|Chapter 4 - Managing the Exchange Organization Topology|
|Monitoring and Managing Microsoft Exchange 2000 Server|
|by Mike Daugherty|
|Digital Press 2001|
Before upgrading to Exchange 2000, you must first upgrade the underlying operating system to Windows 2000. As you upgrade to Exchange 2000, it may be difficult to upgrade all Exchange servers at the same time. During this migration period, you will have a mixed environment consisting of Windows 2000, Exchange 5.5, and Exchange 2000. During this coexistence period you will have two directories: the Exchange 5.5 directory and the Windows 2000 Active Directory. Keeping separate directories synchronized is a difficult problem. Thankfully, the Active Directory Connector (ADC) is available to ease the administrative difficulties.
The Active Directory Connector (ADC) is a service that synchronizes the Windows 2000 Active Directory with the Exchange Server 5.5 directory. This synchronization can be used to help populate the Active Directory for companies that have an existing Exchange Server 5.5 implementation. Synchronizing the Exchange Server 5.5 and Windows 2000 directories is also necessary for maintaining a mixed environment containing both Exchange Server 5.5 and Exchange 2000. Since the Windows 2000 Active Directory is the Global Address List for Exchange 2000 users, it is important for all mail objects to be listed in the Active Directory.
The Active Directory Connector is not automatically installed when you install Windows 2000 or Exchange 2000; it is installed as an optional component. When you install ADC, the installation process adds a new Windows 2000 service identified as MSADC and a new Microsoft Management Console snap-in for managing connection agreements (CAs) between the Exchange 5.5 and Windows 2000 directories. The ADC allows you to administer the directory from either Active Directory or the Exchange 5.5 directory service.
A version of the Active Directory Connector is shipped with Windows 2000. This version of the ADC includes the basic replication functionality, allowing you to replicate objects between Exchange 5.5 site naming context objects such as the recipient containers and the Active Directory. If you have already implemented an Exchange 5.5 environment, the basic Windows 2000 ADC can be used to quickly import much of the existing Exchange 5.5 directory information into the Active Directory. This allows you to populate your Active Directory very quickly.
An enhanced version of the Active Directory Connector is included as an optional component with Exchange 2000 Server. You can easily install this enhanced version when you install Exchange 2000. The enhanced Exchange 2000 Server Active Directory Connector includes all of the support found in the basic Windows 2000 ADC (i.e., replication of the Exchange 5.5 site naming context), plus support for replicating the Windows 2000 configuration naming context and for downstream routing. This is needed for supporting Exchange environments that include a mixture of Exchange 5.5 and Exchange 2000 servers.
When you install the Active Directory Connector, you define a Windows 2000 service. However, installing the ADC does not establish or control connections between the Windows 2000 Active Directory and any Exchange Server 5.5 directories. You establish these connections by configuring connection agreements (CAs). Each connection agreement defines and controls a relationship between an Active Directory domain and an Exchange site, and contains replication information, such as the server names, object classes to replicate, target containers, and schedule.
The Active Directory Connector and connection agreements can be quite flexible. You can perform replication from Exchange 5.5 to Windows 2000, from Windows 2000 to Exchange 5.5, or in both directions simultaneously. A single Active Directory Connector can support multiple CAs, each of which can define the relationship between different Windows 2000 Active Directory domain controllers and one or more Exchange Server 5.5 site recipient containers. There are a few guidelines for configuring the connection agreements and Active Directory Connectors.
If you want to centrally manage both Windows 2000 and Exchange 5.5 objects, you must configure the connection agreement for two-way replication to every Exchange 5.5 site. This type of connection agreement supports reads and writes to both the Active Directory and the Exchange 5.5 directory.
Each Active Directory Connector can support multiple Connection Agreements. There is no theoretical limit to the number of CAs supported by each ADC, but the practical limit is that each ADC should support no more than 50 to 75 Connection Agreements. If you encounter performance problems with an Active Directory Connector, remember that it is possible to deploy multiple ADC servers to improve performance.
One obvious use for the Active Directory Connector is to perform a one-way import of Exchange 5.5 accounts into the Windows 2000 Active Directory. This provides a quick, automated method to populate the Active Directory. You can do this by configuring a one-way connection agreement in which the Exchange 5.5 mailboxes are replicated to the Active Directory. The connection agreement would be between the Active Directory and any of the Exchange 5.5 sites. Because all Exchange 5.5 information can be found on any Exchange server in the organization, all of the Exchange 5.5 objects and sites can be copied from a single connection. You do not need CAs to each of the Exchange 5.5 sites for this type of one-way replication. When changes are made to the Exchange 5.5 directory, these will automatically be replicated to the Active Directory.
Each Connection Agreement defines and controls replication between specific Active Directory organizational units and Exchange 5.5 recipient containers. One or more Exchange recipient containers can be replicated to one or more Active Directory organizational units. Multiple Connection Agreements can be used to replicate different object types between an Active Directory and a single Exchange site.
During your migration from Exchange 5.5 to Exchange 2000, you may have a situation where an Exchange 2000 server belongs to an Exchange 5.5 site. It is important that configuration information be replicated between the Exchange 5.5 directory and the Active Directory used by the Exchange 2000 system. Replicating the configuration information ensures that the Exchange 2000 server will be represented in the Exchange 5.5 server list. This is a prerequisite for users to continue to send and receive messages regardless of which version of Exchange they happen to be using. Replicating the configuration information will also ensure that the Exchange 2000 servers will be able to send messages to connectors running on Exchange 5.5 servers and that Exchange 5.5 servers will be able to send messages to connectors running on Exchange 2000 servers.
Exchange configuration information is replicated through a special type of Connection Agreement known as a Configuration Connection Agreement (ConfigCA). The Exchange server automatically configures configuration Connection Agreements. You do not need to manually configure a ConfigCA. The first ConfigCA for an Exchange 5.5 organization is named Master_ConfigCA_orgname. The ConfigCA cannot be modified even though it can be seen using the Active Directory Connector MMC console. After replication, your Exchange 5.5 sites are listed in the Active Directory as administrative groups. If you view the Exchange 5.5 organization using the Exchange 5.5 Admin program, the Exchange 2000 servers are listed as members of the Exchange 5.5 site.
The Configuration Connection Agreement for replicating configuration information is between the Active Directory and the Exchange 2000 Site Replication Service (SRS). The Exchange 2000 Server automatically installs the Site Replication Service component when an Exchange 2000 server is installed into an Exchange 5.5 site. The SRS is similar to the Exchange 5.5 Directory Service and is used for intra-site directory replication using Remote Procedure Calls (RPCs). It uses Exchange 5.5-style LDAP calls and listens on port 379. If you upgrade an Exchange 5.5 bridgehead server to Exchange 2000, the Site Replication Service will also provide mail-based directory replication to other Exchange 5.5 sites.
The Active Directory Connector can impose a heavy processing load on the host hardware system. The load placed on the ADC server's CPU during replication is about 50 percent. The location and size of the system depend upon the size of the Exchange organization, the number of Windows 2000 domains, and the replication schedule between the two environments. Because the ADC needs to access the Active Directory, you should consider installing the ADC on a Global Catalog server. If the Global Catalog server does not have sufficient power to support the Active Directory Connector service, a good second choice is a server that has a reliable, high-bandwidth network connection to the Global Catalog server. The Exchange 5.5 bridgehead server should be on the same network segment if possible.
The Active Directory Connector software is not installed automatically when you install Exchange 2000. The following procedure can be used to install the Active Directory Connector software:
Insert the Exchange 2000 Server CD-ROM into your CD-ROM drive.
Select Run from the Windows 2000 Start menu. Enter x:\adc\i386\setup.exe, where x is your CD-ROM drive. Select OK to start the setup program.
Select Next to display the Component Selection screen (Figure 4.12).
Figure 4.12: The component selection screen
Select the Microsoft Active Directory Connector Service component check box and the Microsoft Active Directory Connector Management components check box. Select Next to continue.
Select a folder where you want the software to be installed. Select Next to continue.
Enter the account name and password under which the Active Directory Connector service will be run. When you select Next, the Active Directory Connector installation wizard begins to install the ADC software. This may take several minutes to complete.
The ADC installation wizard will display a completion message when the installation has completed. Select Finish to exit the ADC installation wizard.
You can start the Active Directory Connector service from a command prompt by typing net start msadc.
The Active Directory Connector and associated Connection Agreements use a variety of counters and attributes to determine which objects and attributes need to be replicated between the two environments. These counters and attributes include Connection Agreement Update Sequence Numbers (USNs), DSA-Signature attributes on Active Directory and Exchange 5.5 directory objects, Object-Version attributes, and Replicated Object-Version attributes.
While the Exchange 5.5 directory performs object-based replication, the Active Directory does attribute-based replication. The Connection Agreement uses a combination of Active Directory USNs and the sum of Attribute Versions of each AD object in the source container to determine which Active Directory changes need to be replicated to the Exchange environment.
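The following Python model is an added illustration of the bookkeeping just described; it is not code from the book or from the ADC itself. It keeps a USN watermark per Connection Agreement (modelled on the msExchServerXHighestUSN attribute) and the last replicated sum of attribute versions per object, and shows how the two together decide what to send on each run, including a forced full pass (modelled on the msExchDoFullReplication attribute) that re-examines every object but only re-sends those whose attribute versions no longer match what was last replicated. The in-memory Directory, ADObject and CAState classes and all sample objects are constructed for the example.

```python
# Added illustration of USN + attribute-version change detection in a Connection Agreement.
# Directory, ADObject and CAState are assumed names for this model, not ADC internals;
# the directory contents below are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class ADObject:
    """One Active Directory object: attribute name -> [value, version, usn_of_last_change]."""
    dn: str
    attrs: dict


class Directory:
    """Tiny in-memory Active Directory with a single monotonically increasing USN."""

    def __init__(self):
        self.usn = 0
        self.objects = {}

    def add(self, dn, values):
        self.usn += 1
        self.objects[dn] = ADObject(dn, {k: [v, 1, self.usn] for k, v in values.items()})

    def modify(self, dn, attr, value):
        # Attribute-based replication: every write bumps that attribute's version
        # and stamps the object with a fresh USN.
        self.usn += 1
        entry = self.objects[dn].attrs.setdefault(attr, [None, 0, 0])
        entry[0], entry[1], entry[2] = value, entry[1] + 1, self.usn


def usn_changed(obj):
    """Highest USN stamped on any attribute of the object."""
    return max(e[2] for e in obj.attrs.values())


def version_sum(obj):
    """Sum of the attribute versions, the CA's consistency fingerprint for the object."""
    return sum(e[1] for e in obj.attrs.values())


@dataclass
class CAState:
    """Per-Connection-Agreement bookkeeping (hypothetical field names modelled on
    msExchServerXHighestUSN and msExchDoFullReplication)."""
    highest_usn: int = 0
    last_version_sum: dict = field(default_factory=dict)
    do_full_replication: bool = False


def select_changes(state, directory):
    """Return the DNs the CA would replicate on this run and advance the watermark."""
    if state.do_full_replication:
        # 'Replicate the entire directory the next time the agreement is run':
        # drop the watermark so every object is examined again.
        state.highest_usn = 0
        state.do_full_replication = False
    changed = []
    for obj in directory.objects.values():
        if usn_changed(obj) <= state.highest_usn:
            continue  # not touched since the last run
        if state.last_version_sum.get(obj.dn) == version_sum(obj):
            continue  # re-examined during a full pass but already consistent
        changed.append(obj.dn)
        state.last_version_sum[obj.dn] = version_sum(obj)
    state.highest_usn = directory.usn
    return changed


if __name__ == "__main__":
    ad = Directory()
    ad.add("CN=Alice,OU=Users,DC=example,DC=com", {"cn": "Alice", "mail": "alice@example.com"})
    ad.add("CN=Bob,OU=Users,DC=example,DC=com", {"cn": "Bob", "mail": "bob@example.com"})
    ca = CAState()
    print("run 1:", select_changes(ca, ad))      # both objects, first sync
    ad.modify("CN=Alice,OU=Users,DC=example,DC=com", "mail", "alice.smith@example.com")
    print("run 2:", select_changes(ca, ad))      # only Alice
    ca.do_full_replication = True
    print("full pass:", select_changes(ca, ad))  # nothing: everything is consistent
```

Each normal run only looks past the watermark, so the cost scales with the number of modified objects rather than the size of the container; the forced full pass is the expensive option and is why the check box is worth using only when you suspect the two directories have drifted apart.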
Figure 4.13 shows the mapping between some of the common Exchange 5.5 objects and Active Directory objects.
The default replication for each Connection Agreement is defined as a part of the Active Directory Connector. You can change the default attributes that will be replicated and you can also customize object matching rules. These policy settings are shared across multiple Connection Agreements associated with the ADC.
You can use the following procedure to change the attributes to be replicated for all Connection Agreements.
Select Start > Programs > Microsoft Exchange > Active Directory Connector.
Right-click Active Directory Connector Management and then select Properties.
Select From Exchange to change the attributes that will be replicated from Exchange 5.5 to Windows 2000 (Figure 4.14). By default, all attributes are selected for replication. However, there may be business or technical reasons for not wanting all attributes replicated between the two environments. Attributes you select affect all Connection Agreements. If you clear an attribute on the From Exchange tab, be sure to clear the same attribute on the From Windows tab.
Figure 4.14: The From Exchange tab
You can also customize the object matching rules used during replication. By default, objects are matched by GUID, legacyExchangeDN, and Primary Windows NT Account. If no match is found, or if these attributes are unavailable, the replication creates a new object in the directory. Select Add to create a new object matching rule. If you have any two-way Connection Agreements, you must enter the object matching criteria in both the From Exchange and From Windows tabs. This ensures that the Active Directory Connector will replicate to the same object in both locations.
Select From Windows to change the attributes that will be replicated from Windows 2000 to Exchange 5.5 (Figure 4.15). By default, all attributes are selected for replication. Attributes you select affect all Connection Agreements. If you clear an attribute on the From Windows tab, be sure to clear the same attribute on the From Exchange tab.
Figure 4.15: The From Windows tab
Select Add to create a new object matching rule. If you have any two-way Connection Agreements, you must enter the object matching criteria in both the From Exchange and From Windows tabs.
Installing the Active Directory Connector only defines a Windows 2000 service; it does not establish or control connections between the Windows 2000 Active Directory and any Exchange Server 5.5 directories. You establish these connections by using the Active Directory Connector MMC console to configure connection agreements. You can use the following procedure to create a connection agreement:
Start the Active Directory Connector MMC console from the Windows 2000 Start menu by selecting Programs > Microsoft Exchange > Active Directory Connector.
Select Active Directory Connector Management, then right-click on the Active Directory Connector for which you wish to add a Connection Agreement and select New Recipient Connection Agreement to display the Connection Agreement properties.
The following steps describe each of the tabs for the Connection Agreement properties. Select each tab, enter the appropriate information, and then select OK to create the Connection Agreement.
Select the General tab to display general properties for the Connection Agreement (Figure 4.16).
Figure 4.16: The General tab
In the Name field, enter a name for the new Connection Agreement.
Select the direction for replication. The available options are:
Two-way. Active Directory objects will be replicated to the Exchange 5.5 directory, and Exchange 5.5 objects will be replicated to the Windows 2000 Active Directory.
From Exchange to Windows. Exchange 5.5 objects will be replicated to the Active Directory, but Active Directory objects will not be replicated to the Exchange directory.
From Windows to Exchange. Active Directory objects will be replicated to the Exchange 5.5 directory, but Exchange objects will not be replicated to the Active Directory.
When you select either a two-way Connection Agreement or a one-way CA to Exchange, the Connection Agreement will modify and add attributes to each Exchange directory object it replicates. Within the Exchange environment, those modified objects will need to be replicated to all Exchange sites. The ADC replication and Exchange site replication can require considerable network bandwidth since Exchange replicates the entire object rather than just the modified object attributes. As a rule of thumb, each modified Exchange directory object will result in approximately 5 KB of replication network traffic to other Exchange servers within the site, and approximately 1 KB of network traffic to other sites. (The inter-site network traffic is less due to compression of the data.)
Use the Select a server to run the Connection Agreement drop-down list to select the Windows 2000 server where the Active Directory Connector and associated Connection Agreement will be run.
Select the Connections tab to display connection properties for the Connection Agreement (Figure 4.17).
Figure 4.17: The Connections tab
Enter values for the Windows Server information fields.
In the Server field, enter the Windows 2000 server to be used for the connection. If the ADC is installed on a member server, specify the local Global Catalog as the Windows 2000 server.
Use the Authentication drop-down list to select the type of authentication that will be used by the Windows 2000 server. Authentication is the process by which administrators who claim to have accounts on your system are verified for access. The available options are:
Basic (Clear Text) using SSL. This sends clear text through a Secure Sockets Layer (SSL) encrypted channel. Using SSL encryption ensures that the entire transaction session is encrypted.
Windows Challenge/Response. This type of password authentication uses the basic Windows network security.
Windows Challenge/Response using SSL. This uses Windows network security through an SSL-encrypted channel. Using SSL encryption ensures that the entire transaction session is encrypted.
You should always use SSL encryption if you are replicating to a server located outside of your organization.
In the Connect As field, enter the logon credentials for connecting to the Windows 2000 server. Select Modify to select the account and enter the associated password.
Enter values for the Exchange Server information fields:
In the Server field, enter the Exchange 5.5 server to be used for the connection.
By default, the Port field is set to 389. If you have changed the default on the Exchange 5.5 server, you will need to enter the appropriate Lightweight Directory Access Protocol (LDAP) port in this field. You can determine the Exchange 5.5 port by using the Exchange 5.5 Administrator program to examine the Protocols container.
Use the Authentication drop-down list to select the type of authentication that will be used by the Exchange 5.5 server.
In the Connect As field, enter the logon credentials for connecting to the Exchange 5.5 server. Select Modify to select the account and enter the associated password.
Select the Schedule tab to display the schedule for the Connection Agreement (Figure 4.18).
Figure 4.18: The Schedule tab
Select the activation schedule for directory replication using the following options:
Use the Never button to disable directory replication.
You use the Always button to request that directory replication should happen every 5 minutes, 24 hours per day, and 7 days per week.
If you select the Selected times button, you must select the times using the daily schedule grid. During the hours you select, the Connection Agreement will check for changes every 5 minutes.
Use the Replicate the entire directory the next time the agreement is run check box to force all directory objects to be checked for consistency. Inconsistent objects will be replicated. This check box modifies the msExchServerXHighestUSN and msExchDoFullReplication Connection Agreement attributes.
Select the From Exchange tab to display the Connection Agreement properties for Exchange recipient containers (Figure 4.19). The settings on this tab are used to specify the Exchange 5.5 containers from which information will be replicated.
Figure 4.19: The From Exchange tab
Select Add to add an Exchange 5.5 recipient container. To replicate all containers in the site, select the site object as the source. The Active Directory Connector will automatically create the appropriate Active Directory organizational unit hierarchy.
If a Connection Agreement is configured to write to the Exchange 5.5 directory, then the CA can only include containers from one Exchange site. If you have multiple Exchange 5.5 sites, you must create multiple Connection Agreements.
Select Modify to change the default Active Directory organizational unit where unmatched Exchange 5.5 objects will be stored in the Active Directory.
You can use the check boxes to specify the Exchange object types to replicate. The available choices are: mailboxes, custom recipients, and distribution lists.
Select the From Windows tab to display the Connection Agreement properties for Windows 2000 recipient containers (Figure 4.20). The settings on this tab are used to specify the Active Directory organizational units from which information will be replicated.
Figure 4.20: The From Windows tab
Select Add to add an Active Directory organizational unit. You need not individually select each Active Directory organizational unit. Instead, you can select the top-level domain as the source if you want to retain the same hierarchy when the organizational units are replicated to Exchange. The Active Directory Connector will automatically create all containers in the hierarchy.
Select Modify to change the default Exchange 5.5 container where unmatched Active Directory objects will be stored in the Exchange 5.5 site. Under most circumstances Active Directory user objects are mapped to a corresponding mailbox object in the Exchange 5.5 recipients container. However, if the Active Directory object does not relate to an Exchange object, then the Active Directory Connector creates an object in the default Exchange 5.5 container.
You can use the check boxes to specify the Active Directory object classes to replicate.
Select the Deletion tab (Figure 4.21). The options on this tab are used to specify the actions to be taken when directory objects are removed from source and target directories.
Figure 4.21: The Deletion tab
Select the action to be taken when replicating deletions from the Windows 2000 Active Directory.
Select Delete the Exchange mailboxes, custom recipients and distribution lists to automatically delete the Exchange 5.5 objects that correspond to deleted Active Directory objects.
Select Keep the Exchange deleted items and store the deletion list in the temporary CSV file to create a list of deleted items rather than deleting the items. The list of items deleted from the Windows 2000 Active Directory is stored on the Active Directory Connector server in the following file:
\windir\MSADC\CAname\Ex55.csv
where windir is the name of the Windows directory, and CAname is the name of the Connection Agreement.
By default, objects deleted from the Active Directory are not deleted from the Exchange directory.
Select the action to be taken when replicating deletions from the Exchange 5.5 directory.
Select Delete the Windows disabled user accounts, contacts and groups to automatically delete the Active Directory objects that correspond to deleted Exchange 5.5 objects.
Select Keep the Windows deleted items and store the deletion list in the temporary LDF file to create a list of deleted items rather than deleting the items. The list of items deleted from the Exchange 5.5 directory is stored on the Active Directory Connector server in the following file:
\windir\MSADC\CAname\Win2000.ldf
where windir is the name of the Windows directory, and CAname is the name of the Connection Agreement.
By default, objects deleted from the Exchange directory are not deleted from the Active Directory.
Select the Advanced tab (Figure 4.22).
Figure 4.22: The Advanced tab
Enter values for the Windows Server entries per page and the Exchange Server entries per page. This is the LDAP page size. The default of 20 entries per paged result is usually adequate.
When you have multiple Exchange 5.5 sites and require two-way replication, you must have a Connection Agreement for each Exchange site. However, if each of these CAs were connected to the same Active Directory organizational unit, then the same objects would be replicated to each Exchange site. This could result in duplicate Global Address List entries since Exchange 5.5 replicates its own directory information among the sites in the Exchange organization. Clearing the This is a primary Connection Agreement for the connected Exchange Organization check box will prevent new Active Directory objects from being replicated to the Exchange site through this Connection Agreement. The CA will only replicate changes to objects that already exist in the Exchange directory.
Typically, you want only one primary CA for each Exchange organization. However, it is possible, and sometimes correct, to have multiple Connection Agreements for the same Exchange organization. Multiple CAs for the same Exchange organization are useful if the source containers or organizational units differ for each Connection Agreement or if the replicated object classes are different. Also, you should have more than one primary CA if you have multiple Active Directory domains. This will allow objects other than User objects to be replicated to the Exchange directory.
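The Python model below is an added illustration, not code from the book or from the ADC, of two behaviours described in this chapter: the default object matching cascade (GUID, then legacyExchangeDN, then Primary Windows NT Account, with unmatched objects created in the default container chosen on the From Windows tab), and the primary versus non-primary Connection Agreement distinction, where a non-primary CA updates objects that already exist in the Exchange directory but never creates new ones. It also includes the consistency check a two-way CA needs: the same matching rules on both the From Exchange and From Windows tabs. Both directories are constructed samples with normalised attribute names, and the function names are assumptions for this example.

```python
# Added illustration of ADC object matching and of primary vs non-primary Connection Agreements.
# Attribute keys are normalised names chosen for this example, not the exact Exchange 5.5 or
# Active Directory schema names; both directories are constructed sample data.
from copy import deepcopy

# Default rule order described in the chapter: GUID, legacyExchangeDN, Primary Windows NT Account.
DEFAULT_RULES = ("objectGUID", "legacyExchangeDN", "primaryNTAccount")

ACTIVE_DIRECTORY = [
    {"dn": "CN=Alice,OU=Sales,DC=example,DC=com", "cn": "Alice", "objectGUID": "guid-0001",
     "legacyExchangeDN": "/o=Example/ou=Site1/cn=Recipients/cn=alice",
     "primaryNTAccount": "EXAMPLE\\alice", "mail": "alice@example.com"},
    {"dn": "CN=Bob,OU=Sales,DC=example,DC=com", "cn": "Bob", "objectGUID": "guid-0002",
     "legacyExchangeDN": None, "primaryNTAccount": "EXAMPLE\\bob", "mail": "bob@example.com"},
    {"dn": "CN=Carol,OU=Sales,DC=example,DC=com", "cn": "Carol", "objectGUID": "guid-0003",
     "legacyExchangeDN": None, "primaryNTAccount": "EXAMPLE\\carol", "mail": "carol@example.com"},
]

EXCHANGE_55 = [
    {"dn": "/o=Example/ou=Site1/cn=Recipients/cn=alice", "cn": "alice", "objectGUID": "guid-0001",
     "legacyExchangeDN": "/o=Example/ou=Site1/cn=Recipients/cn=alice",
     "primaryNTAccount": "EXAMPLE\\alice", "mail": "alice@old.example.com"},
    {"dn": "/o=Example/ou=Site1/cn=Recipients/cn=bob", "cn": "bob", "objectGUID": None,
     "legacyExchangeDN": "/o=Example/ou=Site1/cn=Recipients/cn=bob",
     "primaryNTAccount": "EXAMPLE\\bob", "mail": "bob@old.example.com"},
]


def match_object(source, targets, rules=DEFAULT_RULES):
    """Apply the matching rules in order; return (target, rule_that_matched) or (None, None)."""
    for rule in rules:
        value = source.get(rule)
        if not value:
            continue  # attribute unavailable on the source object: fall through to the next rule
        for target in targets:
            if target.get(rule) == value:
                return target, rule
    return None, None


def replicate_from_windows(ca, source, targets):
    """One From-Windows pass of a Connection Agreement. Modifies 'targets' in place and
    returns an action log of (action, source_dn, target_dn, rule) tuples."""
    log = []
    for obj in source:
        target, rule = match_object(obj, targets, ca["rules_from_windows"])
        if target is not None:
            target["mail"] = obj["mail"]  # replicate the attributes in scope onto the matched object
            log.append(("update", obj["dn"], target["dn"], rule))
        elif ca["primary"]:
            # Primary CA: unmatched objects are created in the default Exchange 5.5 container.
            new = deepcopy(obj)
            new["dn"] = f"{ca['default_container']}/cn={obj['cn'].lower()}"
            targets.append(new)
            log.append(("create", obj["dn"], new["dn"], None))
        else:
            # Non-primary CA: never creates objects, so a second site's CA cannot
            # produce duplicate Global Address List entries.
            log.append(("skip", obj["dn"], None, None))
    return log


def two_way_rules_consistent(ca):
    """A two-way CA must carry identical matching rules on the From Exchange and From Windows tabs,
    otherwise the ADC may bind to different objects in the two directions."""
    if ca["direction"] != "two-way":
        return True
    return tuple(ca["rules_from_exchange"]) == tuple(ca["rules_from_windows"])


if __name__ == "__main__":
    site1_ca = {"name": "Site1-CA", "direction": "two-way", "primary": True,
                "default_container": "/o=Example/ou=Site1/cn=Recipients",
                "rules_from_windows": DEFAULT_RULES, "rules_from_exchange": DEFAULT_RULES}
    exchange = deepcopy(EXCHANGE_55)
    for entry in replicate_from_windows(site1_ca, ACTIVE_DIRECTORY, exchange):
        print(entry)
    print("rules consistent:", two_way_rules_consistent(site1_ca))
```

In the sample run Alice is bound by GUID, Bob falls through to the Primary Windows NT Account rule because his Exchange mailbox carries no GUID and his user object no legacyExchangeDN, and Carol, who matches nothing, is created only when the agreement is primary. Running the same pass with primary set to False leaves the Exchange directory at two objects, which is the behaviour you want for every CA after the first when several sites connect to the same organizational unit.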
From the drop-down list, select the action to be taken when replicating a mailbox whose primary Windows 2000 account does not exist in the domain. The options are:
Create a disabled Windows user account
Create a new Windows user account
From the drop-down list, select the initial replication direction for two-way Connection Agreements. The options are:
Select the Details tab (Figure 4.23).
Figure 4.23: The Details tab
Use the Administrative note field on the Details tab to enter additional information about the Connection Agreement.