5 Oracle Waveset Connector for Microsoft Exchange

This chapter includes the following information about the Exchange connector for Oracle Waveset:

• About the Exchange Connector

• Migrating to the Exchange Connector

• Deploying the Exchange Connector

• Using the Exchange Connector

• Frequently Asked Questions (FAQs)

• Troubleshooting Connector Issues

5.1 About the Exchange Connector

• Overview of the Exchange Connector

• Security Considerations for the Exchange Connector

• Certified Components for the Exchange Connector

• Supported Languages for the Exchange Connector

5.1.1 Overview of the Exchange Connector

The Exchange connector is a .NET connector that supports provisioning and reconciliation for target systems running Microsoft Exchange Server On-Premise 2007 and On-Premise 2010.

The Exchange connector also extends the functionality of the Active Directory connector. The Exchange connector bundle includes both the Exchange connector and Active Directory connector libraries (DLL files). If you use the Exchange connector to provision Active Directory, the operations and deployment considerations for the Active Directory connector also apply to the Exchange connector. For more information, see Chapter 2, "Oracle Waveset Connector for Microsoft Active Directory".

Other considerations for the Exchange connector are:

• The Exchange connector uses Windows PowerShell to manage the Exchange Server target systems. Therefore, the appropriate PowerShell cmdlet set must be available to the connector.

• The Exchange connector operates in the context of the .NET Connector Framework, which in turn requires an application to execute. Therefore, by default, Oracle provides (and recommends) the .NET connector server to run the Exchange connector and Active Directory connector. For more information, see Deploying the Exchange Connector.

• The Exchange connector supports agentless target deployment; that is, an agent is not required.

• The Exchange connector supersedes the Exchange resource adapter and earlier versions of the Exchange connector. For migration information, see Migrating to the Exchange Connector.

Additional information in this section includes:

• Exchange Connector Features

• Exchange Connector Resource Configuration Parameters

5.1.1.1 Exchange Connector Features

The Exchange connector supports the operations shown in the following table. The Exchange connector also supports the operations for Active Directory, as described in Active Directory Connector Features.

Table 5-1 Exchange Connector Operations

Operation	Description
Account provisioning	Operations include create, read, update, and delete objects.
Reconciliation	Both full and incremental reconciliation are supported. Reconciliation can perform the following functions: Detect new mailboxes or new mail users Detect changes in mailbox attribute values or mail user attribute values Correlate mailboxes or mail users with Oracle Waveset users Detect mailboxes or mail users that are not associated with Oracle Waveset users Active Sync polls for changes to a resource and detects incremental changes in real time. Active Sync is performed by the Active Directory connector. For additional information about Active Sync, see the Oracle Waveset 8.1.1 Deployment Guide in the following library: http://docs.oracle.com/cd/E19225-01/index.html
Before and after actions	Before and after actions use scripts to perform activities during a user create, update, or delete request. Script execution is performed by the Active Directory connector. For more information, see Configuring Before and After Actions for the Active Directory Connector.

5.1.1.1.1 Provisioning and Reconciliation Across Multiple Domains

The Exchange connector supports reconciliation and provisioning of mailboxes for users across multiple Microsoft Active Directory domains. For example, users on ChildDomain1, ChildDomain2, ParentDomain, and PeerDomain can have mailboxes in the same Exchange Server installed on the parent domain. Oracle Waveset can reconcile and provision mailboxes for the users who belong to each of these domains, with a resource pointing to the parent domain where Exchange Server is installed.

Note:

Latency in Replication of Data Between Domain Controllers and the Global Catalog Server

The Exchange connector gets user and distribution group information from the domain controllers. Information residing in different domain controllers must be replicated among each other. At certain times, there can be a delay in this replication, and complete user or distribution group information might not be pulled into Oracle Waveset by the connector. In these situations, it is recommended to search for the entity information again.

By default, the user forms cache Active Directory and Exchange groups. After you create a new resource, clear the cache. To clear the cache, navigate to debug page and click Clear Resource Object List Cache. After the cache is cleared, Oracle Waveset obtains information about the groups from the target system. Subsequently, Oracle Waveset obtains this information from cache.

5.1.1.2 Exchange Connector Resource Configuration Parameters

When you configure a resource for the Exchange connector on a Windows target system, the connector uses the Active Directory connector configuration parameters, described in Active Directory Connector Resource Configuration Parameters.

The Exchange connector also requires the additional configuration parameters described in the following table.

Table 5-2 Exchange Connector Resource Configuration Parameters

Parameter Name	Type	Required	Description
AuthenticationMechanism	String	Yes	This entry is used when the connector is configured against Exchange 2010 to remotely connect to the Exchange Server. Default value: Kerberos Do not modify this entry.
Exchange Server Type	String	Yes	Version of the Exchange Server target. The choices are: OnPremise2007 OnPremise2010
ExchangeServerHost	String	No	Hostname of the computer hosting Exchange Server 2010. This is required only if ExchangeServerType is set to OnPremise2010.
ExchangeUser	String	No	User name of the service account having minimum privileges. Format: DomainName\UserName This is required only if ExchangeServerType is set to OnPremise2010.
ExchangeUserPassword	String	No	Valid password for user specified for the ExchangeUser parameter. This is required only if ExchangeServerType is set to OnPremise2010.
UseSSLForRemotePowerShell	String	Yes	This entry is used when the connector is configured against Exchange 2010 to remotely connect to the connector. Default value: false Do not modify this entry.

5.1.2 Security Considerations for the Exchange Connector

• Secure Communication to the Target System

• Administrator Account Considerations for Exchange Server

For Active Directory, see Security Considerations for the Active Directory Connector.

5.1.2.1 Secure Communication to the Target System

On the Exchange connector side, secure communication is ensured by the API. Any bind to the directory is secured by the Windows Security Support Provider Interface (SSPI).

Communication to the Exchange Server is secured by Windows PowerShell.

The communication between the .NET Connector Framework and Oracle Waveset is encrypted by the framework, but it is also recommended that you use an SSL connection.

5.1.2.2 Administrator Account Considerations for Exchange Server

Depending on the Exchange Server version you are using, ensure the administrator account meets the following requirements:

• Privileges for Exchange 2007 Service Account

• Privileges for Exchange 2010 Service Account

5.1.2.2.1 Privileges for Exchange 2007 Service Account

The minimum privileges required for a Exchange 2007 service account to manage recipients (UserMailbox and MailUser) are:

• The service account must be a member of Exchange Recipient Administrators group.

  For more information, see http://technet.microsoft.com/en-us/library/aa996881%28v=exchg.80%29.aspx.

• If you want to add a recipient to a distribution group or remove a recipient from a distribution group, then the service account must also be a member of Account Operators group in the domain where the distribution group exists.

  For more information, see http://technet.microsoft.com/en-us/library/bb124340%28v=exchg.80%29.aspx and http://technet.microsoft.com/en-us/library/aa997627%28v=exchg.80%29.aspx.

5.1.2.2.2 Privileges for Exchange 2010 Service Account

The minimum privilege required for a Exchange 2010 service account to manage recipients (UserMailbox and MailUser) is:

• The service account must be a member of Recipient Management group.

  For more information, see http://technet.microsoft.com/en-us/library/dd298028%28v=exchg.141%29.aspx.

5.1.3 Certified Components for the Exchange Connector

The Exchange connector is certified with the following components:

Table 5-3 Exchange Connector Certified Components

Component	Requirement
Oracle Waveset	Oracle Waveset 8.1 Update 1 Bundle Patch 8 or later
Identity Connector Framework (ICF)	ICF 1.2 or later
Microsoft .NET Framework	Microsoft .NET Framework 3.5 Note: To prevent a memory leak problem with Microsoft .NET Framework 3.5, apply the hotfix described in the following article: http://support.microsoft.com/kb/981575
Target Systems	The target system can be any one or a combination of the following: Microsoft Exchange 2007 SP1, SP2, SP3 (64-bit) Microsoft Exchange 2010 RTM, SP1, SP2, SP3 (64-bit)

5.1.4 Supported Languages for the Exchange Connector

The Exchange connector is localized in the following languages:

• Arabic

• Chinese (Simplified)

• Chinese (Traditional)

• Danish

• French

• German

• Italian

• Japanese

• Korean

• Portuguese (Brazilian)

• Spanish

5.2 Migrating to the Exchange Connector

• Migrating an Earlier Exchange Connector

• Migrating an Exchange Resource Adapter

• Post Migration Task

5.2.1 Migrating an Earlier Exchange Connector

To migrate from an earlier version of the Exchange connector, follow these steps:

1. Make sure you have installed Oracle Waveset with the patch shown in Certified Components for the Exchange Connector.

2. Log in to the Oracle Waveset Administrator interface.

3. In the Edit Resource wizard, specify the new Exchange connector version and configure the Resource Parameters, as required for your deployment.

5.2.2 Migrating an Exchange Resource Adapter

Before You Get Started: Install and configure the latest version of the connector server, as described in Installing, Configuring, and Running the Connector Server.

To migrate an Exchange resource adapter to the Exchange connector, follow these steps:

1. Make sure you have installed Oracle Waveset with the patch shown in Certified Components for the Exchange Connector.

2. Log in to the Oracle Waveset Administrator interface.

3. Go to the Migrate Adapters page.

4. Select the Resource you want to migrate from.

5. Select the type of the connector you want to convert to.

6. On the next page, select the Exchange connector version and the connector server to use.

7. Provide the Active Directory Domain Name and Exchange Server Type.

8. Click Convert.

5.2.3 Post Migration Task

After migrating an earlier Exchange connector or Exchange resource adapter, perform the following task:

1. In the Exchange connector userForm.xml file, replace "Exchange" with "Windows Active Directory" in the following field:

   <contains>
   <ref>accountInfo.typeNames</ref>
   <s>Exchange</s>
   <contains>
   

2. In the postProcess.xml file, replace "Exchange" with "Windows Active Directory" in the following line:

   <MapEntry key='typeString' value='Exchange'/>
   

3. Import the userForm.xml and postProcess.xml files into Oracle Waveset, as follows:

   1. Click the Configure tab.

   2. Click Import Exchange File.

   3. Select the XML files and then click Import.

5.3 Deploying the Exchange Connector

• Exchange Connector Deployment Architecture

• Downloading the Exchange Connector

• Installing, Configuring, and Running the Connector Server

• Installing the Exchange Connector

• Postinstallation Tasks for the Exchange Connector

5.3.1 Exchange Connector Deployment Architecture

The connector uses Exchange-related PowerShell cmdlets to perform recipient administration activities on the Exchange Server. The connector supports User, UserMailbox, and MailUser recipient types. Connector server is mandatory for both Exchange 2007 and Exchange 2010 target system versions.

Note:

You can also use the Exchange connector to manage Active Directory users. To manage Active Directory users, select RecipientType as User in the user form. In this case, the Exchange connector only creates a user in Active Directory. The Exchange connector will not create any UserMailbox or mark this Active Directory user as a MailUser. For more information, see Oracle Waveset Connector for Microsoft Active Directory.

The following sections discuss details specific to Exchange resource only.

For more information about recipient types, see http://technet.microsoft.com/en-us/library/bb201680%28v=exchg.141%29.aspx.

Figure 5-1 shows the architecture of the connector supporting Exchange Server 2007. In this architecture diagram, the connector server is installed on a different computer in the same domain as that of the Exchange Server computer. You can also install the connector server on the same computer hosting Exchange Server.

Figure 5-1 Architecture of the Connector Supporting Exchange Server 2007

Description of "Figure 5-1 Architecture of the Connector Supporting Exchange Server 2007"

Oracle Waveset communicates with Exchange Server 2007 via connector bundle. The connector bundle is deployed on a Windows computer with the connector server installed. To communicate with Exchange Server 2007, the connector loads the Microsoft.Exchange.Management.PowerShell.Admin snap-in locally to create a runspace, which is the environment for running PowerShell cmdlets. This snap-in becomes available when Exchange Management Tools are installed. For this reason, Exchange Management Tools must be installed on the Windows computer hosting connector server.

For more information on hardware requirements, installing, and configuring connector server, see Installing, Configuring, and Running the Connector Server.

Figure 5-2 shows the architecture of the connector supporting Exchange Server 2010. In this architecture diagram, the connector server is installed on a different computer in the same domain as that of the Exchange Server computer. You can also install the connector server on the same computer hosting Exchange Server.

Figure 5-2 Architecture of the Connector Supporting Exchange Server 2010

Description of "Figure 5-2 Architecture of the Connector Supporting Exchange Server 2010"

Oracle Waveset communicates with Exchange Server 2010 via connector bundle. The connector bundle is deployed on a Windows computer with the connector server installed. To communicate with Exchange Server 2010, Oracle Waveset uses remote Shell, which in turn uses Windows PowerShell 2.0 and Windows Remote Management (WinRM) 2.0 without the need for Exchange Management Tools. Therefore, Exchange Management Tools are not required to be installed on the connector server for Exchange Server 2010. For more information, see the following topic on Remote Exchange Management at:

http://technet.microsoft.com/en-in/library/dd297932%28v=exchg.141%29.aspx

Run the Enable-PSRemoting cmdlet to configure the Exchange Server computer to receive Windows PowerShell remote commands that are sent by using the WS-Management technology. For more information about the Enable-PSRemoting cmdlet, see:

http://technet.microsoft.com/en-us/library/hh849694.aspx

For more information on hardware requirements, installing, and configuring connector server, see Installing, Configuring, and Running the Connector Server.

5.3.2 Downloading the Exchange Connector

The Exchange connector is available on the Oracle Identity Manager Connector Downloads page:

http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/connectors-101674.html

5.3.3 Installing, Configuring, and Running the Connector Server

The connector server is an application that enables remote execution of the Exchange connector. As the Exchange connector is implemented in .NET, it requires a .NET connector server.

The connector server can either be installed on the same computer as that of the Exchange Server or on a different computer in the same domain as that of the Exchange Server. For more information, see Exchange Connector Deployment Architecture.

This section contains the following topics:

• Pre-requisites for the Connector Server

• Installing the Connector Server

• Configuring the Connector Server

• Enabling Logging

• Configuring Log File Rotation

• Running the Connector Server

5.3.3.1 Pre-requisites for the Connector Server

The following pre-requisites and requirements are recommended for the connector server:

• The computer hosting the connector server has Intel Dual-Core Processor, 2 GHz with 4 GB RAM or a computer with similar configuration.

  If you have a computer dedicated to the connector server, then 2 GB RAM is sufficient.

• Before you install the connector server, ensure that you have installed .NET Framework 3.5 SP1 on the same computer where you are installing the connector server.

  In addition, you must install the following patch:

  http://support.microsoft.com/kb/981575

  The connector server need not be installed on the Exchange server target system. It can be installed either on the Exchange server or on a system that belongs to the same domain as that of the Exchange server. However, it is recommended to deploy connector server on a separate system that belongs to the same domain as that of the Exchange server.

• If you are using Exchange Server 2007, then you must install Exchange Management Tools on the computer hosting the connector server. This is a mandatory requirement.

• If you are using Exchange Server 2010, then the pre-requisites and requirements must be met for remote Shell as mentioned in the Remote Exchange Management page at:

  http://technet.microsoft.com/en-in/library/dd297932%28v=exchg.141%29.aspx

  Windows 2008 R2 is recommended as the operating system for the computer hosting the connector server as it includes all the necessary pre-requisites and requirements.

5.3.3.2 Installing the Connector Server

To install the connector server:

1. Download the connector server package (a zip file such as Connector_Server_111200.zip) from the Oracle Identity Manager Connector Downloads page at:

   http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/connectors-101674.html

2. Extract the contents of the connector server package and locate the ServiceInstall-version.msi file, such as ServiceInstall-1.4.0.0.msi.

3. Install the connector server by running the ServiceInstall-1.4.0.0.msi file.

   If the Setup Type - Typical option is used during the installation, then the connector server will be installed at the C:\Program Files\Identity Connector\Connector Server directory.

   Note:

   In this guide, CONNECTOR_SERVER_HOME represents the C:\Program Files\Identity Connector\Connector Server directory.

4. Upon successful installation, the connector server is registered as a Windows service and will be started automatically.

5. Stop the connector server Windows service.

5.3.3.3 Configuring the Connector Server

To configure the connector server:

1. Open the connectorserver.exe.config file located in the CONNECTOR_SERVER_HOME directory. In the connectorserver.exe.config file, set the following properties, as required by your deployment.

   Property	Description
   connectorserver.port	Port on which the connector server listens for requests. Default value: 8759
   connectorserver.usessl	If set to true, the connector server uses SSL for secure communication with Oracle Waveset. If this property is set to true, then you must set the corresponding property in Exchange Connector Server IT resource to true. Default value: false.
   Certificatestorename	If the connectorserver.usessl property is set to true, then this property should point to your certificate store name.
   connectorserver.key	Connector server key. See Step 2 for information about setting this value.

   
   

2. Set The connector server key in the connectorserver.exe.config file, as follows:

   Note:

   This key value must be mentioned in the Exchange Connector Server IT resource property.

   1. Open a command prompt and navigate to CONNECTOR_SERVER_HOME directory.

   2. Run the ConnectorServer.exe /setKey command.

      This displays the prompt Enter Key:

   3. Enter an appropriate key and press Enter.

      This displays the prompt Confirm Key:

   4. Enter the same key to confirm and press Enter.

      This displays the message Key Updated.

5.3.3.4 Enabling Logging

The Exchange connector uses the built-in logging mechanism of the .NET framework. Logging for the Exchange connector is not integrated with Oracle Waveset. The log level is set in the connector server configuration file (ConnectorServer.exe.config).

By default, logging is not enabled for the connector. To enable logging:

1. Navigate to CONNECTOR_SERVER_HOME directory. The default directory is C:\Program Files\Identity Connectors\Connector Server.

   The ConnectorServer.exe.config file must be present in this directory.

2. Search and locate the tag <add name="myListener" under the <listeners> tag.

3. The connector logs all information in the file indicated by the initializeData parameter. The default value is c:\connectorserver.log.

   Edit this value as per your deployment needs. As the connector server runs using the service account, ensure the service account has write permissions on the log location and on the log file. Otherwise, there would be no logs generated even if you enable logging.

4. In the ConnectorServer.exe.config file, add the lines shown in bold text:

   <system.diagnostics>
     <trace autoflush="true" indentsize="4">
       <listeners>
         <remove name="Default" />
         <add name="myListener" type="System.Diagnostics.TextWriterTraceListener" initializeData="c:\connectorserver.log" traceOutputOptions="DateTime">
           <filter type="System.Diagnostics.EventTypeFilter" initializeData="Information" />
         </add>
       </listeners>
     </trace>
     <switches>
       <add name="ExchangeSwitch" value="4" />
     </switches>
   </system.diagnostics>
   

   The value="4" sets the log level to Verbose. This value can be set as follows:

   Table 5-4 Log Levels

   Value	Log Level
   value="4" or value="Verbose"	Verbose level. Most granular.
   value="3" or value="Information"	Information level.
   value="2" or value="Warning"	Warning level.
   value="1" or value="Error"	Error level.
   value="0"	No logging.

   
   

5.3.3.5 Configuring Log File Rotation

Information about events that occur during the course of reconciliation and provisioning operations are stored in a log file. As you use the connector over a period time, the amount of information written to a log file increases. If no rotation is performed, then log files become huge.

To avoid such a scenario, perform the procedure described in this section to configure rotation of the log file.

To configure rotation of a log file on a daily basis:

1. Log in to the computer that is hosting the connector server.

2. Stop the connector server.

3. Back up the ConnectorServer.exe.config file. The default location of this file is C:\Program Files\Identity Connectors\Connector Server.

4. In a text editor, open the ConnectorServer.exe.config file for editing.

5. Search for the <listeners> and </listeners> elements and replace the text between these elements with the following:

   <remove name="Default" />
   <add name="FileLog"type="Microsoft.VisualBasic.Logging.FileLogTraceListener,Microsoft.VisualBasic,Version=8.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
   initializeData="FileLogWriter"
   traceOutputOptions="DateTime"
   BaseFileName="ConnectorServerDaily"
   Location="Custom"
   CustomLocation="C:\ConnectorServerLog\"
   LogFileCreationSchedule="Daily">
   <filter type="System.Diagnostics.EventTypeFilter" initializeData="Information"/>
   </add>
   

6. Save the file and close it.

7. Start the connector server.

See Also:

The following URL for more information about configuring log file rotation:

http://msdn.microsoft.com/en-us/library/microsoft.visualbasic.logging.filelogtracelistener.aspx

5.3.3.6 Running the Connector Server

To run the connector server, perform one of the following steps depending on the Exchange Server version:

• If you are using Exchange Server 2007:

  1. Login to computer hosting the connector server.

     The login user must have permissions to perform the following steps.

  2. Open Windows services explorer. To do so:

     Click the Start button, then click to Run... Enter Services.msc and click OK.

  3. Locate the Connector Server service.

  4. Right-click on the service and click Properties.

  5. Click the Log On tab and select This Account.

  6. Click Browse to choose the service account having minimum privileges as described in Privileges for Exchange 2007 Service Account Then, enter password for this service account.

  7. Click OK.

  8. With this service selected, click Run.

  After the above steps are completed successfully, the connector server runs with the service account that has the minimum privileges to perform recipient management tasks on Exchange Server 2007.

  Note:

  The above steps are mandatory and must be completed successfully. This is because the Exchange connector uses the credentials of the user who starts the connector server to communicate with Exchange Server 2007. The username and password information provided in the Exchange resource is not used.

• If you are using Exchange Server 2010:

  1. Login to computer hosting the connector server.

     The login user must have permissions to perform the following steps.

  2. Open Windows services explorer. To do so:

     Click the Start button, then click to Run... Then, enter Services.msc and click OK.

  3. Locate the Connector Server service and click Run.

  Note:

  The Exchange connector uses the user credentials provided in the Exchange resource to communicate with Exchange Server. Therefore, any user can start the connector server.

  Alternatively, the connector server can be started by the service account having minimum privileges as described in Privileges for Exchange 2010 Service Account.

5.3.4 Installing the Exchange Connector

To install the Exchange connector bundle in the connector server:

1. Change to the directory where the connector server was installed.

2. Unzip the Exchange connector ZIP file in the directory from Step1.

   Note:

   If the AD connector DLL was updated by any one-off releases or patches, then do not update the AD DLL provided as part of the Exchange connector bundle zip file.

3. Restart the connector server service. Or, you can also restart the connector server using the following command:

   ConnectorServer.exe /run
   

5.3.5 Postinstallation Tasks for the Exchange Connector

• Configuring the Connector Server in Oracle Waveset

• Updating to Newer Versions of the Connector-related Configuration in Oracle Waveset

• Creating an Exchange Connector Resource

• Editing the Exchange Connector Tabbed User Form

Configuring before and after actions for the Exchange connector is the same as for the Active Directory connector. See Configuring Before and After Actions for the Active Directory Connector.

5.3.5.1 Configuring the Connector Server in Oracle Waveset

Before you create an Exchange connector resource, configure the connector server in Oracle Waveset, as follows.

1. Click the Configure tab and then select the Connector Servers subtab.

2. Click New and provide the required configuration details, including:

   • Hostname or IP Address

   • Connector Server Port

   • Connector Server Key

   • Any user-specific name of the connector server

3. Click Save.

   If the connector server is up and running, the status is displayed as Available.

   If the status is displayed as "Failed: Connection refused", start the connector server service or execute the following command:

   ConnectorServer.exe /run
   

5.3.5.2 Updating to Newer Versions of the Connector-related Configuration in Oracle Waveset

To update Oracle Waveset with the newer versions of the Exchange connector artifacts:

1. Log in to the computer hosting Oracle Waveset and navigate to the Oracle Waveset installation directory.

2. Unzip the ExchangeConnector-idmglue-1.0.8.zip file in the installation directory.

   This will extract the following files:

   • WEB-INF/lib/ExchangeConnector-idmglue.jar

   • sample/connectors/ExchangeConnector-idmglue/migration.xml

   • sample/connectors/ExchangeConnector-idmglue/postProcess.xml

   • sample/connectors/ExchangeConnector-idmglue/resourceWizard.xml

   • sample/connectors/ExchangeConnector-idmglue/userForm.xml

3. Import the resourceWizard.xml file in the sample/connectors/ExchangeConnector-idmglue/ directory.

4. (Optional) Import the remaining XML files in the sample/connectors/ExchangeConnector-idmglue/ directory as required.

5.3.5.3 Creating an Exchange Connector Resource

To create an Exchange connector resource, follow these steps:

1. Log in to the Oracle Waveset Administrator interface.

2. Create the Exchange connector resource by following the Create Windows Exchange Connector Resource wizard.

3. Select the Exchange Connector Version as "2.0.0.1".

4. Select the connector server on which the Exchange connector bundle is deployed.

5. Specify values for the Exchange connector, depending on your deployment. For more information, see:

   • Exchange Connector Resource Configuration Parameters

   • Object Classes and Attributes Supported by the Exchange Connector

5.3.5.4 Editing the Exchange Connector Tabbed User Form

Edit the Tabbed User Form to use Exchange User Form for the Exchange resource created in Creating an Exchange Connector Resource as follows:

1. Go to the Oracle Waveset debug page:

   http://host-name:port/idm/debug

2. Select User Form from the drop-down box, which is adjacent to List Objects, and then click on List Objects.

3. Search for the Tabbed User Form and then click Edit. Under the _FM_ATTRIBUTES field:

   If this is the first connector using the dynamic form, search for the "MissingFields" string. Then, replace the <FieldRef name='MissingFields'/> block with following block:

   <FieldRef name='accountId'/>
   <FormRef name='Exchange User Form'>
   <Property name='RESOURCE_NAME' value='Exchange Server'/>
   </FormRef>
   

   If any other connector is configured already, then add the following block between </FormRef> and </Field>:

   <FormRef name='Exchange User Form'>
   <Property name='RESOURCE_NAME' value='Exchange Server'/>
   

   where Exchange Server is the resource name created in Creating an Exchange Connector Resource.

4. Navigate to the top of this form and add following line under the <include> tag:

   <ObjectRef type='UserForm' id='' name='Exchange User Form'/>
   

   The id will be picked up automatically.

5. Save the form.

5.4 Using the Exchange Connector

• Object Classes and Attributes Supported by the Exchange Connector

• Exchange Connector Sample Forms

5.4.1 Object Classes and Attributes Supported by the Exchange Connector

The Exchange connector support the following object classes:

• __ACCOUNT__ Object Class for the Exchange Connector

• __GROUP__ (or Group) Object Class for the Exchange Connector

• organizationalUnit Object Class for the Exchange Connector

• __MAILBOXDATABASE__ Object Class for the Exchange Connector

• __DISTRIBUTIONGROUP__ Object Class for the Exchange Connector

Note:

The Exchange connector extends the Active Directory connector schema. The Exchange connector supports any arbitrary Active Directory schema attribute used by Exchange Server and a predefined subset of Exchange PowerShell cmdlet parameters.

5.4.1.1 __ACCOUNT__ Object Class for the Exchange Connector

The following table lists only the Exchange Connector attributes that are additional to the Active Directory connector. For a complete list of the attributes, see __ACCOUNT__ Object Class for the Active Directory Connector.

Unless noted otherwise, an attribute is single-valued and optional, and can be created, updated, and read.

Table 5-5 Additional __ACCOUNT__ Attributes for the Exchange Connector

Attribute Name	Exchange Mapped Attribute	Type	Description
Database	Database	String	The list of available databases from the target is returned by default. When provisioning an Oracle Waveset user to an Exchange resource, the Database attribute value must be a distinguished name in the following format: CN=Mailbox Database 123456789,CN=Databases,CN=Exchange Administrative Group(ABCDEFG1234567),CN=Administrative Groups,CN=ABC Org,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ABC,DC=COM Once set, this attribute is not updatable. Required for Exchange Server 2007 but optional for Exchange Server 2010.
ExternalEmailAddress	ExternalEmailAddress	String	Not returned by default. Required for both Exchange Server 2007 and Exchange Server 2010, if RecipientType is MailUser.
RecipientType	RecipientType	String	Required. Not returned by default.
Alias	Alias	String	Mailbox alias, which is generally the same as sAMAccountName. Note: sAMAccountName is the user login for Microsoft Active Directory.
SimpleDisplayName	SimpleDisplayName	String	Used to display an alternative description of the object when only a limited set of characters is permitted. This limited set of characters consists of ASCII characters 26 through 126, inclusively.
DisplayName	DisplayName	String	Name of a user as displayed in the address book. This is usually a combination of the user's first name, middle initial, and last name.
MaximumRecipients	RecipientLimits	String	Specifies the maximum number of recipients per message to which this mailbox can send.
MaxOutgoingMessageSize	MaxSendSize	String	Specifies the maximum size of messages that this mailbox can send.
MaxIncomingMessageSize	MaxReceiveSize	String	Specifies the maximum size of messages that this mailbox can receive.
UseStorageDefaults	UseDatabaseQuotaDefaults	Boolean	Specifies that this mailbox uses the quota attributes specified for the mailbox database where this mailbox resides.
ReceiptQuota	ProhibitSendReceiveQuota	String	Specifies the mailbox size at which the user associated with this mailbox can no longer send or receive messages.
TransmitQuota	ProhibitSendQuota	String	Specifies the mailbox size at which the user associated with this mailbox can no longer send messages.
MailboxWarningSize	IssueWarningQuota	String	Specifies the mailbox size at which a warning message is sent to the user.
ArchiveMailboxSize	ArchiveQuota	String	The archive mailbox size at which messages will no longer be accepted.
ArchiveMailboxWarningSize	ArchiveWarningQuota	String	The archive mailbox size at which a warning message is sent to the user.
RetainDeletedItems	UseDatabaseRetentionDefaults	Boolean	Specifies that this mailbox uses default values to handle deleted items or messages.
RetainDeletedItemsFor	RetainDeletedItemsFor	String	Specifies the length of time to keep deleted items.
RetainDeletedItemsUntilBackup	RetainDeletedItemsUntilBackup	Boolean	Specifies whether to retain deleted items until the next backup. The two possible values for this parameter are $true or $false.
HiddenFromAddressListsEnabled	HiddenFromAddressListsEnabled	Boolean	Specifies whether this mailbox is hidden from address lists. The two possible values for this parameter are $true or $false.
EmailAddressPolicyEnabled	EmailAddressPolicyEnabled	Boolean	Specifies whether the e-mail address policy for this mailbox is enabled. The two possible values for this parameter are $true or $false.
PrimarySMTPAddress	PrimarySMTPAddress	String	Specifies the address that external users see when they receive a message from this mailbox.
Distributiongroups	DistributionGroup	String	Multi-valued attribute.

Note:

Oracle Waveset brings all the groups (Active Directory and Exchange distribution groups) from the target system for the first time and then caches it. From the next time the user form is opened, the groups are loaded from the cache. If a new group is added on the target system and if the group needs to be reflected in Oracle Waveset user form, then you must clear the cache. In addition, if you create a new resource, you must clear cache. To do so:

1. Go to the Oracle Waveset debug page at:

   http://host_name:port/idm/debug

2. Click Clear Resource Object List Cache.

   A message is displayed indicating that the Resource Object List cache has been cleared. Every time a new resource is created, you must clear the cache.

The following table lists the PowerShell cmdlet parameters supported by the Exchange connector. None of these attributes are returned by default.

The Exchange connector supports all multi-valued attributes that are supported by Exchange Server target. The attributes in the following table are supported for Exchange Server 2010, unless the description specifies Exchange Server 2007.

Note:

By default, the Exchange connector includes only the DistributionGroup attribute in the userForm.xml file. To support additional multi-valued attributes, edit the userForm.xml and postProcess.xml files as described in Supporting Multi-Valued Attributes for the Exchange Connector.

Table 5-6 PowerShell cmdlet Parameters Supported by the Exchange Connector

Attribute Name	Exchange Mapped Attribute	Type	Description
AcceptMessagesOnlyFrom	AcceptMessagesOnlyFrom	String	Multi-valued.
AcceptMessagesOnlyFromDLMembers	AcceptMessagesOnlyFromDLMembers	String	Multi-valued.
AcceptMessagesOnlyFromSendersOrMembers	AcceptMessagesOnlyFromSendersOrMembers	String	Multi-valued.
BypassModerationFromSendersOrMembers	BypassModerationFromSendersOrMembers	String	Multi-valued.
CustomAttribute1 through CustomAttribute15	CustomAttribute1 through CustomAttribute15	String
EmailAddresses	EmailAddresses	String
ExtensionCustomAttribute1 through ExtensionCustomAttribute5	ExtensionCustomAttribute1 through ExtensionCustomAttribute5	String	Multi-valued. Attributes are supported only by Exchange Server 2010 SP2 and later releases.
Extensions	Extensions	String	Multi-valued. Supported for Exchange Server 2007.
GrantSendOnBehalfTo	GrantSendOnBehalfTo	String	Multi-valued.
ModeratedBy	ModeratedBy	String	Multi-valued.
RejectMessagesFrom	RejectMessagesFrom	String	Multi-valued.
RejectMessagesFromDLMembers	RejectMessagesFromDLMembers	String	Multi-valued.
RejectMessagesFromSendersOrMembers	RejectMessagesFromSendersOrMembers	String	Multi-valued.
RequireSenderAuthenticationEnabled	RequireSenderAuthenticationEnabled	Boolean
WindowsEmailAddress	WindowsEmailAddress	String

5.4.1.2 Supporting Multi-Valued Attributes for the Exchange Connector

By default, the Exchange connector includes only the multi-valued DistributionGroup attribute. To support additional multi-valued attributes, edit the userForm.xml and postProcess.xml files, as follows:

1. In the postProcess.xml file, add mappings for the multi-valued attributes that you want to add. For example, the mapping for the GrantSendOnBehalfTo attribute is:

   <MapEntry
   key='accountAttributes[mapName==GrantSendOnBehalfTo].attributeName' value='GrantSendOnBehalfTo'/>
   <MapEntry key='accountAttributes[mapName==GrantSendOnBehalfTo].multi' value='true'/>
   

2. In the userForm.xml file, add the Field reference for the multi-valued attributes you want to add. For example, the reference for the GrantSendOnBehalfTo attribute is:

   <Field name='accounts[$(RESOURCE_NAME)].GrantSendOnBehalfTo'>
   <Display class="TextArea">
   <Property name="title" value="SendOnBehalf" />
   <Property name="rows" value="4" />
   <Property name="columns" value="60" />
   <Property name="format" value="list" />
   <Property name="sorted" value="true" />
   </Display>
   </Field>
   

3. Import the postProcess.xml and userForm.xml files into Oracle Waveset.

5.4.1.3 __GROUP__ (or Group) Object Class for the Exchange Connector

The __GROUP__ (or Group) object class represents Active Directory groups excluding distribution groups (which are still part of Active Directory groups but are specific to Exchange).

For a list of the __GROUP__ (or Group) object class attributes, see __GROUP__ (Group) Object Class for the Active Directory Connector.

5.4.1.4 organizationalUnit Object Class for the Exchange Connector

For a list of the organizationalUnit object class attributes, see organizationalUnit Object Class for the Active Directory Connector.

5.4.1.5 __MAILBOXDATABASE__ Object Class for the Exchange Connector

The __MAILBOXDATABASE__ object class is added to the existing Exchange connector schema to make it more convenient to retrieve mail store and mailbox database data from each version of the target system.

Table 5-7 __MAILBOXDATABASE__ Object Class for the Exchange Connector

Attribute Name	Type	Description
__NAME__	String	Required.

5.4.1.6 __DISTRIBUTIONGROUP__ Object Class for the Exchange Connector

There are no additional attributes to the schema in the Exchange connector for groups; however the connector forces the group type to be a Distribution group.

5.4.2 Exchange Connector Sample Forms

The Exchange User Form (UserForm.xml) is provided with the Exchange connector.

In addition, the following forms are also provided: PostProcess.xml, Migration.xml, and ResourceWizard.xml

5.5 Frequently Asked Questions (FAQs)

You can refer the following FAQs as guidelines and to troubleshoot connector issues. The following topics are discussed in this section:

• FAQs Common to Both Exchange 2010 and 2007

• FAQs Related to Exchange 2010

• FAQs Related to Exchange 2007

5.5.1 FAQs Common to Both Exchange 2010 and 2007

The following are FAQs on connector issues common to both Exchange 2010 and Exchange 2007:

1. What is the recommended system configuration for the computer hosting and running the connector server?

   Answer: The computer on which you want to install and run the connector server must meet the following requirements:

   • The computer hosting the connector server must have Intel Dual-Core Processor, 2 GHz with 4 GB RAM or a computer with similar configuration. If you have a computer dedicated to the connector server, then 2 GB RAM is sufficient.

   • Microsoft Windows Server 2003 or 2008, either 32-bit or 64-bit versions.

2. Where should I install the connector server for the Exchange connector?

   Answer: Install the connector server on a computer that belongs to the same domain as that of the target Exchange server.

3. Why cannot I see the log files corresponding to the connector operations in the computer hosting Oracle Identity Manager?

   Answer: The Exchange connector uses the built-in logging mechanism of the .NET framework. Therefore, all connector logs are generated on the computer hosting the connector server. See Enabling Logging for more information.

4. After extracting the contents of the connector bundle into the CONNECTOR_SERVER_HOME directory, I observed some DLLs. Does it matter whether the computer hosting the connector server is 32-bit or 64-bit?

   Answer: No, you can use the same DLLs on both 32-bit and 64-bit computers.

5. Can a single connector server be used to deploy the Active Directory User Management connector bundle and the Exchange connector bundle?

   Answer: Yes, a single connector server can host both the Active Directory User Management and the Exchange connector bundles.

   While deploying the Exchange connector, ensure not to replace the existing ActiveDirectory.Connector.dll file on the connector server.

6. Does the Exchange connector support managing only Active Directory user as well? If so, what steps need to be done?

   Answer: Yes, the Exchange connector supports managing Active Directory users as well. To manage Active Directory users, in the user form select User in the recipient type drop down box. In this case, only Active Directory user will be created.

   Alternatively, you can use Oracle Waveset Connector for Microsoft Active Directory to manage Active Directory users. For more information, see Oracle Waveset Connector for Microsoft Active Directory.

5.5.2 FAQs Related to Exchange 2010

The following are FAQs on connector issues specific to Exchange 2010:

1. In what format should the IT resource parameter ExchangeUser be specified?

   Answer: It should be in the DOMAIN_NAME\USER_NAME format.

2. How do I ensure that the username and password provided in the IT resource are correct?

   Answer: Follow the steps mentioned in Table 5-9, "Troubleshooting Connector Issues with Exchange 2010" for the error "unknown user name or bad password."

3. What is the minimum permission/role that the user provided in IT resource should have?

   Answer: The user should be part of the Recipient Management group.

4. What are Exchange 2010 specific requirements that must be met by the computer hosting connector server?

   Answer: The host computer should meet all the prerequisites of Remote PowerShell. For more information, see the topic on Connect Remote Exchange Management Shell to an Exchange Server at:

   http://technet.microsoft.com/en-in/library/dd297932%28v=exchg.141%29.aspx

5. Does the computer hosting the connector server need to have Exchange Management Tools installed?

   Answer: No.

5.5.3 FAQs Related to Exchange 2007

The following are FAQs on connector issues specific to Exchange 2007:

1. Does the connector support RTM version of Exchange 2007?

   Answer: No.

2. What values do I have to provide for ExchangeUser, ExchangeUserPassword, and ExchangeServerHost in the Exchange IT resource?

   Answer: No values are required for these attributes. You can leave them blank. As the connector communicates to Exchange 2007 via local runspace, the connector does not use username or password provided in IT resource to connect to Exchange server. It uses the username and password of the user who starts the connector server.

3. Does the computer hosting the connector server need to have Exchange Management Tools installed?

   Answer: Yes.

4. What is the minimum permission/role of the user who starts the connector server?

   Answer:

   • User should be part of the Exchange Recipient Administrators group.

   • User should be part of the Account Operators group in the domain where the distribution group exists.

5. What are Exchange 2007 specific requirements that need to be met by the computer hosting the connector server?

   Answer: The host computer needs to have Exchange Management Tools installed.

5.6 Troubleshooting Connector Issues

The following tables list solutions to some issues associated with the Exchange connector:

• Table 5-8, "Troubleshooting Common Connector Issues"

• Table 5-9, "Troubleshooting Connector Issues with Exchange 2010"

• Table 5-10, "Troubleshooting Connector Issues with Exchange 2007"

Table 5-8 lists solutions to some commonly encountered issues associated with the Exchange connector:

Table 5-8 Troubleshooting Common Connector Issues

Problem Description	Solution
The Exchange connector throws the following error: Could not find domain controller for user <user_name>	The connector tries to get the domain controller where the Active Directory (AD) user was created using the value provided in the Directory Adminstrator's Account field. This value must be same as the value provided for the User Principal Name field during AD provisioning. If there is any mismatch, the connector throws this error. Ensure the values provided for these two fields are same.
The Exchange connector does not log any information. Logging is enabled for the connector in ConnectorServer.exe.Config file. The line <add name="ExchangeSwitch" value="4" /> has been added and connector server has been restarted.	Ensure the log file location and name as specified in the ConnectorServer.exe.Config file is valid. Also, ensure the user who is running the connector server has write permission on the log file. Then, restart the connector server.
The Exchange connector throws the following error while updating a user: "Account not found in Resource"	Multiple domain controllers may be configured for the same domain. In such a case, add a field to the ResourceWizard.xml file as follows: <Field name="resourceAttributes[SyncDomainController].value" required="false"> <Display class="Text"> <Property name="title" value="SyncDomainController"/> <Property name="help" value="SyncDomainController"/> </Display> </Field> Then, import the XML file and specify the domain controller (host) value in the resource form.

Table 5-9 lists solution to a commonly encountered issue associated with the connector when using Exchange 2010:

Table 5-9 Troubleshooting Connector Issues with Exchange 2010

Problem Description

Solution

The Exchange connector throws the following error: ConnectorServer.exe Error: 0 : System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : Logon failure: unknown user name or bad password. For more information, see the about_Remote_Troubleshooting Help topic.

Ensure the username and password specified are correct. The username must be in the format DomainName\UserName. User distinguished name (DN) must not be mentioned as a value for the ExchangeUser resource parameter. If this does not solve the issue, verify if you can connect to Exchange Server from the computer hosting the connector server using a remote PowerShell window using the same credentials by following below commands: $cred = Get-Credential //provide same credentials as specified in the resource $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<ExchangeServerHostName>/PowerShell/ -Authentication Kerberos -Credential $cred //provide same Exchange Server host name as provided in the resource parameter Import-PSSession $session //this should import Exchange cmdlets without any issues. Ideally by this step, you should encounter the issue. Remove-PSSession -Session $Session // remove newly created test session If the above steps complete without any error, then check Windows event logs for more information. Alternate Solution: Run the Enable-PSRemoting cmdlet to configure the Exchange Server computer to receive Windows PowerShell remote commands that are sent by using the WS-Management technology. For more information about the Enable-PSRemoting cmdlet, see: http://technet.microsoft.com/en-us/library/hh849694.aspx

Table 5-10 lists solution to commonly encountered issue associated with the connector when using Exchange 2007:

Table 5-10 Troubleshooting Connector Issues with Exchange 2007

Problem Description

Solution

The Exchange connector throws the following error while adding a user to a distribution group: ConnectorServer.exe Error: 0 : Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException: Problem while PowerShell execution Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException: Active Directory operation failed on MachineName.connectordevroot1.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS)

For Exchange 2007, the service account must be a member of the Exchange Recipient Administrator role and the Account Operator role in every domain where the distribution group exists. Add the user to the Account Operator role of the domain where the distribution group exists and restart the connector server.