Exchange 2013 PowerShell Service Error


We have a new IDM 4.0.2 AE environment that we are trying to provision
Exchange 2013 mailboxes in.

We created a new IDM 4 Active Directory driver. We installed the IDM
PowerShell Service. We configured the service to run as a service
account in the AD domain. We validated the account permissions by
executing PowerShell commands direct from the PowerShell client on the
server where the IDM service is installed.

When executing a basic Enable-Mailbox command we are getting the
following error:

"[07/30/14 12:17:17.327]:Exchange 2013 ST:
DirXML Log Event -------------------
Driver:
\SEMPRA-IDV-QA-TREE\Sempra-IDV\Services\IDM\DriverSet\Exchange 2013
Channel: Subscriber
Object: \SEMPRA-IDV-QA-TREE\Sempra-IDV\Users\Active\799402
Status: Error
Message: Error completing powershell command. ERROR: The term
'Enable-Mailbox' is not recognized as the name of a cmdlet, function,
script file, or operable program. Check the spelling of the name, or if
a path was included, verify that the path is correct and try again."

We referred to the install doc and a support doc that referred to
required account permissions and installed tools but we confirmed that
to all still be valid in the environment.

We have tried running the IDM service as both a service account and as
the local system account, both approaches resulted in the same error.

Any other reasons why this error would be thrown? It seems the service
isn't loading the PowerShell commands properly but we have communication
to AD via the driver config, communication to Exchange verified through
the PowerShell client, authentication because the driver and the service
successfully start and authorization confirmed through the PowerShell
client.


--
gdrtx
------------------------------------------------------------------------
gdrtx's Profile: https://forums.netiq.com/member.php?userid=1660
View this thread: https://forums.netiq.com/showthread.php?t=51442

  • gdrtx wrote:

    >
    > We referred to the install doc and a support doc


    Which support doc?
    https://www.netiq.com/support/kb/doc.php?id=7014069
    or
    https://www.netiq.com/support/kb/doc.php?id=7012362


    > that referred to
    > required account permissions and installed tools but we confirmed that
    > to all still be valid in the environment.
    >
    > We have tried running the IDM service as both a service account and as
    > the local system account, both approaches resulted in the same error.


    When you mean a "service account" do you mean a regular AD user with the correct rights assigned in Exchange ("Recipient Management" and "View-Only Organization Management")?

    With "Local System", it is the computer account which needs to have rights assigned in Exchange ("Organizational Management").

    > Any other reasons why this error would be thrown? It seems the service
    > isn't loading the PowerShell commands properly but we have communication
    > to AD via the driver config, communication to Exchange verified through
    > the PowerShell client, authentication because the driver and the service
    > successfully start and authorization confirmed through the PowerShell
    > client.


    Have you looked at this TID?
    https://www.netiq.com/support/kb/doc.php?id=7012362

    Some of the reasons for your error:

    1. Incorrect Exchange rights assigned to the account that the service runs as.
    2. One or more Exchange servers lack the Exchange Management Tools locally installed.

    If you still have problems, I suggest you open an SR and get support to help troubleshoot the issue.


  • So yes, we have already found
    https://www.netiq.com/support/kb/doc.php?id=7012362 and that was part of
    the validations already done. So to more specifically answer your
    questions, yes by service account we mean a regular AD user with the
    correct rights assigned as documented in the driver doc and yes, the
    local system account is the computer account that has the documented
    rights assigned. And yes, all Exchange servers have the management
    tools locally installed.

    We ran the Windows PowerShell client from the IDM server where the IDM
    PowerShell Service is installed and created a PowerShell session with
    our target Exchange 2013 box using the AD credentials for our service
    account. Using that client we could execute all Exchange PowerShell
    commands. This validated that the service account had the required
    permissions and that there were no communication issues between the
    servers.

    Now the other link, https://www.netiq.com/support/kb/doc.php?id=7014069,
    has not been attempted yet. That article specifically mentions a
    Windows 2012 Standard server where we are running this on Windows 2008
    R2 Enterprise. Just for the sake of argument we will try that but I
    know the IDM PowerShell Service was installed as administrator but I'm
    not positive about the Exchange Management Tools...

    Thanks


    --
    gdrtx

  • gdrtx wrote:

    > target Exchange 2013 box using the AD credentials for our service
    > account. Using that client we could execute all Exchange PowerShell
    > commands. This validated that the service account had the required
    > permissions and that there were no communication issues between the
    > servers


    There is no way to guarantee that the IDM Exchange Service will connect to the same server you tested with. There could be communications issues with one of the other servers.
    Also, are there any older Exchange servers in your environment (2010 for example)? There are some known complexities/issues when you have a mixed-version deployment.


  • alexmchugh;247150 Wrote:
    >
    > There is no way to guarantee that the IDM Exchange Service will connect
    > to the same server you tested with. There could be communications issues
    > with one of the other servers.


    Thanks for the heads up. I was curious how that worked since a target
    server was never specified in any of my configurations. I will double
    check to make sure there are no communication issues with any other
    Exchange 2013 servers in the environment.

    alexmchugh;247150 Wrote:
    >
    > Also, are there any older Exchange servers in your environment (2010 for
    > example)? There are some known complexities/issues when you have a
    > mixed-version deployment.


    Uh-oh. This is being done as part of a migration from Exchange 2010 to
    Exchange 2013 so there are some of the old Exchange 2010 servers still
    in place. The plan is to start provisioning to the new servers while
    the Exchange team migrates the existing mailboxes over in batches. If
    mixed-version deployments are known to have issues this could be a
    problem.

    Do you know of any documentation that discusses the issues and possible
    solutions for mixed-version deployments?


    --
    gdrtx


  • gdrtx;247160 Wrote:
    > Thanks for the heads up. I was curious how that worked since a target
    > server was never specified in any of my configurations. I will double
    > check to make sure there are no communication issues with any other
    > Exchange 2013 servers in the environment.
    >
    >
    >
    > Uh-oh. This is being done as part of a migration from Exchange 2010 to
    > Exchange 2013 so there are some of the old Exchange 2010 servers still
    > in place. The plan is to start provisioning to the new servers while
    > the Exchange team migrates the existing mailboxes over in batches. If
    > mixed-version deployments are known to have issues this could be a
    > problem.
    >
    > Do you know of any documentation that discusses the issues and possible
    > solutions for mixed-version deployments?

    This should not be a problem with the next release of IDM.

    AD Driver configuration will provide an option to set a preferred Exchange
    server for use by the PowerShell service for provisioning if it is
    desired that the provisioning not rely on the Exchange server list
    discovered (current default behavior is all Exchange 2010/2013 servers
    are discovered in the farm and the first server would be used for
    Exchange provisioning).


    --
    vivekbm
    ------------------------------------------------------------------------
    vivekbm's Profile: https://forums.netiq.com/member.php?userid=528
    View this thread: https://forums.netiq.com/showthread.php?t=51442
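
Added example, not part of the thread and not NetIQ code: since the service picks from every discovered Exchange 2010/2013 server, a test against one hand-picked server proves little, so this sketch opens a remote Exchange session to each server as the service account and checks whether `Enable-Mailbox` is exposed there. Assumptions: `exch01.example.internal` is a placeholder seed server, and Kerberos remote PowerShell on `/PowerShell/` stands in for however the IDM service actually connects.

```powershell
# Added diagnostic sketch. Placeholder name below is hypothetical, not from the thread.
$seedServer = 'exch01.example.internal'   # any Exchange server you can already reach
$cred = Get-Credential                    # enter the account the IDM PowerShell Service runs as

function New-ExchangeSession {
    param([string]$Fqdn, [System.Management.Automation.PSCredential]$Credential)
    # Remote Exchange Management Shell endpoint; RBAC decides which cmdlets it exposes.
    New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "http://$Fqdn/PowerShell/" `
        -Authentication Kerberos -Credential $Credential -ErrorAction Stop
}

# 1. Ask the seed server for every Exchange server in the organization.
$seed = New-ExchangeSession -Fqdn $seedServer -Credential $cred
$servers = Invoke-Command -Session $seed -ScriptBlock { Get-ExchangeServer }
Remove-PSSession $seed

# 2. Connect to each server in turn and look for Enable-Mailbox in that session.
$report = foreach ($s in $servers) {
    $sessionOk = $false; $hasCmdlet = $false; $err = ''
    try {
        $session = New-ExchangeSession -Fqdn $s.Fqdn -Credential $cred
        $sessionOk = $true
        $cmd = Invoke-Command -Session $session -ErrorAction SilentlyContinue `
            -ScriptBlock { Get-Command -Name Enable-Mailbox }
        $hasCmdlet = [bool]$cmd
        Remove-PSSession $session
    } catch {
        $err = $_.Exception.Message      # connection or authentication failure
    }
    New-Object PSObject -Property @{
        Server        = $s.Fqdn
        Version       = "$($s.AdminDisplayVersion)"
        SessionOk     = $sessionOk
        EnableMailbox = $hasCmdlet
        Error         = $err
    }
}

# 3. One row per server; mixed 2010/2013 farms show up in the Version column.
$report | Sort-Object Version |
    Select-Object Server, Version, SessionOk, EnableMailbox, Error |
    Format-Table -AutoSize -Wrap
```

Any row with `SessionOk` or `EnableMailbox` false marks a server worth investigating before the service is pointed at the farm.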

  • > AD Driver configuration will provide an option to set preferred exchange
    > server for use by the powershell service for provisioning if it is
    > desired that the provisioning not rely on the exchange server list
    > discovered (current default behavior is all Exchange 2010/2013 servers
    > are discovered in the farm and the first server would be used for
    > exchange provisioning).


    Future tense? It 'will'? Or is it there, and we do not know about it yet?



  • It's addressed and ready for the next release.


    --
    vivekbm


  • Has there been any movement on this since July of last year? I've got
    the same issue. Any resolutions? Or has there been a patch released
    that addresses this?

    Thanks,


    --
    folboteur
    ------------------------------------------------------------------------
    folboteur's Profile: https://forums.netiq.com/member.php?userid=3683
    View this thread: https://forums.netiq.com/showthread.php?t=51442


  • folboteur;257213 Wrote:
    > Has there been any movement on this since July of last year? I've got
    > the same issue. Any resolutions? Or has there been a patch released
    > that addresses this?
    >
    > Thanks,


    IDM 4.5 that was released late last year (Oct. I think) added the
    support to specify a target Exchange server to resolve these types of
    conflicts. My issue was resolved in IDM 4.0.2 by removing the old
    version of Exchange from the environment after it was no longer needed.


    --
    gdrtx