If you just add the service account to the Exchange Recipient group, you will see the following error event in EventLog (and of course, the run profile will stop/fail with the error stopped-extension-dll-exception).

There is an error in Exch2010Extension BeginExportToCd() function.Type: System.Management.Automation.Remoting.PSRemotingTransportException

Message:

“Microsoft.MetadirectoryServices.ExtensionException: Processing data from remote server failed with the following error message: The user “<domain>/<ADMAAccount>” isn’t assigned to any management roles. For more information, see the about_Remote_Troubleshooting Help topic.

So based on the error, it’s clear that you have to add the account used for the Active Directory Management Agent to the Exchange Recipient Administrators group, instead of the FIM Sync Service service account.

My old blog (http://blog.gocloud-security.ch/2009/12/09/bitlocker-and-how-to-change-the-user-pin/) describes a possible solution/approach with a custom service or process that calls the manage-bde command. Now, since a couple of month, there is a much smarter way to allow your Windows standard users to change the BitLocker PIN – MBAM (Microsoft BitLocker Administration and Monitoring)!

MBAM has been released in August 2011 as part of MDOP and integrates different capabilities that have been missed with BitLocker. For example a helpdesk key recovery UI, single recovery keys (the MBAM client will create a new key once a BitLocker recovery key has been exposed), and different audit and compliance reports.

You can find a technical slide deck with all required information about MBAM
on http://media.ch9.ms/teched/na/2011/ppt/WCL317.pptx.

The A Solution for Private Cloud Security is a series of three papers on private cloud security. And is therefore a part of a collection of documents comprise the Reference Architecture for Private Cloud documentation set.

• Private Cloud Solution Hub, http://technet.microsoft.com/en-us/cloud/private-cloud
• Reference Architecture for Private Cloud, http://social.technet.microsoft.com/wiki/contents/articles/3819.reference-architecture-for-private-cloud.aspx
• A Solution for Private Cloud Security, http://social.technet.microsoft.com/wiki/contents/articles/6642.a-solution-for-private-cloud-security.aspx

The current version of the A Solution for Private Cloud Security considers the security aspects of design and create robust and comprehensive private and hybrid cloud environments and consists of the following three papers:

• Blueprint for A Solution for Private Cloud Security
• Design Guide for A Solution for Private Cloud
• Operations Guide for A Solution for Private Cloud

You can download all three documents in Word format as well, on http://gallery.technet.microsoft.com/A-Solution-for-Private-67209ab1.

You can find more information about this free training on http://blogs.technet.com/b/server-cloud/archive/2012/01/20/free-microsoft-private-cloud-training.aspx

And information about System Center 2012 and the new capabilities to build a private cloud can be found on http://blogs.technet.com/b/server-cloud/archive/2012/01/17/system-center-2012-a-true-private-cloud-builder.aspx.

• FIM PowerShell (MA and MV synchronization extension, Workflow activity and modules), http://fim.codeplex.com/
• PowerShell MA 2.0, http://blog.goverco.com/2012/01/powershell-management-agent-updated.html
• MARunScheduler (MASequencer), http://feedproxy.google.com/~r/AdventuresInIdentityManagement/~3/G6rPb2BEEy4/marunscheduler.html
• FIM related projects hosted on CodePlex, http://www.codeplex.com/site/search?query=FIM&ac=3
• …
• …

… and more with a next update!

Oh and yes, a rollup 1 for TMG 2010 SP2 has been published as well: http://support.microsoft.com/kb/2649961

The link that I used in my past blog was the one pointing to the TechNet magazine (http://technet.microsoft.com/en-us/magazine/ff472471.aspx). And one point which really confused me was the following:

Based on another table, the following attributes are required for a mail-enabled user:

Another interesting point is the following:

Now, wait a second… does that mean that I have to set the msExchHomeServerName as well when using Exchange 2010?? And should I use the ExchangeUtils class (of the Microsoft.MetadirectoryServicesEx) and especially the overloaded CreateMailEnabledUser() method? The answer is simple NO – for both questions!

First of all, have a look at the source code of the ExchangeUtils.CreateMailEnabledUser() method (btw, I used the free dotPeek from JetBrains as decompiler):

So no magic! What the CreateMailEnabledUser() method really does is set the two attributes – the mailNickname and targetAddress – that’s all! But there is another important part as well – the objectType = “user”; line. You are fine with that as long as you use the user class (default in Active Directory) when provisioning the user objects. But that’s not the case in the current project (where we use a custom class in the schema) and therefore anyway a no-go for the CreateMailEnabledUser() method!

You can find the online version of the 2nd edition on:

• http://msdn.microsoft.com/en-us/library/ff423674.aspx

But now the reason of this post – in addition to the online version, there is now downloadable PDF version of the 2nd edition. You can download it from:

• http://www.microsoft.com/download/en/details.aspx?id=28362

So the last thing that is missing is a printed version of the book… for those of you who want to read it under the Christmas tree.

“Windows Azure Active Directory is a cloud service that provides identity and access capabilities for applications on Windows Azure and Microsoft Office 365. Windows Azure Active Directory is the multi-tenant cloud service on which Microsoft Office 365 relies on for its identity infrastructure.
 
Windows Azure Active Directory utilizes the enterprise-grade quality and proven capabilities of Active Directory, so you can bring your applications to the cloud easily.  You can enable single sign-on, security enhanced applications, and simple interoperability with existing Active Directory deployments using Access Control Service (ACS), a feature of Windows Azure Active Directory.“

Maybe this indicates the direction of the journey… But anyway, at the moment the Windows Azure Active Directory is just the cloud implementation of AD FS 2.0 (with some custom capabilities).

Read the full article on  http://www.windowsazure.com/en-us/home/tour/access-control/

Articles from Anthony Ho:

• FIM 2010 R2 – Web-Based Password Reset Part 1, http://blogs.technet.com/b/aho/archive/2011/08/01/fim-2010-r2-web-based-password-reset.aspx
• FIM 2010 R2 – Web-Based Password Reset Part 2, http://blogs.technet.com/b/aho/archive/2011/11/29/fim-2010-r2-web-based-password-reset-part-2.aspx
• FIM 2010 R2 – Web-Based Password Reset Part 3, http://blogs.technet.com/b/aho/archive/2011/12/06/fim-2010-r2-web-based-password-reset-part-3.aspx

Articles from Paul Williams:

• Self-service password reset (SSPR) question and answer (QA) gate complexity criteria in FIM 2010 R2, http://blog.msresource.net/2011/11/24/self-service-password-reset-sspr-question-and-answer-qa-gate-complexity-criteria-in-fim-2010-r2/

Articles from Patrick Layani:

• FIM 2010 R2 – Web-Based SSRP using OTP, http://blogs.microsoft.co.il/blogs/patrick/archive/2011/12/06/fim-2010-r2-web-based-sspr-using-otp.aspx

And finally, the Evaluation Guide on TechNet: http://technet.microsoft.com/en-us/library/hh322874(WS.10).aspx