As we discussed in Chapter 4, Active Directory has three naming partitions: configuration, schema, and domain. In this section, we will primarily be concerned with the configuration and domain naming partitions of Active Directory and how SRS and ADC service allow the Exchange 5.x directory and the configuration and domain partitions of Active Directory to coexist. (The authors recognize that Exchange 4.x is built on directory services as well. However, for the sake of this discussion, we will use the phrase "Exchange 5.x" to refer to all previous Exchange systems, including both the 4.x and 5.x platforms.) Let's spend some time looking at each of these services.
Site Replication Service (SRS) is responsible for replicating Exchange 5.x site and configuration information to the configuration naming partition of Active Directory when an Exchange 2000 server belongs to an existing Exchange 5.5 site. This allows the Exchange 2000 server to be represented in the Exchange site server list so that earlier versions of Exchange Server can send messages to and receive messages from the Exchange 2000 server.
SRS consists of a service that is activated and a database that is initialized when the first Exchange 2000 server is introduced into a legacy Exchange site. Activation can also occur when an Exchange 5.5 directory replication bridgehead server is upgraded to Exchange 2000 Server. If you install additional Exchange 2000 servers into the Exchange 5.5 organization, they will include SRS, but it will be disabled. The components of SRS are as follows:
Even though SRS is similar to the Exchange 5.5 directory service, its Name Service Provider Interface (NSPI) is disabled to prevent Microsoft Outlook clients from connecting to and using the Exchange 2000 directory for name resolution. If the NSPI was activated, Outlook clients could attempt name resolution in the wrong directory, leading to name resolution errors.
SRS must also run LDAP in order to communicate with Active Directory. Because the Microsoft Windows 2000 operating system also uses LDAP and locks the well-known port 389 for its own use, SRS defaults to using port 379 for its LDAP communications. No special configuration is needed for SRS to communicate with Active Directory using LDAP.
Unlike ADC service, which we will discuss in a moment, SRS automatically installs its own connection agreement (ConfigCA). The agreement is between SRS and Active Directory rather than between Active Directory and the Exchange 5.5 directory. ConfigCA is the pathway through which SRS on the Exchange 2000 server passes configuration naming data to Active Directory. This is a read-only agreement, and it can be seen in the Active Directory Connector Management snap-in, shown in Figure 14-2. (Read-only and other types of agreements are discussed more fully in the section "Active Directory Connector.")
Figure 14-2. Read-only connection agreement in the Active Directory Connector Management snap-in.
To communicate with Exchange 5.x servers, SRS uses RPCs. Thus, to the Exchange 5.x servers, Exchange 2000 Server, via SRS, looks like another Exchange 5.x server. If an Exchange 5.x bridgehead server is upgraded to Exchange 2000 Server, SRS will notice this and communicate with that bridgehead server using SMTP.
Since SRS is a read-only service, meaning that it can't be configured, there isn't a great deal to manage. However, a couple of points are worth noting. First, this is a two-way connection agreement that cannot be modified. Second, you'll recall that the agreement is between Active Directory and SRS. This can look confusing when you first encounter the interface because the agreement reports the Exchange server and the Windows 2000 server as the same server. You'll be creating a connection "between" the same server because the server hosting the Exchange 2000 server that is installed into your Exchange 5.5 site is also a domain controller in the Windows 2000 Active Directory. This is most clearly seen on the Connections tab of the property sheet for the connection agreement, as illustrated in Figure 14-3.
Figure 14-3. Connection agreement "between" the same server.
The Site Consistency Checker (SCC) is an updated version of the Knowledge Consistency Checker from Exchange Server 5.5 and runs inside SRS. It ensures that knowledge consistency is maintained for sites and administrative groups when interoperating between Exchange Server 5.5 and Exchange 2000 Server. In addition, in a large organization with many Exchange 5.5 sites, a triangulation of replication links, which would create duplicate replication paths, could be created as sites are migrated from Exchange Server 5.5 to Exchange 2000 Server. The SCC ensures that as new replication links are created, triangulation is avoided in the link topology.
SRS uses the Extensible Storage Engine (ESE) database technology. You'll find that it installs the same set of databases and transaction logs as a storage group. By default, these files are stored in the Exchsrv\srsdata folder. Unlike the stores in a storage group, the SRS database cannot be mounted or dismounted, but you can start and stop SRS in the Services utility.
The Active Directory Connector is a service that runs on your Windows 2000 domain controller and allows you to synchronize your Exchange Server 5.5 and Windows 2000 directories. Unlike SRS, which replicates information between an Exchange 5.x organization and the configuration naming partition in Active Directory, the ADC service replicates information between the Exchange 5.x directory and the domain partition in Active Directory.
ADC service comes in two versions: one ships with Windows 2000 Server, and the other ships with Exchange 2000 Server. The Windows 2000 version of the ADC service allows directory information in your Exchange Server 5.5 organization to be replicated to the Windows 2000 Active Directory. The Exchange 2000 version of the ADC service not only lets you synchronize Exchange Server 5.5 directory information with Windows 2000, it also works with SRS. If you've installed Windows 2000 Active Directory Connector, Exchange Server automatically updates it to the Exchange 2000 version when you install Exchange 2000 Server.
After you've synchronized the directories, as described in the sections that follow, the Windows 2000 Active Directory generates the Global Address List of mail-enabled users for those users who connect to the Exchange 2000 server. Users connecting to the Exchange Server 5.5 directory will continue to access the Global Address List from the Exchange Directory Store.
You configure synchronization between your two directories by defining connection agreements that ADC service manages. A connection agreement is just that—an agreement that you manually instantiate to define how directory information is synchronized between the two directories. You will define at least one primary connection agreement and one or more nonprimary connection agreements. The agreements must contain server names, objects to synchronize, target containers, and a synchronization schedule.
Connection agreements are either one-way or two-way. As the name implies, a one-way connection agreement allows directory information to flow in only one direction—from the directory you specify to the directory to which the connection agreement connects. For example, if a connection agreement is configured as one-way from directory D1 to directory D2, any changes made to objects in the D1 directory will be replicated to the D2 directory. However, changes made to objects in the D2 directory will not be replicated to the D1 directory. A two-way connection agreement allows replication to flow in both directions. Hence, changes made to objects in either directory are replicated.
When setting up your connection agreements, you will strive to match one or more containers in one directory with one or more containers in the other directory. Your environment, future plans, and network administrative model will all affect your choice. For instance, you can synchronize the default Recipients container in your Exchange 5.5 site with one Active Directory container—perhaps the Users organizational unit (OU). In this scenario, any subcontainers in the Recipients container will be created automatically under the Users OU, as shown in Figure 14-4.
Figure 14-4. Container synchronization.
You can also synchronize from one Exchange container to multiple Active Directory containers by choosing to replicate one object class to one Active Directory OU and another object class to another Active Directory OU. For instance, if all of your Exchange 5.5 recipients were created in the default Recipients container, you could choose to replicate your user objects to a Users OU in Active Directory and your custom recipients to a Contacts OU, as shown in Figure 14-5.
Figure 14-5. Object class synchronization.
By the same token, you can synchronize multiple Exchange containers with multiple Active Directory containers or synchronize multiple Active Directory containers with multiple Exchange containers. Moreover, you can configure each connection agreement to synchronize single or multiple object types. This service gives you the opportunity to rearrange your object hierarchy in Active Directory.
You install ADC service from the ADC folder on the Exchange 2000 companion CD-ROM. During the installation, the installation wizard prompts you to choose the Microsoft Active Directory Connector Service Component, the Microsoft Active Directory Connector Management Components, or both (Figure 14-6). Selecting Microsoft Active Directory Connector Service Component installs the ADC service (Adc.exe). Selecting Microsoft Active Directory Connector Management Components installs the Active Directory Connector Management snap-in into a separate Microsoft Management Console (MMC).
The user account that you log on with to install the ADC service must have the ability to modify the schema; otherwise, you'll receive the error message in Figure 14-7. However, if Exchange 2000 Server is already installed somewhere in your Windows 2000 forest, schema modifications are not necessary when installing the ADC service, since the schema has already been extended.
REAL WORLD Questions to Consider Before Deploying ADC ServiceBefore deploying ADC service, ask yourself the following questions to determine the best way to configure it for your needs.
Do you want to administer all of your directory objects from Active Directory? You can manage all of your Exchange Server 5.5 and Active Directory objects with one tool: Active Directory Users and Computers. This approach will require a one-way connection agreement from Windows to each of your existing Exchange sites. If your Exchange team and network team need to administer their areas separately, choose a two-way connection agreement. Final decisions should involve representatives from all of your teams.
Do you want to use Exchange Administrator to manage your Exchange Server 5.5 environment until your migration is finished? If you want to continue using Exchange Administrator, you need to define most of your connection agreements as one-way from Exchange. This arrangement requires only a single-point connection agreement from one of your sites because the Exchange Directory Service (DS) will replicate any new or modified objects into the site hosting the Exchange end of the connection agreement. This scenario is beneficial if you want to reduce management time and replication traffic.
Do you want to be able to create new accounts in both your Windows 2000 and Exchange directories? You might want the flexibility of creating new accounts in either directory if you're in a decentralized administration model where each department or division manages its user groups or if your migration will take place over a long time (six months or more). This scenario requires a two-way connection agreement (that is, ADC service must regard each directory as write enabled), and you must carefully coordinate which team creates which user accounts. You also need to consider the security and administrative implications if you're giving users outside your organization LDAP access with write privileges to either of your directories.
Figure 14-6. ADC service installation choices.
Figure 14-7. Permissions needed to modify the schema.
Next, the installation wizard asks for a location for the installation files and for the administrator name and password in the Windows 2000 domain. The final installation screen asks you to finish the installation.
NOTE
After you've migrated all of your directory information to Windows 2000 and fully implemented Exchange 2000 Server, you'll no longer need Active Directory Connector service because you'll no longer have any Exchange 5.5 servers. If you choose to uninstall the ADC service, you must first delete all of the connection agreements you defined on the local server. Best practice would be to do this after you have switched your Exchange 2000 organization to native mode.
Once you've installed the ADC service, you'll need to create the primary connection agreement. To do so, launch the ADC service snap-in by choosing Active Directory Connector from the Microsoft Exchange menu. Right-click the server name, point to New, and choose either Recipient Connection Agreement or Public Folder Connection Agreement. For our discussion in this chapter, we'll use Recipient Connection Agreement. Creating the Public Folder Connection Agreement is similar to creating the Recipient Connection Agreement.
You'll need to give your connection agreement a name that describes the function it will serve. Figure 14-8 illustrates how to name a two-way agreement.
Figure 14-8. Naming a two-way connection agreement.
Connections Tab On the Connections tab shown in Figure 14-9, we've configured the Connect As values for each server because these two servers are in different domains and we are writing from each directory to each directory. If you have different domains, which will usually be the case when migrating from 5.x to 2000, you will need to enter Connect As values for each directory to which you would like to write information that is generated in the other directory.
You can also specify the port number that will be used by Exchange Server 5.5. You'll need to change this port number if your Exchange 5.5 server is running on a Windows 2000 domain controller. When Windows 2000 boots up, the Active Directory LDAP services start before any Exchange services, and the LDAP service locks port 389 (the default LDAP port) for its own use. If you leave the port number at 389 for the ADC service to use in this scenario, it will fail to bind to the Exchange directory because of a port number conflict. Most administrators are choosing port 390 in this situation.
Figure 14-9. Connections tab of the ADC service property sheet.
TIP
If you're running Exchange Server 5.5 on a Microsoft Windows NT 4 server, be sure to specify the domain name in front of the Windows NT 4 user name that you use to log on to the domain (for example, domain name\username). If you don't specify the domain name, you'll receive an 8026 error message in the Event Viewer application log informing you that the bind was unsuccessful.
Schedule Tab You configure the replication interval for the connection agreement on the Scheduletab (Figure 14-10). Setting the replication interval to Always will cause the connection agreement to replicate every 15 miutes. You can force the entire directory to replicate the next time the software runs the agreement, whether it runs on a predetermined schedule or not, by selecting the Replicate The Entire Directory The Next Time The Agreement Is Run check box. Selecting this option sets the msExchServerXHighestUSN attribute to 0 and the msExchDoFullReplication attribute to True for the connection agreement.
From Exchange and From Windows Tabs The From Exchange tab (Figure 1411) and the From Windows tab (Figure 14-12) let you set which containers and objects in your Exchange 5.5 site will replicate to Windows 2000 Active Directory and vice versa.
By default, each Exchange site has one Recipients container. If you've created multiple subcontainers under the Recipients container, you have several options for replicating your objects to Windows 2000. If you want to retain the same container structure in Active Directory, create one connection agreement and choose the Exchange site as the source container. Active Directory will automatically create the same container structure in its directory and populate it accordingly. If you want to consolidate several Exchange containers into one container in Active Directory, create one connection agreement and individually choose each of the containers as the source, pointing them to the same container in Active Directory.
Figure 14-10. Schedule tab of ADC service property sheet.
Figure 14-11. From Exchange tab of ADC service property sheet.
Figure 14-12. From Windows tab of ADC service property sheet.
If you want to have complete control over each container (for example, if you want to have the mailbox container replicate every 30 minutes but have the custom recipient container replicate every 12 hours), create a separate connection agreement for each container, specifying your source and target containers.
TIP
If you want to change your structure entirely, you have two options:
- You can choose one connection agreement, replicate your Exchange containers to one Active Directory container, and then manually move the objects within the Windows 2000 containers after they exist in the Active Directory.
- You can create multiple connection agreements and have each connection agreement process one Recipients container (or object type) and point it to a specific OU in Active Directory. Generally speaking, unless you have a specific reason to choose the previous option, it's best to use this technique, since it is both easier and limits the possibility of human error when moving objects from one container to another.
On the From Windows tab, you can select the Replicate Secured Active Directory Objects To The Exchange Directory check box. Normally, any object with any kind of Deny access control entry (ACE) set would not be replicated to your Exchange 5.5 directory. Selecting this check box disables the filtering of objects based on the specified Deny ACE, so that those objects are replicated from Windows to your Exchange 5.5 directory. Deny ACEs can be set on the Security tab of the object in question.
Deletion Tab The Deletion tab (Figure 14-13) lets you specify how you want the target directory to manage deleted objects in the source directory. You can either have the deleted object replicated to the target directory or have it cataloged in the appropriate import file format. If you choose to delete the objects, the target directory's tombstone setting will determine when the object will be deleted. If you choose to catalog the deletion list, you'll need to manually perform a directory import and choose to have all of the objects being imported deleted during the import process.
NOTE
Tombstoning affixes a future date and time to an object after deletion so that all copies of the object in the directory will be deleted at the same time. This practice prevents replication services from backfilling a deleted object into the directory and presenting it as though it had never been deleted.
Remember that Windows 2000 strips an object of its permissions after you delete it. If you think you might want to use a deleted object again, keep it in the deletion list and then import it again when you need the object.
Figure 14-13. Deletion tab of ADC service property sheet.
Advanced Tab On the Advanced tab (Figure 14-14), you need to configure several important values. First, in the Paged Results area, you can change the number of entries per LDAP page. Increase this value if your Exchange 5.5 server is running on a Windows 2000 domain controller. You want to do this because both Active Directory and ADC service will be using LDAP to send and receive queries. Paging improves performance by grouping together objects to be replicated before each replication request. Larger page sizes (containing more objects per page) require fewer LDAP requests to complete replication of all objects, but they also require more memory to operate. Setting the page size to 0 results in no replication, so do this only if you want to disable the connection agreement.
Figure 14-14. Advanced tab of ADC service property sheet.
Be sure to give careful attention to the check boxes for configuring primary agreements. The This Is A Primary Connection Agreement For The Connected Exchange Organization option is the default. A primary connection agreement will attempt to create new objects in the target directory when synchronizing objects from one directory to another. Furthermore, if a mailbox in Exchange Server 5.5 has no primary user account, and no corresponding Windows 2000 user account exists in Active Directory, a primary connection agreement will create a new user account as part of the replication of the mailbox.
A nonprimary connection agreement doesn't create new objects in the Exchange Server 5.5 directory and instead replicates only attributes between the Exchange Server 5.5 mailbox and its corresponding Windows 2000 user object. Furthermore, if the connection agreement is nonprimary, the ADC service establishes replication only if you've designated a primary user account on the mailbox's General tab. If no primary user account is designated for the Exchange 5.5 mailbox and no corresponding Windows 2000 user object exists, a nonprimary connection agreement won't attempt to create the user object in Active Directory.
Having multiple two-way, primary connection agreements to multiple Exchange Server 5.5 sites from one Active Directory container means that each new object you create in the Active Directory container will replicate to each Exchange Server 5.5 site directory. This scenario will create multiple instances of the same object in your Exchange Server 5.5 organization. The Exchange 5.5 Directory Service will then replicate these objects throughout the organization. If you need to synchronize multiple Exchange sites with one container in Active Directory, configure your connection agreements as one-way from Exchange, with only one two-way connection agreement. This configuration will allow newly created objects in Active Directory to be replicated to your Exchange 5.5 directory without incurring multiple instances of that object.
If you want to create multiple connection agreements from the Active Directory to the Exchange Server 5.5 directory, it's best to set only one connection agreement as primary and the rest as nonprimary. Do this by clearing the This Is A Primary Connection Agreement For The Connected Windows Domain check box on all but one of your connection agreements. The overall effect will be that an object created in Active Directory will be created only once in the Exchange 5.5 directory. You'll need to consider which Exchange 5.5 sites should receive the newly created Active Directory objects.
The most complicated scenario is one in which you need to have certain objects that are created in Active Directory replicated to certain Exchange 5.5 sites and other objects created in Active Directory replicated to other Exchange 5.5 sites. If this is your situation, consider creating separate primary connection agreements from different Active Directory containers to each Exchange 5.5 site. Although doing so will increase the complexity of your ADC service administration, it will allow you to specify which Active Directory objects are replicated to which Exchange 5.5 site.
Associated with the This Is A Primary Connection Agreement For The Connected Windows Domain check box is the setting This Is The Primary Connection Agreemenet For The Connected Exchange Organization check box, used for replicating a mailbox object that has no corresponding primary user account in Active Directory. This check box controls whether an object is created in the Windows 2000 domain if no user account match exists between the two directories. The When Replicating A Mailbox Whose Primary Windows Account Does Not Exist In The Domain drop-down list becomes unavailable if you clear the check box. Use this setting if you need to migrate several mailboxes and you're sure that some of the mailboxes don't have user accounts in Active Directory.
The This Is An Inter-Organizational Connection Agreement check box should be is selected if the connection agreement is being made between two Exchange organizations, which would be the case when uploading directory information from an Exchange 5.x organization to a Windows 2000 Active Directory whose schema has already been extended with an Exchange 2000 directory. It is also selected when you are replicating your 5.x information to an Active Directory that has no Exchange 2000 organization defined, and thus whose schema has not been extended to include Exchange 2000 objects.
You would not want to select this option if you have installed an Exchange 2000 server into an existing Exchange 5.5 organization. In this case, the Exchange 2000 organization and the Exchange 5.5 organization are the same.
When replication is scheduled to occur within a two-way connection agreement, you can choose the direction in which replication will occur first in the Initial Replication Direction For Two-Way Connection Agreements check box.
Summary of ADC Options
- If you're coming from a single Exchange 5.5 site, create one connection agreement to retain the same container structure in Active Directory.
- To consolidate multiple Exchange Server 5.5 containers into one container in Active Directory, create one connection agreement and choose each of the Exchange containers individually as a source.
- To have complete control over the synchronization of each Exchange 5.5 container as it replicates to Windows 2000 Active Directory, create a connection agreement for each source container.
- To substantially change your container model, either configure one connection agreement, move all of your source objects into one Windows 2000 container, and then manually move the objects within the Active Directory, or set up multiple connection agreements that specify each source and destination container.
By right-clicking the Active Directory Connector Management snap-in in the MMC console, you can configure which attributes of each object you want to replicate to the other directory. As was mentioned previously, a nonprimary connection agreement replicates only the attributes of an object to the other directory. This property sheet lets you choose the attributes you want to replicate.