Thursday, February 4, 2010

Author is a Microsoft Windows Server System - Exchange Server MVP
Configure Active Directory Connector Connection Agreements
by Daniel Petri - January 7, 2009
How do I configure Active Directory Connector Connection Agreements (CA)?
MSKB 296260 has the following information:
In most ADC deployments, your configuration falls under one of the following scenarios; before you configure Connection Agreements (CA), determine which scenario applies to your situation:
· First scenario. The Exchange Server 5.5 mailboxes are associated with accounts in a Windows 2000 Active Directory domain.
· Second scenario. The Exchange Server 5.5 mailboxes are associated with accounts that are located in a Windows NT 4.0 domain, even though a new Windows 2000 Active Directory domain has been created.
In both scenarios, you need to install the ADC. To install the ADC, follow this article: Active Directory Connector Installation
First Scenario
To configure the two-way user Connection Agreement:
1. On the Start menu, point to Programs, point to Administrative Tools, and then click Active Directory Connector Management.
2. Right-click Active Directory Connector, point to New, and then click Connection Agreement.
3. Click the General tab, and then:
a. Type the name of the Connection Agreement in the Name box.
b. Under Replication Direction, click Two-way.
c. When you receive the following message, click OK:
The connection agreement must now write to the Exchange directory.
d. Click the Active Directory Connector server that you want to use.
Note: If this is the first installation, there is only one server available.
4. Click the Connections tab, and then:
a. Under Windows Server Information:
I. Make sure that:
§ The Server box contains the name of your Windows 2000-based server.
§ The Authentication box defaults to "Windows Challenge/Response".
§ The account that you are using has write permissions to the directory because the agreement is a two-way agreement, and read and write permissions are necessary.
II. Under Connect as, click Modify, and then select an Administrative account that has write permissions to Active Directory.
b. Under Exchange Server Information:
I. Make sure that:
§ The Server box contains the name of your Exchange Server 5.5 computer.
§ The Authentication box defaults to "Windows Challenge/Response".
§ The account that you are using has at least Admin permissions to the directory because the agreement is a two-way agreement, and read and write permissions are necessary.
§ The Lightweight Directory Access Protocol (LDAP) port on the Exchange Server 5.5 directory is correct (by default, this port is 389).
II. In the Connect as list, click Modify, and then select an account that has Admin privileges in the Exchange Server 5.5 directory.
5. Click the Schedule tab, and then set the Replication time to Always.
Note: The ADC automatically replicates all of the objects during the first replication cycle; therefore, if you select the Replicate the entire directory the next time the agreement is run check box, you do not affect the first replication cycle.
6. Click the From Exchange tab, and then:
a. Under Exchange Recipients containers, click Add, and then add each top-level Recipients container from your Exchange Server 5.5 site.
Important: Do not add any containers from other sites. If you use multiple sites, you need to set up additional two-way connection agreements to servers in each of the other sites.
b. Under Default destination, click Modify, and then click the Users container.
Note: This is the default container in which the ADC will create new objects if the ADC cannot match the Exchange Server 5.5 object to an existing Active Directory object. If user accounts exist in different organizational units, see the IMPORTANT note in step 6.c.
c. Make sure that all of the objects under Select the objects that you want to replicate are selected (all of the objects are selected by default).
Important: The ADC replicates all of the Exchange Server distribution lists (DLs) to Active Directory as Universal Distribution Groups (UDGs). You can create these UDGs in either a mixed-mode or native-mode Active Directory domain. However, if you use the equivalent Exchange Server DL object to control access to public folders in Exchange Server, the Exchange 2000 information store process tries to convert the UDG to a Universal Security Group (USG) because distribution groups are not security principals. If the UDG exists in a mixed-mode Active Directory domain, the USG conversion does not succeed because USGs can only exist in native-mode domains. This results in a public folder in Exchange 2000 that has an ambiguous Access Control List (ACL); because of this, only the folder owner can access the folder's content, and other Exchange 2000 users cannot even see the public folder in the client hierarchy. When a UDG-to-USG conversion does not succeed, an event ID 9552 message is logged in the Exchange 2000 Application event log. In this scenario, you need a separate Recipient Connection Agreement to replicate the DLs to a native-mode domain.
d. Click the From Windows tab, and then:
I. Under Windows Organizational Units, click Add, and then add the Users container.
Important: If the Active Directory domain contains additional organizational units that contain users with Exchange mailboxes, you must specify these organizational units under Windows Organizational Units. If you do not specify the organizational units as export containers, the ADC cannot replicate the users back to the Exchange Server 5.5 directory.
II. In the Default destination box, click Modify, and then click the appropriate Recipients container.
III. Make sure that all of the objects in the Select the objects that you want to replicate box are selected (all of the objects are selected by default).
IV. Click to select the Replicate secured Active Directory objects to the Exchange directory check box. Secured Active Directory objects are Active Directory objects that contain an explicit Deny Access Control Entry (ACE).
V. Determine whether or not you want to select the Create objects in location specified by Exchange 5.5 DN check box. If you select this check box, the ADC creates new objects in a location that is based on the Exchange Server 5.5 distinguished name (legacyExchangeDN). If the organizational units that you selected as export containers contain subcontainers, you can select this check box to prevent the ADC from creating these subcontainers in the Exchange Server 5.5 directory.
e. Click the Deletions tab.
f. You are now finished configuring the recipient Connection Agreement. To force replication, right-click the two-way agreement, and then click Replicate Now.
Second Scenario
This scenario describes how to create a two-way recipient Connection Agreement between an Exchange Server 5.5 computer that is running in a separate Windows NT 4.0 domain and a new Windows 2000 Active Directory domain. This scenario requires at least a one-way trust relationship in which Windows 2000 Active Directory trusts the Windows NT 4.0 domain. However, to ease administrative effort, a two-way trust relationship is recommended.
Important: If your migration strategy is to have users log on to your newly created Active Directory, then you can run the ADMT before you create your two-way recipient Connection Agreement. If you run a domain migration tool that migrates SidHistory, such as ADMT, before you create your two-way recipient Connection Agreement, you do not have to run the ADClean utility. ADMT settings allow the administrator to create enabled users with which a valid 5.5 mailbox can match.
To create a two-way recipient Connection Agreement between an Exchange Server 5.5 computer that is running in a separate Windows NT 4.0 domain and a new Windows 2000 Active Directory domain:
1. Perform all of the steps in the "First Scenario" section of this article.
2. Start the Windows 2000 Active Directory Users and Computers snap-in, and then confirm that Exchange Server 5.5 users have been replicated as disabled users. Note that these objects are located in the default import container that is specified on the From Exchange tab of the Recipient Connection Agreement.
Important: Do not enable these disabled users. These accounts are only placeholders for the Exchange Server 5.5 mailboxes; these accounts are not security principals, and are not meant to be logged on to.
3. Determine which one of the following methods you want to use to migrate your user accounts to Windows 2000 Active Directory:
· Upgrade the Windows NT 4.0 domain to Windows 2000.
· Use the Active Directory Migration Tool (ADMT) to migrate users, including SidHistory.
· Use a third-party migration utility that supports SidHistory migration.
4. After you migrate the users to Windows 2000 Active Directory, you can run the Active Directory Cleanup Wizard (ADClean) to merge the mail attributes from the ADC-created placeholder accounts with your newly migrated users.
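Two of the checks an administrator would want after the agreement runs are (a) that none of the ADC-created placeholder accounts described in step 2 above has been enabled before ADClean merges it, and (b) that no replicated DL is a universal distribution group stuck in a mixed-mode domain, the UDG-to-USG case from the First Scenario. The script below is an added example, not part of the MSKB article or the ADC; it works on constructed LDAP attribute records (the DNs and values are made up) rather than querying a directory, and the userAccountControl, groupType and ntMixedDomain values it tests are the documented Active Directory attribute semantics.

```python
# Added example (not from the article): audit objects the ADC created in AD.
# Records are constructed here as dicts of LDAP attributes; in practice they
# would come from an LDAP search of the import container and the domain NC.

ACCOUNTDISABLE = 0x0002            # userAccountControl bit: account disabled
GROUP_TYPE_UNIVERSAL = 0x00000008  # groupType bit: universal scope
GROUP_TYPE_SECURITY = 0x80000000   # groupType bit: security-enabled group


def placeholder_accounts_enabled(users):
    """DNs of ADC placeholder accounts that have been enabled.

    Run this between step 2 and step 4 of the Second Scenario, i.e. before
    ADClean merges the placeholders into the migrated accounts. A placeholder
    is a user created from an Exchange 5.5 mailbox (it carries a
    legacyExchangeDN) and must stay disabled: it is not meant to log on.
    """
    return [
        u["distinguishedName"]
        for u in users
        if "legacyExchangeDN" in u
        and not (int(u["userAccountControl"]) & ACCOUNTDISABLE)
    ]


def udgs_that_cannot_become_usgs(groups, nt_mixed_domain):
    """Universal distribution groups the store cannot convert to USGs.

    The conversion only succeeds in a native-mode domain; ntMixedDomain on
    the domain naming context is 1 for mixed mode and 0 for native mode.
    """
    if not nt_mixed_domain:
        return []                      # native mode: conversion can succeed
    stuck = []
    for g in groups:
        gt = int(g["groupType"]) & 0xFFFFFFFF  # AD stores groupType signed
        if gt & GROUP_TYPE_UNIVERSAL and not gt & GROUP_TYPE_SECURITY:
            stuck.append(g["distinguishedName"])
    return stuck


SAMPLE_USERS = [  # constructed records; DNs and values are placeholders
    {"distinguishedName": "CN=Alice,CN=Users,DC=example,DC=local",
     "legacyExchangeDN": "/o=Org/ou=Site/cn=Recipients/cn=alice",
     "userAccountControl": "514"},   # 0x200 | 0x2: disabled, as expected
    {"distinguishedName": "CN=Bob,CN=Users,DC=example,DC=local",
     "legacyExchangeDN": "/o=Org/ou=Site/cn=Recipients/cn=bob",
     "userAccountControl": "512"},   # enabled placeholder: a finding
    {"distinguishedName": "CN=Carol,OU=Staff,DC=example,DC=local",
     "userAccountControl": "512"},   # ordinary user, no legacyExchangeDN
]
SAMPLE_GROUPS = [
    {"distinguishedName": "CN=PF Owners,CN=Users,DC=example,DC=local",
     "groupType": "8"},              # UDG replicated from a 5.5 DL
    {"distinguishedName": "CN=Admins,CN=Users,DC=example,DC=local",
     "groupType": "-2147483640"},    # 0x80000008: already a USG
]
```

Running `placeholder_accounts_enabled(SAMPLE_USERS)` reports Bob, and `udgs_that_cannot_become_usgs(SAMPLE_GROUPS, 1)` reports PF Owners, which would need the separate Recipient Connection Agreement to a native-mode domain that the First Scenario note describes.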
Links
XGEN: How to Configure a Two-Way Recipient Connection Agreement for Exchange Server 5.5 Users - 296260
XADM: ADC Installation Requirements - 253286
XADM: Description of the Active Directory Connector Deletion Mechanism - 253829
XADM: How Active Directory Connector Replicates Subcontainers - 253826
How to Set Up ADMT for Windows NT 4.0 to Windows 2000 Migration - 260871
XADM: Possible Uses of Active Directory Account Cleanup Wizard - 270652