Exchange 2003 Active Directory Connector Wizardry


Lab


We used two machines: one a Windows 2000 domain controller with Exchange 5.5 installed, the other a Windows 2003 domain controller. Exchange 5.5 was used to create mailboxes and users in two containers. We deliberately created “problematic” yet common scenarios: a user with more than one mailbox, a mailbox owned by a group, and a user whose name had been changed. The aim was to challenge the new ADC and see whether it can deal with situations that had to be resolved manually before ADC was deployed.




Setup


ADC now does not just add a partial set of Exchange attributes to Active Directory; it extends the schema completely, possibly because Microsoft thought it best to avoid extending the schema twice.




So, if in Exchange 2003 the organization name is actually set during installation, and the schema is extended by ADC, do we really need setup /forestprep? Actually, you do. Microsoft recommends running ForestPrep before installing ADC. ForestPrep now basically adds some registry settings and creates the GUID for the organization (and of course extends the schema if ADC was not installed).




ForestPrep and DomainPrep are also a requirement for setting up Public Folder Connection Agreements. If you don’t perform setup /domainprep before you run ADC you will get the following dialog box when running the Connection Agreement Wizard:




For some reason, at least in the RC1 version of Exchange 2003, some strange pre- and post-installation dialog boxes appear. I don’t really know what to make of them and I hope they disappear by the time the product is released.





ADC Tools

Added to ADC is a set of tools used to automatically create connection agreements and deal with the directory changes required for migration.


Using the ADC tools is relatively easy. However, the results of running the tools are presented as log files which you have to seek out and browse through. I got this output by running steps 1 and 2:


Current user is ‘Administrator\SUNNYDALE’ on computer ‘XANDER’


Pass 1 of 4: Resource Mailbox Scan 06/12/2003 12:16:15


Warning: The Data Collection tool found objects that must be marked as resource mailboxes before they can be replicated to Active Directory. Running the Resource Mailbox Wizard in Step 3 will resolve these issues.


Pass 2 of 4: Active Directory Connector Object Replication Check 06/12/2003 12:16:15


Matched ‘cn=SecretaryB,cn=Recipients,ou=Sunnydale,o=Integration’ to ‘CN=SecretaryB,OU=domain users,DC=sunnydale,DC=city’ based on SID.


Matched ‘cn=ImportantE,cn=Recipients,ou=Sunnydale,o=Integration’ to ‘CN=Important Executive,OU=domain users,DC=sunnydale,DC=city’ based on SID.


Matched ‘cn=Administrator,cn=Recipients,ou=Sunnydale,o=Integration’ to ‘CN=Administrator,CN=Users,DC=sunnydale,DC=city’ based on SID.


Matched ‘cn=RegularJ,cn=Recipients,ou=Sunnydale,o=Integration’ to ‘CN=RegularJ,OU=domain users,DC=sunnydale,DC=city’ based on SID.


Matched ‘cn=JaneD,cn=Recipients,ou=Sunnydale,o=Integration’ to ‘CN=NextB,OU=domain users,DC=sunnydale,DC=city’ based on SID.


Matched ‘cn=BilbiB,cn=Recipients,ou=Sunnydale,o=Integration’ to ‘CN=BilbiB,OU=domain users,DC=sunnydale,DC=city’ based on SID.


Matched ‘cn=SecretaryL,cn=Recipients,ou=Sunnydale,o=Integration’ to ‘CN=SecretaryL,OU=domain users,DC=sunnydale,DC=city’ based on SID.


Matched ‘cn=MeetingR,cn=Special,ou=Sunnydale,o=Integration’ to ‘CN=SecretaryB,OU=domain users,DC=sunnydale,DC=city’ based on SID.


Matched ‘cn=ServerM,cn=Special,ou=Sunnydale,o=Integration’ to ‘CN=Administrators,CN=Builtin,DC=sunnydale,DC=city’ based on SID.


Warning: The Data Collection tool found objects that are not replicated from the Exchange 5.5 directory to Active Directory. Running the Connection Agreement Wizard in Step 4 will resolve these issues.


Pass 3 of 4: Active Directory Object Replication Scan 06/12/2003 12:16:16


No mail enabled objects found in Active Directory.


Active Directory Object Replication Scan completed.  No unreplicated objects found.


Pass 4 of 4: Active Directory Unmarked Resource Mailbox Scan 06/12/2003 12:16:16


No mail enabled objects found in Active Directory.


Active Directory Unmarked Resource Mailbox Scan completed.  No problems found.


To make a long story short, ADC found some of my planted directory problems and asks me to run the Resource Mailbox Wizard in step 3.
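As an added example (not part of the original article, and not Microsoft's ADC Tools), the following Python script pulls the “Matched … based on SID” lines out of a data-collection log like the one above and sorts them into the three planted scenarios: one account matched by two mailboxes (the resource-mailbox case the step 3 wizard fixes), a mailbox whose primary account is a built-in group, and a renamed user whose 5.5 alias no longer agrees with the Active Directory name. The log line format and the sample text are assumed from the excerpt quoted here.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the ADC Tools data-collection log quoted above
# (names from the page; the line format is assumed from that excerpt).
SAMPLE_LOG = """\
Matched 'cn=SecretaryB,cn=Recipients,ou=Sunnydale,o=Integration' to 'CN=SecretaryB,OU=domain users,DC=sunnydale,DC=city' based on SID.
Matched 'cn=ImportantE,cn=Recipients,ou=Sunnydale,o=Integration' to 'CN=Important Executive,OU=domain users,DC=sunnydale,DC=city' based on SID.
Matched 'cn=JaneD,cn=Recipients,ou=Sunnydale,o=Integration' to 'CN=NextB,OU=domain users,DC=sunnydale,DC=city' based on SID.
Matched 'cn=MeetingR,cn=Special,ou=Sunnydale,o=Integration' to 'CN=SecretaryB,OU=domain users,DC=sunnydale,DC=city' based on SID.
Matched 'cn=ServerM,cn=Special,ou=Sunnydale,o=Integration' to 'CN=Administrators,CN=Builtin,DC=sunnydale,DC=city' based on SID.
"""

# Accepts straight or typographic quotes, since pasted logs often carry the latter.
MATCH_RE = re.compile(r"Matched [‘']([^’']+)[’'] to [‘']([^’']+)[’'] based on SID\.")

def first_rdn(dn):
    """'cn=MeetingR,cn=Special,...' -> 'MeetingR' (value of the leading RDN)."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def parse_matches(log_text):
    """Return (exchange55_dn, ad_dn) pairs from the 'Matched ... based on SID.' lines."""
    pairs = []
    for line in log_text.splitlines():
        m = MATCH_RE.search(line)
        if m:
            pairs.append(m.groups())
    return pairs

def shared_accounts(pairs):
    """AD accounts claimed by more than one 5.5 mailbox: the account keeps one mailbox,
    the rest are the resource mailboxes the step 3 wizard has to mark."""
    by_account = defaultdict(list)
    for ex_dn, ad_dn in pairs:
        by_account[ad_dn.lower()].append(first_rdn(ex_dn))
    return {ad: exs for ad, exs in by_account.items() if len(exs) > 1}

def group_owned(pairs):
    """Mailboxes whose primary account lands in CN=Builtin, i.e. a built-in group rather
    than a user (heuristic container check, not an objectClass lookup)."""
    return [first_rdn(ex) for ex, ad in pairs if ",cn=builtin," in ad.lower()]

def name_mismatches(pairs):
    """One-to-one user matches where the 5.5 alias and the AD name disagree (renamed
    users): SID matching is right, but review them before replication."""
    shared = shared_accounts(pairs)
    return [(first_rdn(ex), first_rdn(ad)) for ex, ad in pairs
            if ad.lower() not in shared and ",cn=builtin," not in ad.lower()
            and first_rdn(ex).lower() != first_rdn(ad).lower()]
```

Run against a real log, the output of shared_accounts is the list of mailboxes you should expect the Resource Mailbox Wizard to touch, which the wizard itself does not report.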







As can be seen, the wizard does not tell you which mailboxes were actually modified. From looking at the directory I was able to ascertain that an account had been created for a meeting room that had a secretary as its primary account, and that security had been modified so that the secretary would still be able to fully access the meeting room's mailbox.


Step 4 created the connection agreements:









After going through these dialog boxes the following log file shows what was created:


The following Connection Agreements will be created or modified:
      Name: Public Folders: sunnydale.city – Sunnydale\Integration
      5.5 Site: Sunnydale
      5.5 Server: FAITH:390
      Domain: sunnydale.city
      Domain Server: xander.sunnydale.city:389
      Two-way


      Name: Users: sunnydale.city – Sunnydale\Integration
      5.5 Site: Sunnydale
      5.5 Server: FAITH:390
      Domain: sunnydale.city
      Domain Server: xander.sunnydale.city:389
      One-way


Results


Going to the ADC connection agreement tab-based interface, this setup can be seen and modified. For most scenarios I would recommend changing the ADC CA to two-way replication. One exception can be setting up ADC CAs for domains and sites where Exchange 5.5 directory corrections have not yet been made. This sometimes happens when a migration project starts but not all branches, due to political reasons or a lack of technical expertise, have performed the required steps (now performed, at least partially, by the Resource Mailbox Wizard). One-way replication allows you to easily make changes in the Exchange 5.5 directory and have them replicated to Active Directory. However, once you start to really use Active Directory, changes you make in Active Directory will not replicate to Exchange 5.5. This can prove to be quite a negative thing, especially once the first Exchange 2000/2003 server is installed in the domain or site.





ADC’s security is now improved with Kerberos support for accessing Active Directory, as can be seen in the Authentication drop-down box for the Windows Server information.


The initial OU containing the users in the domain now has two child OUs. These match the containers in Exchange 5.5 and are used for placing objects not matched in Active Directory, in this case two distribution lists (now Universal Groups) and an external recipient (now a contact).




Resource mailboxes have been disabled because they are not actual users. However, the security permissions were retained so that users will still be able to log on to these mailboxes.





Conclusion


Although the ADC functionality is largely unchanged from the Exchange 2000 version, the wizards are a welcome addition. It is probable that Exchange experts with some migrations under their belts will still configure ADC the old-fashioned way and possibly even fix the Exchange 5.5 directory manually or using scripts. However, for novices the wizards are a great tool for aiding simple migrations, especially in the SMB market. I predict that when these wizards mature through Exchange 2003 service packs eventually even experts will use some of them, because they can save time in many situations and are more easily documented. The log files can provide an easy-to-access repository for ADC configuration history, especially in deployments where there are multiple branches with many sites and domains.
