4.4 Managing a mixed environment using the Active Directory Connector




Before upgrading to Exchange 2003, you must first upgrade the underlying operating system environment to support Active Directory. As you upgrade to Exchange 2003, it may be difficult to upgrade all Exchange 5.5 servers at the same time. During this migration period, you will have a mixed environment consisting of Active Directory, Exchange 5.5, and Exchange 2003. During this coexistence period, you will have two directories: the Exchange 5.5 directory and the Active Directory. Keeping separate directories synchronized is a difficult problem. Fortunately, the ADC is available to ease the administrative difficulties.

The ADC is a service that synchronizes the Active Directory with the Exchange Server 5.5 directory. This synchronization can be used to help populate the Active Directory for companies that have an existing Exchange Server 5.5 implementation. Synchronizing the Exchange Server 5.5 directory and the Active Directory is also necessary for maintaining a mixed environment containing both Exchange Server 5.5 and Exchange 2003. Because the Active Directory is the GAL for Exchange 2003 users, it is important for all mail objects to be listed in the Active Directory.

The ADC is not automatically installed when you install Windows or Exchange; it is installed as an optional component. When you install ADC, the installation process adds a new service identified as the Microsoft Active Directory Connector and a new MMC snap-in for managing connection agreements between the Exchange 5.5 directory and the Active Directory. The ADC allows you to administer the directory from either the Active Directory or the Exchange 5.5 directory service.

A version of the ADC is shipped with Windows Server. This version of the ADC includes the basic replication functionality, allowing you to replicate objects in the Exchange 5.5 site naming context, such as the recipient containers, with the Active Directory. If you have already implemented an Exchange 5.5 environment, the basic Windows ADC can be used to quickly import much of the existing Exchange 5.5 directory information into the Active Directory. This allows you to populate your Active Directory very quickly.

An enhanced version of the ADC is included as an optional component with Exchange 2003. This enhanced version can be easily installed when Exchange is installed. The enhanced Exchange ADC includes all of the support found in the basic Windows ADC (i.e., replication of the Exchange 5.5 site-naming context), plus support for replicating the Active Directory configuration naming context and for downstream routing. This is needed for supporting Exchange environments that include Exchange 5.5 servers.

4.4.1 Connection agreements

When you install the ADC, you define a Windows service. However, installing the ADC does not establish or control connections between the Active Directory and any Exchange Server 5.5 directories. You establish these connections by configuring connection agreements (CAs). Each CA defines and controls a relation between an Active Directory domain and an Exchange 5.5 site and contains replication information, such as the server names, object classes to replicate, target containers, and schedule.

The ADC and CAs can be quite flexible. You can perform replication from Exchange 5.5 to Active Directory, from Active Directory to Exchange 5.5, or in both directions simultaneously. A single ADC can support multiple CAs, each of which can define the relation between different Active Directory DCs and one or more Exchange Server 5.5 site recipient containers. There are a few guidelines for configuring the CAs and ADCs.

If you want to centrally manage both Active Directory and Exchange 5.5 objects, you must configure the CA for two-way replication to every Exchange 5.5 site. This type of CA supports read and write operations to both the Active Directory and the Exchange 5.5 directory.

Each ADC can support multiple CAs. There is no theoretical limit to the number of CAs supported by each ADC, but the practical limit is that each ADC should support no more than 50 to 75 CAs. If you encounter performance problems with an ADC, remember that it is possible to deploy multiple ADC servers to improve performance.

One obvious use for the ADC is to perform a one-way import of Exchange 5.5 accounts into the Active Directory. This provides a quick, automated method to populate the Active Directory. You can do this by configuring a one-way CA in which the Exchange 5.5 mailboxes are replicated to the Active Directory. The CA would be between the Active Directory and any of the Exchange 5.5 sites. Because all Exchange 5.5 information can be found on any Exchange server in the organization, all of the Exchange 5.5 objects and sites can be copied from a single connection. You do not need CAs to each of the Exchange 5.5 sites for this type of one-way replication. When changes are made to the Exchange 5.5 directory, they will automatically be replicated to the Active Directory.

Each CA defines and controls replication between specific Active Directory OUs and Exchange 5.5 recipient containers. One or more Exchange recipient containers can be replicated to one or more Active Directory OUs. Multiple CAs can be used to replicate different object types between an Active Directory and a single Exchange site.

4.4.2 Configuration connection agreements and site replication service

During your migration from Exchange 5.5 to Exchange 2003, you may have a situation in which an Exchange 2003 server belongs to an Exchange 5.5 site. It is important that configuration information be replicated between the Exchange 5.5 directory and the Active Directory used by the Exchange 2003 system. Replicating the configuration information ensures that the Exchange 2003 server will be represented in the Exchange 5.5 server list. This is a prerequisite for users to continue to send and receive messages regardless of which version of Exchange they happen to be using. Replicating the configuration information will also ensure that the Exchange 2003 servers will be able to send messages to connectors running on Exchange 5.5 servers and that Exchange 5.5 servers will be able to send messages to connectors running on Exchange 2003 servers.

Exchange configuration information is replicated through a special type of CA known as a Configuration Connection Agreement (ConfigCA). The Exchange server automatically configures ConfigCAs. You do not need to manually configure a ConfigCA. The first ConfigCA for an Exchange 5.5 organization is named Master_ConfigCA_orgname. The ConfigCA cannot be modified even though it can be seen using the ADC MMC console. After replication, your Exchange 5.5 sites are listed in the Active Directory as administrative groups. If you view the Exchange 5.5 organization using the Exchange 5.5 Admin program, the Exchange 2003 servers are listed as members of the Exchange 5.5 site.

The ConfigCA for replicating configuration information is between the Active Directory and the Exchange 2003 Site Replication Service. The Exchange 2003 server automatically installs the Site Replication Service component when an Exchange 2003 server is installed into an Exchange 5.5 site. The Site Replication Service is similar to the Exchange 5.5 Directory Service and is used for intrasite directory replication using RPCs. It uses Exchange 5.5-style LDAP calls and listens on port 379. If you upgrade an Exchange 5.5 bridgehead server to Exchange 2003, the Site Replication Service will also provide mail-based directory replication to other Exchange 5.5 sites.

4.4.3 Installing Active Directory Connector

The ADC can impose a heavy processing load on the host hardware system. The load placed on the ADC server's CPU during replication is about 50%. The location and size of the system depends on the size of the Exchange organization, the number of Active Directory domains, and the replication schedule between the two environments. Because the ADC needs to access the Active Directory, you should consider installing the ADC on a GC server. If the GC server does not have sufficient power to support the ADC service, a good second choice is a server that has a reliable, high-bandwidth network connection to the GC server. The Exchange 5.5 bridgehead server should be on the same network segment if possible.

The ADC software is not installed automatically when you install Exchange 2003. You can use the following procedure to install the ADC software:

  1. Insert the Exchange 2003 CD-ROM into your CD-ROM drive.

  2. Select Run from the Start menu. Enter x:\adc\i386\setup.exe, where x is your CD-ROM drive. Select OK to start the setup program.

  3. Select Next to display the Component Selection screen (Figure 4.15).

    Figure 4.15: Active Directory Connector Component Selection screen

  4. Select the Microsoft Active Directory Connector Service component check box and the Microsoft Active Directory Connector Management components check box. Select Next to continue.

  5. Select a folder where you want the software to be installed. Select Next to continue.

  6. Enter the account name and password under which the ADC service will be run. When you select Next, the ADC installation wizard begins to install the ADC software. This may take several minutes to complete.

  7. The ADC installation wizard will display a completion message when the installation has completed. Select Finish to exit the ADC installation wizard.

4.4.4 Configuring default Active Directory Connector replication policy

The ADC and associated CAs use a variety of counters and attributes to determine which objects and attributes need to be replicated between the two environments. These counters and attributes include CA Update Sequence Numbers, DSA-Signature attributes on Active Directory and Exchange 5.5 directory objects, Object-Version attributes, and Replicated-Object-Version attributes.

Whereas the Exchange 5.5 directory performs object-based replication, the Active Directory performs attribute-based replication. The CA uses a combination of Active Directory Update Sequence Numbers and the sum of Attribute Versions of each Active Directory object in the source container to determine which Active Directory changes need to be replicated to the Exchange environment.
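The USN and attribute-version bookkeeping described above is easier to follow in a small model. The following Python is an added example, not code from the book or from the Active Directory Connector itself: the class and function names are made up for illustration, the msExchServerXHighestUSN watermark and the msExchDoFullReplication flag are reduced to an integer and a boolean, and the directory contents are constructed sample data. It shows why a write that touches only a non-replicated attribute raises the object's uSNChanged yet produces no replication, and how the "Replicate the entire directory the next time the agreement is run" option catches an inconsistent object that the USN watermark alone would never revisit.

```python
from dataclasses import dataclass, field

# Assumed, simplified model of the ADC change-detection bookkeeping described in
# the text: one Active Directory uSNChanged per object, one version counter per
# attribute, and per-CA state holding the highest USN already processed and the
# attribute-version sum last replicated for each object. Illustrative only; not
# the connector's real internal data structures.

@dataclass
class DirObject:
    dn: str
    usn_changed: int            # uSNChanged stamped by Active Directory on every write
    attr_versions: dict         # attribute name -> per-attribute version counter

@dataclass
class CAState:
    highest_usn: int = 0        # modeled msExchServerXHighestUSN watermark
    replicated_versions: dict = field(default_factory=dict)  # dn -> version sum last sent
    do_full_replication: bool = False  # modeled msExchDoFullReplication flag

def version_sum(obj, replicated_attrs):
    """Sum the version counters of only those attributes the CA replicates."""
    return sum(v for name, v in obj.attr_versions.items() if name in replicated_attrs)

def select_changes(source, state, replicated_attrs):
    """Return the DNs a replication pass would send, and advance the CA state.

    Candidates are objects written since the USN watermark, or every object when a
    full replication was requested. A candidate is sent only if the version sum of
    its replicated attributes differs from what was last sent, so writes that touch
    only non-replicated attributes produce no replication traffic.
    """
    if state.do_full_replication:
        candidates = list(source)
        state.do_full_replication = False
    else:
        candidates = [o for o in source if o.usn_changed > state.highest_usn]
    sent = []
    for obj in candidates:
        current = version_sum(obj, replicated_attrs)
        if state.replicated_versions.get(obj.dn) != current:
            sent.append(obj.dn)
            state.replicated_versions[obj.dn] = current
    if source:
        state.highest_usn = max(state.highest_usn, max(o.usn_changed for o in source))
    return sent

def demo():
    """Run five constructed replication passes and return what each would send."""
    replicated = {"displayName", "mail"}           # description is deliberately excluded
    src = [
        DirObject("cn=alice", 101, {"displayName": 1, "mail": 1, "description": 1}),
        DirObject("cn=bob",   102, {"displayName": 1, "mail": 1, "description": 1}),
        DirObject("cn=carol", 103, {"displayName": 1, "mail": 1, "description": 1}),
    ]
    state = CAState()
    results = [select_changes(src, state, replicated)]       # initial sync: all three

    src[0].attr_versions["mail"] += 1; src[0].usn_changed = 104          # replicated attribute
    src[1].attr_versions["description"] += 1; src[1].usn_changed = 105   # non-replicated one
    results.append(select_changes(src, state, replicated))   # only alice is sent

    results.append(select_changes(src, state, replicated))   # nothing new: empty

    # Simulate the CA losing its record for carol; the USN watermark hides the gap ...
    del state.replicated_versions["cn=carol"]
    results.append(select_changes(src, state, replicated))   # still empty
    # ... until a full replication forces a consistency check of every object.
    state.do_full_replication = True
    results.append(select_changes(src, state, replicated))   # carol is found and sent
    return results

if __name__ == "__main__":
    for n, sent in enumerate(demo(), 1):
        print(f"pass {n}: {sent}")
```

The fourth pass is the case to remember when an object on the target looks stale: as long as its uSNChanged is below the watermark, normal passes will not look at it again, which is exactly what the full-replication check box is for.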

Figure 4.16 shows the mapping between some of the common Exchange 5.5 objects and Active Directory objects.

Figure 4.16: Active Directory Connector object mapping

The default replication for each CA is defined as a part of the ADC. You can change the default attributes that will be replicated, and you can also customize object matching rules. These policy settings are shared across multiple CAs associated with the ADC.

You can use the following procedure to change the attributes to be replicated for all CAs.

  1. Start the ADC MMC console from the Windows Start menu by selecting All Programs → Microsoft Exchange → Active Directory Connector.

  2. Right-click Active Directory Connector Services and then select Properties.

  3. Select the From Exchange tab to change the attributes that will be replicated from Exchange 5.5 to the Active Directory (Figure 4.17). By default, all attributes are selected for replication. However, there may be business or technical reasons for not wanting all attributes replicated between the two environments. Attributes you select affect all CAs. If you clear an attribute on the From Exchange tab, be sure to clear the same attribute on the From Windows tab.

    Figure 4.17: Active Directory Connector attributes replicated from Exchange

  4. You also can customize the object-matching rules used during replication. By default, objects are matched by GUID, legacyExchange DN, and Primary Windows NT Account. If no match is found, or if these objects are unavailable, the replication creates a new object in the directory. Select Add to create a new object matching rule. If you have any two-way CAs, you must enter the object-matching criteria in both the From Exchange and From Windows tabs. This ensures that the ADC will replicate to the same object in both locations.

  5. Select the From Windows tab to change the attributes that will be replicated from the Active Directory to Exchange 5.5 (Figure 4.18). By default, all attributes are selected for replication. Attributes you select affect all CAs. If you clear an attribute on the From Windows tab, be sure to clear the same attribute on the From Exchange tab.

    Figure 4.18: Active Directory Connector attributes replicated from Active Directory

  6. Select Add to create a new object-matching rule. If you have any two-way CAs, you must enter the object-matching criteria in both the From Exchange and From Windows tabs.

4.4.5 Creating a connection agreement

Installing the ADC only defines a Windows service; it does not establish or control connections between the Active Directory and any Exchange Server 5.5 directories. You establish these connections by using the ADC MMC console to configure CAs. You can use the following procedure to create a CA:

  1. Start the ADC MMC console from the Windows Start menu by selecting All Programs → Microsoft Exchange → Active Directory Connector.

  2. Right-click on the Active Directory Connector for which you wish to add a CA, and select New → Recipient Connection Agreement to display the CA properties.

  3. Select the General tab to display general properties for the CA (Figure 4.19).

    Figure 4.19: Connection Agreement General tab

  4. In the Name field, enter a name for the new CA.

  5. Select the direction for replication. The available options are:

    • Two-way. Active Directory objects will be replicated to the Exchange 5.5 directory, and Exchange 5.5 objects will be replicated to the Active Directory.

    • From Exchange to Windows. Exchange 5.5 objects will be replicated to the Active Directory, but Active Directory objects will not be replicated to the Exchange directory.

    • From Windows to Exchange. Active Directory objects will be replicated to the Exchange 5.5 directory, but Exchange objects will not be replicated to the Active Directory.

    When you select either a two-way CA or a one-way CA to Exchange, the CA will modify and add attributes to each Exchange directory object it replicates. Within the Exchange environment, those modified objects will need to be replicated to all Exchange sites. The ADC replication and Exchange site replication can require considerable network bandwidth because Exchange replicates the entire object rather than just the modified object attributes. As a rule of thumb, each modified Exchange directory object will result in approximately 5 KB of replication network traffic to other Exchange servers within the site and approximately 1 KB of network traffic to other sites. (The intersite network traffic is less because of compression of the data.)

  6. Use the Select a server to run the Connection Agreement drop-down list to select the Windows server where the ADC and associated CA will be run.

  7. Select the Connections tab to display connection properties for the CA (Figure 4.20).

    Figure 4.20: Connection Agreement Connections tab

  8. Enter values for the Windows Server information fields.

    • In the Server field, enter the Windows server to be used for the connection. If the ADC is installed on a member server, specify the local GC as the Windows server.

    • Use the Authentication drop-down list to select the type of authentication that will be used by the Windows server. Authentication is the process by which administrators who claim to have accounts on your system are verified for access. The available options are:

      • Basic (Clear Text) using SSL. This sends clear text through a Secure Sockets Layer (SSL)-encrypted channel. Using SSL encryption ensures that the entire transaction session is encrypted.

      • Kerberos. This type of password authentication uses the basic Windows network security.

      • Kerberos using SSL. This uses Windows network security through an SSL-encrypted channel. Using SSL encryption ensures that the entire transaction session is encrypted.

        You should always use SSL encryption if you are replicating to a server located outside of your organization.

    • In the Connect as field, enter the logon credentials for connecting to the Windows server. Select Modify to select the account and enter the associated password.

  9. Enter values for the Exchange Server information fields:

    • In the Server field, enter the Exchange 5.5 server to be used for the connection.

    • By default, the Port field is set to 389. If you have changed the default on the Exchange 5.5 server, you will need to enter the appropriate LDAP port in this field. You can determine the Exchange 5.5 port by using the Exchange 5.5 Administrator program to examine the Protocols container.

    • Use the Authentication drop-down list to select the type of authentication that will be used by the Exchange 5.5 server. The available options are:

      • Basic (Clear Text) using SSL. This sends clear text through an SSL-encrypted channel. Using SSL encryption ensures that the entire transaction session is encrypted.

      • Windows Challenge/Response. This type of password authentication uses the basic Windows network security.

      • Windows Challenge/Response using SSL. This uses Windows network security through an SSL-encrypted channel. Using SSL encryption ensures that the entire transaction session is encrypted.

    • In the Connect as field, enter the logon credentials for connecting to the Exchange 5.5 server. Select Modify to select the account and enter the associated password.

  10. Select the Schedule tab to display the schedule for the CA (Figure 4.21).

    Figure 4.21: Connection Agreement Schedule tab

  11. Select the activation schedule for directory replication using the following options:

    • Use the Never button to disable directory replication.

    • Use the Always button to request that directory replication should happen every 5 minutes, 24 hours per day, and 7 days per week.

    • If you select the Selected times button, you must select the times using the daily schedule grid. During the hours you select, the CA will check for changes every 5 minutes.

  12. Use the Replicate the entire directory the next time the agreement is run check box to force all directory objects to be checked for consistency. Inconsistent objects will be replicated. This check box modifies the msExchServerXHighestUSN and msExchDoFullReplication CA attributes.

  13. Select the From Exchange tab to display the CA properties for Exchange recipient containers (Figure 4.22). The settings on this tab are used to specify the Exchange 5.5 containers from which information will be replicated.

    Figure 4.22: Connection Agreement From Exchange tab

  14. Select Add to add an Exchange 5.5 recipient container. To replicate all containers in the site, select the site object as the source. The ADC will automatically create the appropriate Active Directory OU hierarchy.

    If a CA is configured to write to the Exchange 5.5 directory, then the CA can only include containers from one Exchange site. If you have multiple Exchange 5.5 sites, you must create multiple CAs.

  15. Select Modify to change the default Active Directory OU where unmatched Exchange 5.5 objects will be stored in the Active Directory.

  16. You can use the check boxes to specify the Exchange object types to replicate. The available choices are: mailboxes, custom recipients, and distribution lists.

  17. Select the From Windows tab to display the CA properties for Active Directory recipient containers (Figure 4.23). The settings on this tab are used to specify the Active Directory OUs from which information will be replicated.

    Figure 4.23: Connection Agreement From Windows tab

  18. Select Add to add an Active Directory OU. You need not individually select each Active Directory OU. Instead, you can select the top-level domain as the source if you want to retain the same hierarchy when the OUs are replicated to Exchange. The ADC will automatically create all containers in the hierarchy.

  19. Select Modify to change the default Exchange 5.5 container where unmatched Active Directory objects will be stored in the Exchange 5.5 site. Under most circumstances, Active Directory user objects are mapped to a corresponding mailbox object in the Exchange 5.5 recipients container. However, if the Active Directory object does not relate to an Exchange object, then the ADC creates an object in the default Exchange 5.5 container.

  20. You can use the check boxes to specify the Active Directory object classes to replicate.

  21. Select the Deletion tab (Figure 4.24). The options on this tab are used to specify the actions to be taken when directory objects are removed from source and target directories.

    Figure 4.24: Connection Agreement Deletion tab

  22. Select the action to be taken when replicating deletions from the Active Directory.

    • Select Delete the Exchange mailboxes, custom recipients and distribution lists to automatically delete the Exchange 5.5 objects that correspond to deleted Active Directory objects.

    • Select Keep the Exchange deleted items and store the deletion list in the temporary CSV file to create a list of deleted items rather than deleting the items. The list of items deleted from the Active Directory is stored on the ADC server in the following file:

      \windir\MSADC\CAname\Ex55.csv 

      where windir is the name of the Windows directory, and CAname is the name of the CA.

      By default, objects deleted from the Active Directory are not deleted from the Exchange directory.

  23. Select the action to be taken when replicating deletions from the Exchange 5.5 directory.

    • Select Delete the Windows disabled user accounts, contacts and groups to automatically delete the Active Directory objects that correspond to deleted Exchange 5.5 objects.

    • Select Keep the Windows deleted items and store the deletion list in the temporary LDF file to create a list of deleted items rather than deleting the items. The list of items deleted from the Exchange 5.5 directory is stored on the ADC server in the following file:

      \windir\MSADC\CAname\Win2000.ldf 

      where windir is the name of the Windows directory, and CAname is the name of the CA.

      By default, objects deleted from the Exchange directory are not deleted from the Active Directory.

  24. Select the Advanced tab (Figure 4.25).

    Figure 4.25: Connection Agreement Advanced tab

  25. Enter values for the Windows Server entries per page and Exchange Server entries per page fields. This is the LDAP page size. The default of 20 entries per page is usually adequate.

  26. When you have multiple Exchange 5.5 sites and require two-way replication, you must have a CA for each Exchange site. However, if each of these CAs were connected to the same Active Directory OU, then the same objects would be replicated to each Exchange site. This could result in duplicate GAL entries because Exchange 5.5 replicates its own directory information among the sites in the Exchange organization. Clearing the This is a primary Connection Agreement for the connected Exchange Organization check box will prevent new Active Directory objects from being replicated to the Exchange site through this CA. The CA will only replicate changes to objects that already exist in the Exchange directory.

    Typically, you want only one primary CA for each Exchange organization. However, it is possible (and sometimes correct) to have multiple CAs for the same Exchange organization. Multiple CAs for the same Exchange organization are useful if the source containers or OUs differ for each CA or if the replicated object classes are different. Also, you should have more than one primary CA if you have multiple Active Directory domains. This will allow objects other than User objects to be replicated to the Exchange directory.

  27. From the drop-down list, select the action to be taken when replicating a mailbox whose primary Windows account does not exist in the domain. The options are:

    • Create a disabled Windows user account.

    • Create a new Windows user account.

    • Create a Windows contact.

  28. From the drop-down list, select the initial replication direction for two-way CAs. The options are:

    • From Exchange

    • From Windows

  29. Select the Details tab (Figure 4.26).

    Figure 4.26: Connection Agreement Details tab

  30. Use the Administrative note field on the Details tab to enter additional information about the CA.

  31. Select OK to create the CA.
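When the Deletion tab is left at its defaults (steps 22 and 23), nothing is deleted and the pending deletions accumulate in \windir\MSADC\CAname\Win2000.ldf and Ex55.csv for an administrator to review. The following Python is an added example, not code from the book or from the connector, for reviewing the LDF list before anyone acts on it. It assumes the .ldf file is standard LDIF (RFC 2849) change records with "changetype: delete", which the text does not state; the sample file content, the DNs in it and the function names are all constructed for illustration. The parser handles the LDIF details that trip up naive line-splitting: folded continuation lines, base64-encoded ("dn::") values for non-ASCII names, comments, and non-delete records mixed into the same file.

```python
import base64
from collections import Counter

# Constructed sample of a deletion list in LDIF form. The page names the file
# (\windir\MSADC\CAname\Win2000.ldf) but not its layout; treating it as RFC 2849
# change records is an assumption of this example, not a documented format.
_CAROL_DN = "CN=Carol Éxample,OU=Engineering,DC=example,DC=com"
SAMPLE_LDF = (
    "# constructed sample, not real ADC output\n"
    "version: 1\n"
    "dn: CN=Alice Example,OU=Sales,DC=example,DC=com\n"
    "changetype: delete\n"
    "\n"
    "dn: CN=Bob Example,OU=Sales,DC=example,DC=com\n"
    "changetype: delete\n"
    "\n"
    # LDIF base64-encodes values containing non-ASCII characters
    "dn:: " + base64.b64encode(_CAROL_DN.encode("utf-8")).decode("ascii") + "\n"
    "changetype: delete\n"
    "\n"
    "dn: CN=Very Long Name,OU=Engineering,\n"
    " DC=example,DC=com\n"            # folded continuation line (leading space)
    "changetype: delete\n"
    "\n"
    "dn: CN=Keep Me,OU=Sales,DC=example,DC=com\n"
    "changetype: modify\n"            # not a deletion; must be ignored
    "replace: description\n"
    "description: not a deletion\n"
    "-\n"
)

def _unfold(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif_deletions(text):
    """Return the DNs of every 'changetype: delete' record, in file order."""
    deletions, record = [], {}
    for line in _unfold(text) + [""]:             # trailing "" flushes the last record
        if line == "":
            if record.get("changetype", "").lower() == "delete" and "dn" in record:
                deletions.append(record["dn"])
            record = {}
            continue
        if line.startswith("#") or line == "-":   # comment / modify-spec separator
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr = attr.strip().lower()
        if attr == "version" and not record:      # leading version-spec line
            continue
        if value.startswith(":"):                 # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        record.setdefault(attr, value)            # dn is single-valued; keep the first
    return deletions

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch); escaped = False
        elif ch == "\\":
            cur.append(ch); escaped = True
        elif ch == ",":
            parts.append("".join(cur)); cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def summarize_by_container(dns):
    """Count pending deletions per parent container, so a bulk mistake stands out."""
    return dict(Counter(",".join(split_dn(dn)[1:]) for dn in dns))

if __name__ == "__main__":
    pending = parse_ldif_deletions(SAMPLE_LDF)
    for container, count in summarize_by_container(pending).items():
        print(f"{count:4d}  {container}")
    for dn in pending:
        print("  delete:", dn)
```

Grouping by parent container is the useful view here: a handful of deletions spread across OUs is routine churn, whereas dozens of deletions concentrated in one container after a single replication pass is the pattern to question before the list is applied to the other directory.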






Monitoring and Managing Microsoft Exchange Server 2003 (HP Technologies)
ISBN: 1555583024
Year: 2003