Migration Manager for Exchange DirSync (QMM) – protocolSettings cannot be configured.
Today I want to share an experience I had with the Dell Migration Manager for Exchange (formerly QMM EX). After the email migration was concluded, all Exchange mailboxes were to be deleted in the source environment. The deletion process is defined to hide the mailboxes from the address book (msExchHideFromAddressLists=true) and to deactivate the email protocols (ActiveSync, OWA, POP, IMAP, MAPI). But these changes led to an undesired effect in the target environment.
Technical context
The email protocol settings of a mailbox can be displayed with the PowerShell cmdlet “Get-CASMailbox <username>”.
This information is saved in the Active Directory attribute “protocolSettings” of the user account. If this attribute is empty, all protocols are activated. Individual protocols can be deactivated by entering the protocol name followed by “§0§”. An activated protocol gets a “§1§” suffix. This Microsoft blog entry, although slightly old, provides a nice summary. In our example you can see with ADSIEDIT that the protocol POP3 is deactivated: protocolSettings=POP3§0§§§§§§§§§§§
Effects
What happens when protocolSettings has been changed in the source domain and a directory synchronization between the source and target domain has been set up with QMM EX? Exactly: changes to the attribute protocolSettings are transferred to the target domain. In our example this means that not even the newly migrated mailboxes can be used in the target domain. With deactivated email protocols, Outlook cannot connect to the mailboxes.
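To check which accounts carry deactivated protocols after such a synchronization, the protocolSettings values can be parsed using the “§0§” / “§1§” form described under Technical context. The following PowerShell is an added example, not part of the original post or of QMM; the function names are hypothetical, and the account names and sample values (including the IMAP4 entry and the shortened trailing fields) are constructed.

```powershell
# Added example: report protocols that protocolSettings marks as deactivated.
# The field separator is the section sign (U+00A7). It is built from its code
# point so the script does not depend on the encoding of the script file.
$s = [char]0x00A7

function ConvertFrom-ProtocolSetting {
    param([string]$Value)
    # First field = protocol name, second field = 0 (deactivated) or 1 (activated).
    # Any further fields are not interpreted here.
    $fields = $Value -split '\u00A7'
    $flag   = if ($fields.Count -gt 1) { $fields[1] } else { '' }
    $state  = if ($flag -eq '0') { 'Disabled' } elseif ($flag -eq '1') { 'Enabled' } else { 'Unknown' }
    [pscustomobject]@{ Protocol = $fields[0]; State = $state }
}

function Get-DisabledProtocol {
    param([string]$Account, [string[]]$ProtocolSettings)
    # An empty attribute means all protocols are activated, so nothing is reported.
    foreach ($value in $ProtocolSettings) {
        if ([string]::IsNullOrEmpty($value)) { continue }
        $parsed = ConvertFrom-ProtocolSetting -Value $value
        if ($parsed.State -eq 'Disabled') {
            [pscustomobject]@{ Account = $Account; Protocol = $parsed.Protocol }
        }
    }
}

# Constructed sample data (hypothetical accounts). Live data could come from:
#   Get-ADUser -LDAPFilter '(protocolSettings=*)' -Properties protocolSettings
$sample = @(
    [pscustomobject]@{ SamAccountName = 'user.a'; protocolSettings = @("POP3${s}0${s}", "IMAP4${s}0${s}") }
    [pscustomobject]@{ SamAccountName = 'user.b'; protocolSettings = @("POP3${s}1${s}") }
    [pscustomobject]@{ SamAccountName = 'user.c'; protocolSettings = @() }
)

# Lists user.a with POP3 and IMAP4; user.b and user.c produce no rows.
$sample | ForEach-Object {
    Get-DisabledProtocol -Account $_.SamAccountName -ProtocolSettings $_.protocolSettings
} | Format-Table -AutoSize
```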
QMM EX Directory Synchronization – Attributes to skip
The “Attribute to skip” configuration in the QMM directory synchronization defines which attributes are synchronized uni-directionally, bi-directionally or not at all. Unfortunately, I found that the attribute protocolSettings cannot be configured (grayed out).
There is a Quest/DELL knowledge base article for this issue. The option to skip the attribute protocolSettings was deactivated starting with version 8.6 of QMM EX.
Solution 1 – Quest/DELL custom development
The official solution by Quest/DELL suggests engaging Custom Development via the Account Manager (knowledge base article). A so-called Custom AddIn is developed which prevents the synchronization of the attribute protocolSettings.
Solution 2 – Withdrawal of Reading Rights (unofficial)
Following the Custom Development path suggested by Quest/DELL would have taken too long in our case, as we were pressed for time. We had to develop a plan B. Instead of adapting the configuration of DirSync, we withdrew all read permissions on the attribute protocolSettings from the DirSync service account in the source domain. When the attribute is changed, DirSync reads it. The Active Directory domain returns the value “ZERO” via LDAP. QMM DirSync interprets that as “empty” and sets the attribute in the target domain to “empty” as well. An empty protocolSettings attribute activates all available email protocols, which accidentally matched the desired configuration.
DirSync has been running with this configuration for 5 weeks and I haven’t been able to detect any negative effects yet.
Configuration of OU permissions