Lesson 1: Integrating Microsoft Exchange Server 5.5 with Windows 2000 Server

It is advantageous to migrate the entire Windows NT environment to Windows 2000 Server before integrating Exchange Server with Active Directory. At a minimum, you should upgrade all primary domain controllers (PDCs). This ensures that all user accounts are Windows 2000 security objects, which greatly simplifies system integration because it avoids the creation of duplicate user objects. If you cannot upgrade your Windows NT domains for any reason, you need to create separate accounts for your users in Active Directory to synchronize them with mailbox information from the Exchange Directory. When upgrading the Windows NT domains later on, you may end up with duplicated directory objects for each user, which requires an explicit cleanup using the Active Directory Cleanup Wizard. Windows NT accounts are not automatically merged during the upgrade. The preparation of the Windows 2000 environment for Exchange 2000 Server is covered in more detail in Chapter 3, "Assessing the Current Network Environment."

This lesson explains how to integrate Exchange Server 5.5 with Active Directory. You can read how user account and mailbox information are synchronized between the Exchange Directory and Active Directory and what you need to take into consideration to design a straightforward synchronization topology. You can also learn how to use Active Directory to synchronize recipient information from different Exchange organizations with each other.

After this lesson, you will be able to

  • Explain how to integrate Exchange Server 5.5 with Active Directory using the Active Directory Connector (ADC)
  • Describe the difference between primary and nonprimary connection agreements (CAs) and the configuration of CAs in complex environments with multiple Windows 2000 domains and multiple Exchange sites
  • Develop appropriate strategies for synchronizing Windows 2000 user objects with Exchange mailbox information

Estimated time to complete this lesson: 120 minutes

Integrating the Exchange Directory with Active Directory

Integration with Active Directory is an asset if you are currently operating an Exchange Server 5.5 organization in a Windows 2000 Server environment, even if you don’t plan to move to Exchange 2000 Server. Among other things, Active Directory integration can help to facilitate the administration of user accounts and mailbox resources. On the other hand, if you are planning to upgrade, directory integration is a requirement. A smooth upgrade requires you to consolidate user account and mailbox information in Active Directory before installing the first Exchange 2000 server.

Directory Integration Using the Active Directory Connector

To integrate Exchange and Active Directory with each other, you need to install the ADC that ships with Exchange 2000 Server. The ADC is a Windows 2000 service that performs a synchronization of the directories based on the Lightweight Directory Access Protocol (LDAP), as indicated in Figure 6.1. You can find this component on the Exchange 2000 Server product CD in the \ADC\i386 directory. To install the ADC, launch SETUP.EXE from this location. You need to have the rights of a schema, enterprise, and domain administrator.

Because the ADC is a directory application, it is a good idea to install it directly on a Windows 2000 domain controller. In fact, Microsoft recommends a Global Catalog (GC) server. Keep in mind, however, that the hardware must be able to handle the extra workload. If the network connection to the nearest GC is fast and reliable, you can also install the ADC on a member server. The ADC computer should run Windows 2000 Server Service Pack 1. The Exchange Server version should be Exchange Server 5.5 with Service Pack 3 or later.

The ADC consists of two components, which you can install separately or on the same machine:

  • The Microsoft Active Directory Connector service. This is the Windows 2000 service that performs the actual directory synchronization. The account being used to run the ADC service must be a member of the local Administrators group.

    Figure 6.1 - Directory synchronization based on the ADC

  • The Active Directory Connector Manager snap-in. This is the management utility that allows you to configure the directory synchronization based on CAs, which are explained later in this lesson.

Note


It is advisable to check your Active Directory environment and fix any inconsistencies before installing the ADC. This is accomplished quickly using DCDIAG.EXE, which is available from Microsoft—go to www.microsoft.com and search for the phrase "DCDIAG." You can install this program on your domain controller together with the other Windows 2000 Support Tools, such as ADSI Edit. Make sure you place this program in a folder in the system search path. You can then simply type dcdiag at the domain controller’s command prompt to launch a test.

LDAP Port Conflicts

No ADC description would be complete without explaining how to handle the LDAP port conflict that occurs when running Exchange Server 5.5 on a Windows 2000 domain controller. Domain controllers listen on Transmission Control Protocol (TCP) port 389, as does the LDAP interface of the Exchange Directory. Active Directory always starts before Exchange Server and will always allocate TCP port 389 without giving the Exchange Directory service a chance to use it. You cannot change the Active Directory ports, but you can adjust the port number for the LDAP interface of Exchange Server in the Exchange Administrator program (see Figure 6.2). On most Windows 2000 domain controllers, TCP port 379 or port 390 is available for the Exchange Directory.

Figure 6.2 - Resolving an LDAP port conflict

Another option to resolve the port conflict is to remove Active Directory from the Exchange server—that is, if other Windows 2000 domain controllers are still available in the domain to provide authentication services. Removing Active Directory using DCPROMO.EXE does not affect the Exchange Server installation. Exchange can run on member servers without problems and without LDAP port conflicts. However, removing Active Directory is a less preferable solution than the simple change of a port number.

Extending the Active Directory Schema

The ADC Setup program must extend the Active Directory schema with Exchange-specific classes and attributes. Extending the schema means that Windows 2000 has to rebuild all GCs, resulting in a large amount of replication traffic. Exchange 2000 Server also requires you to extend the schema, and again, the GCs will have to be rebuilt. Therefore, if you intend to upgrade to Exchange 2000 Server at the end of the day, it is a good idea to prepare the Active Directory forest right away by running Setup in ForestPrep mode before installing the ADC. A prepared Active Directory forest does not require the ADC Setup program to extend the schema, saving you the extra replication cycle. You need to be a schema, enterprise, and domain administrator to successfully run Setup /ForestPrep in the root domain.

Note


Setup /ForestPrep extends the schema, prompts you for an organization name, creates the Exchange 2000 organization in Active Directory, and delegates the Exchange Full Administrator role to a specified user account. You are prompted to join an Exchange Server organization if an ADC has already been deployed in the forest. Make sure that the Exchange 2000 organization name matches exactly the name of your Exchange Server organization.

Windows 2000 vs. Exchange 2000 ADC

It is important to note that there are two versions of the ADC. One version comes with Windows 2000 Server and can be used to connect Exchange Server 5.5 to Active Directory when Exchange 2000 Server is not available. The other version comes with Exchange 2000 Server. To support a mixed Exchange organization, you need to deploy the version that comes with Exchange 2000. The ADC that ships with Windows 2000 Server is unable to replicate configuration information and does not support seamless system integration. You can read more about the replication of configuration information in Lesson 2.

Note


Use the ADC that comes with Exchange 2000 Server to connect Exchange Server 5.5 to Active Directory.

Synchronizing Recipient Information

The ADC does not synchronize or replicate directory information automatically. You need to configure this service manually using the ADC management console. Right-click the Active Directory Connector object, point to New, and then select Recipient Connection Agreement. Among other things, you need to specify the servers that host the directories to be synchronized, the directory objects to synchronize, the synchronization direction, and a synchronization schedule. You also need to specify user accounts to access the servers. Remember that the accounts must write information to the target directories. You can configure one-way (from Exchange Server 5.5 to Windows 2000, or vice versa) or two-way CAs.

Note


In multidomain environments, make sure that the specified Windows 2000 server is a GC server to ensure that all requested objects are included in the directory synchronization.

Connection Agreement Types

The Exchange 2000 ADC supports three types of CAs (recipient CA, public folder CA, and configuration CA) to synchronize recipient and configuration information between the directories. In the context of integrating Exchange Server 5.5 with Active Directory, recipient CAs are most important. Public folder and configuration CAs, on the other hand, facilitate the integration of Exchange 2000 with Exchange Server 5.5. They are covered in Lesson 2.

Note


Depending on the number of users and the power of your domain controller, it may take several hours to fully synchronize Exchange Directory with Active Directory. For a two-way CA, budget up to 1 hour per 1000 users.

Mapping of Recipient Information

Recipient CAs are able to selectively synchronize mailboxes, distribution lists, and custom recipients, respectively, with mailbox-enabled user accounts, distribution groups, and contact objects. You can configure separate CAs to specify different destination containers for each type or enable all types in one CA.

The ADC maps recipient objects in the following way:

  • Mailboxes correspond to mailbox-enabled user accounts that may in turn be enabled or disabled.
  • Distribution lists correspond to universal distribution groups.
  • Custom recipients correspond to contact objects.

Synchronizing Distribution Lists

A subtle design requirement revolves around the creation of groups in Active Directory for distribution lists in Exchange Server 5.5. Exchange uses distribution lists to set permissions on public folders, whereas the ADC creates universal distribution groups, which cannot be used for this purpose in Exchange 2000 Server.

Because Exchange 2000 fully integrates with Windows 2000 security to protect its resources, only security groups (not distribution groups) can be used to grant or deny permissions. For this reason, when you integrate Exchange 2000 Server into the environment, the system will attempt to automatically convert the ADC’s distribution groups to universal security groups. This conversion will fail in a domain operating in mixed mode because security groups are only available in native mode. For this reason, if possible, switch your Windows 2000 domains into native mode, or at least create a small resource domain, switch it into native mode, and let the ADC place all distribution groups in this domain. You can create a separate recipient CA for the synchronization of distribution lists and distribution groups if necessary (see Figure 6.3).

Figure 6.3 - Transferring distribution lists into a dedicated native-mode domain

Synchronizing Resource Accounts

There is one more issue you need to take into consideration before activating your recipient CAs. In Active Directory, every mailbox-enabled user has exactly one mailbox, and every mailbox corresponds to one user object. In Exchange Server 5.5, however, a Windows account can have multiple mailboxes. For instance, you may be responsible for a number of resource accounts, in which case you will work with a personal mailbox and a number of resource mailboxes. The challenge is to synchronize the correct mailbox with your Windows 2000 user account and create separate directory objects for the remaining resource mailboxes. This will not affect your ability to log on to any of these mailboxes because your Windows 2000 account remains the primary Microsoft Windows NT account in Exchange Server 5.5.

Figure 6.4 illustrates the problem that multiple mailboxes with the same primary Windows security object can pose. The ADC synchronizes the first mailbox with the user object, where the security identifier (SID) of the primary Microsoft Windows NT account matches the SID of the user account in Active Directory. For the other mailboxes it either creates a contact, enabled user, or disabled user, depending on the CA configuration. Hence, you may end up with the wrong mailbox information in your user object. To prevent this problem, you must force the ADC to create a separate user account for each resource mailbox. This can be achieved by setting the custom attribute 10 of your resource mailboxes to NTDSNoMatch, which indicates, "Even if you find a matching user object, do not use it."

Figure 6.4 - Synchronizing a resource mailbox into a user account

To put it plainly, you must determine all those mailboxes in your organization that should not be synchronized with any existing users to set their custom attribute 10 to NTDSNoMatch. Depending on the number of mailboxes, this can be a time-consuming job. Fortunately, Microsoft provides a helpful utility called NTDSNOMATCH that makes things easier. NTDSNOMATCH checks for mailboxes with the same primary Windows NT account, determines whether the mailbox alias matches the Windows account name, and, if it does not, assigns the mailbox the NTDSNoMatch value. The output is a series of comma-separated value (.csv) files that you can edit further or import directly into the Exchange Directory to apply the custom attributes. The NTDSNOMATCH utility is available through Microsoft Product Support Services (MS PSS).
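The following script is an added illustration of the two mechanisms just described, not Microsoft's NTDSNOMATCH utility and not part of the training kit: it applies the alias-versus-account-name heuristic to a constructed list of Exchange Server 5.5 mailboxes, emits the resulting custom attribute 10 rows as CSV, and simulates the ADC's first-match behaviour so you can see how a resource mailbox lands in the wrong user object when the marker is missing. The CSV header names, the account names and the use of the DOMAIN\user string in place of the account SID are assumptions for the example.

```python
"""Added illustration of the NTDSNoMatch heuristic and the ADC matching problem.
Not Microsoft's NTDSNOMATCH utility; all mailbox data below is constructed."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

NTDSNOMATCH = "NTDSNoMatch"


@dataclass
class Mailbox:
    alias: str
    display_name: str
    primary_nt_account: str      # DOMAIN\user, as shown in Exchange Administrator
    custom_attribute_10: str = ""


def sample_mailboxes():
    """Constructed sample: jdoe owns a personal mailbox plus two resource mailboxes
    (listed in directory order), asmith owns only her own mailbox."""
    return [
        Mailbox("conf-room-a", "Conference Room A", r"CORP\jdoe"),
        Mailbox("jdoe", "Jane Doe", r"CORP\jdoe"),
        Mailbox("projector-1", "Projector 1", r"CORP\jdoe"),
        Mailbox("asmith", "Alice Smith", r"CORP\asmith"),
    ]


def account_name(nt_account):
    """Strip the DOMAIN\\ prefix so the alias can be compared with the account name."""
    return nt_account.split("\\", 1)[-1]


def flag_resource_mailboxes(mailboxes):
    """The heuristic described in the lesson: among mailboxes that share a primary
    Windows NT account, every mailbox whose alias does not equal the account name
    is assumed to be a resource mailbox and gets custom attribute 10 = NTDSNoMatch.
    Returns the aliases that were flagged."""
    by_account = defaultdict(list)
    for mb in mailboxes:
        by_account[mb.primary_nt_account].append(mb)
    flagged = []
    for account, group in by_account.items():
        if len(group) < 2:
            continue  # one mailbox per account: nothing to disambiguate
        name = account_name(account).lower()
        for mb in group:
            if mb.alias.lower() != name:
                mb.custom_attribute_10 = NTDSNOMATCH
                flagged.append(mb.alias)
    return flagged


def to_import_csv(mailboxes):
    """Render the flagged mailboxes as CSV rows for a directory import.
    The header names are assumptions for this illustration."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Obj-Class", "Alias Name", "Custom Attribute 10"])
    for mb in mailboxes:
        if mb.custom_attribute_10 == NTDSNOMATCH:
            writer.writerow(["Mailbox", mb.alias, mb.custom_attribute_10])
    return buf.getvalue()


def simulate_adc_match(mailboxes, ad_accounts):
    """Model of the ADC behaviour the lesson describes: the first mailbox whose
    primary Windows NT account matches an Active Directory user (the account
    string stands in for the SID here) is merged into that user object, unless
    the mailbox carries NTDSNoMatch; every other mailbox becomes a new object.
    Returns (merged, created): account -> alias merged into it, and the aliases
    that get separate objects."""
    merged, created = {}, []
    for mb in mailboxes:
        target = mb.primary_nt_account
        if (target in ad_accounts and target not in merged
                and mb.custom_attribute_10 != NTDSNOMATCH):
            merged[target] = mb.alias
        else:
            created.append(mb.alias)
    return merged, created


if __name__ == "__main__":
    accounts = {r"CORP\jdoe", r"CORP\asmith"}
    print("without markers:", simulate_adc_match(sample_mailboxes(), accounts))
    mbs = sample_mailboxes()
    flag_resource_mailboxes(mbs)
    print("with markers:   ", simulate_adc_match(mbs, accounts))
    print(to_import_csv(mbs))
```

Without the markers the conference room mailbox, which happens to come first in directory order, is merged into Jane Doe's user object; with them her own mailbox is matched and each resource mailbox gets its own object.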

More Info: To Correct Mismatched Accounts After Directory Synchronization

If an ADC has synchronized a user object with the wrong mailbox information, you need to clean up both Exchange and Active Directory using low-level tools. It is a good idea to contact MS PSS for assistance.

For your reference, here are the steps you should follow:

  1. Stop the ADC service.
  2. Launch ADSI Edit (available in the support tools of Windows 2000 Server), and connect to the domain naming context (NC) of the user accounts.
  3. Open the desired organizational unit (OU), and display the properties of the problematic user account.
  4. Delete the values from the msExchADCGlobalNames attribute.
  5. Launch the Exchange Administrator program in raw mode (type admin /r ).
  6. For each of the mailboxes matched to the user account, display the raw properties (File menu, Raw Properties command), and remove all the values from the ADC-Global-Names attribute.
  7. For each resource mailbox, set the custom attribute 10 to NTDSNoMatch.
  8. Start the ADC service and check the outcome of the directory synchronization.

Use caution when using ADSI Edit or the Exchange Administrator program in raw mode to change values. Incorrect values may seriously damage Active Directory and may force you to reinstall the entire Windows 2000 environment. Keep in mind that you modify directory attributes at your own risk.

Configuring Object Matching Rules

By default, the ADC matches object attributes between Exchange and Active Directory in a straightforward way. For instance, the Hide-From-Address-Book attribute in Exchange is mapped to the msExchHideFromAddressLists attribute in Active Directory to ensure that hidden objects remain hidden from address books across the entire environment. If required, you can change the mapping of attributes by configuring an explicit object-mapping rule in the ADC management console. Launch Active Directory Connector Manager, right-click the root object called Active Directory Connector Management, and then select Properties. This opens the Active Directory Connector Management Properties dialog box, which provides access to two property sheets—From Exchange and From Windows—where you can customize the Exchange-to-Active Directory and Active Directory-to-Exchange attribute mapping.

The ADC uses mapping rules to associate the objects in both directories with each other. For instance, the objectGUID attribute in Exchange is mapped to the objectGUID attribute in Active Directory, which allows a reliable association of directory objects. If the ADC cannot find the counterpart of an object in the other directory (or if custom attribute 10 is set to NTDSNoMatch), it creates a new object.

For mailboxes with users in Windows NT domains, this means that Windows 2000 user accounts are created for the primary Windows NT accounts because a corresponding user object does not yet exist in Active Directory. The ADC adds the SIDs of the primary Windows NT accounts to the Active Directory user objects’ SID History attribute to facilitate the migration to Windows 2000. The ADC also grants the original Windows NT account the Full Mailbox Access and Associated External Account rights. The new object is placed in the Windows 2000 OU identified as the default destination for new objects in the configuration of your recipient CA. You can read more about SIDs and the purpose of the SID History in Chapter 3, "Assessing the Current Network Environment."

Matching rules have the following characteristics:

  • They apply to all CAs of an ADC.
  • Active Directory-to-Exchange matching rules are stored in the msExchServer1SchemaMap attribute of the Default ADC Policy object.
  • Exchange-to-Active Directory matching rules are stored in the msExchServer2SchemaMap attribute of the Default ADC Policy object.
  • The Default ADC Policy object resides in the configuration NC under Configuration\Services\Microsoft Exchange\Active Directory Connector. You can use ADSI Edit to examine the attributes.
  • You seldom are required to customize the mapping rules.

Designing Connection Agreement Topologies

User account information is not replicated across domain boundaries. Within a domain, every domain controller holds a read/write copy of the local domain NC. Across a multidomain forest, only GCs hold a read-only replica of remote domain NCs. Similar dependencies exist for Exchange Server 5.5, as well. Exchange servers fully replicate directory information to each other, but information from remote Exchange sites is also read-only.

This means that if you want to write information into a directory object in Active Directory, you need to connect to a domain controller in the Windows 2000 domain where the directory object resides. To write information from Active Directory into a recipient object in the Exchange Directory, on the other hand, you need to physically connect to a server in the recipient’s Exchange site. These dependencies greatly influence the configuration of CAs.

Single Domain with Multiple Exchange Sites

Applied to a single-domain environment with multiple Exchange sites, this requires you to configure multiple CAs to write account changes back into all recipient objects (see Figure 6.5). Having multiple CAs, however, implies having multiple default destinations. What happens if you create a new object in the Windows 2000 domain, such as a mail-enabled contact object? You may end up with duplicated recipients in Exchange—one in each site. To prevent this, in the secondary CA’s Advanced tab, deselect the This Is A Primary Connection Agreement For The Connected Exchange Organization check box.

Figure 6.5 - Multiple Exchange sites in one Windows 2000 domain

Note


Although a recipient CA is required for each Exchange site, there should only be one primary CA per domain. A primary CA synchronizes existing directory objects and creates new objects for those that could not be matched to an existing recipient. A nonprimary CA, on the other hand, replicates information in existing objects but does not create new recipients or accounts.

An Exchange Organization with One Site in an Active Directory Forest with Multiple Domains

The situation is similar when working with an Exchange organization in a multidomain forest. Multiple CAs are required to update recipient information in all user accounts of all domains (see Figure 6.6). Again, you must prevent the creation of duplicated objects. This time, in the secondary CA’s Advanced tab, clear the This Is A Primary Connection Agreement For The Connected Windows Domain check box.

Note


There should be only one primary CA from an Exchange organization to any Active Directory forest. Microsoft recommends installing a separate ADC in each Windows 2000 domain.

Figure 6.6 - One Exchange site for multiple Windows 2000 domains

Multiple Sites and Multiple Domains

The configuration of CAs can be very complex in environments with multiple Exchange sites and Windows 2000 domains. You may have to configure separate CAs to synchronize every Exchange site with every domain, or you can synchronize a particular site with only a particular domain if your Exchange site topology matches the Windows 2000 domain structure. Make sure you include all Exchange recipient containers in the CAs.

It is advisable to configure all CAs initially as nonprimary, two-way CAs. With nonprimary CAs, you avoid the accidental duplication of directory objects, and two-way CAs allow you to minimize the number of CAs in your environment (see Figure 6.7). Of course, you can also configure separate CAs for each site, domain, recipient container, and OU, but this complicates the configuration. Remember that you need to synchronize the directories in both directions if you are planning to integrate Exchange 2000 Server later. For this reason, two-way CAs are generally preferable.

Ideally, all of your Exchange users will already have a user account in Active Directory, which the nonprimary CAs can synchronize with Exchange recipient information. Distribution lists and custom recipients, however, may not exist in Active Directory yet. To populate Active Directory with the missing Exchange recipient information, configure an additional primary one-way CA for the entire Active Directory forest (synchronization from Exchange to Active Directory). This requires you to identify a domain to host all the distribution groups and contact objects. As mentioned earlier, this domain should operate in native mode.

Figure 6.7 - Multiple nonprimary CAs between Exchange sites and Windows 2000 domains

You do not need to explicitly specify all recipient containers in the primary CA’s configuration. In the From Exchange tab, select the organization object under Exchange Recipients Containers. You also need to specify an appropriate OU under Default Destination. The ADC then automatically creates sublevel OUs under the destination OU in Active Directory for all recipient containers. This may not represent an ideal OU structure, but in the Active Directory Users and Computers console, you can easily move newly created objects to other OUs. Even though the Active Directory objects do not reside in the default destination OU any longer, ADC will continue to synchronize them. As mentioned earlier, the ADC retains the relationship between directory objects based on object matching rules, which work independent of the object locations.

At this point, you have enabled directory synchronization between existing directory objects as well as the automatic creation of new objects in Active Directory. To support seamless coexistence with Exchange 2000, you also need to allow the automatic creation of recipient objects in the Exchange Directory. This requires you to identify one CA per domain and enable its This Is A Primary Connection Agreement For The Connected Exchange Organization check box. Make sure that only one CA per domain is able to create new Exchange objects and that the default destination points to the desired recipient container.

To fully enable directory synchronization between all domains and Exchange sites, complete the following steps:

  1. Create nonprimary, two-way CAs for every Exchange site to every Windows 2000 domain (or to those sites and domains that you want to synchronize with each other).
  2. Include all local recipient containers and desired OUs in the nonprimary CAs.
  3. Create one primary one-way CA from the entire Exchange organization to the Active Directory forest.
  4. Identify exactly one of the existing nonprimary, two-way CAs in each domain and, in the Advanced tab, enable its This Is A Primary Connection Agreement For The Connected Exchange Organization check box.
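As an added example that is not part of the training kit, the script below encodes the four steps above as a planner and adds a checker for the two duplication rules the lesson states: exactly one CA per domain may be primary for the connected Exchange organization, and exactly one CA per forest may be primary for the connected Windows domain. Site names, domain names and the CA naming scheme are constructed for the illustration.

```python
"""Added illustration (not part of the training kit): plan and check a recipient
CA topology for multiple Exchange sites and multiple Windows 2000 domains."""
from collections import Counter
from dataclasses import dataclass
from itertools import product


@dataclass
class ConnectionAgreement:
    name: str
    exchange_scope: str   # one Exchange site, or "ORG" for the whole organization
    windows_scope: str    # the Windows 2000 domain the CA connects to
    direction: str        # "two-way", "from-exchange" (one-way) or "from-windows" (one-way)
    primary_for_exchange: bool = False  # This Is A Primary CA For The Connected Exchange Organization
    primary_for_windows: bool = False   # This Is A Primary CA For The Connected Windows Domain


def plan_topology(sites, domains, native_mode_domain):
    """Produce the CA set from the lesson's four steps. native_mode_domain is the
    domain that will host the distribution groups and contacts created by the ADC."""
    cas = []
    # Steps 1 and 2: a nonprimary, two-way CA for every site/domain pair.
    for site, domain in product(sites, domains):
        cas.append(ConnectionAgreement(f"{site}<->{domain}", site, domain, "two-way"))
    # Step 3: one primary, one-way CA from the entire organization into the forest,
    # with its default destination in the native-mode domain.
    cas.append(ConnectionAgreement(f"ORG->{native_mode_domain}", "ORG", native_mode_domain,
                                   "from-exchange", primary_for_windows=True))
    # Step 4: in each domain exactly one of the two-way CAs may create Exchange objects.
    for domain in domains:
        first = next(ca for ca in cas
                     if ca.windows_scope == domain and ca.direction == "two-way")
        first.primary_for_exchange = True
    return cas


def check_topology(cas, sites, domains):
    """Return a list of problems; an empty list means the topology follows the
    lesson's rules. Catches the configurations that duplicate directory objects."""
    problems = []
    for site, domain in product(sites, domains):
        if not any(ca.exchange_scope == site and ca.windows_scope == domain
                   and ca.direction == "two-way" for ca in cas):
            problems.append(f"no two-way CA between site {site} and domain {domain}")
    per_domain = Counter(ca.windows_scope for ca in cas if ca.primary_for_exchange)
    for domain in domains:
        n = per_domain.get(domain, 0)
        if n != 1:
            problems.append(f"domain {domain}: {n} CAs are primary for the Exchange "
                            "organization (exactly 1 may create Exchange objects)")
    forest_primaries = [ca for ca in cas if ca.primary_for_windows]
    if len(forest_primaries) != 1:
        problems.append(f"{len(forest_primaries)} CAs are primary for the connected "
                        "Windows domain (exactly 1 per forest may create AD objects)")
    for ca in forest_primaries:
        if ca.exchange_scope != "ORG" or ca.direction != "from-exchange":
            problems.append(f"{ca.name}: the forest-wide primary CA must cover the whole "
                            "organization and run one-way from Exchange")
    return problems


if __name__ == "__main__":
    sites, domains = ["NYC", "LON"], ["corp.example", "res.example"]
    plan = plan_topology(sites, domains, "res.example")
    for ca in plan:
        print(ca)
    print("problems:", check_topology(plan, sites, domains))
```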

Synchronizing Multiple Exchange Server Organizations in One Forest

The ADC is a powerful directory synchronization tool that allows you to import address information from different Exchange organizations into Active Directory (see Figure 6.8). Instead of intraorganizational CAs, you only need to configure an interorganizational CA. The configuration does not differ much between the two CA types. Most important, in the CA’s Advanced tab, you must select the This Is An Inter-Organizational Connection Agreement check box. Two-way interorganizational CAs are not supported. You have to configure separate interorganizational CAs if you want to replicate directory information in both directions. Because interorganizational CAs synchronize Active Directory objects with recipient information from external organizations, you should create contact objects for Exchange recipients. You can choose the object type in the CA’s Advanced tab. You may choose enabled or disabled Windows user accounts instead if you plan to merge different organizations into the same Active Directory and Exchange 2000 environment. The consolidation of domain resources in a single Active Directory forest is covered in Chapter 3, "Assessing the Current Network Environment."

Note


Interorganizational CAs that replicate information from Windows 2000 to Exchange Server will create custom recipients in the specified default recipient container.

Developing a Directory Integration Strategy for Wide World Importers

Wide World Importers, introduced in Chapter 1, is a fictitious company with headquarters in New York, 400 offices, agencies in 60 countries, and numerous partnerships. According to Barbara Hoffman, Senior Manager of the Information Systems Department, Wide World Importers implemented Microsoft Exchange Server in 1997. The Exchange organization comprises roughly 100 servers that support the company’s 45,000 users. Traffic averages about 1 million messages daily. The company has fully deployed Windows 2000 Server and Active Directory, and the Exchange organization is currently synchronized with Active Directory. The company plans to upgrade the entire organization to Exchange 2000 Server. Hoffman asked Peter Waxman, Head of Communications Technology, to develop an appropriate directory integration strategy.

Figure 6.8 - Synchronizing multiple Exchange Server organizations in one forest

Waxman concludes that Wide World Importers has to do the following:

  1. Upgrade the installed Windows 2000 ADCs to Exchange 2000 ADCs.
  2. Switch at least one Windows 2000 domain into native mode and use it for distribution groups created by the ADCs.
  3. Verify that the correct mailbox information is synchronized with the user objects and, if necessary, identify secondary mailboxes through the NTDSNoMatch value in custom attribute 10, or clean up directory objects that already hold incorrect mailbox information.
  4. Optimize the existing ADC installation and recipient CA configuration to synchronize directory information in both directions. The configuration must be modified to create distribution groups in a native-mode ADC domain.

Activity: Developing Directory Integration Strategies

In this activity, you will develop a directory integration strategy for a fictitious company that plans to upgrade their environment to Exchange 2000 Server. The company is Adventure Works, which was introduced in Chapter 3.

Tip


You can use Figure B.17 in Appendix B as a guideline to accomplish this activity.

Scenario: Adventure Works

Adventure Works has globally deployed Exchange Server 5.5 and Active Directory. According to John Y. Chen, Senior IT Administrator at Adventure Works, the current environment operates reliably and fast. Currently, Exchange and Active Directory are not integrated with each other. The company has not yet deployed ADCs. Adventure Works’ current Windows 2000 and Exchange Server 5.5 environment is shown in Figure 6.9.

Figure 6.9 - The current Windows 2000 and Exchange Server 5.5 environment of Adventure Works

Adventure Works has not implemented any additional recipient containers. In each site, the default Recipients container holds all directory objects. In Active Directory, only the root domain adventure-works.com is operating in native mode. For security reasons, the demilitarized zone (DMZ) domain does not contain any user accounts. All Exchange servers run on domain controllers. The servers VAC-02-EX, JHB-01-EX, and MLB-01-EX are the directory replication bridgehead servers in the Exchange organization.

Summarizing the situation for Adventure Works, it is your task to develop an appropriate directory integration strategy for a later upgrade to Exchange 2000 Server:

  1. Do you need to configure intraorganizational or interorganizational CAs?
  2. Which version of the ADC do you need to install?
  3. How should you prepare the Active Directory forest to minimize GC rebuilds and related replication traffic over the wide area network (WAN) connections?
  4. In which domain should you place the distribution groups that the ADC creates for Exchange distribution lists?
  5. How many ADCs should you install provided that it is only necessary to synchronize recipient information in the local sites?
  6. How should you configure the CAs for all ADCs, provided that it is only necessary to synchronize recipient information in the local sites?
  7. What do you have to accomplish on the Exchange servers before you can configure any CAs?
  8. Which Exchange servers should you specify in the CAs’ Connections tab?
  9. Optional question: Which Windows 2000 servers should you specify in the CAs’ Connections tab (see Figure 3.15)?

Lesson Summary

When developing directory integration strategies, it is important to determine whether it is possible to upgrade all servers to Windows 2000 Server and switch the entire environment into native mode. Although desirable, this is not always possible. For instance, if a Windows NT 4.0 server is running Exchange Server 5.5 legacy connectors, such as an X.400 connector over Transport Protocol class 4 (TP4), you cannot upgrade the system because this network protocol is not supported under Windows 2000 Server. Third-party connectivity software may also cause problems and may require you to purchase software upgrades that support Windows 2000. As long as Windows NT 4.0 servers exist, your domain must remain in mixed mode, in which case you should locate or create another domain for the ADC and switch it into native mode to support universal security groups. You need to have a thorough understanding of the current server base and network infrastructure to develop a directory integration strategy.

A review of the domain topology is also required to determine the best location for the ADC in the network. You must prepare the forest for Exchange 2000 Server by running Setup /ForestPrep in the root domain and you should place the ADC close to a GC. If your hardware can cope with the extra workload, you may want to install the ADC directly on a GC server to minimize network traffic. If Exchange Server is running on a domain controller or GC as well, do not forget to change the LDAP port number for the Exchange Directory.

It is a very good idea to test the directory integration in a lab to verify that the ADC writes the mailbox information into the correct user objects and does not create duplicate objects in either directory. It is hard to clean up user accounts and mailboxes in the production environment after they have been matched incorrectly. If there are multiple accounts for a particular user, set custom attribute 10 to NTDSNoMatch in all mailboxes that you want to synchronize with separate user objects. To avoid duplicating directory objects, carefully check the configuration and topology of your CAs.

A review of the domain topology and Exchange site architecture, including replication schedules and location of directory replication bridgehead servers, will reveal essential CA configuration parameters. You should configure one primary recipient CA for the entire Active Directory forest, one primary CA per Windows 2000 domain for the Exchange organization, and nonprimary CAs for the recipient containers in each Exchange site. Intraorganizational CAs support one-way or two-way replication. In a mixed Exchange organization, you need to enable directory synchronization in both directions, as recipient information may change on both sides while the systems coexist.



MCSE Microsoft Exchange 2000 Server Design and Deployment Training Kit(c) Exam 70-225
MCSE Training Kit (Exam 70-225): Microsoft Exchange 2000 Server Design and Deployment (Pro-Certification)
ISBN: 0735612579
Year: 2001
Pages: 89
