Deploying Exchange 2000 Active Directory Connector
Acknowledgments
Chapter 1: What Is Active Directory Connector? .... 10
  What Does ADC Consist Of? .... 10
  Versions of ADC .... 10
  Exchange 2000 and Active Directory .... 11
  Connection Agreements .... 12
    Using a Single One-Way Connection Agreement to Export the Entire Organization .... 12
  Configuration Connection Agreements and the Site Replication Service .... 13
Chapter 2: Deployment Planning .... 16
  Questions to Ask Before Deploying Active Directory Connector .... 16
    How Many Exchange Sites Does the Organization Have? .... 16
    How Many Active Directory Domains Are Being Planned? .... 17
    Will Master/Account Domains Be Upgraded Before ADC Is Deployed? .... 18
    How Is the Container Structure in the Existing Exchange System Defined? .... 20
Chapter 3: Technical Planning .... 22
  Exchange Server Versions .... 22
  Schema Updates .... 22
  Installing Exchange Server 5.5 on a Windows 2000 Server .... 23
  Where Should ADC Be Installed? .... 24
  Deploying Multiple ADC Servers .... 25
ii Understanding and Deploying Exchange 2000 Active Directory Connector
  LDAP Ports and Protocols .... 25
  Planning Your Connection Agreements .... 26
    Scenario 1: Two Active Directory Domains, Three Exchange Sites .... 26
    Scenario 2: Simple Mapping .... 30
    Scenario 3: One Domain, Multi-Site, Split Containers .... 32
  Public Folder Connection Agreements .... 46
Chapter 4: Resource Usage .... 48
  Server Resources Consumed by ADC .... 48
  Network Consumption .... 48
  Using the Site Replication Service with Exchange 2000 Server .... 50
  Downstream Replication Traffic .... 51
Chapter 5: How Active Directory Connector Works .... 52
  Initial Replication .... 52
  Detecting Changes in the Exchange Directory .... 52
  Detecting Changes in Active Directory .... 53
  Object Class Mapping and Attributes .... 53
  Duplicate Object Detection .... 55
  Schema Discovery .... 56
Chapter 6: How to Implement Active Directory Connector .... 57
  ADC Installation .... 57
  Configuring Attribute Replication and Object Matching .... 58
  Creating Connection Agreements .... 60
  Creating Public Folder Connection Agreements .... 69
Chapter 7: After Installation .... 73
  How Active Directory Connector Finds, Matches, and Links Objects .... 73
  Replicated Objects in Active Directory .... 75
  Replicated Objects in the Exchange Directory .... 77
  Primary vs. Non-Primary Connection Agreements .... 78
Chapter 8: Troubleshooting .... 81
  Event Logs .... 81
    Event Logging .... 82
  Directory Inconsistencies .... 83
    Additional Troubleshooting .... 83
    Best Practices When Using Diagnostic Logging .... 84
    Failure to Write to an Object .... 84
    Failure to Match an Object .... 84
    Troubleshooting Failures-to-Match .... 85
    Failed.ldf File .... 85
    Ldif.err File .... 85
Chapter 9: Advanced Configuration .... 86
  Tools .... 86
  Changing the LDAP Search Filter Rule .... 87
  Changing the Attribute Mapping Table .... 88
Appendixes .... 89
Appendix A: Schema Updates Made by the Exchange 2000 Server Active Directory Connector .... 90
Appendix B: Manipulating Mailbox to Active Directory Account Replication .... 94
Appendix C: Attributes of a Connection Agreement .... 95
  General Attributes .... 95
  Windows Server-Specific Attributes .... 97
  Exchange Server-Specific Attributes .... 99
Appendix D: ADC Matching Rules .... 102
  Format of ADC Matching Rules .... 104
  Modifying Object Matching Rules .... 105
Appendix E: Viewing and Modifying the Attribute Mapping .... 107
  Changing the Attribute Mapping Rules Manually .... 109
    Syntax of Schema Map Files .... 109
    Validating Object-Class Matches .... 113
  Unmerged Attribute Cleanup .... 113
  Specifying an Authoritative Attribute Source .... 114
Appendix F: Move Server Wizard .... 115
Appendix G: Replicating Distribution Lists and Groups .... 117
  Exchange 5.5 Distribution Lists .... 117
  Windows NT 4.0 Groups .... 117
  Windows 2000 Groups .... 117
  Distribution Groups vs. Security Groups .... 118
  Windows 2000 Domain Modes and Group Restrictions .... 118
  Active Directory Connector and Distribution Lists .... 118
  Access Control Lists and Groups .... 118
  Token Augmentation .... 119
  Converting Universal Distribution Groups to Universal Security Groups .... 119
  Disconnecting User Domain Upgrades from Exchange 2000 Deployment .... 119
  Added Complexity from Disabled Users and Mailbox Rights .... 120
  Moving Groups from a Mixed-mode Domain to a Native-mode Domain .... 120
Appendix H: Four Test Topologies .... 122
Appendix I: Inter-Organization Connection Agreement .... 126
  Arbitrating Changes .... 126
    Replication Loop Prevention .... 128
  Additional Registry Keys for ADC .... 129
Appendix J: Additional Resources .... 131
  Technical Articles .... 131
  Resource Kits .... 131
  Microsoft Knowledge Base Articles .... 131
Introduction
Overview
Organizations deploy Active Directory Connector (ADC) for four main reasons:
• To take advantage of the rich information about users in the Microsoft® Exchange directory
by replicating it (rather than re-entering it) to the Microsoft Active Directory® directory
service (replicating may be either for Active Directory testing purposes or for the production
environment).
• To replicate existing Microsoft Exchange Server version 5.5 directory data to Active
Directory so that new third-party applications can take advantage of it.
• To create an environment in which both Active Directory and the Exchange directory can be
managed from one management application.
• To make it possible to deploy Exchange 2000 Server while coexisting with the installed
Exchange environment.
If any of the preceding reasons apply to your organization, use this book to plan and carry out
your deployment of ADC.
If none of these reasons apply to your organization, you may not need to deploy ADC. For
example, Exchange 5.5 can run efficiently without ADC, even when the domains and servers
have been upgraded to Microsoft Windows® 2000 Server and Active Directory. Active Directory
continues to provide authentication services for Exchange just as Microsoft Windows NT®
Server version 4.0 did, and Microsoft Outlook® continues to use the directory service in
Exchange.
This book provides an example of an implementation of ADC, including screen shots.
Note
The information in this book is based on Microsoft Windows 2000 Server Service
Pack (SP) 2 and Microsoft Exchange 2000 Server SP2.
Active Directory Connector (ADC) is the component that synchronizes the Microsoft®
Windows® 2000 version of the Active Directory® directory service with the Microsoft Exchange
Server version 5.5 directory. This synchronization aids in the implementation of Active Directory
for organizations that have already deployed Exchange 5.5. ADC is a necessary component for
achieving coexistence between Exchange Server 5.5 and Exchange 2000 Server.
ADC:
• Uses the Lightweight Directory Access Protocol (LDAP) application programming interface
(API) to perform fast replication between the two directories.
• Hosts all active replication components in Active Directory.
• Only replicates objects that have changed, whenever possible, to minimize replication
traffic.
• Maintains object fidelity through replication (for example, the Active Directory Group object
maps to the Exchange Distribution List object).
• Hosts multiple connections on a single Active Directory server and manages these through
connection agreements.
Versions of ADC
The basic replication functionality of ADC is included with Windows 2000. However, when you
install Exchange 2000, an update is installed.
Connection Agreements
Installing ADC on a server defines a service within Windows 2000. To establish a relationship
between an existing Exchange site and Active Directory, you must configure a connection
agreement. The connection agreement holds information, such as the server names to contact for
replication, object classes to replicate, target containers, and the replication schedule.
It is possible to define multiple connection agreements on a single ADC server, each of which
can go from Active Directory to a single Exchange site or to multiple Exchange sites. For optimal
performance, it is recommended that each ADC server manage no more than 50 to 75 individual
connection agreements, depending on the specifications of the computer and the number of
objects in each directory. In enterprise environments, you may want to deploy multiple ADC
servers to improve performance, especially when there are multiple geographic locations that
contain Exchange servers and domain controllers.
Before installing Exchange 2000, you must reconfigure the connection agreements to allow for
two-way replication for, at a minimum, the site where you are going to install the Exchange 2000
server. The mixed site needs to be removed from the list of export containers on the From
Exchange tab of the one-way connection agreement, because that site now has its own two-way
connection agreement. You can create multiple connection agreements (on the same ADC server,
if you prefer) if multiple Exchange sites exist in the Exchange 5.5 directory.
Configuration Connection Agreements and the Site Replication Service
A Recipient Connection Agreement replicates recipient objects, such as mailboxes, distribution
lists, and contacts, between the Exchange 5.5 directory and Active Directory; however, when an
Exchange 2000 server belongs to an existing Exchange 5.5 site, configuration information must
be replicated. This replication allows the Exchange 2000 server to be represented in the
Exchange site server list so that earlier versions of Exchange can send and receive messages as
seamlessly as if the new server were running Exchange 5.5. Additionally, gateway or route
information must be replicated between the two directories to allow Exchange 2000 servers to
send messages to specialized connectors that exist on the Exchange 5.5 servers and vice versa.
All configuration information is replicated through a unique instance of a connection agreement,
which is known as a configuration connection agreement or Config CA.
Unlike standard connection agreements, Config CAs are configured automatically by Exchange
Server rather than having to be instantiated manually. Additionally, the agreement for replicating
configuration-naming context data is between Active Directory and the Exchange Site
Replication Service (SRS) rather than between Active Directory and Exchange Server 5.5. The
SRS is a component installed by Exchange 2000 Server and is similar to the Exchange 5.5
directory service, although the Name Service Provider Interface (NSPI) is disabled, so clients do
not connect directly to the SRS to perform address book operations. When an Exchange 2000
server is installed into an Exchange 5.x site, the SRS is used for intra-site directory replication
over remote procedure calls (RPCs). If an Exchange 5.5 directory-replication bridgehead server
is upgraded to Exchange 2000, the SRS provides mail-based directory replication to downstream
Exchange 5.x sites.
Config CAs are named "ConfigCA_SRSNAME", where SRSNAME is the name of the SRS with
which the Config CA is associated. You can use the Active Directory Connector Management
snap-in to view the properties of Config CAs; however, most properties are read-only and cannot
be modified. Like a standard Exchange directory service, the SRS supports direct LDAP calls
and listens on port 379 to avoid port contention with other LDAP services running on the
computer.
Figure 1.3 Exchange Server 5.5 and Exchange 2000 Server co-existence with the Site Replication Service
After replication, all Exchange 5.x sites are represented in Active Directory as administrative
groups. Exchange 2000 servers in the administrative group are represented in the Exchange 5.x
site. Typically, there is only one Config CA and Site Replication Service per mixed site. The Site
Replication Service is on the first Exchange 2000 server installed into an Exchange 5.5 site or the
first one to be upgraded. However, additional Site Replication Services can be created in a site by
upgrading an Exchange 5.5 server that is the bridgehead of a Directory Replication Connector, or
by using Exchange System Manager to create a new Site Replication Service on an existing
Exchange 2000 server in the site.
Chapter 2
Deployment Planning
Before you deploy Active Directory Connector (ADC) and its connection agreements, it is vitally
important that you consider all of the organization's business requirements to avoid problems
later on. ADC can be configured to make fundamental changes to directories (including deleting
objects). Therefore, incorrect deployment could result in destabilization of the existing
Microsoft® Exchange infrastructure.
Caution
Although ADC allows you to create Enabled Windows User, Disabled Windows User,
or Contact objects in Active Directory, you should never configure ADC to create
Enabled Windows User or Contact objects. Contact objects cannot be merged into
Enabled Windows User objects later. The accounts created by ADC are not meant to
be logged on to as security principals; they are merely placeholders for the Exchange
mailbox attributes. Using enabled accounts will not allow users to access the
mailboxes with their Windows NT 4.0 accounts, or to later merge with the upgraded
or migrated accounts. Additionally, the disabled users created by ADC should not be
enabled and used for logon, unless specific steps are taken to update the mailbox
rights and msExchMasterAccountSID that are set on the user. You must either
upgrade the Windows NT 4.0 domain, or use a domain migration utility that can
migrate SIDHistory, to bring the Windows NT 4.0 accounts into Active Directory. For
more information about the disabled accounts, see Microsoft Knowledge Base article
316047, "XADM: Addressing Problems That Are Created When You Enable ADC-
Generated Accounts" (http://support.microsoft.com/?kbid=316047).
Now that the disabled user is representing the mailbox in Active Directory, it is possible to move
the mailbox to an Exchange 2000 server using the Active Directory Users and Computers MMC
snap-in. At this point, because of the "Associated External Account" Information Store
permissions and msExchMasterAccountSID, the Windows NT 4.0 user can log on to the
Exchange 2000 mailbox.
At some point, before or after the mailbox is moved to Exchange 2000, the Windows NT account
must be upgraded or migrated. To upgrade the domain, the primary domain controller needs to be
upgraded to Windows 2000. Backup domain controllers do not need to be upgraded immediately,
because a mixed-mode domain supports Windows NT 4.0 backup domain controllers. When you
upgrade, the Security Accounts Manager (SAM) account database is upgraded directly, and the
user accounts in Active Directory keep the same SID that the Windows NT 4.0 account had.
To migrate the users into Active Directory, there are a variety of domain migration tools, such as
the Active Directory Migration Tool. The main requirement is that the tool supports migrating
SIDHistory. SIDHistory adds the SID of the Windows NT 4.0 user onto the newly created Active
Directory user to allow the Active Directory user to access the same resources that the
Windows NT 4.0 user could, by adding the Windows NT 4.0 SID to the user's token.
After the Windows NT accounts have been upgraded or migrated, you will have two accounts in
Active Directory — the disabled user account created by ADC with all the mail attributes and
msExchMasterAccountSID, and the enabled user account, either upgraded or migrated with
SIDHistory. To merge the two accounts together, and stamp all the mail attributes onto the
enabled account, use the Active Directory Cleanup Wizard (ADClean). ADClean looks for
enabled accounts whose objectSID or SIDHistory match the msExchMasterAccountSID of the
disabled users. When it finds a match, it merges the mail attributes onto the enabled users, and
then deletes the disabled user.
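The ADClean matching and merge step described above, as an added example that is not part of the book: the account records, distinguished names and SID values are constructed for the example, and the code models the logic rather than querying a live directory.

```python
# Added example (not from the book): a model of the matching step that the
# Active Directory Cleanup Wizard (ADClean) performs, as described above.
# Accounts are constructed dicts standing in for Active Directory user
# objects; nothing here queries a live directory.

# Mailbox attributes that move from the ADC placeholder to the enabled user
# (constructed subset for the example).
MAIL_ATTRIBUTES = (
    "mail", "mailNickname", "legacyExchangeDN", "proxyAddresses",
    "homeMDB", "msExchHomeServerName",
)


def sids_of(account):
    """Every SID under which an account is recognised: its own objectSid
    plus any Windows NT 4.0 SIDs carried in sIDHistory after migration."""
    return {account["objectSid"], *account.get("sIDHistory", ())}


def adc_placeholders(accounts):
    """ADC-created placeholders: disabled users stamped with the SID of the
    Windows NT 4.0 account that owns the Exchange 5.5 mailbox."""
    return [a for a in accounts
            if not a["enabled"] and "msExchMasterAccountSID" in a]


def merge_mail_attributes(enabled, placeholder):
    """Stamp the placeholder's mail attributes onto the enabled account.
    msExchMasterAccountSID is not copied: the enabled user is its own
    security principal, so the mailbox no longer needs a master account."""
    merged = dict(enabled)
    for attr in MAIL_ATTRIBUTES:
        if attr in placeholder:
            merged[attr] = placeholder[attr]
    return merged


def adclean(accounts):
    """Simulate one ADClean pass over the directory.

    A placeholder is merged only when exactly one enabled account has an
    objectSid or sIDHistory entry equal to its msExchMasterAccountSID.
    Returns the directory after the merges (merged placeholders deleted)
    plus the per-placeholder outcome lists.
    """
    by_dn = {a["distinguishedName"]: a for a in accounts}
    enabled = [a for a in accounts if a["enabled"]]
    merged, unmatched, ambiguous = [], [], []
    for placeholder in adc_placeholders(accounts):
        master_sid = placeholder["msExchMasterAccountSID"]
        candidates = [a for a in enabled if master_sid in sids_of(a)]
        if not candidates:
            # NT account not upgraded or migrated yet: leave the placeholder alone.
            unmatched.append(placeholder["sAMAccountName"])
        elif len(candidates) > 1:
            # Two enabled users claim the same SID: never guess, report it.
            ambiguous.append(placeholder["sAMAccountName"])
        else:
            dn = candidates[0]["distinguishedName"]
            by_dn[dn] = merge_mail_attributes(by_dn[dn], placeholder)
            del by_dn[placeholder["distinguishedName"]]
            merged.append((placeholder["sAMAccountName"],
                           candidates[0]["sAMAccountName"]))
    return {"accounts": list(by_dn.values()), "merged": merged,
            "unmatched": unmatched, "ambiguous": ambiguous}


# Constructed sample: alice's NT account was migrated with SIDHistory, so her
# new account carries the old NT SID; bob's NT account has not been migrated
# yet, so only his ADC placeholder exists. All SID values are made up.
NT_SID_ALICE = "S-1-5-21-1111111111-2222222222-3333333333-1105"
NT_SID_BOB = "S-1-5-21-1111111111-2222222222-3333333333-1106"

SAMPLE_ACCOUNTS = [
    {"distinguishedName": "CN=alice,OU=Users,OU=Sales,DC=northwindtraders,DC=com",
     "sAMAccountName": "alice", "enabled": True,
     "objectSid": "S-1-5-21-4444444444-5555555555-6666666666-1201",
     "sIDHistory": [NT_SID_ALICE]},
    {"distinguishedName": "CN=alice,OU=ExchangeTemp,DC=northwindtraders,DC=com",
     "sAMAccountName": "alice-adc", "enabled": False,
     "objectSid": "S-1-5-21-4444444444-5555555555-6666666666-1301",
     "msExchMasterAccountSID": NT_SID_ALICE,
     "mail": "alice@northwindtraders.com", "mailNickname": "alice",
     "legacyExchangeDN": "/o=Northwind Traders/ou=Seattle/cn=Recipients/cn=alice"},
    {"distinguishedName": "CN=bob,OU=ExchangeTemp,DC=northwindtraders,DC=com",
     "sAMAccountName": "bob-adc", "enabled": False,
     "objectSid": "S-1-5-21-4444444444-5555555555-6666666666-1302",
     "msExchMasterAccountSID": NT_SID_BOB,
     "mail": "bob@northwindtraders.com", "mailNickname": "bob"},
]


def run_sample():
    """Run the pass over the constructed directory; alice is merged, bob waits."""
    return adclean(SAMPLE_ACCOUNTS)
```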
Figure 2.1 Choosing recipient containers to export from Exchange Server 5.5
For example, suppose that an Exchange site has three containers: Recipients, Distribution Lists,
and External Addresses.
• To retain the same structure in Active Directory, create a single connection agreement. The
source container in the Exchange directory is the site because the subcontainers can be
created automatically in Active Directory and populated. Note that ADC will only create a
subcontainer if there are objects (mailboxes, distribution lists, custom recipients) within the
source subcontainer for which ADC has to create a new object in the source directory.
• To consolidate all three Exchange containers into a single container or organizational unit in
Active Directory, create a single connection agreement and choose each of the three
containers as the source individually.
• To have complete control over each container (specifying target container or organizational
unit replication times and deletion variables), create three separate connection agreements.
Note
To change the model completely so that the Active Directory structure represents the
business model, configure a single connection agreement, choose the containers
individually or choose the site level, and then replicate them to a dummy target
container or organizational unit in Active Directory. After the objects have been
replicated, you can use Active Directory Users and Computers to move those objects
(by right-clicking the object) to the correct container or organizational unit. ADC
retains the relationship between the two objects even though they have been
moved. This relationship is maintained because of the match between the object and
the globally unique identifier (GUID). If you use this approach, remember to include
the new container or organizational unit as an export container on the From
Windows tab of the two-way connection agreement. Otherwise, changes made to
the object in Active Directory are not replicated back to the Exchange directory.
Note
It is not recommended that you create a special container in Exchange 5.5 to hold new objects that are created in Active Directory. For example, do not create an "Exchange 2000 mailboxes" container in Exchange 5.5 and use that as the default destination on the From Windows tab. Instead, use the Recipients container as the default destination (where new objects are created in Exchange if no match can be found). There are two reasons for this:
• It does not make sense to separate mailboxes in Exchange 5.5 based on whether they are Exchange 5.5 or Exchange 2000 mailboxes. This approach does not work because there is no way to move objects between containers in Exchange 5.5. Eventually, all of the mailboxes will be moved to Exchange 2000, even if they are in a container that originally held only Exchange 5.5 mailboxes.
• The Exchange 5.5 directory structure has a limited lifetime. As soon as all of the Exchange 5.5 servers have been upgraded, the Exchange 5.5 directory will no longer be used.
Using the Recipients container as the default destination will simplify administration and connection agreement configuration.
Chapter 3
Technical Planning
Chapter 3 presents information you should be familiar with as you plan your deployment of
Active Directory Connector (ADC). Three detailed scenarios are provided to illustrate how to
deploy connection agreements correctly. A section on the public folder connection agreement
describes this special type of connection agreement.
Schema Updates
When the Exchange 2000 ADC is configured with a two-way connection agreement in the
Exchange 5.5 site, the schema version is checked and updated as required. If you upgrade one of
the servers in the site to Exchange 5.5 SP3, the schema is up-to-date; if not, the directory service
on the target Exchange bridgehead server is stopped, the new schema updates are added, and the
service is started again. The actual schema changes are listed in Appendix A, "Schema Updates
Made by the Exchange 2000 Server Active Directory Connector."
Note
You need Schema Admin permissions to update the schema.
Installing Exchange Server 5.5 on a Windows 2000 Server
Some customers may want to deploy Exchange 5.5 on Microsoft Windows® 2000 Server. This is
possible, but Exchange 5.5 SP3 or later should be installed to support this configuration fully.
After the Exchange 5.5 installation, you may notice that the Active Directory® directory service
contains no information about Exchange. Also, when you try to create new User objects in
Active Directory Users and Computers, you are not prompted to create a Mailbox object. On
Microsoft Windows NT® 4.0, Setup for Exchange Server installs the mailumx.dll library to
support User Manager for Domains. With this DLL in place, the Exchange Administrator and
User Manager programs appear to be linked together. Because Windows 2000 uses a different
administration architecture, this linking is no longer possible through the installed DLL.
If you use the Exchange Administrator program to create Active Directory User objects
automatically, only a small set of fields is populated. The Active Directory display name is set to
the mailbox display name, and the Security Accounts Manager (SAM) account name is set to the
selected logon name.
For Active Directory to recognize the existence of an Exchange 5.5 installation, ADC must be
installed. Even if you haven't configured any connection agreements, ADC should appear in
Active Directory Sites and Services Manager and all Active Directory User and Contact objects
should have the following new configuration options:
• E-mail Addresses tab
• Exchange Tasks, Create Mailbox
After ADC is installed, when creating User objects, the wizard prompts you to create an
Exchange mailbox. However, if you have not configured a connection agreement that exports the
organizational unit the user is in to Exchange 5.5, these options are unavailable.
Note
The new options available after ADC installation are supported only on servers and
workstations that have the ADC manager component or Exchange 2000 System
Manager installed directly on them. The new functionality is in an MMC extension
named maildsmx.dll.
Figure 3.1 Creating an Exchange mailbox using Active Directory Users and Computers
Figure 3.2 Synchronizing multiple Exchange Server 5.5 sites with ADC
Figure 3.3 demonstrates the connection agreements. You may find it helpful to sketch the
containers and connection agreements when you plan an ADC configuration.
Figure 3.4 Two Exchange Server 5.5 sites and a single Active Directory domain
There are four existing Windows NT 4.0 account domains that hold all user accounts. All
Exchange mailboxes in the organization have the primary Windows NT account in one of the
four domains. The administrators have created a single new Windows 2000 domain,
northwindtraders.com, which they plan to migrate all Windows NT accounts into using a third-
party migration tool that supports migrating SIDHistory. Exchange 2000 will be installed, and
users moved from Exchange 5.5 to Exchange 2000, before the Windows NT migration is
completed.
Currently, direct RPC connectivity to the server where the ADC service is installed is not
available at all sites. Additionally, the Exchange environment is not managed centrally, so setting
up connection agreements to all 20 sites directly is not possible until administrators in the remote
sites can coordinate access. Both of these issues will be resolved before the remote sites are ready
to upgrade to Exchange 2000.
Business and Technical Requirements for Active Directory
• All information from the entire Exchange directory needs to be integrated into Active
Directory as soon as possible. Exchange 2000 servers will be installed into the Seattle and
Boston sites.
• The business has already designed an organizational unit structure for Active Directory
based on business units (Sales, Marketing, Research, and Support). Under each business unit
are organizational units named Users and Groups. The migration tool will use information
about the Windows NT 4.0 accounts to create the new accounts in the appropriate
organizational unit. The company has an automated tool to move the groups created by ADC
under the appropriate business unit.
• The business does, however, want to keep the SMTP contacts in a different organizational
unit in Active Directory, which is called External and will reside in the northwindtraders.com
domain. All custom recipients from all sites should be in this container.
• The Northwind Traders administrators should be able to create a user in any business unit
Users container, and put that user's mailbox on an Exchange 2000 server at any site that has
an Exchange 2000 server installed.
• Any new mail-enabled groups created in Active Directory should be replicated to the Seattle
site.
• Any new Contacts created in the External organizational unit should be replicated to the
Seattle site.
Solution
Deploy one ADC server, initially with six connection agreements: two two-way for Seattle, two
two-way for Boston, and two one-way connection agreements to replicate the remaining
Exchange 5.5 sites into Active Directory. Create a new container in Active Directory named
ExchangeTemp, and use this as the default destination for all mailboxes and distribution lists
from Exchange.
34 Understanding and Deploying Exchange 2000 Active Directory Connector
As another Exchange site such as Washington or Miami prepares to deploy Exchange 2000, set
up two new connection agreements for that site and remove that site from the two existing one-
way connection agreements. See Table 3.4 for information about connection agreement
configuration for this scenario.
Table 3.4 Connection agreement configuration for this scenario (Advanced tab: Primary to
Exchange organization)
Figure 3.10 Pure Exchange 5.5 Custom recipient from Exchange to Windows
This connection agreement configuration will set up Boston and Seattle for two-way replication
to allow Exchange 2000 to be deployed, and also ensure that all objects in the other sites are
represented in Active Directory. When the Washington site is preparing to install Exchange 2000,
the Northwind Traders administrators make the following changes to the connection agreement
setup:
1. On the "Pure Exchange 5.5 Mailbox/Distribution List from Exchange to Windows" and
"Pure Exchange 5.5 Custom Recipient from Exchange to Windows" connection agreements,
remove the Washington containers from the Exchange export containers.
2. Create two new connection agreements for Washington: one for mailboxes/distribution lists
and one for custom recipients.
Chapter 3: Technical Planning 43
Table 3.7 shows the configuration for these new connection agreements.
Table 3.7 Configuration for the new Washington connection agreements (Advanced tab, Primary
to Exchange organization: No for the mailbox/distribution list agreement, No for the custom
recipient agreement)
Figures 3.11 and 3.12 represent the two new connection agreements.
• Any new mail-enabled groups created in Active Directory will be created in the
Seattle/Recipients container, not the Seattle/Distribution List container. If Northwind Traders
wants the distribution lists created in the Distribution List container, it will need to create
additional connection agreements that handle only Group objects, with the default destination
in Exchange set to the Distribution List container.
Resource Usage
Chapter 4 provides information about the server resources that are consumed by Active Directory
Connector (ADC), network resources that are consumed when ADC is running, and factors that
affect how many resources are consumed.
Network Consumption
For large Microsoft® Exchange Server and Microsoft Active Directory® directory service
deployments, you must plan carefully for any additional overhead that ADC and its connection
agreements produce. The following information is especially important if you need to size
servers and network capacity accurately. This information is even more important when the ADC
server, the Active Directory server, and the server running Microsoft Exchange Server
version 5.5 are connected over relatively slow connections.
Table 4.1 indicates the number of network frames and total traffic sent between the different
components. In the following scenarios, a change is made to the phone number on User objects
in Active Directory. Similarly, changes are made to the phone number field in the Exchange
directory objects. In these samples, ADC is running on a member server. If your deployment
places ADC and the global catalog on the same computer, disregard the network communications
between ADC and the global catalog in the table.
Table 4.1 Network traffic for three changes in the Exchange Server 5.5 directory service
Path                        Frames    Wire size
ADC to global catalog       107       43 KB
Global catalog to ADC       122       115 KB
ADC to Exchange 5.5/SRS     37        12 KB
Exchange 5.5/SRS to ADC     30        12 KB
Total                       296       182 KB
The conclusions drawn from the information in Table 4.1 are as follows:
• When the two directories are static, only a small amount of data is passed between all
components. However, the majority of this small traffic is between the ADC server and the
global catalog. The connection agreement performs the following actions on each
synchronization cycle:
• Checks to determine whether the Exchange 5.5 or Active Directory schema has
changed.
• Enumerates the Exchange 5.5 organizational units (sites) to determine which are
writable.
• Enumerates all servers in the local Exchange 5.5 site.
• Determines the list of domains in the target forest.
• Exports any updates.
• Changes made in the Exchange 5.5 directory cause a greater amount of data to be moved
over the network relative to changes in Active Directory.
• Replication data from Active Directory to the Exchange directory is linear. When there are
one or more changes to be replicated, use the following calculation:
121 kilobyte (KB) bind + 11 KB per changed object
• Replication data from the Exchange directory to Active Directory is linear. When there are
one or more changes to be replicated, use the following calculation:
140 KB bind + 14 KB per changed object
Downstream Replication Traffic
As the connection agreement replicates data between the two environments, the objects
replicated also change, causing replication in the native directory. You must take this into account
before configuring each connection agreement.
Be aware that when you install a two-way connection agreement between Active Directory and
an Exchange site (or a one-way connection agreement to Exchange), the connection agreement
modifies and adds attributes to each Exchange directory object it comes in contact with. Because
Exchange supports only object-based replication, those directory objects must be replicated again
to the rest of the Exchange organization. For a large deployment of many Exchange sites, you
should plan the deployment of connection agreements carefully. One method is to deploy them
on weekends when there is potentially more bandwidth available on the network.
At a basic level, for each Exchange directory object changed on a server, approximately 5 KB of
data is sent to all other servers within the site. For replication between sites, each object
compresses to about 1 KB. For more information, see Directory Replication and Background
Traffic for Microsoft Exchange 5.5 on TechNet at
http://go.microsoft.com/fwlink/?LinkId=20532.
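The two per-cycle formulas under Network Consumption and the per-object downstream figures above can be combined into a small planning calculator. The following Python is an added example written for this edit, not code from the guide or from Microsoft. The site list, server counts and change counts are constructed, and the assumption that a two-way agreement stamps every object it exports from Exchange (and so triggers downstream replication for it as well) is this example's reading of the paragraph above. For three changes made in the Exchange 5.5 directory, the Exchange-to-Active Directory formula gives 140 + 3 × 14 = 182 KB, the wire-size total in Table 4.1.

```python
"""Rough per-cycle network estimate for an Active Directory Connector
connection agreement.

Added example, not code from the Microsoft guide. It applies the figures
the text gives: 121 KB bind + 11 KB per changed object from Active
Directory to Exchange, 140 KB bind + 14 KB per changed object from
Exchange to Active Directory, and for downstream Exchange 5.5 replication
about 5 KB per changed object to each other server in the site and about
1 KB per object to each other site. The site list and change counts below
are constructed input.
"""
from dataclasses import dataclass
from typing import Dict, List

BIND_AD_TO_EX_KB = 121
PER_OBJECT_AD_TO_EX_KB = 11
BIND_EX_TO_AD_KB = 140
PER_OBJECT_EX_TO_AD_KB = 14
INTRA_SITE_KB_PER_OBJECT = 5   # object replicated to every other server in the site
INTER_SITE_KB_PER_OBJECT = 1   # compressed object replicated to each other site


@dataclass(frozen=True)
class Site:
    name: str
    servers: int  # Exchange 5.5 servers in the site


# Constructed topology: the connection agreement's bridgehead is in Seattle.
SITES: List[Site] = [Site("Seattle", 4), Site("Boston", 2), Site("Washington", 1)]


def connection_agreement_kb(changes_from_windows: int, changes_from_exchange: int) -> int:
    """Data between the ADC server and the two directories for one cycle.

    Each direction is linear in the number of changed objects and pays its
    bind cost only when it has at least one change to replicate (the text's
    formulas apply to cycles with one or more changes; the small amount of
    traffic on a static cycle is not modelled here).
    """
    total = 0
    if changes_from_windows > 0:
        total += BIND_AD_TO_EX_KB + PER_OBJECT_AD_TO_EX_KB * changes_from_windows
    if changes_from_exchange > 0:
        total += BIND_EX_TO_AD_KB + PER_OBJECT_EX_TO_AD_KB * changes_from_exchange
    return total


def downstream_exchange_kb(objects_written: int, bridgehead: Site, sites: List[Site]) -> int:
    """Exchange 5.5 replication caused by the objects ADC wrote or stamped.

    Exchange replicates whole objects, so each one fans out to the other
    servers in the bridgehead's site (intra-site) and to every other site
    (inter-site, compressed).
    """
    other_servers = max(bridgehead.servers - 1, 0)
    other_sites = sum(1 for s in sites if s.name != bridgehead.name)
    return (INTRA_SITE_KB_PER_OBJECT * objects_written * other_servers
            + INTER_SITE_KB_PER_OBJECT * objects_written * other_sites)


def estimate_cycle(changes_from_windows: int, changes_from_exchange: int,
                   bridgehead: Site, sites: List[Site],
                   stamps_exported_objects: bool = True) -> Dict[str, int]:
    """Combine both components for one synchronization cycle.

    Assumption of this example: with a two-way agreement ADC also adds
    attributes (Object-GUID, signatures) to the objects it exports from
    Exchange, so those count as written objects too. Pass
    stamps_exported_objects=False for a one-way agreement that only reads
    the Exchange directory.
    """
    written = changes_from_windows + (changes_from_exchange if stamps_exported_objects else 0)
    adc = connection_agreement_kb(changes_from_windows, changes_from_exchange)
    downstream = downstream_exchange_kb(written, bridgehead, sites)
    return {"adc_kb": adc, "downstream_kb": downstream, "total_kb": adc + downstream}


if __name__ == "__main__":
    # Three changes made in Exchange 5.5 reproduce the 182 KB total of Table 4.1.
    print(connection_agreement_kb(0, 3))
    print(estimate_cycle(250, 40, SITES[0], SITES))
```

The downstream term is usually the larger one for a first replication into a site with several servers, which is the reason behind the advice to schedule new connection agreements for a weekend.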
Chapter 5
Chapter 5 describes the processes that occur when Active Directory Connector (ADC)
synchronizes the Microsoft® Exchange Server version 5.5 directory and the Active Directory®
directory service.
Initial Replication
When the connection agreement for ADC is initially executed, the stored update sequence
number (USN) on the connection agreement is set to 0, so ADC functions as if the agreement
is being run for the first time. Additionally, each connection agreement has its own signature,
which is computed when the connection agreement is configured. Active Directory objects
replicated into the Exchange directory carry the same DSA-Signature attribute as the legacy
Microsoft Exchange 5.5 bridgehead server, whereas the Replication-Signature attribute of the
object matches the computed signature of the connection agreement. When an
Active Directory object is replicated into the Exchange directory, the Object-Version attribute,
which is standard to Exchange, is either set to 1 (if it is a new object) or incremented by 1 (if a
modification is taking place).
Before the Lightweight Directory Access Protocol (LDAP) write is made, the current value of the
Object-Version attribute (if it exists) is read, incremented by 1, and then written into the
Replicated-Object-Version attribute also on the Exchange directory object. Thus, if ADC has just
modified an object, both the Object-Version and Replicated-Object-Version attributes are the
same.
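To make the version bookkeeping concrete, here is an added Python model of the writes described above (example code for this edit, not ADC's implementation). The in-memory dictionary standing in for the Exchange directory, the attribute names used as keys, the constructed signature values, and the assumption that a non-ADC writer increments Object-Version without touching Replicated-Object-Version are all this example's own.

```python
"""Version stamps ADC writes on an Exchange 5.5 directory object.

Added example, not ADC code. It models only what the text states: on a
new object ADC sets Object-Version to 1 and on a modification increments
it; before the LDAP write it reads the current Object-Version, adds 1 and
stores that in Replicated-Object-Version, so after an ADC write the two
agree; Replication-Signature is set to the connection agreement's computed
signature and DSA-Signature to that of the bridgehead server. The
dict-based directory, the attribute names used as keys and the assumption
that any other writer increments Object-Version but leaves
Replicated-Object-Version alone are this example's own.
"""
from typing import Any, Dict, List

Entry = Dict[str, Any]
Directory = Dict[str, Entry]   # Exchange 5.5-style DN -> attributes

# Constructed signatures: the agreement's computed signature and the bridgehead's DSA signature.
CA_SIGNATURE = "ca-sig-0001"
BRIDGEHEAD_DSA_SIGNATURE = "dsa-sig-seattle"


def adc_write(directory: Directory, dn: str, attrs: Entry,
              ca_signature: str = CA_SIGNATURE,
              dsa_signature: str = BRIDGEHEAD_DSA_SIGNATURE) -> Entry:
    """Replicate an Active Directory change into the Exchange directory."""
    entry = directory.setdefault(dn, {})
    # Read the current Object-Version (absent on a new object) and add 1:
    # a new object gets 1, an existing object is incremented.
    new_version = int(entry.get("Object-Version", 0)) + 1
    entry.update(attrs)
    entry["Object-Version"] = new_version
    entry["Replicated-Object-Version"] = new_version
    entry["Replication-Signature"] = ca_signature
    entry["DSA-Signature"] = dsa_signature
    return entry


def native_write(directory: Directory, dn: str, attrs: Entry) -> Entry:
    """A change by any other writer, e.g. the Exchange Administrator program.
    Assumed here: Object-Version increments, Replicated-Object-Version is unchanged."""
    entry = directory[dn]
    entry.update(attrs)
    entry["Object-Version"] = int(entry.get("Object-Version", 0)) + 1
    return entry


def last_write_was_adc(entry: Entry) -> bool:
    """True when the two version stamps agree, i.e. ADC made the latest change
    and nothing has modified the object locally since."""
    return ("Replicated-Object-Version" in entry
            and entry.get("Object-Version") == entry["Replicated-Object-Version"])


def pending_local_changes(directory: Directory) -> List[str]:
    """DNs whose latest modification did not come from ADC; a two-way
    agreement would pick these up on its next cycle."""
    return sorted(dn for dn, e in directory.items() if not last_write_was_adc(e))
```

Comparing the two stamps is the check a troubleshooter would run on an object that looks stale: if they differ, something other than ADC changed it after the last replication.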
• An Exchange 5.5 Mailbox object mapped to an Active Directory account appears in the
Exchange directory as a Mailbox object, and maps to Active Directory as a mailbox-enabled
user (the msExchHomeServerName attribute is set). The Object-GUID attribute of the
Exchange Mailbox object is set to the globally unique identifier (GUID) of the
Active Directory object, and the legacyExchangeDN attribute of the Active Directory object
is set to the distinguished name of the correlating object in the Exchange directory. All
directory attributes from the two objects, such as telephone number, postal address, and so
on, are merged and populated to both directory objects.
• A Distribution List object in the Exchange directory appears in Active Directory as a mail-
enabled Group object (type: Distribution, scope: Universal). Because the Distribution List
object may appear in Active Directory before the membership objects exist, any orphaned
members are binary-encoded and written to the unmergedAtts attribute in the corresponding
entry of the Group object. This ensures that membership changes to the Active Directory
Group object replicate back to the Exchange directory successfully. The unmerged attributes
are removed and resolved only after a full replication of the object is initiated.
• A custom recipient (of any address type) in the Exchange directory appears as a mail-
enabled Contact in Active Directory.
For a list of objects replicating from Active Directory to the Exchange directory, see the
following fidelity class table.
Schema Discovery
When replicating data between two different systems, the format and restrictions for the data may
differ for each system. For example, Active Directory supports 8-bit Unicode
transformation format (UTF-8) in the object name, but the corresponding entry in the Exchange
directory, in this case the distinguished name, supports only Teletex characters. Schema
discovery allows ADC to resolve the restrictions imposed by the target directory and perform the
necessary conversion. Schema discovery accommodates the following discrepancies:
• Data format and presentation (for example, UTF-8 and Teletex)
• Field length restrictions
• Mandatory and optional attribute mapping
• Single-value to multivalue field mappings (and vice versa)
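The following Python sketch, added for this edit and not ADC's code, shows conversions of the kind the four discrepancies above require. The TargetRule class, its fields, the simplification of the Teletex repertoire to printable ASCII, and the sample attribute rules are assumptions of the example.

```python
"""Value conversion of the kind schema discovery performs when ADC writes
to a directory with stricter rules than the source.

Added example, not ADC code. The target rule is a constructed stand-in
for what ADC learns from the target schema: the character repertoire the
attribute accepts (the Exchange 5.5 distinguished name accepts only Teletex
characters, simplified here to printable ASCII), a maximum length, whether
the attribute is single- or multi-valued, and whether it is mandatory.
The TargetRule class, its field names and the sample values are this
example's assumptions.
"""
import unicodedata
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TargetRule:
    max_length: Optional[int]   # None means no length restriction
    multi_valued: bool          # False: the target attribute holds one value
    ascii_only: bool            # stand-in for "Teletex characters only"
    mandatory: bool = False     # target schema requires a value


def to_ascii_repertoire(value: str) -> str:
    """Fold accented letters to their base letter (NFKD decomposition) and drop
    any character that still falls outside printable ASCII, so the result is
    legal in the restricted target attribute. Characters with no base letter
    (for example the German sharp s) are dropped, which is why a reviewer
    should compare before and after values rather than trust the conversion."""
    decomposed = unicodedata.normalize("NFKD", value)
    return "".join(ch for ch in decomposed if 32 <= ord(ch) < 127)


def convert_values(values: List[str], rule: TargetRule) -> List[str]:
    """Apply the four discrepancies the text lists: data format, field length,
    mandatory/optional, and single- versus multi-value mapping."""
    if not values:
        if rule.mandatory:
            raise ValueError("target attribute is mandatory but the source supplied no value")
        return []
    converted = []
    for v in values:
        if rule.ascii_only:
            v = to_ascii_repertoire(v)
        if rule.max_length is not None and len(v) > rule.max_length:
            v = v[: rule.max_length]
        if v:
            converted.append(v)
    if not rule.multi_valued:
        # Many-to-one: a multi-valued source attribute maps to its first value only.
        converted = converted[:1]
    if not converted and rule.mandatory:
        raise ValueError("conversion left no usable value for a mandatory attribute")
    return converted


# Constructed rules for two target attributes.
EXCHANGE_DN_RDN_RULE = TargetRule(max_length=64, multi_valued=False, ascii_only=True, mandatory=True)
AD_PHONE_RULE = TargetRule(max_length=None, multi_valued=True, ascii_only=False)
```

A conversion that silently shortens or strips a name is exactly the kind of change that later shows up as a failure-to-match, so logging the before and after values of every converted attribute is worth the small cost.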
Chapter 6
ADC Installation
The first step in using Active Directory Connector is to install it from the Microsoft®
Exchange 2000 Server CD. The following steps lead you through the installation process:
1. Start the Microsoft Active Directory Connector Setup program. You can find it in the
\Valupack\mgmt\adc directory on the Microsoft Windows® 2000 Server Installation CD, or
in the \Adc\i386 directory on the Exchange 2000 CD. You must have Enterprise
Administrator permissions to install the ADC. Additionally, unless the schema has already
been extended with the "setup /schemaonly" switch (that is, you ran setup.exe /schemaonly
instead of setup.exe when you set up ADC), you will also need Schema Admin permissions.
The Setup program starts the ADC Installation Wizard (as shown in Figure 6.1). Follow the
steps in the wizard to install ADC.
2. Install both Active Directory Connector and the Active Directory Connector Manager and
click Next.
3. Enter the installation directory and click Next.
4. Enter the Site Services Account name and password and click Next.
Configuring Attribute Replication and Object Matching
You may have business and technical reasons for not wanting to replicate all attributes on objects
between Exchange and the Microsoft Active Directory® directory service. Use the property
sheets of ADC to prevent certain attributes from replicating. Figures 6.2 and 6.3 show the tabs
used to configure attribute replication and object matching.
Additionally, by default, ADC attempts to match objects between the two directories based on the
Assoc-NT-Account field. (This is the primary Microsoft Windows NT® account field in the
Exchange 5.5 Administrator program). In the majority of cases, this default is fine. However, in
other situations you might want to change the object matching rules (for example, match the
Exchange alias name to the Active Directory user name). You can specify the attribute-mapping
rules, and you can also define an ordered list of rules.
Chapter 6 : How to Implement Active Directory Connector 59
Creating Connection Agreements
To begin replicating data, a connection agreement must be created. The following steps
demonstrate how to create a connection agreement.
To create a recipient connection agreement
1. Open the Exchange Active Directory Connector and highlight an Active Directory
Connector server. Click Action, click New, and then click Recipient Connection
Agreement.
2. On the Properties property sheet, click the General tab. In the Name field, enter a
descriptive name for the connection agreement. In the Replication Direction section,
indicate whether the replication direction is one-way or two-way. In the Active Directory
Connector Service section, specify the server to run the connection agreement. In most
circumstances, this will be the local server. Figure 6.4 shows the General tab.
3. Click the Connections tab, and, if necessary, change the Lightweight Directory Access
Protocol (LDAP) port for the Exchange directory. You must do this if the default LDAP port
has been changed on the Exchange server, or if the connection agreement endpoint is the Site
Replication Service (SRS). You can verify these settings by looking at the LDAP protocol in
the Protocols container in the Exchange 5.5 Administrator program. Figure 6.5 shows the
Connections tab.
You also use the Connections tab to enter credentials that the connection agreement will use
to connect to the Exchange 5.5 directory and the Active Directory domain controller. Ensure
that the accounts that you specify have write permissions to the site or domain that you are
connecting to.
4. Select the activation schedule for directory replication. During active hours, the connection
agreement checks for and processes changes once every 5 minutes. Because the ADC
connection agreement is most often used for mixed-vintage Exchange sites, the 5-minute
period aligns with the normal intra-site directory replication latency timer. Figure 6.6 shows
the Schedule tab.
Note
The setting of Always equates to every 5 minutes, 24 hours a day, 7 days a
week. Previous releases of Exchange Server used Always to indicate every
15 minutes.
Select the Replicate the entire directory the next time the agreement is run check box to
set the following attributes on the connection agreement:
• msExchServer1HighestUSN: 0 (for connection agreements that replicate from Windows)
• msExchServer2HighestUSN: 0 (for connection agreements that replicate from Exchange)
• msExchDoFullReplication: True
Forcing a replication of the entire directory causes all directory objects to be checked for
consistency. If there are any discrepancies between the directories, objects are updated as
appropriate. However, if objects are consistent, they are not replicated again.
5. Click the Advanced tab. The settings on this tab determine the finer details of how ADC
works.
In Paged Results, enter the number of Windows or Exchange Server entries per page.
Usually, you do not need to change LDAP page sizes. Although the default value of
20 entries per paged result may appear to be quite low, it keeps the processor continually
busy while changes are received, rather than alternating between overloaded and idle.
Figure 6.7 shows the Advanced tab.
The other options on the Advanced tab are very important. The check boxes indicating
primary connection agreements control what happens when replication cannot find a match
between associated objects in the two directories. Although two of the three check boxes
look similar, they perform slightly different functions.
• This is a primary Connection Agreement for the connected Exchange
Organization.
This option controls whether ADC should create a new object when it replicates a new
object from Windows, if it cannot find a matching object or determine which site the object
should be created in.
This is important when you have more than one connection agreement set up to different
sites, both exporting the same container from Active Directory. For each container you are
exporting from Windows, you should have exactly one connection agreement set as primary.
For detailed information about this check box, see "Primary vs. Non-Primary Connection
Agreements" in Chapter 7.
• This is a primary Connection Agreement for the connected Windows Domain
This check box is associated with the setting for replicating Mailbox, Distribution List, and
Custom Recipient objects that do not have an existing matching object in Active Directory.
Implicitly, this check box controls whether an object is created in the domain if a match
cannot be found. As with the Primary Exchange option, you should have exactly one primary
connection agreement handling each Exchange container that you want to replicate.
• This is an Inter-Organizational Connection Agreement
For information about this option, see Appendix I, "Inter-Organization Connection
Agreement."
6. Click the Deletion tab. The settings on this tab determine what happens when directory
objects are deleted from source and target directories.
By default, objects deleted from each directory are not propagated to the destination
directory. Instead, the deletions are held in the following directory on the ADC server:
%windir%\MSADC\<Connection Agreement name>
Table 6.1 shows the names of the files created by ADC for deletions.
Table 6.1 Files created by ADC for deletions
File name Purpose
Win2000.ldf Entries deleted from the Exchange directory
Ex55.csv Entries deleted from Active Directory
If you decide not to propagate deletions, it can cause additional management overhead
because the system administrator must look through the files that were created and import
them into the adjacent directory. If several hundred changes are occurring and you have tight
control over who can delete Directory objects, you may opt to enable deletion propagation.
If you decide to enable deletions through the user interface, be very careful of the changes
that you make to each directory. For example, deleting a Custom Recipient object in
Exchange deletes the related Active Directory object, which may be a mail-enabled Contact
or User object representing an account from a different domain.
After a mailbox is deleted, either by using Active Directory Users and Computers or because
ADC deleted the mailbox, you may see one of two special values in the legacyExchangeDN attribute:
• ADCDisabledMailByADC. Indicates that the Exchange 5.5 mailbox was deleted and
the Active Directory object is an enabled user object.
• ADCDisabledMail. Indicates that Active Directory Users and Computers was used to
delete the user's mailbox.
Note
You may want Contact object deletions to be propagated, but may not want
Mailbox object deletions to be propagated. To improve the granularity of deletion
control in Exchange 2000 Server, you can configure multiple connection
agreements with different options.
7. Click the From Windows tab. The settings on this tab determine which containers or
organizational units are sent to the Exchange directory and specify the default destination
container where they are received in the Exchange 5.5 site. Use the Add button to add
multiple containers. If a complex hierarchy exists within the Active Directory domain, you
do not have to select each organizational unit individually; you can select the top-level
domain as the source. However, doing that assumes that you want to retain that hierarchy.
When replicating to Exchange, ADC creates those containers automatically. The containers
are only created if there are objects within those containers, and ADC must create a new
object in Exchange to match it.
8. Click the From Exchange tab. The settings on this tab specify which containers to replicate
from the Exchange directory.
9. Click Add and either select the Site object, or choose each recipient container individually
as the export containers, to replicate all containers in the site. Click Modify, and then in
Default destination, enter the default destination container in Active Directory. In Objects,
select the check boxes for the different types of object classes to replicate from the Exchange
directory. As with the From Windows tab described in Step 7, by doing this you specify the
default target container for objects that cannot be mapped.
Caution
As with the Default destination in Exchange 5.5, do not set the default
destination for Active Directory at the domain level. This will cause new objects
created in Active Directory to be directly under the domain object instead of in
an organizational unit or container, which will make the objects hard to manage
using Active Directory Users and Computers. Instead, always ensure that the
Default destination is a location where you actually want objects to be created.
With a two-way connection agreement, ADC requires that the default destination to
Exchange must also be listed as an export container on the From Exchange tab, and vice
versa with the default destination to Windows. This ensures that any new objects ADC
creates can replicate back to the original directory. Always ensure that any containers in
Exchange or Active Directory that you want to replicate out are listed as export containers.
Only containers from one Exchange site can be selected in a single connection agreement if
the agreement is configured to write to the Exchange directory. If multiple Exchange sites
are deployed, you also need to establish multiple connection agreements.
10. Start ADC. You can start ADC from the Computer Management MMC console or from a
command prompt by typing net start msadc.
Note
You must be a member of Administrators, Server Operators, or otherwise have
permissions to start and stop services.
11. After ADC starts, new objects are populated in both Active Directory and the Exchange
directory. To monitor the progress of a connection agreement, either look at the Performance
Monitor counters or monitor the application log.
From here, you can create additional connection agreements and enable them without having
to stop and restart the MSADC service. Changes are implemented dynamically.
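For the deletion files written in step 6 when propagation is disabled, an administrator has to review the pending deletes before importing them into the adjacent directory. The following Python is an added example of that review, not an ADC or Microsoft tool. It assumes Win2000.ldf holds standard LDIF change records (the format LDIFDE imports); the sample file, its distinguished names and the protected organizational unit list are constructed.

```python
"""Review of the pending-deletion file ADC writes when deletion propagation
is off (step 6: Win2000.ldf holds entries deleted from the Exchange
directory, for an administrator to import into Active Directory).

Added example, not an ADC or Microsoft tool. It assumes the file consists
of standard LDIF change records ("dn: ...", "changetype: delete"), the
format LDIFDE imports; the sample file, its distinguished names and the
list of protected organizational units are constructed.
"""
import base64
import re
from typing import List, Tuple

# Constructed sample in the assumed Win2000.ldf layout. The second DN is
# folded across two lines (LDIF continuation); the third record is a modify,
# not a delete, and must be ignored.
SAMPLE_LDIF = """\
# pending deletions written by a connection agreement (constructed sample)
dn: CN=Vendor Contact,OU=External,DC=northwindtraders,DC=com
changetype: delete

dn: CN=Jane Doe,OU=Users,OU=Sales,
 DC=northwindtraders,DC=com
changetype: delete

dn: CN=Sales Team,OU=Groups,OU=Sales,DC=northwindtraders,DC=com
changetype: modify
replace: description
description: not a deletion
-
"""

# Constructed policy: never import deletes under these OUs without review,
# because the target may be a User object rather than a Contact.
PROTECTED_SUFFIXES = ["OU=Users,OU=Sales,DC=northwindtraders,DC=com",
                      "OU=Users,OU=Research,DC=northwindtraders,DC=com"]


def parse_ldif_deletes(text: str) -> List[str]:
    """Return the DN of every record whose changetype is delete.

    Handles LDIF line folding (a continuation line starts with one space)
    and base64-encoded DNs ("dn:: ...")."""
    unfolded = re.sub(r"\n ", "", text.replace("\r\n", "\n"))
    dns = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn = changetype = None
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            if line.startswith("dn:: "):
                dn = base64.b64decode(line[5:]).decode("utf-8")
            elif line.startswith("dn: "):
                dn = line[4:].strip()
            elif line.lower().startswith("changetype:"):
                changetype = line.split(":", 1)[1].strip().lower()
        if dn is not None and changetype == "delete":
            dns.append(dn)
    return dns


def triage_deletions(dns: List[str], protected_suffixes: List[str]) -> Tuple[List[str], List[str]]:
    """Split pending deletes into (import_now, hold_for_review) by whether the
    DN sits under a protected organizational unit."""
    import_now, hold = [], []
    for dn in dns:
        lowered = dn.lower()
        if any(lowered.endswith(s.lower()) for s in protected_suffixes):
            hold.append(dn)
        else:
            import_now.append(dn)
    return import_now, hold


if __name__ == "__main__":
    ok, held = triage_deletions(parse_ldif_deletes(SAMPLE_LDIF), PROTECTED_SUFFIXES)
    print("import:", ok)
    print("hold:", held)
```

The held list is the one to check by hand against the caution above: a custom recipient deleted in Exchange may correspond to a User object from another domain, not just a Contact.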
2. In the Properties dialog box for the public folder connection agreement, click the General
tab. In the Name field, enter a descriptive name for the connection agreement. In the
Replication Direction section, indicate whether the replication direction is one-way or two-
way. In the Active Directory Connector Service section, specify the server to run the
connection agreement. In most circumstances, this will be the local server. Figure 6.10
shows the General tab.
Note
Public folder connection agreements must be two-way.
3. Click the Connections tab, and, if necessary, change the Lightweight Directory Access
Protocol (LDAP) port for the Exchange directory. You must do this if the default LDAP port
has been changed on the Exchange server, or if the connection agreement endpoint is the Site
Replication Service (SRS). You can verify these settings by looking at the LDAP protocol in
the Protocols container in the Exchange 5.5 Administrator program. Figure 6.11 shows the
Connections tab.
4. Select the activation schedule for directory replication. During active hours, the connection
agreement checks for and processes changes once every 5 minutes. Because the ADC
connection agreement is most often used for mixed-vintage Exchange sites, the 5-minute
period aligns with the normal intra-site directory replication latency timer. Figure 6.12 shows
the Schedule tab.
Note
The setting of Always equates to every 5 minutes, 24 hours a day, 7 days a
week. Previous releases of Exchange Server used Always to indicate every
15 minutes.
Select the Replicate the entire directory the next time the agreement is run check box to
set the following attributes on the connection agreement:
• msExchServer1HighestUSN: 0 (for connection agreements that replicate from Windows)
• msExchServer2HighestUSN: 0 (for connection agreements that replicate from Exchange)
• msExchDoFullReplication: True
Forcing a replication of the entire directory causes all directory objects to be checked for
consistency. If there are any discrepancies between the directories, objects are updated
as appropriate. However, if objects are consistent, they are not replicated again.
5. Click the Advanced tab. The settings on this tab determine the finer details of how ADC
works.
In the Paged Results section, enter the number of Windows or Exchange Server entries per
page. Usually, you do not need to change LDAP page sizes. Although the default value of 20
entries per paged result may appear to be quite low, it keeps the processor continually
busy while changes are received, rather than alternating between overloaded and idle.
Figure 6.13 shows the Advanced tab.
The other options on the Advanced tab are very important. The check boxes indicating
primary connection agreements control what happens when replication cannot find a match
between associated objects in the two directories. Only one of the three check boxes is
available: This is a primary Connection Agreement for the connected Windows Domain.
• This is a primary Connection Agreement for the connected Windows Domain
This check box is associated with the setting for replicating public folder objects that do not
have an existing matching object in Active Directory. Implicitly, this check box controls
whether an object is created in the domain if a match cannot be found.
6. Click the Deletion tab. The settings on this tab determine what happens when directory
objects are deleted from source and target directories. By default, unlike recipient connection
agreements, objects deleted from each directory are propagated to the destination directory.
Chapter 7
After Installation
Chapter 7 describes how Active Directory Connector (ADC) finds, matches, and links objects,
how Active Directory and the Exchange 5.5 directory handle replicated objects, and explains the
differences between primary and non-primary connection agreements.
Figure 7.1 is a flow chart that describes how ADC matches objects from Exchange Server 5.5 to
Active Directory.
Figure 7.1 How ADC matches objects from Exchange Server 5.5 to Active
Directory
Chapter 7: After Installation 75
Now that ADC has properly linked an Exchange 5.5 Mailbox object with Active Directory, the
User object has many new fields populated. In addition to the attributes that are brought over
from the Exchange 5.5 object, ADC sets the following attributes:
msExchADCGlobalNames
Attribute syntax: multivalued Unicode string
Set on a target object to identify which source object to match to. For more information, see
Microsoft Knowledge Base article 316280, "XADM: A Description of the 'ADC Global
Names' Attribute" (http://support.microsoft.com/?kbid=316280).
legacyExchangeDN
Attribute syntax: single-valued case-insensitive string
The Exchange 5.5-style distinguished name of the Exchange 5.5 object that this object is
matched to. For example: /o=ORG/ou=SITE/cn=Recipients/cn=RDN
msExchHomeServerName
Attribute syntax: single-valued Unicode string
Contains the Exchange 5.5-style distinguished name of the server that the user's mailbox is
on.
For example: /o=ORG/ou=SITE/cn=Configuration/cn=Servers/cn=SERVER-NAME
replicationSignature
Attribute syntax: single-valued octet string
Set to the objectGUID of the connection agreement that replicated to this object.
msExchHideFromAddressLists
Attribute syntax: Boolean
Set to True if the Exchange 5.5 object is hidden from the address book.
showInAddressBook
Attribute syntax: multivalued distinguished name
Set only if Microsoft Exchange 2000 Server is installed in the forest. Unless
msExchHideFromAddressLists is set, ADC adds the distinguished name of the default global
address list (GAL) to ensure that the object will be visible in the Exchange 2000 GAL.
msExchMailboxGuid
Attribute syntax: single-valued octet string
Set to a new, random GUID for use later when the mailbox is moved to Exchange 2000.
Figure 7.2 How ADC matches objects from Active Directory to Exchange Server 5.5
Troubleshooting
Chapter 8 provides information to help you resolve issues that can arise with your Active
Directory Connector (ADC) deployment. Descriptions are included for each category of
diagnostic logging, as are troubleshooting tips for several common issues.
Event Logs
If you find that operations are failing to complete, you can increase the logging level for several
categories. Increasing the logging level generates more information in the event log. To change
diagnostic logging options, start the Active Directory Connector Management snap-in for the
Active Directory Connector (ADC) server that requires troubleshooting, and click the Diagnostic
Logging tab.
Event Logging
The ADC event log has five categories of messages, as shown in Table 8.1. Each category has
four levels of logging, as shown in Table 8.2.
Table 8.1 Categories of ADC event log messages
Category             Description
Attribute mapping    Indicates events that occurred while mapping attributes between the Active Directory® directory service and the Microsoft Exchange Server version 5.5 directory.
LDAP operations      Indicates events that occurred while accessing the directory using Lightweight Directory Access Protocol (LDAP).
Service controller   Indicates events that occurred when the service was started and stopped.
Table 8.2 Diagnostic logging levels
Level      Description
None       Default logging level. Logs only critical events and error events, including starting and stopping the service, and component installation.
Minimum    Logs events including the success or failure of adding or removing a user account, errors encountered when establishing LDAP sessions, and errors updating the directory.
Medium     Logs events including those associated with the existence of specific objects in the directory.
Maximum    Logs all events and provides a complete record of the operation of ADC and the status of replication. Unless you are troubleshooting a problem, avoid using the Maximum logging level because it logs a large amount of information and can affect server performance.
Directory Inconsistencies
Your first reaction to resolving replication problems may be to tear down connections and start
again. Although this is a safe operation in some systems, with Active Directory Connector be
cautious if you destroy a connection agreement and then re-establish it. Normally, deleting and
re-creating connection agreements does not resolve replication issues.
If there are minor discrepancies between the two directories, open the Active Directory
Connector snap-in, select the connection agreement in question, and on the Task menu, click
Replicate now. If this does not resolve the issue, and only one of two objects appears to be out-
of-date, try modifying one of the attributes on the object. If there are major directory
inconsistencies, on the Schedule tab, select the Replicate entire directory check box for the
connection agreement.
If you intend to clean up the directories and reconfigure replication completely, you must also
remove msExchADCGlobalNames from all objects that have been replicated in both directories.
For more information about how to correct mismatched accounts, see Microsoft Knowledge
Base article 256862, "XADM: How to Correct Mismatched Accounts After Active Directory
Connector Replication" (http://support.microsoft.com/?kbid=256862).
Additionally, it is recommended that when the new connection agreements are set up, you set
deletions to write to a file (as shown in Table 6.1) to avoid the inadvertent deletion of objects.
Additional Troubleshooting
Several common failures or issues may occur after ADC has been implemented:
• The connection agreement fails to replicate all or some objects.
• The connection agreement fails to update all or some objects.
• The connection agreement fails when attempting to match an object and
a duplicate object is created.
• The connection agreement appears to fail when attempting to match an object.
• ADC causes an exception.
There are some common troubleshooting tips and tricks to resolve these issues, which are
discussed in the following sections.
84 Understanding and Deploying Exchange 2000 Active Directory Connector
Troubleshooting Failures-to-Match
Typically, troubleshooting failures-to-match involves connecting to the Exchange 5.5 directory
with the LDP utility and dumping the object and the Assoc-NT-Account to a text file. Next,
connect to Active Directory with LDP to find both the object that was expected to match, and the
object either created or matched to. Then dump both objects, the SID and/or SIDHistory, to a text
file. Review all of the text files and compare the SID, msExchADCGlobalNames, and/or
SIDHistory manually to verify whether or not the Assoc-NT-Account from the Exchange 5.5
mailbox matches the objectSID or SIDHistory of the Active Directory user.
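Comparing a binary Assoc-NT-Account or objectSID dump by eye is error-prone, because ldp.exe shows a SID as a byte blob. The following Python is an added example, not code from this guide or from Microsoft: it converts the binary SID layout (revision, sub-authority count, 48-bit identifier authority, little-endian sub-authorities) to the familiar S-1-5-21-... text form and reports whether the mailbox's account SID matches the user's objectSid or one of its sIDHistory values. The sample SIDs are constructed.

```python
import struct

# Added example: decoding binary SIDs from an ldp.exe dump so that the
# Assoc-NT-Account / objectSid / sIDHistory comparison can be done in text form.


def sid_to_string(blob: bytes) -> str:
    """Convert a binary SID to its S-R-I-S... text form.

    Layout: byte 0 revision, byte 1 sub-authority count, bytes 2-7 identifier
    authority (48-bit, big-endian), then one little-endian uint32 per sub-authority.
    """
    if len(blob) < 8:
        raise ValueError("SID blob is shorter than the 8-byte header")
    revision, sub_count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    expected = 8 + 4 * sub_count
    if len(blob) != expected:
        raise ValueError(f"expected {expected} bytes for {sub_count} sub-authorities, got {len(blob)}")
    subs = struct.unpack_from(f"<{sub_count}I", blob, 8)
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string; handy for building test data and for re-encoding."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def match_reason(assoc_nt_account: bytes, object_sid: bytes, sid_history=()):
    """Return "objectSid" or "sIDHistory" when the mailbox's account SID matches the
    Active Directory user the way ADC's default rules require, otherwise None."""
    account = sid_to_string(assoc_nt_account)
    if account == sid_to_string(object_sid):
        return "objectSid"
    if any(account == sid_to_string(h) for h in sid_history):
        return "sIDHistory"
    return None


# Constructed sample values (not from any real directory).
OLD_DOMAIN_SID = string_to_sid("S-1-5-21-1111-2222-3333-1105")  # NT 4.0 account SID
NEW_DOMAIN_SID = string_to_sid("S-1-5-21-4444-5555-6666-1203")  # user's SID after migration

if __name__ == "__main__":
    # A migrated user matches only through sIDHistory; a missing sIDHistory entry
    # produces exactly the failure-to-match this section troubleshoots.
    print(match_reason(OLD_DOMAIN_SID, NEW_DOMAIN_SID, [OLD_DOMAIN_SID]))
    print(match_reason(OLD_DOMAIN_SID, NEW_DOMAIN_SID))
```

Paste the hex bytes from the LDP dump into bytes.fromhex() and compare the decoded strings; when the only candidate match is through sIDHistory, check that the account migration actually populated that attribute.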
Failed.ldf File
During replication between Exchange 5.5 and Active Directory, if ADC fails to replicate to a
target directory, a Failed.ldf file is written. This file is located by default in
<installDrive>\Program Files\MSADC\MSADC\<NameOfCA>. Two files may be created and
appended during failures, EX55-2Failed.ldf and Win2000Failed.ldf. Both files log failures and
contain additional information regarding what may be the root cause of the failure. You can open
.ldf files with a text editor.
Ldif.err File
The Ldif.err file is created during setup. It records errors that may have occurred during schema
import.
C H A P T E R 9
Advanced Configuration
The configuration of the connection agreements allowed through the Microsoft Management
Console (MMC) interface is sufficient for most deployments, both small and large. However, in
deployments where there is a very complex Exchange site or Active Directory® topology, you
can make some advanced customizations to Active Directory Connector (ADC). This chapter
details two of the most common areas of customization.
It is important that you thoroughly test and document any advanced customizations to ensure
good supportability. Testing the behavior of any changes described in this chapter, including
Lightweight Directory Access Protocol (LDAP) search filters, schema mapping, and object
matching rules, is the responsibility of the customer. Microsoft cannot support issues that arise as
a result of modification in any of these areas. If you have made any of these customizations and
subsequently call Microsoft Product Support Services about problems with Microsoft®
Exchange 2000 Server, be sure to let the Product Support Services staff know about the changes
that you have made.
Tools
Several tools are available to make the configuration changes detailed in this chapter. Two of
these tools are the Active Directory Administration Tool Ldp utility (ldp.exe) and the
Active Directory Service Interfaces editor (ADSIEdit.msc). Both tools are included in the
Microsoft Windows 2000 Server Resource Kit
(http://go.microsoft.com/fwlink/?LinkId=6545).
Following are instructions for using the tools:
• ldp.exe Use the Connect option to contact the Active Directory server, and then bind to
Active Directory as an administrator account. After authentication occurs, on the View
menu, click Tree, and then type the LDAP path to the configuration naming context. For
example, if the domain name is corp.example.com, the LDAP path to type is:
cn=Configuration,dc=corp,dc=example,dc=com
To expand and collapse subcontainers and their object members, double-click containers in
the left pane. To locate the Active Directory Connector resources, expand the Services node,
then Microsoft Exchange, and finally Active Directory Connections.
• ADSIEdit.msc Install the Microsoft Windows® 2000 Server Resource Kit. Alternatively,
you can register the ADSIEdit.dll library (as an in-process server) using Regsvr32.exe, and
then open ADSIEdit.msc, which is an MMC snap-in. The ADSI editor provides an easy–to–
use graphical user interface (GUI), but it is not as powerful as the Ldp utility (ldp.exe).
The rules query for all recipient objects in the directory (organizationalPerson is a mailbox,
remote-address is a custom recipient, and groupOfNames is a distribution list). The vertical bar,
or pipe, at the beginning of the string indicates this is an OR filter.
Note
For more information about LDAP search filters, see RFC 2254 at
http://www.faqs.org/rfcs/rfc2254.html.
With tools such as ldp.exe, you can modify this rule so that the connection agreement uses a
more granular search criterion than the default when replicating objects between the two
directories. For example, you can configure a specific connection agreement to replicate the
Exchange mailbox objects in the Sales and Marketing departments to Active Directory:
(&(objectClass=organizationalPerson)(|(department=Sales)(department=Marketing)))
Or, you can have a connection agreement that replicates only users whose last name starts with
the letter A:
(&(objectClass=organizationalPerson)(sn=a*))
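Filter values that come from outside the directory (a list of department names exported from an HR system, for instance) must be escaped before they are placed in a connection agreement's search filter, otherwise a value containing ) or * changes what the filter matches. The following Python is an added example, not code from this guide: it builds the department and surname filters shown above with RFC 2254 escaping and includes a parenthesis check to run before pasting a hand-edited filter into ldp.exe.

```python
# Added example: building connection-agreement LDAP search filters safely.
# RFC 2254 section 4 escapes for characters that are special inside a filter value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a literal attribute value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_recipient_filter(object_classes, departments=(), surname_prefix=None):
    """Build a filter in the style of the examples in this chapter.

    object_classes: Exchange 5.5 classes to replicate, e.g. ["organizationalPerson"]
                    (several classes are OR-ed, as in the default filter).
    departments:    restrict to these 'department' values (OR-ed together).
    surname_prefix: restrict to surnames that start with this prefix (sn=prefix*).
    Every value is escaped, so 'Sales)(objectClass=*' stays a literal string and
    cannot turn the filter into one that matches every object.
    """
    classes = [f"(objectClass={escape_filter_value(c)})" for c in object_classes]
    terms = [classes[0] if len(classes) == 1 else "(|" + "".join(classes) + ")"]
    if departments:
        deps = "".join(f"(department={escape_filter_value(d)})" for d in departments)
        terms.append(deps if len(departments) == 1 else "(|" + deps + ")")
    if surname_prefix is not None:
        terms.append(f"(sn={escape_filter_value(surname_prefix)}*)")
    return terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"


def balanced_parentheses(filter_text: str) -> bool:
    """Sanity check before pasting a hand-edited filter into ldp.exe.

    Escaped parentheses appear as \\28 / \\29, so only structural ones are counted.
    """
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    print(build_recipient_filter(["organizationalPerson"], departments=["Sales", "Marketing"]))
    print(build_recipient_filter(["organizationalPerson"], surname_prefix="a"))
```

The same builder reproduces the default three-class msExchServer2SearchFilter when given organizationalPerson, remote-address and groupOfNames, which makes it a convenient way to generate a filter and then diff it against what the connection agreement currently holds.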
A P P E N D I X A
Schema Updates Made by the Exchange 2000 Server Active Directory Connector
The schema updates shown in the following tables are applied to a Microsoft® Exchange Server
version 5.5 site when a Microsoft Exchange 2000 Server Active Directory Connector (ADC) is
installed and configured to write to that site. These updates are also applied to a site when a
server is upgraded to Exchange Server 5.5 Service Pack (SP) 3. You must have Schema Admin
permissions to update the schema.
Attribute     Value
MayContain    1.2.840.113556.1.2.618
MayContain    1.2.840.113556.1.2.619
MayContain    1.2.840.113556.1.2.620
MayContain    1.2.840.113556.1.2.621

Attribute             Value
objectClass           Attribute-Schema
AccessCategory        1
AttributeID           1.2.840.113556.1.2.621
AttributeSyntax       2.5.5.12
IsSingleValued        FALSE
AdminDisplayName      ADC-Global-Names
description           msExchADCGlobalNames
OMSyntax              64
Heuristics            5
ExtendedCharsAllowed  0
SearchFlags           1

Attribute             Value
objectClass           Attribute-Schema
AccessCategory        1
AttributeID           1.2.840.113556.1.2.618
AttributeSyntax       2.5.5.10
IsSingleValued        FALSE
AdminDisplayName      Object-GUID
description           objectGUID
MAPIID                35949
OMSyntax              4
Heuristics            3
ExtendedCharsAllowed  0
SearchFlags           1

Attribute             Value
objectClass           Attribute-Schema
AccessCategory        1
AttributeID           1.2.840.113556.1.2.619
AttributeSyntax       2.5.5.10
IsSingleValued        TRUE
AdminDisplayName      Replication-Signature
description           Replication-Signature
MAPIID                35950
OMSyntax              4
Heuristics            3
ExtendedCharsAllowed  0
SearchFlags           0

Attribute             Value
objectClass           Attribute-Schema
AccessCategory        1
AttributeID           1.2.840.113556.1.2.620
AttributeSyntax       2.5.5.10
IsSingleValued        FALSE
AdminDisplayName      Unmerged-Attributes
description           unmergedAtts
MAPIID                35951
OMSyntax              4
Heuristics            3
ExtendedCharsAllowed  0
SearchFlags           0

Attribute     Value
RangeUpper    2506

Attribute     Value
Description   userSMIMECertificate
Heuristics    19
A P P E N D I X B
In most Microsoft® Exchange Server version 5.5 environments, there are multiple mailboxes
with the same primary Microsoft Windows NT® 4.0 Server account associated with them. In the
Microsoft Active Directory® directory service, a mailbox is not a directory object; it is an
attribute of a User or Group object. A mailbox-enabled object can have only one mailbox
attribute associated with it. Therefore, for two Exchange 5.5 mailboxes that have the same
primary Windows NT account associated with them to be replicated successfully to Active
Directory, all mailboxes except one need to be marked as resource mailboxes. One account is
either created enabled or matched to an existing Active Directory user account, and the other
mailbox is replicated in as a disabled user account (that is, if Active Directory Connector (ADC)
is set to create disabled users).
Example
In Exchange 5.5 there are two mailboxes: Mailbox1 and Mailbox2. The primary Windows NT
account is User1. When ADC replicates the first mailbox, the attributes of that mailbox will be
set on the Active Directory-enabled user account. Assuming Mailbox1 is replicated first, then
User1 will have its mailbox and other attributes set to match Mailbox1. When Mailbox2 is then
picked up and replicated in, a disabled user account is created with the name of the mailbox alias,
and User1 is the mailbox owner. However, a key attribute, named msExchMasterAccountSid, is
not set on the disabled user because it is already in use on the User1 account.
Solution
Force a disabled user account for Mailbox1. The default for ADC when replicating in two
mailboxes with the same Windows NT account is to link to an enabled user account, and then
create a disabled Active Directory account for the other mailbox.
To link Mailbox2 to User1, and have Mailbox1 be linked to a disabled user account whose
primary mailbox owner is User1, do the following: in the properties of Mailbox1, in Custom
Attribute 10, type NTDSNoMatch. This forces a disabled user account for Mailbox1 and
Mailbox2 to be linked to the enabled User1 account. When you set NTDSNoMatch on a mailbox,
this also ensures that the msExchMasterAccountSid value is set on the disabled user. ADC sets
msExchMasterAccountSid to "SELF", which is a reference to the objectSID of the disabled user
itself.
A P P E N D I X C
Attributes of a Connection
Agreement
Use the Ldp utility (ldp.exe) to look at the attributes of the connection agreement in ADC. The
connection agreement objects are located at:
cn=Name of CA,cn=Active Directory Connections,cn=Microsoft Exchange,
cn=Services,cn=Configuration,dc=<domain>
The connection agreement is divided into three groups of attributes:
• General Attributes. Connection agreement object attributes (first section of the output
when viewed with ldp.exe).
• Exchange Server-specific Attributes. Attributes and values associated with the target
Microsoft® Windows® 2000 domain controller. The name of each attribute begins with the
prefix msExchServer1.
• Windows Server-specific Attributes. Attributes and values associated with the target
Microsoft Exchange Server version 5.5 server. The name of each attribute begins with the
prefix msExchServer2.
General Attributes
msExchHomeSyncService
Attribute syntax: single-valued distinguished name
The distinguished name of the ADC service that is responsible for running this connection
agreement.
msExchCASchemaPolicy
Attribute syntax: single-valued distinguished name
The distinguished name of the ADC policy that this connection agreement uses, which
contains the schema maps, object matching rules, and other configuration data.
Normally set to CN=Default ADC Policy,CN=Active Directory Connections,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<domain>
versionNumber
Attribute syntax: single-valued integer
The version number of the connection agreement. This is used, for example, to ensure that a
Windows 2000 ADC does not try to run an Exchange 2000 Config CA. As of Exchange
2000 Server SP2, the current value is 16908295, or 0x01020008. Connection agreements
created with the commercially released or SP1 version will have a slightly different value.
ActivationStyle
Attribute syntax: single-valued integer
Controls the connection agreement replication.
0 = Never, 1 = selected times, 2 = Always
ActivationSchedule
Attribute syntax: single-valued octet string
A bitmap of when the connection agreement is scheduled to run. Each bit is one 15-minute
increment. Begins at 12:00 A.M. (midnight) through 11:45 P.M.
msExchADCOptions
Attribute syntax: single-valued integer
A set of flags that control ADC replication. The flags are:
0x00000004 Replicates secured objects from Active Directory.
0x00000008 Indicates an inter-organizational connection agreement.
0x00000800 Replicates memberships of hidden distribution lists.
0x00001000 Replicates from Windows first on a two-way connection agreement.
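Reading the ActivationSchedule bitmap and the msExchADCOptions flags straight from an ldp.exe dump means counting bits by hand. The following Python is an added example, not part of this guide: it names the documented option flags listed above and unpacks one day of the schedule bitmap into time ranges. The flag values are the four the list gives; the bit order used for the schedule (least-significant bit first within each 12-byte day, days in consecutive 12-byte groups) is an assumption the guide does not state and should be verified against a schedule you set in the snap-in.

```python
from typing import List

# Added example: decoding ActivationSchedule and msExchADCOptions values read
# from a connection agreement with ldp.exe.

# Flag values for msExchADCOptions as listed in this appendix.
ADC_OPTION_FLAGS = {
    0x00000004: "Replicates secured objects from Active Directory",
    0x00000008: "Inter-organizational connection agreement",
    0x00000800: "Replicates memberships of hidden distribution lists",
    0x00001000: "Replicates from Windows first on a two-way connection agreement",
}

SLOTS_PER_DAY = 24 * 4          # one bit per 15-minute increment, 00:00 through 23:45
DAY_BYTES = SLOTS_PER_DAY // 8  # 12 bytes per day (assumed grouping, see lead-in)


def decode_adc_options(value: int) -> List[str]:
    """Name every documented flag set in msExchADCOptions; leftover bits are reported as hex."""
    names, remaining = [], value
    for bit, name in sorted(ADC_OPTION_FLAGS.items()):
        if value & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        names.append(f"undocumented bits 0x{remaining:08x}")
    return names


def _hhmm(slot: int) -> str:
    minutes = slot * 15
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def schedule_day_to_ranges(blob: bytes, day: int = 0) -> List[str]:
    """Decode one day of an ActivationSchedule bitmap into 'HH:MM-HH:MM' ranges.

    Assumption (the guide only says one bit per 15 minutes): slot i of a day is bit
    (i % 8) of byte (i // 8), least-significant bit first, and days follow one another
    in 12-byte groups. Check this against a schedule you set in the snap-in.
    """
    day_bytes = blob[day * DAY_BYTES:(day + 1) * DAY_BYTES]
    if len(day_bytes) != DAY_BYTES:
        raise ValueError(f"schedule blob has no day {day}")
    active = [bool((day_bytes[i // 8] >> (i % 8)) & 1) for i in range(SLOTS_PER_DAY)]
    ranges, run_start = [], None
    for i, on in enumerate(active + [False]):      # sentinel closes a run that ends at 23:45
        if on and run_start is None:
            run_start = i
        elif not on and run_start is not None:
            ranges.append(f"{_hhmm(run_start)}-{_hhmm(i)}")
            run_start = None
    return ranges


def schedule_from_ranges(ranges, days: int = 1) -> bytes:
    """Inverse helper: build a bitmap from ('HH:MM', 'HH:MM') pairs, repeated for `days` days."""
    day = bytearray(DAY_BYTES)
    for start, end in ranges:
        first = (int(start[:2]) * 60 + int(start[3:])) // 15
        last = (int(end[:2]) * 60 + int(end[3:])) // 15   # exclusive; "24:00" means end of day
        for slot in range(first, last):
            day[slot // 8] |= 1 << (slot % 8)
    return bytes(day) * days


if __name__ == "__main__":
    print(decode_adc_options(0x1008))
    night = schedule_from_ranges([("02:00", "03:00"), ("22:00", "24:00")])
    print(night.hex(), schedule_day_to_ranges(night))
```

An options value with bits outside the four documented ones is reported rather than silently dropped, which is the behaviour you want when auditing a connection agreement someone else configured.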
msExchDoFullReplication
Attribute syntax: Boolean
If True, all objects will be synchronized on the next replication cycle.
msExchIsBridgeheadSite
Attribute syntax: Boolean
Specifies whether "This is a primary Connection Agreement for the connected Exchange
Organization." is selected, and thus whether ADC can create new objects in the
Exchange 5.5 directory.
msExchRemotePrivateISList
Attribute syntax: single-valued Unicode string
Contains a list of the Exchange distinguished names of all of the private Information Stores
in the site, separated by the § symbol (Hex 0x00A7).
msExchRemoteServerList
Attribute syntax: single-valued Unicode string
Contains a list of the Exchange distinguished names of the message transfer agent (MTA)
objects for all servers in the site, separated by the § symbol (Hex 0x00A7).
msExchReplicateNow
Attribute syntax: Boolean
If True, ADC performs a replication cycle immediately for this connection agreement. This
flag is usually set by the Active Directory Connector Management snap-in. Because it exists
within the configuration naming context that is replicated around the forest, you can set this
value remotely.
msExchIsConfigCA
Attribute syntax: Boolean
Specifies whether or not a connection agreement is a Config CA. Do not modify.
msExchExchangeSite
Attribute syntax: single-valued Unicode string
Contains the Exchange 5.5 distinguished name of the site that the Exchange server is in.
For example: ou=Site,o=org
msExchInterOrgAddressType
Attribute syntax: single-valued Unicode string
For inter-organizational connection agreements, controls whether or not Custom
Recipients/Contacts retain their existing targetAddress when replicated, or if the
targetAddress is updated to the primary SMTP address of the object.
msExchSynchronizationDirection
Attribute syntax: single-valued integer
Specifies whether the connection agreement is one-way Exchange to Windows, one-way
Windows to Exchange, or two-way.
0 = Two-way, 1 = Windows to Exchange, 2 = Exchange to Windows
msExchADCObjectType
Attribute syntax: single-valued integer
Specifies whether a connection agreement is a user connection agreement or a Config CA.
0 = User CA, 1 = Config CA
msExchServer1AuthenticationCredentials
Attribute syntax: single-valued Unicode string
The credentials for connecting to the Windows server.
For example: Domain\User name
msExchServer1AuthenticationType
Attribute syntax: single-valued integer
Specifies the authentication protocol to be used.
4 = NTLM (Windows Challenge/Response)
msExchServer1DeletionOption
Attribute syntax: single-valued integer
Specifies whether ADC will replicate deletes from Exchange to Windows.
0 = Replicate deletes, 1 = write deletes to an .ldf file
msExchServer1ExportContainers
Attribute syntax: multivalued Unicode string
Specifies which containers to export from Windows, using the distinguished name of the
container.
msExchServer1Flags
Attribute syntax: single-valued integer
Special flags that apply when replicating with Windows. Defaults to 0.
0x2 = Do not overwrite RDN with the Exchange 5.5 Alias attribute. For more information
about this flag, see Microsoft Knowledge Base article 269843, "XADM: ADC Overwrites
Display Name with Exchange Server 5.5 Display Name"
(http://support.microsoft.com/?kbid=269843).
msExchServer1HighestUSN
Attribute syntax: single-valued large (64 bit) integer
The highest update sequence number (USN) last found against the Windows 2000 domain
controller that the connection agreement is replicating with. ADC uses this value to
determine which objects it has already replicated from Active Directory.
msExchServer1HighestUSN
Attribute syntax: multivalued Unicode string
Keeps track of the highest USN of all of the domain controllers in the forest. By keeping
track of the USN values on all servers that correspond with the highest USN on the local
server, if the connection agreement is pointed to a different domain controller, ADC will not
have to do a full replication from Windows.
Note
If your organization has more than 800 domain controllers in the forest, you may
need to set a registry key to control how many values are stored in this attribute.
For more information about this problem, see Microsoft Knowledge Base article
314950, "XADM: The ADC Does Not Work in an Environment That Contains More
Than 800 Domain Controllers" (http://support.microsoft.com/?kbid=314950).
msExchServer1ImportContainer
Attribute syntax: single-valued Unicode string
Specifies the distinguished name of the default destination in Active Directory where ADC
should create new objects.
msExchServer1LastUpdateTime
Attribute syntax: single-valued Generalized-time attribute
Timestamp in Coordinated Universal Time (Greenwich Mean Time) of the last change from
the source Active Directory container that the connection agreement is aware of.
Note
This value is stored only for backward-compatibility reasons, and it is no longer
used. It may not accurately reflect the last update time.
msExchServer1NetworkAddress
Attribute syntax: single-valued Unicode string
The host name of the domain controller that is the Windows endpoint of the connection
agreement.
msExchServer1PageSize
Attribute syntax: single-valued integer
Specifies the Lightweight Directory Access Protocol (LDAP) page size to use when
replicating with Active Directory. The default value is 20.
msExchServer1Port
Attribute syntax: single-valued integer
Specifies the LDAP port to use when connecting to the Active Directory server. The default
port is 389.
msExchServer1SearchFilter
Attribute syntax: single-valued Unicode string
Specifies the LDAP search filter that ADC uses when searching for objects to export from
Active Directory. The value will differ depending on the objects being exported and the type
of connection agreement. For example, for a User connection agreement that is set to
replicate users, groups, and contacts, the value is:
(|(objectClass=user)(objectClass=contact)(objectClass=group))
msExchServer1SSLPort
Attribute syntax: single-valued integer
Specifies the LDAP port used for Secure Sockets Layer (SSL) communications with the
Active Directory server. The default port is 636.
msExchServer1Type
Attribute syntax: single-valued integer
Specifies the type of server.
0 = Active Directory domain controller
msExchServer2NetworkAddress
Attribute syntax: single-valued Unicode string
The host name of the Exchange server or SRS that is the Exchange endpoint of the
connection agreement.
msExchServer2PageSize
Attribute syntax: single-valued integer
Specifies the LDAP page size to use when replicating with Exchange. The default value is
20.
msExchServer2Port
Attribute syntax: single-valued integer
Specifies the LDAP port to use when connecting to the Exchange server or SRS. The default
port is 389; however, when replicating with an SRS the port is 379. If the Exchange 5.5
server's LDAP port has been changed from 389 to a different value, this attribute must be
changed too.
msExchServer2SearchFilter
Attribute syntax: single-valued Unicode string
Specifies the LDAP search filter that ADC uses when searching for objects to export from
Exchange. The value will differ depending on the objects being exported and the type of
connection agreement. For example, for a User connection agreement that is set to replicate
mailboxes, distribution lists, and custom recipients, the value is:
(|(objectClass=organizationalPerson)(objectClass=remote-address)(objectClass=groupOfNames))
msExchServer2SSLPort
Attribute syntax: single-valued integer
The LDAP port used for SSL communications with the Exchange server. The default port is
636.
msExchServer2Type
Attribute syntax: single-valued integer
Specifies the type of server.
1 = Exchange 5.5 server or SRS.
A P P E N D I X D
ADC Matching Rules
Active Directory Connector (ADC) can identify objects in two directories, determine whether
they should be linked, and then either write to the objects so that they are linked, or if the
connection agreement is set as primary, create a new object. ADC uses matching rules when
replicating objects. When replicating from Microsoft® Exchange Server version 5.5 to the Active
Directory® directory service, ADC matches when the primary Microsoft Windows NT® Server
account matches the security identifier (SID) or SIDHistory of the Active Directory user.
Assoc-NT-Account = ObjectSid
Assoc-NT-Account = SIDHistory
Important
The only object matching rules tested extensively by Microsoft are the default
matching rules. Microsoft does not support custom object matching rules. You must
test any modifications in a lab environment to ensure that any custom matching rule
behavior meets your needs.
Use ADSIEdit or ldp.exe to view the matching rules. The matching rules are stored on the
Default ADC Policy object in the following container in Active Directory:
CN=Active Directory Connections,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<Domain>,DC=<com>
When ADC reads these attributes and determines that no custom matching rules have been
added, it uses the following set of matching rules.
Table D.2
Name    ObjectMatch
Objectmatch#person$Public
Folder$Top#publicFolder$top#distinguishedName#legacyExchangeDN$$exchange_dn#sid_Match#ObjectMatch###AssocNTAccount#ObjectSID#sid_match
EscapeBinaryBlob#ObjectMatch##user$organizationalPerson$person$top#Extension
Attribute10#"NTDS Contact"#veto
previous#ObjectMatch##user$organizationalPerson$person$top#Extension
Attribute10#"NTDSNoMatch"#veto
previous#ObjectMatch###user$organizationalPerson$person$top#Extension-Attribute-9#"Resource"#veto-previous#ObjectMatch###NotNULL#legacyExchangeDN#veto
Previous#ObjectMatch###AssocNTAccount#sidhistory#sid_match
EscapeBinaryBlob#ObjectMatch##user$organizationalPerson$person$top#Extension
Attribute10#"NTDS Contact"#veto
previous#ObjectMatch##user$organizationalPerson$person$top#Extension
Attribute10#"NTDSNoMatch"#veto
previous#ObjectMatch###user$organizationalPerson$person$top#Extension-Attribute-9#"Recource"#veto-previous#ObjectMatch###NotNULL#legacyExchangeDN#veto
Previous#ObjectMatch#$$rootdelimiter#dc#ObjectMatch#$$deletionattribute#IsDeleted#
In the preceding example, a string has been added that specifies that if custom attribute 9 has a
value of AddedNoMatch, the previous matching rule should be ignored. This creates a disabled
user account for the Exchange Server 5.5 mailbox. Note that the line is added twice. The first
occurrence overrides a match on objectSID, and the second overrides a match on SIDHistory.
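The outcome that the veto rules above produce, and the two-mailboxes-one-account scenario in Appendix B, can be modelled in a few lines to see which mailbox ends up on the enabled user and which becomes a disabled account. The following Python is an added illustration, not ADC code and not the matching-rule syntax itself: it applies the default comparison (Assoc-NT-Account against objectSid, then against sIDHistory) with the NTDSNoMatch and Resource vetoes. It assumes the connection agreement is set to create disabled users; the SID strings and account names are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Added example: a model of ADC's default matching and veto rules, used to show
# how two mailboxes that share one Windows NT account end up in Active Directory.


@dataclass
class Mailbox:                      # Exchange 5.5 mailbox (constructed data)
    alias: str
    assoc_nt_account: str           # Assoc-NT-Account, here as a SID string
    custom_attr_9: str = ""         # Extension-Attribute-9; "Resource" marks a resource mailbox
    custom_attr_10: str = ""        # Extension-Attribute-10; "NTDSNoMatch" vetoes matching


@dataclass
class AdUser:                       # Active Directory user (constructed data)
    name: str
    object_sid: str
    sid_history: List[str] = field(default_factory=list)
    enabled: bool = True
    mailbox_alias: Optional[str] = None
    master_account_sid: Optional[str] = None


def find_match(mailbox: Mailbox, users: List[AdUser]) -> Optional[AdUser]:
    """Default rules: a mailbox vetoed by NTDSNoMatch or Resource matches nothing;
    otherwise Assoc-NT-Account is compared with objectSid, then with sIDHistory."""
    if mailbox.custom_attr_10 == "NTDSNoMatch" or mailbox.custom_attr_9 == "Resource":
        return None
    for user in users:
        if user.object_sid == mailbox.assoc_nt_account:
            return user
    for user in users:
        if mailbox.assoc_nt_account in user.sid_history:
            return user
    return None


def replicate(mailboxes: List[Mailbox], users: List[AdUser]) -> List[AdUser]:
    """One Exchange-to-Windows pass, assuming the connection agreement creates
    disabled users for mailboxes it cannot link to an existing account."""
    users = list(users)
    for mb in mailboxes:
        target = find_match(mb, users)
        if target is not None and target.mailbox_alias is None:
            target.mailbox_alias = mb.alias          # first mailbox lands on the enabled user
            continue
        # Vetoed, unknown, or the matched user already has a mailbox: create a disabled
        # user named after the alias. Only a mailbox vetoed with NTDSNoMatch gets
        # msExchMasterAccountSid set (to "SELF"); in the plain collision case it stays empty.
        new_user = AdUser(name=mb.alias, object_sid=f"S-1-5-21-NEW-{mb.alias}",   # placeholder SID
                          enabled=False, mailbox_alias=mb.alias)
        if mb.custom_attr_10 == "NTDSNoMatch":
            new_user.master_account_sid = "SELF"
        users.append(new_user)
    return users


if __name__ == "__main__":
    shared = "S-1-5-21-1-2-3-1000"
    for mb1_attr10 in ("", "NTDSNoMatch"):
        user1 = AdUser(name="User1", object_sid=shared)
        result = replicate([Mailbox("Mailbox1", shared, custom_attr_10=mb1_attr10),
                            Mailbox("Mailbox2", shared)], [user1])
        print(mb1_attr10 or "(default)",
              [(u.name, u.enabled, u.mailbox_alias, u.master_account_sid) for u in result])
```

Running it shows the two outcomes Appendix B describes: without NTDSNoMatch, Mailbox1 takes User1 and Mailbox2 becomes a disabled account with no msExchMasterAccountSid; with NTDSNoMatch on Mailbox1, Mailbox2 takes User1 and the disabled Mailbox1 account gets SELF.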
If you want to edit the object matching rules, perform the following steps:
1. Edit the original matching rules, provided at the beginning of this section, so that the new
matching string is included. Use a text editor with wordwrap turned off, so that no special
characters are included other than the carriage returns.
2. Start ADSIEdit and connect to the Active Directory Connections container.
3. Expand the Configuration node and then expand the second Configuration node.
4. Expand Services, expand Exchange, and then expand Active Directory Connections.
5. Right-click CN=Default ADC Policy, and then click Properties.
6. In the Select the property to view list, choose msExchServer2ObjectMatch.
7. Paste the entire object matching rules string into the Edit Attribute box.
8. Click Set, click Apply, and then click OK.
9. Restart the ADC service.
A P P E N D I X E
Viewing and Modifying the Attribute Mapping
The Active Directory Connector (ADC) schema map is stored in the Default ADC Policy entry in
the Configuration container of the Microsoft® Active Directory® directory service. This entry is
found in Active Directory at the following location:
CN=Default ADC Policy,CN=Active Directory Connections,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=dcname
The schema map has two attributes:
• msExchServer1SchemaMap Represents mapping from Active Directory to Microsoft
Exchange Server 5.5.
• msExchServer2SchemaMap Represents mapping from Exchange Server 5.5 to
Active Directory.
Because the Exchange 5.5 and Active Directory schemas are different, a set of rules is needed to
allow the attributes in both directories to be populated properly. The primary purpose of the
attribute mapping rules is to provide this set of rules.
These attributes are populated when you install the first ADC in a forest. Two files named
Remote.map and Local.map store the information that is imported to the ADC schema map. The
Remote.map file contains the values for the msExchServer1SchemaMap attribute, and the
Local.map file contains the values for the msExchServer2SchemaMap attribute.
These files are located on the Microsoft Windows® 2000 Server CD in the folder
Valueadd\Msft\Mgmt\Adc. If you want to edit these files before you install ADC, copy
everything in the Valueadd\Msft\Mgmt\Adc folder to a temporary folder, make the necessary
changes to the files, and then install ADC from the temporary folder.
The ADC Setup program does not replace these attributes if the Default ADC Policy entry
already exists. If you have already installed ADC and you want to make changes to these files,
you must delete all of the connection agreements, as well as the Default ADC Policy entry,
before you run the ADC Setup program.
You can also replace the attributes by using a tool that loads a file into an attribute, such as the
Lightweight Directory Access Protocol (LDAP) Data Interchange Format Data Exchange
(LDIFDE) tool. First you need to encode the file in a Base64 format. For more information about
how to Base64 encode, see Microsoft Knowledge Base article 191239, "Sample Base 64
Encoding and Decoding" (http://support.microsoft.com/?kbid=191239).
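The following Python is an added example, not from this guide or from the LDIFDE documentation: it builds the LDIF modify record that LDIFDE would import, Base64-encoding the map file into the "::" value form and folding long lines as RFC 2849 requires, and then unfolds and decodes the record again so the value can be checked before it touches the Default ADC Policy. The policy DN uses the corp.example.com domain from Chapter 9 and the two Local.map lines quoted in this appendix as a constructed sample.

```python
import base64

# Added example: producing (and checking) an LDIF record that loads a whole map
# file into a Base64-encoded attribute value for import with LDIFDE.

LDIF_LINE_WIDTH = 76  # RFC 2849 folds lines at 76 characters with a leading space


def _fold(line: str) -> list:
    """Fold one logical LDIF line into physical lines; continuations start with a space."""
    out, rest = [line[:LDIF_LINE_WIDTH]], line[LDIF_LINE_WIDTH:]
    while rest:
        out.append(" " + rest[:LDIF_LINE_WIDTH - 1])
        rest = rest[LDIF_LINE_WIDTH - 1:]
    return out


def ldif_base64_replace(dn: str, attribute: str, content: bytes) -> str:
    """Build a changetype: modify / replace record whose value is Base64 ('::' form)."""
    encoded = base64.b64encode(content).decode("ascii")
    lines = _fold("dn: " + dn)
    lines += ["changetype: modify", "replace: " + attribute]
    lines += _fold(f"{attribute}:: {encoded}")
    lines += ["-", ""]           # '-' ends the modification, blank line ends the record
    return "\n".join(lines) + "\n"


def ldif_values(ldif_text: str) -> dict:
    """Unfold an LDIF record and return {attribute: bytes}, decoding '::' values."""
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    values = {}
    for line in unfolded:
        name, sep, rest = line.partition(":")
        if not sep or not name:
            continue                      # '-' separator or blank line
        if rest.startswith(":"):
            values[name] = base64.b64decode(rest[1:].strip())
        else:
            values[name] = rest.strip().encode("utf-8")
    return values


# Constructed sample: the policy DN for the corp.example.com domain used in Chapter 9
# and the two Local.map lines quoted in this appendix.
DEFAULT_POLICY_DN = ("CN=Default ADC Policy,CN=Active Directory Connections,"
                     "CN=Microsoft Exchange,CN=Services,CN=Configuration,"
                     "DC=corp,DC=example,DC=com")
SAMPLE_LOCAL_MAP = (b"local###mail#ProxyAddresses#SMTP$##120#\r\n"
                    b"local###textEncodedORAddress#ProxyAddresses#X400$##120#\r\n")

if __name__ == "__main__":
    record = ldif_base64_replace(DEFAULT_POLICY_DN, "msExchServer2SchemaMap", SAMPLE_LOCAL_MAP)
    print(record)
    assert ldif_values(record)["msExchServer2SchemaMap"] == SAMPLE_LOCAL_MAP
```

Write the returned text to a file and import it with ldifde -i -f <file>; run the decoder over the file first so that a stray line break or a wrong map file is caught before the attribute is replaced.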
To view and/or modify the attribute mapping, you need to use a utility, such as ADSIEdit or
ldp.exe, that can read/write to Active Directory. You will also need read/write permissions to the
Active Directory Connections container. It is suggested that you use ADSIEdit to modify the
mapping attributes. You must have permissions to view and modify the configuration naming
context, such as Enterprise Admin or Full Exchange Administrator.
To use ldp.exe to view or modify the attribute mapping between
Exchange 5.5 and Active Directory
1. Connect to a domain controller on port 389.
2. Click Options, click General, and change Value Parsing from String to Binary.
3. Navigate the directory hierarchy to the Active Directory Connections container.
4. Right-click Default ADC Policy and click Search. This should populate the Base
distinguished name to be equal to the distinguished name for the Default ADC Policy
container.
5. In the Filter box, type (objectClass=*), choose Base for Scope, and then click Options. In the
Attribute field, type msExchServer2SchemaMap. Click OK, and then click Run.
This will display the entire attribute mapping for Exchange Server 5.5 to Active Directory to the
right side of the screen. To view the attribute mapping for Active Directory to Exchange 5.5,
complete the preceding steps, but type msExchServer1SchemaMap instead of
msExchServer2SchemaMap.
ADSIEdit is a more intuitive interface for making changes to the attribute mapping. ADSIEdit
provides a non-hexadecimal format, which means that the attribute mapping is now readable and
editing is easier.
To view or edit the mapping attributes using ADSIEdit
1. Connect to a domain controller with ADSIEdit.
2. Traverse the directory hierarchy to the Active Directory Connections container.
3. Click the Active Directory Connections node.
4. Right-click CN=Default ADC Policy, and then click Properties.
5. On the Attributes tab, click the Select a property to view drop-down list. Choose
msExchServer1SchemaMap to display the attribute mapping for Active Directory to
Exchange Server 5.5 replication in the Value field.
6. Put the cursor at the beginning of the value and highlight the entire string. Copy and paste
the string to a text file. Turn off wordwrap before you paste the string.
To view and or change the attribute mapping from Exchange Server 5.5 to Active Directory,
complete the preceding steps, but choose msExchServer2SchemaMap.
The first field in the schema map syntax is a comment, and you can ignore it. The second and
third fields are the source and target object class. You can omit these fields if you want the rule to
apply to all entries, or you can specify both the source and target object class to which the rule
applies. You cannot specify only the source object class or only the target object class. Table E.1
contains definitions for all of the fields in the preceding example.
Field       Definition
dn-syntax   A distinguished name-linked attribute
The following example is a rule that applies when you want to replicate a group from Active
Directory to a distribution list on the Exchange Server 5.5 directory. Separate all values with a $
to create the object-class format that ADC uses.
mycomment#group$top#groupofnames$person$top
The following example is the reverse of the replication in the second example. Here, the source is
an Exchange Server 5.5 distribution list and the target is an Active Directory group. The source
and target attribute name fields specify the Lightweight Directory Access Protocol (LDAP) name
of the attribute.
mycomment#groupofnames$person$top#group$top#...
The following is an example of one attribute that has a different name in Active Directory and
Exchange Server 5.5.
comment###otherMailbox#ProxyAddresses#...
The following example only applies when ADC replicates a distribution list on Exchange
Server 5.5 to a group in Active Directory, and this schema map syntax maps the member attribute
between them. If you do not want the member attribute to be replicated between distribution lists
and groups, remove this line from the file.
commentl#groupofnames$person$top#group$top#member#member#...
The prefix field is used only in one special case. Do not use the prefix field except as it is used in
the following lines in the Local.map file:
local###mail#ProxyAddresses#SMTP$##120#
local###textEncodedORAddress#ProxyAddresses#X400$##120#
The preceding schema map syntax indicates that when the mail attribute on Exchange Server 5.5
is replicated to the proxyAddresses attribute in Active Directory, the attribute should be added
with the "SMTP$" prefix. The dn-syntax field indicates that the attribute that ADC is replicating
is a distinguished name-linked attribute, and therefore the distinguished name must be resolved
before the attribute is added. For example:
remote#...#...#manager#manager##DN#2#
Flags
The flags field uses a set of flags that indicates how ADC works in certain situations, or whether
or not the Active Directory Connector snap-in displays each attribute. Table E.2 describes each
flag.
Flag Description
0x0001 Maps a multivalued attribute to a single-valued attribute
0x0002 Lazy DN conversion
0x0004 Maps a single-valued attribute to a multivalued attribute
0x0008 Concatenates a multivalued attribute to a single-valued attribute
0x0010 Disables replication
0x0020 The source attribute is an ADC internal attribute
0x0040 The target attribute is an ADC internal attribute
0x0100 Hides the attribute in the Active Directory Connector Management snap-in
0x0200 Merges the attribute into the target (instead of replacing it)
0x0400 Distinguished name attribute that can only be resolved if Exchange 2000 Server is installed
0x0800 Allows mapping of strings to distinguished names and distinguished names to strings
Note
The 0x800 flag was introduced with the Service Pack 1 version of ADC.
To combine flags, add the value of the flags and use the hexadecimal number that results
(without "0x"). To best use these flags, observe the way that they are used in the Remote.map and
Local.map files. The following list describes the most important flags:
• The lazy DN conversion flag (0x0002) causes ADC to postpone the resolution of the
attribute, so that resolution of the attribute is the last operation that ADC performs before
ADC replicates the entry. This improves performance because all linked distinguished names
are resolved at the end of the process with fewer searches to the directory service.
• The disable replication flag (0x0010) has the same effect as removing the line from the file.
The Active Directory Connector Management snap-in sets or resets this attribute every time
that you clear or select this attribute to be replicated.
• The hide from the UI flag (0x0100) hides the attribute in the MMC snap-in so that the
attribute cannot be disabled or enabled.
When ADC determines which rule to use to map an attribute, the first choice is a rule that is
complete with object class. If ADC finds such a rule, it uses that rule. If ADC does not find such
a rule, the next choice is a generic rule (without an object class).
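The map-line syntax and the flag bitmask described above can be checked mechanically before a modified Remote.map or Local.map is put into service. The following Python is an added example, not part of this appendix or of the ADC product: it splits a map line into its fields, decodes the flags field against Table E.2, and selects a rule the way the preceding paragraph describes (a rule that names the object class before a generic one). The field order is inferred from the map lines quoted in this appendix, and the object classes used in the sample `remote` line of the test are constructed in place of the elided values.

```python
"""Parser for ADC schema-map lines (Remote.map / Local.map).

Added example, not ADC code. Field order is inferred from the lines quoted
in this appendix:
    comment#src-classes#tgt-classes#src-attr#tgt-attr#prefix#dn-syntax#flags#
Object classes in one field are '$'-separated; flags are hex without "0x".
"""

FLAGS = {  # Table E.2, bit value -> meaning
    0x0001: "multivalued -> single-valued",
    0x0002: "lazy DN conversion",
    0x0004: "single-valued -> multivalued",
    0x0008: "concatenate multivalued into single-valued",
    0x0010: "replication disabled",
    0x0020: "source is ADC internal attribute",
    0x0040: "target is ADC internal attribute",
    0x0100: "hidden in ADC snap-in",
    0x0200: "merge into target",
    0x0400: "DN resolvable only with Exchange 2000",
    0x0800: "string <-> DN mapping",
}
DISABLED = 0x0010
FIELD_NAMES = ("comment", "src_classes", "tgt_classes", "src_attr",
               "tgt_attr", "prefix", "dn_syntax", "flags")


def parse_map_line(line):
    """Split one map line into a dict; flags are decoded into Table E.2 names."""
    parts = line.rstrip("\r\n").split("#")
    parts += [""] * (len(FIELD_NAMES) - len(parts))  # class-only rules are short
    rule = dict(zip(FIELD_NAMES, parts))               # trailing '' is dropped
    rule["src_classes"] = [c for c in rule["src_classes"].split("$") if c]
    rule["tgt_classes"] = [c for c in rule["tgt_classes"].split("$") if c]
    value = int(rule["flags"], 16) if rule["flags"] else 0  # "120" -> 0x120
    unknown = value & ~sum(FLAGS)
    if unknown:
        raise ValueError(f"unknown flag bits 0x{unknown:X} in line: {line}")
    rule["flag_value"] = value
    rule["flag_names"] = {name for bit, name in FLAGS.items() if value & bit}
    return rule


def combine_flags(*bits):
    """Flags field for several Table E.2 values: (0x0002, 0x0010) -> "12"."""
    return format(sum(bits), "X")


def select_rule(rules, src_attr, src_class):
    """Pick the rule ADC would apply: a rule naming the object class beats a
    generic rule (no class); a disabled rule counts as absent from the file."""
    live = [r for r in rules if r["src_attr"] == src_attr
            and not r["flag_value"] & DISABLED]
    for r in live:
        if src_class in r["src_classes"]:
            return r
    for r in live:
        if not r["src_classes"]:
            return r
    return None
```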
Specifying an Authoritative Attribute Source
In certain circumstances, an attribute or attributes must be set as the authoritative source for
changes. One such circumstance is when you have specialized programs that write to
Exchange 5.5, and you have not had the opportunity to adapt the program to write to Active
Directory. Another circumstance is when you have developed a program to write to Active
Directory and want changes to certain attributes to be written or modified only from Active
Directory. Specifying an authoritative attribute source allows all changes that are made to certain
attributes from one directory to be authoritative over the other directory. To modify this behavior,
you need to understand which attributes map from Exchange 5.5 to Active Directory and from
Active Directory to Exchange 5.5. See the information at the beginning of this appendix.
Note
If you disable replication for any attribute, you should test that change completely
before deploying.
The following procedure indicates how you can force an attribute to be the authoritative source.
In this procedure, the goal is to modify the attribute mapping rules to force the telephone number
from Exchange 5.5 to be the authoritative source.
To force an attribute to be the authoritative source
1. In the Active Directory Connector Management snap-in, right-click Active Directory
Connector Management and click Properties.
2. On the From Windows tab, clear the telephoneNumber check box.
3. Click OK and exit the snap-in.
The attribute is mapped to Active Directory and replicated, but only the changes in Exchange 5.5
for this attribute are replicated.
APPENDIX F
There are situations where the Microsoft® Exchange Server version 5.5 Move Server Wizard is
needed in a mixed environment to help collapse two organizations, or modify an existing
organization. Using the Move Server Wizard after deploying Active Directory Connector (ADC)
can cause adverse effects, such as deleted Microsoft Active Directory® directory service
accounts.
For example, if a particular Exchange 5.5 site is being synchronized with Active Directory and
the Move Server Wizard is run, all mailboxes that are associated with the server that is being
moved have a delete issued for them. They are re-created in the target organization and site.
When ADC picks up the delete, it replicates the delete into Active Directory and issues a delete
for the corresponding Active Directory account. If the server is moved into another site in the
same organization, ADC will not synchronize the two directory objects. This is because ADC
determines that the object has been deleted and should no longer be replicated.
Note
Using the Move Server Wizard to move a server from one site in an organization to
another site in the same organization is not supported if the objects are being
synchronized with ADC.
To avoid having ADC replicate the deletes into Active Directory, make sure that the connection
agreement that is responsible for replicating the objects on this server has the delete option set to
write to an .ldf file. (Do not import this file after the Move Server Wizard has been used.) Setting
the delete option to write to an .ldf file will prevent ADC from replicating the deletes, and when
the server is moved to the target site the objects will be synchronized.
Note
If deletions were not set to write to a file, and ADC removes the Active Directory
objects, perform the following operations:
1. On the Exchange 5.5 server that was moved, export all objects that were being
replicated using ADC.
2. Open the .csv file created by the export with a text editor or with Microsoft Excel
and remove all of the ADC-Global-Names values for all objects.
3. Import the .csv file using the Exchange 5.5 Administrator program.
When you have completed the three preceding steps, ADC will be able to synchronize
the objects.
If you use the Move Server Wizard to remove an Exchange 5.5 site from a mixed organization
that is being synchronized with ADC, it is recommended that you replicate the deletes. Also, if
you use the Move Server Wizard to move an Exchange 5.5 server from one organization into a
mixed organization, it is recommended that you move the server into a non-mixed site.
APPENDIX G
Token Augmentation
To support the interoperation of Exchange Server 5.5 and Exchange 2000 Server, Windows 2000
contains logic to extend the token of the mixed-mode Windows 2000 user to include the SIDs of
the USGs of which it is a member. The logic augments the token as necessary, taking into
account whether the user is in a native-mode or mixed-mode Windows 2000 domain and whether
a disabled user object is involved. For more information about token augmentation and disabled
users, see "Added Complexity from Disabled Users and Mailbox Rights" later in this appendix.
The testing for Universal Security Groups (USGs) and Public Folder Access Control Lists
(ACLs) falls into four basic topologies. Each topology is shown below with a brief explanation
of the elements that differentiate it from the other topologies. These diagrams represent minimum
installations, and you should do additional testing prior to deploying them in a production
environment.
• Single Native-mode Domain This is the simplest case, in which all user and group
objects are in a native-mode domain. The Microsoft® Exchange 2000 Server store can
convert the universal distribution groups into universal security groups. When the
Exchange 2000 store is evaluating an ACL, the token augmentation logic path does not need
to be invoked, because the user's token will already include the USGs. A variation on this
topology is a forest of multiple native-mode domains.
• Trusts Spanning Forest This topology is useful in a situation in which the user is
logging on with credentials from an explicitly trusted domain and accessing an
Exchange 2000 server in a different forest. The result is an Exchange 2000 disabled user
object that has mailbox rights assigned to an enabled user object in the trusted authentication
domain. This added level of complexity is dealt with through the Exchange Master Account
SID attribute. The token augmentation code determines that this situation exists, finds the
corresponding disabled user object, and augments the token with the SIDs of the universal
security groups of which that object is a member.
Inter-Organization Connection Agreement
You can set the inter-organization connection agreement option on the Advanced tab of a
connection agreement properties sheet. This option allows Microsoft® Exchange Server
version 5.5 and Microsoft Exchange 2000 servers that are in two separate Exchange
organizations to replicate information. The inter-organization option doesn't handle how objects
are created; it primarily handles how proxies are generated (they are not generated with the inter-
organization option).
If the inter-organization option is not selected, Active Directory Connector (ADC) does not:
• Match Custom Recipients to a mailbox-enabled user.
• Match a mailbox to a user that is only mail-enabled.
• Stamp msExchMasterAccountSID or legacyExchangeDN.
Arbitrating Changes
ADC arbitrates changes to ensure that changes in either the Exchange 5.5 directory or the Active
Directory® directory service are synchronized.
Note
ADC only arbitrates changes when a two-way connection agreement is set. Using
two one-way connection agreements to achieve two-way replication is not supported.
ADC processes changes or creations in several different ways. When a two-way connection
agreement is scheduled to replicate or initiated using "Replicate Now", the ADC service reads the
properties of the connection agreement from Active Directory.
ADC searches the Exchange 5.5 server for objects that are in an export container, and whose
update sequence number (USN) values are greater than what is stored in
msExchServer2HighestUSN.
1. If there are changes to replicate, ADC looks at each object that has changed, then goes to the
target object based on the msExchADCGlobalNames value on the source object.
a. If the source Exchange object does not have msExchADCGlobalNames, ADC finds a
match or creates a new object. For more information about the process, see "How Active
Directory Connector Finds, Matches, and Links Objects" in Chapter 7.
b. ADC compares the msExchServer1HighestUSN value on the connection agreement
with the USN of the target object to determine if the target object has been modified.
c. If the target object has not been modified, the change from Exchange 5.5 is written to
the Microsoft Active Directory® directory service object. If the Active Directory object
has been modified and its USN-changed value is greater than that of the Exchange 5.5
object, ADC does not write the change and waits for the Active Directory to Exchange 5.5
replication.
d. If the USN change on the Active Directory object is equal to the USN change on the
Exchange 5.5 object, ADC uses the whenChanged attribute on each object to determine
which change is newer. ADC uses the currentTime attribute from the Exchange 5.5 and
global catalog server to compensate for any time differences between the servers. If the
Exchange 5.5 change is most recent, it is written to the Active Directory object. If the
Active Directory object is most recent, the connection agreement waits for the Active
Directory to Exchange 5.5 replication.
2. ADC replicates changes from Active Directory to Exchange 5.5. ADC compares the
msExchServer1HighestUSN value against the USN values associated with the objects in the
Active Directory export containers.
3. If there are changes to replicate, ADC checks each object that is changed, then goes to the
target object based on the msExchADCGlobalNames value on the source object.
a. If the source Active Directory object does not have msExchADCGlobalNames, ADC
finds a match or creates a new object. For more information about the process, see
"How Active Directory Connector Finds, Matches, and Links Objects" in Chapter 7.
b. If the Active Directory object has a higher USN changed value than the Exchange 5.5
object, Active Directory writes the change. If there is a conflict, the ADC service
compares the whenChanged timestamps of the objects using the currentTime attribute to
compensate for time differences. If any of the same objects have been changed, the
previous conflict resolution will be known, and only those objects in Active Directory
that are newer will be written.
Using two one-way connection agreements that have overlapping import and export containers to
achieve two-way replication is not supported. For example, suppose you have a From Exchange
to Windows connection agreement set up that is replicating the Site\Recipients container to a
default import container of Domain\Users. You cannot set up another one-way From Windows to
Exchange connection agreement that has Domain\Users as an export container. To achieve the
two-way replication required for mixed sites, you must use a two-way connection agreement.
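The decision ADC makes in steps 1b through 1d (and its mirror image in step 3b) can be written out as a single function. The following Python is an added example, not ADC code; the dictionary keys and the ts() helper are constructed stand-ins for the USN-changed, whenChanged and currentTime values the steps refer to, and the case where the target has been modified but carries the lower USN-changed value is treated as a write, which the steps imply rather than state.

```python
from datetime import datetime

# Added example modelling the arbitration a two-way connection agreement
# performs (steps 1b-1d for Exchange 5.5 -> Active Directory; step 3b is the
# mirror image, so the same function serves both directions). Not ADC code;
# dict keys and ts() are constructed stand-ins for USN-changed, whenChanged
# and currentTime.


def ts(hour, minute):
    """Constructed timestamp on an arbitrary sample day."""
    return datetime(2003, 1, 1, hour, minute)


def arbitrate(source, target, ca_highest_target_usn, source_now, target_now):
    """Return "write" if the source change overwrites the target, or "wait"
    if ADC leaves it for the opposite direction of replication.

    source, target: {"usn": USN-changed, "when_changed": datetime read from
        that directory's own clock}
    ca_highest_target_usn: highest target-side USN the connection agreement
        stored after its last cycle (msExchServer1HighestUSN when the target
        is Active Directory)
    source_now, target_now: currentTime as read from each server
    """
    # 1b: target untouched since the last cycle -> no conflict, write.
    if target["usn"] <= ca_highest_target_usn:
        return "write"
    # 1c: both sides changed; the higher USN-changed value wins.
    if target["usn"] > source["usn"]:
        return "wait"
    if target["usn"] < source["usn"]:
        return "write"
    # 1d: equal USN-changed -> compare whenChanged, after moving the source
    # timestamp onto the target's clock using the skew between currentTimes.
    skew = target_now - source_now
    source_when = source["when_changed"] + skew
    # Assumption: an exact timestamp tie does not count as "source is newer".
    return "write" if source_when > target["when_changed"] else "wait"
```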
Transaction Directory (REG_SZ): The directory to which ADC logs all the deletes and failures.
Defaults to MSADC\ in the ADC directory.
Sync Sleep Delay (secs) (REG_DWORD): When ADC is not synchronizing, how long it waits before it
should poll or resume work. Defaults to 300 seconds.
Max Continuous Sync (secs) (REG_DWORD): The maximum length of time ADC will replicate. The
default is 300 seconds.
Password Expiration (REG_DWORD): The number of days ADC stores unused passwords. The default
is 0, and if the default value is used, the actual number of days depends on the number of
passwords stored. This can range from 60 to 180 days.
Export Block Size (REG_DWORD): How big a block of USNs ADC exports before ADC commits the
connection agreement. The default is 20000. This is the starting value that ADC uses when
replicating. After the first block, the block size is variable and is set to 10% of the
remaining USNs.
Maximum Export Block Size (REG_DWORD): The maximum allowed export block size. The default is
0xFFFFFFFF.
Deletion Depend On Store (REG_DWORD): If the Exchange store mailbox delete fails, should the
directory object delete fail? Used as a Boolean, 0 to disable, and 1 to enable. The default
is 0.
ADCI TCP/IP Port (REG_DWORD): Sets the remote procedure call (RPC) port for setting passwords
on ADC connection agreements, so that it can be accessed through a firewall. The default is
not set, so the RPC port is defined dynamically.
Disabled Windows User Account Description (REG_SZ): Allows you to choose the description that
is set when ADC creates a disabled user. The default is "Disabled Windows user account". For
more information, see Microsoft Knowledge Base article 288084, "XADM: How to Change the
Description Set on Disabled Users by the ADC" (http://support.microsoft.com/?kbid=288084).
UMAC Timeout (REG_DWORD): Period for unmerged attribute cleanup, in seconds. The default is
43200 seconds (12 hours).
Merge Bad Links (REG_DWORD): Specifies if bad links on a target object (with incorrect syntax
or ADC Global Name values that are in the same site and organization as the import container)
should be stamped on the source object during back replication. Used as a Boolean value. The
default is 1 (TRUE).
Max DC State Vector (REG_DWORD): Available with the Exchange 2000 Service Pack (SP) 3 ADC. This
value sets an upper limit on the number of domain controllers that ADC keeps track of in the
msExchUSNVector attribute on the connection agreement. This is useful if you have >800 domain
controllers in the environment. For more information, see Microsoft Knowledge Base article
314950, "XADM: The ADC Does Not Work in an Environment That Contains More Than 800 Domain
Controllers" (http://support.microsoft.com/?kbid=314950).
APPENDIX J
Additional Resources
Technical Articles
Directory Replication and Background Traffic for Microsoft Exchange 5.5
(http://go.microsoft.com/fwlink/?LinkId=20532)
Resource Kits
Microsoft Exchange 2000 Server Resource Kit
(http://go.microsoft.com/fwlink/?LinkId=6543)
You can order a copy of the Microsoft Exchange 2000 Server Resource Kit from Microsoft
Press® at http://go.microsoft.com/fwlink/?LinkId=6544.
Microsoft Windows 2000 Server Resource Kit
(http://go.microsoft.com/fwlink/?LinkId=6545)
You can order a copy of the Microsoft Windows 2000 Server Resource Kit from Microsoft
Press at http://go.microsoft.com/fwlink/?LinkId=6546.