FIM service account permission during linked mailbox provisioning

I have a FIM environment which provisions a cross-forest linked mailbox.

When using domain admin as destination FIM MA service account, provisioning works fine.

However when using a FIM service account, provisioning failed with a corrupted mailbox.

homeMDB is empty.

A quick look into FIM event viewer shows the error: ExchangeGuid is mandatory on UserMailbox. Property Name: ExchangeGuid

The service account has the following permission:

Forest wide directory read only and replicating directory changes rights

Full control for OUs involved in the provisioning

Exchange Recipient management

I tested logging in as the service account to create the link mailbox manually and it works.

Only after adding built-in domain\builtin administrators membership does the provisioning start to work again. However, customer requirements dictate that this is not allowed.

May I know if I missed out any additional permission required for cross-forest mailbox provisioning?

Thanks in advance!


  • Edited by Viktor Lee Thursday, March 26, 2015 11:23 AM
March 26th, 2015 11:23am

The permissions you outlined look right. Does this happen on all objects? Or only on objects in groups such as Account Operators or Domain Admins? If so then AdminSDHolder is your culprit. You will need to grant permissions to the AdminSDHolder object.

If the issue is that the HomeMDB is empty after FIM provisions the object then the error could be in how you are generating that value in FIM. So double check the pending export -- is the value correct -- double check that you can navigate to it using ADSI Edit. Normally, if the value is incorrect, i.e. it points to something that doesn't exist, you will get a reference attributes error message on export.

Another possibility is you are pointing the HomeMDB to an existing object but it is one that doesn't exist on the MsExchHomeServer that you have configured for that mailbox. At least initially these values must cooperate.

May 6th, 2015 1:10pm
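
The two checks suggested in the reply above (AdminSDHolder protection on the target objects, and a homeMDB value that resolves to a real object) can be run as one read-only diagnostic. This is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory module, and `$SearchBase` and `$ServiceAccount` are placeholders to replace with your own values.

```powershell
# Added example (not from the thread). Read-only diagnostic for provisioned users.
# Assumptions: RSAT ActiveDirectory module is installed; both values below are placeholders.
Import-Module ActiveDirectory

$SearchBase     = 'OU=LinkedMailboxes,DC=example,DC=com'   # placeholder OU
$ServiceAccount = 'EXAMPLE\svc-fim-adma'                   # placeholder account

$users = Get-ADUser -SearchBase $SearchBase -Filter * `
    -Properties adminCount, homeMDB, msExchHomeServerName, nTSecurityDescriptor

foreach ($u in $users) {
    $sd = $u.nTSecurityDescriptor

    # AdminSDHolder-protected objects carry adminCount = 1 and have ACL inheritance
    # disabled, so rights delegated on the OU never reach them.
    $likelyProtected = ($u.adminCount -eq 1) -or $sd.AreAccessRulesProtected

    # ACEs (explicit and inherited) that name the service account directly.
    # Rights granted through group membership are not counted here.
    $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $aces  = @($rules | Where-Object { $_.IdentityReference.Value -eq $ServiceAccount })

    # homeMDB must be the DN of an existing object; an empty or dangling value
    # matches the symptoms described in the thread.
    $mdbState = 'empty'
    if ($u.homeMDB) {
        try {
            Get-ADObject -Identity $u.homeMDB -ErrorAction Stop | Out-Null
            $mdbState = 'resolves'
        } catch {
            $mdbState = 'dangling'
        }
    }

    [pscustomobject]@{
        User                = $u.SamAccountName
        AdminCount          = $u.adminCount
        InheritanceBlocked  = $sd.AreAccessRulesProtected
        LikelyAdminSDHolder = $likelyProtected
        ServiceAccountAces  = $aces.Count
        HomeMDB             = $mdbState
        HomeServerName      = $u.msExchHomeServerName
    }
}
```

Rows with `LikelyAdminSDHolder` true and `ServiceAccountAces` at 0 are the objects where OU-level delegation is not taking effect.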

Hi,

Can you please confirm if you have set the required attributes as mentioned in the article below?

https://msdn.microsoft.com/en-us/library/ms696051

If not it could be the culprit.

Regards

Dhaya

May 19th, 2015 5:49am
