Update an email address when last name is changed
I asked this in the Exchange forums, but decided to ask it here too. I've an email address policy that gives a user an email address of the form givenName.lastName@mycompany.local. After a user's last name is changed (FIM changes it), it should update the email addresses as well (the new one should be added and it should be primary). But it does not. Then when I choose "apply" on the policy (Organization Configuration -> Hub Transport -> Email Address policies) it applies this policy to users and everything is as it should be. What is causing this and how do I do this without this manual process? Exchange guys thought it would be the absence of RUS in 2007, but I thought FIM only relies on RUS in 2003.
June 13th, 2011 12:02pm

What is your Exchange organization setup? Exchange guys might be right if you are still using RUS and you are not using Ex2007 or Ex2010 provisioning from FIM. The question is also whether you are excluding your users from the recipient policy or not (are you setting any values for the msExchExcludedPolicies attribute from FIM). The difference between RUS behavior and Ex2007/2010 behavior is that RUS stamps the user only once, and then you have to maintain the addresses yourself if you want to keep them in sync with changes of user names etc. With Ex2007/2010, where FIM is calling some PowerShell cmdlets, these cmdlets should take care of updating user e-mail addresses according to the recipient policy, if the user is not excluded from the policy. So it depends on what your Exchange organization setup is and what Exchange provisioning method you are using from FIM.
June 13th, 2011 1:27pm

Hi there,

When I had to do something similar for a client I made the following attribute flows:
- mail -> changed to the new primary SMTP address.
- proxyAddresses -> depending on the requirement, I either completely replaced the value of the entry with the "SMTP:" in all caps (which stopped routing of the email to the older address), or parsed the SMTP addresses to change the primary SMTP address with the all-caps SMTP value to a lower-case value and then added the new primary SMTP address with the all-caps "SMTP:" prefix.

Note that you have to be careful with proxy addresses and assignments like that, however. There are obvious uniqueness requirements that you have to maintain, and therefore you need a workflow that searches AD to ensure that the value of the new address is unique. Remember you should search for matching values in the "proxyAddresses" field using the prefixes SMTP: or smtp: to look for primary and secondary addresses.

Thanks
B
June 13th, 2011 10:49pm
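
The proxyAddresses handling described in the reply above, as an added PowerShell example that is not part of the original thread and not code from any poster. The function name `Set-PrimaryProxyAddress`, its parameters and the sample addresses are hypothetical; it works on plain string arrays, so the list of other recipients' addresses stands in for the AD search.

```powershell
function Set-PrimaryProxyAddress {
    param(
        [string[]]$ProxyAddresses = @(),     # the user's current proxyAddresses
        [string]$NewPrimary,                 # bare address, no "SMTP:" prefix
        [string[]]$DirectoryAddresses = @(), # proxyAddresses held by all OTHER recipients
        [switch]$DropOldPrimary              # replace instead of demoting the old primary
    )
    if (-not $NewPrimary) { throw 'NewPrimary is required' }

    # Uniqueness: -match and -eq are case-insensitive, so one test covers
    # both "SMTP:" (primary) and "smtp:" (secondary) entries.
    foreach ($entry in $DirectoryAddresses) {
        if ($entry -match '^smtp:(.+)$' -and $Matches[1] -eq $NewPrimary) {
            throw "Address conflict: $NewPrimary is already assigned as '$entry'"
        }
    }

    $result = @("SMTP:$NewPrimary")          # new primary goes in with the all-caps prefix
    foreach ($entry in $ProxyAddresses) {
        if ($entry -match '^smtp:(.+)$') {
            $address = $Matches[1]
            if ($address -eq $NewPrimary) { continue }   # already added above as primary
            if ($entry -cmatch '^SMTP:') {               # case-sensitive: the old primary
                if (-not $DropOldPrimary) { $result += "smtp:$address" }
            } else {
                $result += $entry                        # existing secondary, unchanged
            }
        } else {
            $result += $entry                            # non-SMTP entries (X400, x500) pass through
        }
    }
    # mail is flowed with the same value as the new primary SMTP address
    New-Object PSObject -Property @{ mail = $NewPrimary; proxyAddresses = $result }
}

# Constructed sample data (not from the thread)
$user  = @('SMTP:jane.doe@mycompany.local', 'smtp:jdoe@mycompany.local',
           'X400:C=US;A= ;P=MyCompany;O=Exchange;S=Doe;G=Jane;')
$other = @('SMTP:john.smith@mycompany.local', 'smtp:j.smith@mycompany.local')

$new = Set-PrimaryProxyAddress -ProxyAddresses $user -DirectoryAddresses $other `
                               -NewPrimary 'jane.smith@mycompany.local'
$new.proxyAddresses
```

Passing `-DropOldPrimary` gives the first variant from the reply, where mail to the old address stops routing; without it the old primary is kept as a lower-case `smtp:` secondary.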

Thanks for your responses. I'm using AD MA's option to do Exchange provisioning and I do not exclude users from policies using msExchPoliciesExcluded. These attributes are in place: mailNickname, homeMDB, msExchHomeServerName. I don't want to edit proxyAddresses directly, because in this case it would not be necessary. Any ideas?
June 16th, 2011 2:34pm

If I were to troubleshoot I would take FIM out of the equation: if the user has the "update address based on policy" checked from the Exchange Management tools point of view, and the policy is based on first & last name, you can simply modify the first and/or last name with a tool such as ADUC. If that doesn't trigger the address update there's a problem going on with AD/Exchange. There should be tons of sources on Google on how to resolve such issues. Whenever I have such a problem I always tend to simplify the setup. Not to push the problem to another team, but just to make it easier to look for on the web.
http://setspn.blogspot.com
June 22nd, 2011 11:08pm

Thanks Thomas. The user has "update address based on policy" checked. I tried to change values directly from ADUC and it did not work. Could you or someone else provide a link where this process is explained (what really triggers the change, does it happen immediately after the change...)?
June 28th, 2011 4:44pm

Did you get to the bottom of this? If so, can you provide the answer and close down the thread? If not, what do you need? RUS still exists in Exchange 2007/2010 but it's accessed via Update-Recipient (and probably other cmdlets too). If you update a user's properties you'll need to "tell" Exchange you've done this IIRC.
July 4th, 2011 4:47pm

Paul, I still need to know more about how to tell Exchange that a user's properties have changed.
July 5th, 2011 9:38am

I've read the other thread. We should re-energise it. When the AD MA processes exports and is configured for Exchange 2007/2010 Provisioning it runs the Update-Recipient cmdlet on every export (it actually doesn't ensure that the correct attributes are there or not, it's a blanket execution with the -Identity parameter set to that of the CS object being exported).

Test the following:
1. Update the last name of a user (using Exchange cmdlet or ADUC or whatever)
2. Execute Update-Recipient

IIRC you can pipe the output of the Set-User to Update-Recipient, e.g. (not tested, guessing/remembering):

Get-User -Identity "CORP\paulw" | Set-User -Firstname "Chuck" -LastName "Norris" | Update-Recipient;
July 5th, 2011 9:48am

> When the AD MA processes exports and is configured for Exchange 2007/2010 Provisioning it runs the Update-Recipient cmdlet on every export.

I thought this too, but it seems that it doesn't. I checked that Exchange 2007 is selected in AD MA's dropdown. I tried Exchange Shell like you suggested and after Update-Recipient (or if it's piped) it changes the email right away. Any ideas?
July 5th, 2011 1:22pm

I think the "update-recipient" command is only executed for newly provisioned objects in the CS and not for every existing object. Try adding the required attributes for Exchange provisioning for an existing user. I don't think it will receive a mailbox... But I still don't see why you need an Exchange command to be run to update an address of a user. Don't the address policies in Exchange exist for this sole purpose? If you've got a policy in place, first.last@customer.com, and you change first in AD, then firstnew.last@customer.com should be added... So if you say it has "update address based on policy" checked, what does happen when you change the first or last name using ADUC?
http://setspn.blogspot.com
July 5th, 2011 1:49pm

> I think the "update-recipient" command is only executed for newly provisioned objects in the CS and not for every existing object. Try adding the required attributes for Exchange provisioning for an existing user. I don't think it will receive a mailbox...
> http://setspn.blogspot.com

I have it on good authority that that is not the case. I have been told by a senior member of the Synchronization Service team that once you enable provisioning for Exchange 2007 or 2010 that simply tells the synchronisation engine to call out into Update-Recipient with the server and DN of the object just touched. It happens every time the object is exported, not just on initial export.
July 5th, 2011 2:35pm

Mind you, in order for Update-Recipient to do anything with the target the necessary Exchange attributes need to be set. You can certainly mailbox-enable an existing AD user object outside of provisioning logic in the synchronisation service. I use this technique. I add the Exchange SR as a dependent SR on my user provisioning SR (which means no initial flow only flows).
July 5th, 2011 2:36pm

> > I think the "update-recipient" command is only executed for newly provisioned objects in the CS and not for every existing object. Try adding the required attributes for Exchange provisioning for an existing user. I don't think it will receive a mailbox...
> > http://setspn.blogspot.com
>
> I have it on good authority that that is not the case. I have been told by a senior member of the Synchronization Service team that once you enable provisioning for Exchange 2007 or 2010 that simply tells the synchronisation engine to call out into Update-Recipient with the server and DN of the object just touched. It happens every time the object is exported, not just on initial export.

This behavior is my experience. You can look at the MSExchange Management log on the Exchange server you point FIM to and see each call.
My Book - Active Directory, 4th Edition
My Blog - www.briandesmond.com
July 5th, 2011 8:16pm

Ok, seems I got this part wrong. Sorry for causing uncertainty. Thanks for correcting me. So perhaps good advice is to point to a single CAS server in your AD MA config and then check the MSExchange Management log like Brian suggests.
http://setspn.blogspot.com
July 5th, 2011 11:05pm

> Ok, seems I got this part wrong. Sorry for causing uncertainty. Thanks for correcting me. So perhaps good advice is to point to a single CAS server in your AD MA config and then check the MSExchange Management log like Brian suggests.
> http://setspn.blogspot.com

I'm pretty sure this was a behavior change compared to ILM although I'd have to double check.
My Book - Active Directory, 4th Edition
My Blog - www.briandesmond.com
July 5th, 2011 11:08pm

I don't believe there's been any change in this area. Although it might now be easier to achieve it through additional SRs as opposed to provisioning code/logic.

Re. Robert's last post:
> I tried Exchange Shell like you suggested and after Update-Recipient (or if it's piped) it changes the email right away.
> Any ideas?

If the Synchronization Service is a member of the Recipient Administrators group, Exchange Provisioning is enabled and you are flowing the correct mandatory attributes for Update-Recipient for Exchange 2007 (mailNickname and homeMDB for mailbox-enabled users) and you're having issues I would do two things:
1. Update the management tools on the FIM Synchronization Service to Exchange Server 2007 Service Pack 3 plus the latest Cumulative Update [1]
2. If that hasn't changed anything raise a support incident.

[1] There were loads of bugs and issues with Update-Recipient and preferred DCs, etc. and it took several updates to get it right.
July 6th, 2011 10:07pm

Does the Synchronization Service service account have to be a member of the Recipient Administrators group or is it AD MA?
July 8th, 2011 10:13am

Sorry, that's my fault. The AD MA account requires the permissions and group membership.
July 8th, 2011 10:59am

This topic is archived. No further replies will be accepted.
