Editing: How to Configure the Exchange 2010 RPS URI

Title
<html> <body> <p>The goal of this article is to explain the configuration of the Active Directory Management Agent (AD MA) so you can provision objects to Exchange 2010.<br> <br> This article will not discuss the attribute flows for the Exchange attributes. It will focus on the Exchange 2010 RPS URI specification. You can configure this URI in the extensions tab of the AD MA connected to the domain hosting your Exchange environment.</p> <p><img alt="" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/CommunityServer-Wikis-Components-Files/00-00-00-00-05/2402.FIM_5F00_.png" style="border:0px solid"></p> <p></p> <table cellspacing="0" cellpadding="0" style="width:100%; border-collapse:collapse"> <tbody> <tr> <th style="text-align:left; padding-bottom:5px; background-color:#c0c0c0; padding-left:5px; padding-top:5px"> <img alt="note" src="http://apfhrw.bay.livefilestore.com/y1pCed6u9dxDV3LOdzgtYt8xFaDWmIf_thMiOiFb3SmUARdxwIei5b6sPCHGruZWYphrJEU8j2BZEd51ZoAkp_ONkG8moMODvLC/Note.gif"> <strong>Note</strong></th> </tr> <tr> <td style="background-color:#f0f0f0; padding-left:5px">RPS URI stands for Remote PowerShell Uniform Resource Identifier.</td> </tr> </tbody> </table> <p><br> The Exchange 2010 RPS is available on each server which has the Client Access (CAS) role of Exchange 2010 installed. Leveraging remote PowerShell it allows you to send commands to Exchange 2010 without the need for the Exchange Management tools.</p> <table cellspacing="0" cellpadding="0" style="width:100%; border-collapse:collapse"> <tbody> <tr> <th style="text-align:left; padding-bottom:5px; background-color:#c0c0c0; padding-left:5px; padding-top:5px"> <img alt="note" src="http://apfhrw.bay.livefilestore.com/y1pCed6u9dxDV3LOdzgtYt8xFaDWmIf_thMiOiFb3SmUARdxwIei5b6sPCHGruZWYphrJEU8j2BZEd51ZoAkp_ONkG8moMODvLC/Note.gif"> <strong>Note</strong> </th> </tr> <tr> <td style="background-color:#f0f0f0; padding-left:5px">Provisioning towards Exchange 2007 requires the Exchange Management tools to be installed on the FIM Synchronization Server. Exchange 2010 does not have this dependency.</td> </tr> </tbody> </table> <p>Client Access servers can be installed in various topologies. For redundancy they can be installed in a load balanced setup. In a load balanced setup one or more virtual names are chosen to access Client Access role components such as Outlook Web Access. The load balancing solution will then redirect clients to one of the nodes in the farm when accessing the virtual name.</p> <p>One of the reasons to use a load balancing solution for Exchange 2010 CAS components can be redundancy. It completely makes sense to have your Exchange provisioning also benefit this redundancy. It's there anyhow, why not use it? Sadly there are some technical limitations.<br> <br> </p> <h2><a name="Exchange_2010_RPS_Requirements"></a><a name="Exchange_2010_RPS_Requirements"></a><a name="Exchange_2010_RPS_Requirements"></a>Exchange 2010 RPS Requirements</h2> <p>The Exchange 2010 RPS feature is made available through the /powershell virtual directory (IIS). In order to properly access it, there are some requirements:</p> <ol> <li>Access it using HTTP </li><li>Be authenticated using Kerberos </li></ol> <p><em>Use HTTP</em> is pretty straightforward, however <em>Kerberos authentication</em> requires some explanation. <strong>Service Principal Names</strong> (SPN’s) are a requirement for Kerberos authentication to take place. Every server has the HOST SPN registered on its computer account object by default. The HOST SPN is in fact an alias which includes many services. One of these services is HTTP. Otherwise said, when we access http://casservername.demo.com/powershell we can successfully be authenticated using Kerberos authentication without the need for any configuration changes.</p> <p>On the other hand, if we use an alias like webmail and access http://webmail.contoso.com/powershell we will not be able to authenticate using Kerberos. This would involve registering http/webmail.contoso.com on an account in Active Directory. But because we are talking about an alias which is used to access 2 or more CAS servers, we’d have to set this SPN on a shared account: a service account. And that’s where Exchange 2010 SP1 comes in. <strong>Starting from SP1 it’s now supported to perform the changes required for Kerberos authentication to a name assigned to the CAS array</strong>. The process is explained here:</p> <ul> <li><a href="http://technet.microsoft.com/en-us/library/ff808313.aspx">Using Kerberos with a Client Access Server Array or a Load-Balancing Solution</a> </li><li><a href="http://technet.microsoft.com/en-us/library/ff808312.aspx">Configuring Kerberos Authentication for Load-Balanced Client Access Servers</a> </li></ul> <h2 style="color:#365f91"><a name="FIM_2010_Provisioning_to_Exchange_2010_Pre_SP1"></a></h2> <h2 style="color:#365f91"><a name="FIM_2010_Provisioning_to_Exchange_2010_Pre_SP1"></a><a name="FIM_2010_Provisioning_to_Exchange_2010_Pre_SP1"></a><a name="FIM_2010_Provisioning_to_Exchange_2010_Pre_SP1"></a><a name="FIM_2010_Provisioning_to_Exchange_2010_Pre_SP1"></a>FIM 2010 Provisioning to Exchange 2010 (Pre SP1)</h2> <p>Before Exchange 2010 SP1 there was no way to properly Kerberos-enable the load balanced services. The only working way was to point the AD MA to a dedicated node in the load balanced farm:</p> <p> </p> <p><img alt="" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/CommunityServer-Wikis-Components-Files/00-00-00-00-05/4075.Wiki_5F00_PreSP1.png" style="border:0px solid"></p> <p> </p> <p>And more specifically, the Exchange 2010 RPS URI had to be of the format: <a href="http://netbiosname.fqdn/powershell"> http://NetBIOSname.fqdn/powershell</a> where NetBIOSname is the name of a CAS server.</p> <p><img alt="" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/CommunityServer-Wikis-Components-Files/00-00-00-00-05/5305.FIM_5F00_PreSP1.png" style="border:0px solid"></p> <h2 style="color:#365f91"><a name="FIM_2010_Provisioning_to_Exchange_2010_SP1_or_later"></a></h2> <h2 style="color:#365f91"><a name="FIM_2010_Provisioning_to_Exchange_2010_SP1_or_later"></a><a name="FIM_2010_Provisioning_to_Exchange_2010_SP1_or_later"></a><a name="FIM_2010_Provisioning_to_Exchange_2010_SP1_or_later"></a><a name="FIM_2010_Provisioning_to_Exchange_2010_SP1_or_later"></a>FIM 2010 Provisioning to Exchange 2010 SP1 or later</h2> <p>Exchange 2010 SP1 introduced some changes which allow you to Kerberos enable the load balanced services. Now you can point the AD MA to the load balanced services using their virtual name. As such your Exchange provisioning will not be interrupted when a node is unavailable.</p> <p><img alt="" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/CommunityServer-Wikis-Components-Files/00-00-00-00-05/6318.Wiki_5F00_SP1.png" style="border:0px solid"></p> <p>And more specifically, the Exchange 2010 RPS URI can be of the format: <a href="http://netbiosname.fqdn/powershell"> http://netbiosname.fqdn/powershell</a> where VirtualName is the name of a load balanced service. Besides that the required configuration changes have to be performed on the Exchange side of things and the SPN's have to be registered for http/VirualName.fqdn.</p> <p><img alt="" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/CommunityServer-Wikis-Components-Files/00-00-00-00-05/0143.FIM_5F00_SP1.png" style="border:0px solid"></p> <h2 style="color:#365f91"><a name="Summary"></a>Summary</h2> <p> Depending on your exchange version you have the following options:</p> <ol> <li><strong>Exchange 2010 pre SP1:</strong> http://casservername.demo.com/powershell </li><li><strong>Exchange 2010 SP1 or later:</strong> http://name-of-choice.demo.com/powershell </li></ol> <p>It’s really important to follow these guidelines carefully. The difference between both is that before SP1 you really had to use the NetBIOS name of a Client Access Server whereas from SP1 and later you can choose a DNS alias to access your load balanced Client Access Servers.</p> <h2 style="color:#365f91"><a name="Recommended_Reading"></a>Recommended Reading</h2> <ul> <li><a href="http://technet.microsoft.com/en-us/library/ff608273(WS.10).aspx" target="_blank">TechNet Magazine: Exchange Provisioning using ILM 2007 and FIM 2010</a> </li></ul> <h2 style="color:#365f91"><a name="Related_FIM_Forum_Posts"></a>Related FIM Forum Posts</h2> <ul> <li> <p><a href="http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/909ae62e-7a41-4a49-8a57-b0be6dd1e0d1/">Exchange 2010 RPS URI and NLB</a></p> </li></ul> <table cellspacing="0" cellpadding="0" style="width:100%; border-collapse:collapse"> <tbody> <tr> <th style="text-align:left; padding-bottom:5px; background-color:#c0c0c0; padding-left:5px; padding-top:5px"> <img alt="note" src="http://apfhrw.bay.livefilestore.com/y1pCed6u9dxDV3LOdzgtYt8xFaDWmIf_thMiOiFb3SmUARdxwIei5b6sPCHGruZWYphrJEU8j2BZEd51ZoAkp_ONkG8moMODvLC/Note.gif"> <strong>Note</strong> </th> </tr> <tr> <td style="background-color:#f0f0f0; padding-left:5px">To provide feedback about this article, create a post on the <a href="http://go.microsoft.com/fwlink/?LinkID=163230" target="_blank">FIM TechNet Forum</a>.<br> </td> </tr> </tbody> </table> </body> </html>
Comment
Tags
Please add 2 and 7 and type the answer here:

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?