
Posts Tagged ‘ILM 2007’

Additional support statements for Microsoft ILM 2007

July 30th, 2009

In July 2009 Microsoft announced several new support options for ILM 2007. The following KB article provides details on the new support options: http://support.microsoft.com/default.aspx/kb/2000082. In short, ILM 2007 FP1 now supports:

  • Support on SQL Server 2008 database engines
  • PCNS Service Support for DCs on Windows Server 2008 CORE
  • Support on Hyper-V
  • CLM Client Support on 64 bit Windows Vista

    As mentioned before, ILM 2007 FP1 is also supported on Windows Server 2008 32-bit. Please refer to ILM 2007 – Windows 2008 Support


    ILM 2007 – Windows 2008 Support

    July 13th, 2009

    Good news for customers that want to get rid of new Windows Server 2003 installations. The Microsoft product team has changed the support statement for Windows Server 2008 and Microsoft Identity Lifecycle Manager 2007. Please refer to the ILM FAQ on Microsoft.com.

    Note this only includes 32-bit support. 64-bit support will launch with FIM 2010.

    Yes, Windows Server 2008 32 bit is a supported platform.

    The user provisioning and synchronization services can be installed on Windows Server 2008. Note that you might need to turn off UAC (User Access Control) when adding new Management Agents. SQL MA is one example where the MA needs elevated privilege on Windows to be able to impersonate the user account used to connect to remote system.

    Note also:

    With the update in KB article 946797 Certificate lifecycle management can be installed on Windows Server 2008 32 bit and use Active Directory Certificate Services Enterprise CA on Windows Server 2008 32 bit.


    A simple way to restrict public OWA address book view using ILM

    March 23rd, 2009

    In many organisations there are requirements to segment the Exchange Global Address List, but even with permissions, all users are visible within the OWA GAL. ILM can help to identify and manage specific search scopes within OWA. The solution is made up of two components: ILM’s ability to generate DN (distinguished name) values and place them within objects, and Exchange’s ability to limit the search base for a user’s object.

    Refer to http://support.microsoft.com/kb/817218 for more information regarding the msExchQueryBaseDN attribute, which can restrict the search base for a user’s address book.

    In order to restrict a user’s search base:

    Create a new address book that contains the records a user is supposed to see. This could be an empty address book (no records should be seen), or use ILM to populate the AD with great info to base the address book definition on :) .

    Include the msExchQueryBaseDN attribute within the AD management agent.

    Use ADSIEdit.msc to retrieve the DN for the newly created Address Book (e.g. “CN=No Addresses Available,CN=All Address Lists,CN=Address Lists Container,CN=Exchange,CN=Microsoft Exchange, CN=Services, CN=Configuration, DC=company,DC=com”).

    Now create an advanced attribute flow rule from the MV object to the CS object you wish to limit the scope of. Since msExchQueryBaseDN is a reference attribute, it is important to create a DN to the correct addressBook object in the configuration partition in Active Directory. To do this, add the following code within the attribute flow rule:


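    ' Look up the AD management agent by name so it can build the DN reference.
    Dim mAgent As ConnectedMA

    mAgent = mventry.ConnectedMAs("Active Directory")

    ' Point the user's OWA search base at the restricted address list.
    csentry("msExchQueryBaseDN").Value = mAgent.CreateDN( _
        "CN=No Addresses Available, " & _
        "CN=All Address Lists, CN=Address Lists Container, " & _
        "CN=Exchange,CN=Microsoft Exchange, CN=Services, " & _
        "CN=Configuration, DC=company,DC=com")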



    What is ExchangeLabs?

    February 3rd, 2009

    As part of Microsoft’s software + services strategy, we are enhancing the way we build, test and deliver Exchange.  On October 1, 2007, we announced Exchange Labs, a new program for testing the next version of Exchange in high-scale services environments. 

    ExchangeLabs is currently a service offered to educational institutions (more on this later), that is aimed at assisting the Microsoft Exchange team effectively test new versions of Exchange; while at the same time building a service offering that will be used across many of the product offerings in future.

    Who can use Exchange Labs?

    The initial rollout of Exchange Labs is designed for select schools and universities as part of http://get.live.com/edu.  Windows Live @ edu "powered by Exchange Labs", allows these select academic institutions to easily connect students and alumni with e-mail, and integrate these users with existing on-premises Exchange Server deployments that support faculty and staff.

    Universities and schools can get more information regarding the deployment of ExchangeLabs at: Getting Started with Exchange Labs.

    ExchangeLabs is built on top of the Windows Live ID platform, so even though a user on ExchangeLabs has an AD account, it is only used for internal Exchange purposes. For all end-user and administrative interaction a Windows Live ID is used. As such, any user that gets a Live ID is now also given access to a host of Windows Live services.

    Important: As part of the service, your school’s / university’s custom domain name is added to both ExchangeLabs and Windows Live. Thus your students will be using an email / Live ID like “user@mySchool.com”.

    So what do you get with ExchangeLabs:

    For end-users we have:

    • Windows Live ID authentication, that can be used with Messenger, Spaces, and all of the other Windows Live services. These include: Spaces, Skydrive (25GB), Messenger, Events, Alerts, Office Live Workspace (Beta) and many more.
    • Support for the complete Outlook experience: Microsoft Office Outlook, Outlook Web Access, Outlook Mobile
    • Support for the broadest set of 3rd party clients with POP, IMAP, and Exchange Activesync support
    • 10 GB of mailbox quotas (default – can be lowered)
    • 25Mb send and receive limits (default – can be changed)
    • Security with SSL enabled all of the time
    • Shared address books and calendars (GAL can be turned off)

    For school administrators we have:

    • Provisioning and administration tools to manage student and alumni accounts. (Powershell, Web interface and ILM Management Agent). Note: The ILM management agent is currently only given to customers with ILM knowledge or a deployment partner with ILM skills. This will change when the agent is out of testing and is launched.
    • Ability to integrate on-premises Exchange deployment for faculty and staff, with hosted Exchange Labs for students and alumni

    A very interesting fact is that ExchangeLabs is currently hosted on Exchange 14. The Exchange team is using this platform as a deployment and testing mechanism for revisioned builds. At time of publication of this post ExchangeLabs was running on Revision 2 with Revision 3 being imminent.

    In subsequent posts I will address aspects of ILM integrated deployments of ExchangeLabs (EL) as well as some Powershell tips.

    Microsoft ILM community support resources

    February 3rd, 2009

    At present there are various community forums/newsgroups that you can use to get quality support for ILM 2007 and above. At present these consist of:

    The MMSUG user group was founded in Sept 2000 when support was still given for MMS. The group later adapted to include MIIS and most recently ILM 2007 discussions. This group is loved by many because of its simple email-based communications as well as its large membership (2800+). The one major drawback of this group is the fact that it is hosted on Yahoo Groups; as ILM 2007 is a Microsoft product…. (you figure it out). As a result of this, no Microsoft product team member posts to this forum.

    Microsoft did however create its own newsgroup a few years ago as well, but this had some problems too. The most frustrating problem with the old NNTP solution is that content is only kept for a few days (30 if I’m not mistaken). As such Microsoft launched the TechNet forums last year (with MIIS getting its own little spot). Advantages of the new forums include:

    • Simple interface (No clients to configure / install)
    • Microsoft product team interaction
    • Searchable / indexed content (Google, MSN, Yahoo…they all turn up forum stuff in searches)
    • Answer tagging. (To find related content)
    • Persistent content. Information is kept for seven years—not 30 days.
    • Passport authentication. 
    • Visual Studio 2005 integration.
    • RSS feeds

    One of the major points counting against the current MIIS TechNet forum is its lack of email integration (that MMSUG has); as such there are still members of the community that use MMSUG and the MIIS Newsgroup.

    (Apart from these points, several people get to these other mechanisms through simple web search engine queries as well.)

    It is however the recommendation of Microsoft (and myself) that community members use the MIIS TechNet forums for their support questions. This gives you a way of interacting with skilled MIIS MVPs as well as the product team themselves (who regularly monitor the forum).

    Apart from the various community forums there have also been quite a few interesting ILM related websites (from MVPs of the community). Some of the most interesting ones are listed in my blog roll, but I would like to mention a few of them again:

    There are many other sites offering great ILM 2007 related reading, if you’d like to share some of these drop me a line at almeroATputtyqDOTcom.

    Querying the MicrosoftIdentityIntegrationServer database – Revisit

    February 3rd, 2009

    Updated: Many organisations and customers often express their requirement to effectively report on information contained within the ILM database (MicrosoftIdentityIntegrationServer). Although I would never recommend that direct database access is used for this, there are some cases in which information must be pulled from the ILM database itself.

    However, since ILM assumes that the MIISServer.exe process has exclusive access to the database, locking issues could cause you problems. (ILM will generate exceptions when locking occurs.)

    In an effort to overcome this, one solution is to read ‘dirty’ data from the SQL database. In this way you run the risk of not having completely accurate information, but you mitigate your risk of causing locking issues.

    The following post is a revisit of my original post regarding the use of the SQL hint ‘WITH NOLOCK’.

    In a follow-on post I will try to give an example of how simple reporting could be done (as mentioned below), but for now this will serve as the pre-requisite to querying the MicrosoftIdentityIntegrationServer database.

    Original Post:

    The SQL hint ‘NOLOCK’:

    NOLOCK
    Using NOLOCK politely asks SQL Server to ignore locks and read directly from the tables. This means you completely circumvent the lock system, which is a major performance and scalability improvement. However, you also completely circumvent the lock system, which means your code is living dangerously. You might read the not-necessarily-valid uncommitted modifications of a running transaction. This is a calculated risk.

    Within the MIIS/ILM database, the NOLOCK hint is not used for performance reasons but rather for safe MIIS/ILM operations. It is recommended that the NOLOCK hint is used so that your queries do not lock any data that MIIS/ILM might need during processing, thus causing MIIS/ILM to fail or generate errors. Keep in mind that ILM assumes that it has total database control.

    So where do you use it…

    SELECT        object_id
    FROM            mms_metaverse
    WITH (nolock)
    WHERE        (employeeID = @EMPID)

    An additional recommendation is that you offset your reporting requirements to an external database. By provisioning all the records within the Metaverse into an external database, most of your reporting requirements can be satisfied without querying the Metaverse directly. This does however have limitations around connector / disconnector reporting.
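The recommendation above, sketched as T-SQL. This is an added example, not code from the original post: it copies the two metaverse columns used in the query above into an external database with a dirty read, using an account that can only SELECT from mms_metaverse. The database IlmReporting (assumed to exist already), the table mv_snapshot, the Windows account CONTOSO\svc-ilm-report and the dbo schema are assumptions.

```sql
-- Added example. Hypothetical names: IlmReporting, mv_snapshot, CONTOSO\svc-ilm-report.
-- Assumes the ILM tables are in the dbo schema and IlmReporting already exists.

-- 1. One-time setup by a DBA: the reporting account may only SELECT from
--    mms_metaverse in the ILM database and owns nothing there.
CREATE LOGIN [CONTOSO\svc-ilm-report] FROM WINDOWS;
GO
USE MicrosoftIdentityIntegrationServer;
CREATE USER [CONTOSO\svc-ilm-report] FOR LOGIN [CONTOSO\svc-ilm-report];
GRANT SELECT ON dbo.mms_metaverse TO [CONTOSO\svc-ilm-report];
GO
USE IlmReporting;
CREATE USER [CONTOSO\svc-ilm-report] FOR LOGIN [CONTOSO\svc-ilm-report];
-- Full rights only inside the reporting copy, never in the ILM database.
EXEC sp_addrolemember 'db_owner', 'CONTOSO\svc-ilm-report';
GO

-- 2. Scheduled refresh, run as the reporting account.
-- Session-wide equivalent of adding WITH (NOLOCK) to every table reference.
SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED;
-- Dirty reads still take a schema-stability lock; give up after 5 s
-- instead of queueing behind (or in front of) ILM schema changes.
SET LOCK_TIMEOUT 5000;

IF OBJECT_ID('IlmReporting.dbo.mv_snapshot', 'U') IS NOT NULL
    DROP TABLE IlmReporting.dbo.mv_snapshot;

-- SELECT ... INTO copies the column types, so none are guessed here.
SELECT object_id, employeeID, GETDATE() AS captured_at
INTO   IlmReporting.dbo.mv_snapshot
FROM   MicrosoftIdentityIntegrationServer.dbo.mms_metaverse WITH (NOLOCK);

-- 3. Sanity check on the copy: a dirty scan can return the same row twice
--    (or skip rows) while ILM is writing. Any result here means the snapshot
--    was taken mid-run and should be refreshed before it is reported on.
SELECT object_id, COUNT(*) AS copies
FROM   IlmReporting.dbo.mv_snapshot
GROUP  BY object_id
HAVING COUNT(*) > 1;
```

Reports then query IlmReporting.dbo.mv_snapshot, so ad hoc report users never need a login on the ILM database at all.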

     
