52.htm. What this means is that, while you could conceivably make a PowerShell XMA that would create, mail-enable and delete BPOS users, you can't update them. Which to me is fairly useless.
- You don't seem to be able to disable a BPOS user - only remove, either using the Remove-MSOnlineUser cmdlet, or by deleting it out of your source directory used by DirSync. I really don't like removing users with mailboxes attached quite so quickly, but obviously you also can't leave the account open. The best I can come up with is changing its password.
- Management of all mail-related attributes can only be done manually, and individually, through the MOAC. And there is no way to delegate different levels of access, so if someone has access to the MOAC they can administer all your users.

But despite all this my customer is almost definitely going ahead with BPOS, mostly because the decision has been taken at a management level and they don't seem to have even asked their IT staff what they think. My current proposal looks like this:
- We make a dedicated AD just for DirSync
- FIM populates this dedicated AD --> DirSync replicates to BPOS
- Local Admins can set attributes in the dedicated AD which will act as flags dictating what services people get in BPOS
- FIM uses these attributes to enable the BPOS accounts through a separate PowerShell XMA

http://www.wapshere.com/missmiis
March 2nd, 2010 8:34am

I have a customer that is in the pilot phase of BPOS and another looking seriously at it. Both are Notes shops currently.

First, BPOS provisions to a trusted Exchange Resource forest by using a custom ILM instance. (Supposedly) They told the pilot customer that they could modify it but then it was theirs to support forever. Plus this customer did custom AD ACLs to only give them the bare minimum access (below the account operator level they wanted) and want to maintain isolation as much as possible. The BPOS ILM looks at some custom attributes that you set on provision (basically, email, mailnickname (usually sAMAccountName for "oopsie" link back up)) and some Exchange Extensions attributes. So even though you won't have Exchange in your forest you still need the Schema extensions. On the plus side, you don't need to worry about which Mailbox DB/Server the Exchange mailbox is provisioned on.

Since I'm a fairly cautious person, I wanted to be able to verify that they actually provisioned the mailbox before we tell users to come and get it. So I wanted to be able to read from the Exchange forest. Unfortunately, they won't set Dir Repl Rights in the BPOS forest so the AD MA won't talk with the BPOS forest. So I put together a simple read-only Extensible MA to read back a few attributes and pass them back to ILM just to verify things. Waiting on a chance to test it.

Currently the customer isn't doing OCS in BPOS yet but internally to get off of SameTime. So I also had to write an OCS provisioning MA (using WMI, not the AD hacks) for them.

Those are the highlights I've seen so far.
Eric
March 2nd, 2010 5:03pm

It's funny that the one I'm working on is a Notes to BPOS migration as well. Maybe if you already have Exchange in-house you're not so worried about hosting it.

So did you actually modify the configuration of the DirSync MAs? We asked if we could do that and were first told "we'll get back to you" and then we were told "no".

With your read-only MA - is it an AD MA? I had assumed I wouldn't be able to do that, which is why I was planning a PowerShell MA.

Carol
http://www.wapshere.com/missmiis
March 2nd, 2010 5:13pm

No, the customer decided that they didn't want to muddy the support lines. They're happy to have read only to the BPOS forest and BPOS has essentially read only to their forest. If they started messing with it, then it would quickly become Read/Write in both directions and create a huge mess when something needed to be changed.

I just did a quick read-only Extensible MA that uses .NET Directory Service calls to return a few values. Mainly so that we'd be 1) able to verify that the accounts are created and 2) that we had verification of the in-use email addresses. PowerShell would work just as well since it isn't anything fancy. I used AVP file format since I wanted it to pull back proxyAddresses to check for alternate email addresses that may be in use.

Eric
March 2nd, 2010 7:13pm
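As an added illustration of the read-only verification Eric describes (this is not his MA, nor any Microsoft code), the following PowerShell script queries a resource forest over LDAP with System.DirectoryServices, keeps only user objects whose mail attribute is populated (i.e. the mailbox was actually provisioned), and writes mailNickname, mail and each SMTP proxyAddresses value to an attribute-value-pair text file that a file-based MA can import. The LDAP path, output path and filter are assumptions; the colon delimiter and blank-line object separator are the AVP options assumed to be configured on the MA, not values taken from the thread.

```powershell
# Added example: read-only check of provisioned mailboxes, exported as an AVP file.
# Assumed values - replace with the resource forest you have read access to.
$ldapPath   = "LDAP://bpos-resource.example.local/DC=bpos-resource,DC=example,DC=local"
$outputFile = "C:\FIMExport\bpos-verify.txt"
$anchorAttr = "mailNickname"   # link-back attribute set at provisioning time

$root     = New-Object System.DirectoryServices.DirectoryEntry($ldapPath)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
# Only mail-enabled users: an empty mail attribute means no mailbox yet.
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(mail=*))"
$searcher.PageSize = 1000          # paged search so large forests are not truncated
[void]$searcher.PropertiesToLoad.AddRange([string[]]@($anchorAttr, "mail", "proxyAddresses"))

$lines   = New-Object System.Collections.Generic.List[string]
$count   = 0
$results = $searcher.FindAll()
try {
    foreach ($result in $results) {
        $props = $result.Properties
        # Without the anchor the MA cannot join the object back to the source identity.
        if ($props[$anchorAttr].Count -eq 0) { continue }
        $lines.Add("${anchorAttr}:$($props[$anchorAttr][0])")
        $lines.Add("mail:$($props['mail'][0])")
        # proxyAddresses is multi-valued: one AVP line per value so the MA
        # sees every alternate address in use. -match is case-insensitive,
        # so both the primary "SMTP:" and secondary "smtp:" entries are kept.
        foreach ($proxy in $props["proxyAddresses"]) {
            if ($proxy -match '^smtp:') { $lines.Add("proxyAddresses:$proxy") }
        }
        $lines.Add("")              # blank line terminates the object record
        $count++
    }
}
finally {
    $results.Dispose()
}

$lines | Set-Content -Path $outputFile -Encoding Unicode
Write-Host "$count mail-enabled accounts exported to $outputFile"
```

Run it under an account that has only read rights in the resource forest; nothing here writes back to the directory.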

Thank you both for the insight. Your thoughts align with mine as well, or at least what I've come to learn across the FIM and BPOS spaces to this point. If I run into anything else myself, I'll post back here for others' benefit, as well. Thanks again! -Tim
March 3rd, 2010 1:27am
