Installing and Configuring the Active Directory Connector

Unlike in Exchange 2000, the Active Directory Connector (ADC) does not need to be installed until after the /forestprep command has run. This was designed so that only a single schema extension is required for upgrading to Exchange Server 2003, as opposed to the dual-extension of Exchange 2000.

After the prompt by the Exchange Deployment Tools, the ADC can be installed. The connection agreements in ADC are necessary to synchronize directory entries between the Exchange 5.5 and Exchange Server 2003 systems. Unlike in Exchange 2000, the Exchange Server 2003 ADC can be installed on a member server and is often installed on the first Exchange Server 2003 system in a site.

Organizations can choose to implement one or more Active Directory Connectors in the organization. Implementing additional ADC connectors and connection agreements should not be seen as a fault-tolerant solution for the ADC. The ADC should be seen as a temporary coexistence solution, with the migration being the intended end goal.

ADC installations are better off being left as simple as possible. A single ADC installed with one connection agreement to each Exchange 5.5 site is much easier to manage than multiple ADCs, all with their own connection agreements. This might or might not be possible based on the Exchange 5.5 site design and WAN layout. The ADC and its connection agreements should communicate with servers on the same network segment that will require multiple ADC installations.

Installing the ADC

Both the Active Directory domain controller and the Exchange 5.5 server that will be joined through the Active Directory Connector should be on the same physical network segment. Schema Admin and Enterprise Administrator rights are required to install the ADC.

Plan a few days to install and configure the ADC and the connection agreements. The initial installation and configuration take only a few hours, but it generally takes a few days to work out the kinks and resolve the errors in the Application Event Log. Problems in the ADC will show up later and complicate the migration, so don't rush the ADC installation. Microsoft recommends allocating 2 hours for replicating about 5,000 objects in a single direction, but the length of time for replication really varies on the number of connection agreements, recipient containers, and populated attributes on the actual directory objects.

The ADC has the capability to delete objects in both directories, so check whether the backup media and procedures have been recently verified before configuring the ADC. The organization should be familiar with how to perform an authoritative restore through NTDSUTIL for the Active Directory database.

The first step in installing the ADC is to create or choose a user account that will be used to run the ADC service and manage the connection agreements. This account does not have to be the same account that is used in each of the connection agreements configured later in the chapter. This account needs to be added to the Administrators group in the domain if the ADC is installed on a domain controller or to the local Administrators group if the ADC is installed on a member server.

To manually start the ADC installation, insert the Exchange Server 2003 CD and select ADC Setup from the autorun menu, or simply invoke the setup from the Exchange Deployment Tools. The ADC prompts for the component selection and allows just the MMC administration snap-in to be installed or the ADC service. Select both components when installing the ADC on the server. If the ADC will need to be remotely managed, the administration component can be installed later on the administrator's workstation.

Next, the installation prompts for the path to install the ADC and the ADC service account credentials. When the installation is complete, the next step is to configure the connection agreements to begin synchronizing the Active Directory and Exchange 5.5 directories.

Creating Connection Agreements

Configuring connection agreements (CAs) has been the bane of many an Exchange 2000 administrator. Improperly configured connection agreements can seriously corrupt an Active Directory or Exchange 5.5 database, so it is extremely important to properly configure CAs for the migration process. Luckily, Exchange Server 2003 includes a series of ADC Tools that streamline the process of creating CAs for migration, as illustrated in Figure 15.3. After installation, it is highly recommended that you use these wizards to install and configure the CAs.

Two tools in particular are extremely helpful in the migration process. The first tool, the Resource Mailbox Wizard, illustrated in Figure 15.4, can help to identify users with multiple mailboxes and fix them in advance of the migration. This tool streamlines the process that the ntdsutil utility previously utilized.

The second tool, the Connection Agreement Wizard, walks an administrator through the tricky process of creating the connection agreements required to migrate from Exchange 5.5. The wizard helps to identify "gotchas" such as the AD domain being in Mixed Mode (it should be changed to Native Mode in advance of the migration) and other important factors. As illustrated in Figure 15.5, it automatically creates a recipient CA and a public folder CA, which can then be manually tweaked as necessary.

After initial setup, several properties can be configured on the ADC to give the administrator more information and control over the ADC and its connection agreements. Attribute replication, account-matching rules, and diagnostic logging properties should all be configured before building the connection agreements and replicating directory entries. Even when using the default settings on the ADC, it is a best practice to prototype the ADC replication processes in a lab before attempting the synchronization on production systems.

Connection agreements are configured by an administrator who controls the type of objects that are replicated between Active Directory and Exchange 5.5. They also contain the credentials and connection information needed to connect to both systems and other attributes, such as handling deletion and what to do when there is no matching account for the mailbox in the destination directory. Connection agreements operate using two different approaches:

• One way Information is synchronized only one way. The connection agreement can be from Windows or from Exchange, but not from both. After the direction is selected, the opposite system's tabs and controls are grayed out.

• Two way Information is synchronized in both directions. This is generally the preferred method and keeps the configuration simple.

Connection agreements also need to be designated as primary or not. A primary connection agreement has the capability to create objects in the directory. A connection agreement that is not marked as primary cannot create new objects and can only update the attributes of existing objects. To ensure that objects are created, the ADC marks all connection agreements as primary by default.

Configuration Connection Agreements

Configuration connection agreements are used for coexistence between the Exchange 5.5 and Exchange 2003 servers, and they transfer information such as site addressing and routing information between the Exchange platforms. The configuration connection agreement cannot be created manually and is created by the Exchange Server 2003 set-up program when the first Exchange Server 2003 system is installed. After the replication of the configuration information, Exchange 5.5 sites are visible in the Exchange System Manager program and are represented as Administrative Groups. Exchange Server 2003 systems are also visible in the Exchange 5.5 Administrator program.

Recipient Connection Agreements

Recipient connection agreements are responsible for replicating mailbox, distribution list, and custom recipient information from the Exchange 5.5 directory to Active Directory. They are also used to send users, groups, and contacts from Active Directory to Exchange 5.5. Recipient Connection Agreements can be configured as one-way or two-way connection agreements. Most often a two-way connection agreement is used. Each connection agreement has its own schedule, so using one-way connection agreements might be preferred if the organization has specific requirements on when each side should be updated.

Public Folder Connection Agreements

Public folder connection agreements are responsible for replicating mail-enabled public folder information from and to Exchange 5.5 and Active Directory. Public folder connection agreements can be configured only as two-way connection agreements. It is a best practice to create one public folder connection agreement per Exchange 5.5 site. This is true even if the organization does not mail-enable public folders. Administrators might not be aware of some folders that are mail-enabled, and it is best to create the connection agreement for each Exchange 5.5 site, to reduce the likelihood of problems with the folders during the migration.

Configuring Connection Agreements

As previously mentioned, it is wise to allow the ADC Tools to create the necessary CAs for the migration process. If a manual CA will need to be configured, however, it can be done in the following fashion. Open the ADC MMC snap-in on the domain controller running the ADC by selecting Start, All Programs, Microsoft Exchange, Active Directory Connector. Right-click the Active Directory Connector service icon for the server and select New, Recipient Connection Agreement.

The following tabs must be populated:

• General Select the direction and the ADC server responsible for the connection agreement. It's usually best to select a two-way connection agreement for the primary connection agreement.

• Connections Enter the username and password combination that will be used to read and write to Active Directory. Next enter the server name and LDAP port number for the Exchange 5.5 server, and the username and password that will be used to read and write to the Exchange 5.5 directory. When entering the user credentials, use the format domain\user ”that is, companyabc\administrator.

  TIP

  To locate the LDAP port number on the Exchange 5.5 server, open Exchange Administrator and access the LDAP protocol properties under the Protocols container beneath the server object.

  
  

• Schedule The directory synchronization process takes place between midnight and 6 a.m. daily under the default schedule. Use the grid to modify the schedule, or select Always, which replicates every five minutes. Remember to select the check box for Replicate the Entire Directory the Next Time the Agreement Is Run to perform a full synchronization on the first run.

• From Exchange Select all the recipient containers in the Exchange 5.5 site to synchronize with Active Directory. Remember to select any containers that might be used as import containers for foreign mail connectors. Next select the destination container in Active Directory where the ADC will search for matching accounts and create new accounts. Select the object types to replicate, such as mailboxes, distribution lists, and custom recipients.

• From Windows Select the Organizational Units in Active Directory to take updates from and the Exchange 5.5 container to place the updates in. The object types to replicate are selectable for users, groups, and contacts. The check boxes for Replicate Secured Active Directory Objects to the Exchange Directory and Create Objects in Location Specified by Exchange 5.5 DN are best left blank in most instances. Click Help while in the From Windows tab for more information on these options.

• Deletion The Deletion option controls whether deletions are processed or stored in a CSV or LDF file, depending on the platform. If this is a short- term connection for migration, it's usually best to mark these options to not process the deletions and store the change in a file. The CSV and LDF files get created in the path that the ADC was installed into. Each connection agreement has its own subdirectory, and the output CSV and LDF files get created there.

• Advanced The Advanced tab is set correctly for the first primary connection agreement and does not need to be modified. The settings on this tab should be modified when multiple connection agreements exist or when configuring the ADC to replicate between Exchange organizations. Leaving the Primary Connection Agreement check box selected on multiple connection agreements for the same containers creates duplicate directory entries. Never have the ADC create contacts unless the ADC is being used to link two Exchange organizations for collaboration purposes.

To configure a public folder connection agreement, right-click the Active Directory Connector service icon for the server and select New, Public Folder Connection Agreement.

• General Select the ADC server responsible for the connection agreement. The direction can be only two-way on public folder connection agreements.

• Connections Enter the username and password combination that will be used to read and write to Active Directory. Next enter the server name and LDAP port number for the Exchange 5.5 server, and the username and password that will be used to read and write to the Exchange 5.5 directory. When entering the user credentials, use the format domain\user ”in this case, companyabc\administrator.

• Schedule The directory-synchronization process will take place between midnight and 6 a.m. daily under the default schedule. Use the grid to modify the schedule. Select the check box for Replicate the Entire Directory the Next Time the Agreement Is Run to perform a full synchronization on the first run.

• From Windows The only option available here is the check box for Replicate Secured Active Directory Objects to the Exchange Directory. This replicates objects that contain an explicit deny in the Access Control List to Exchange 5.5. Exchange 5.5 does not support explicit deny entries, so the objects are not replicated by default.

The final step is to force the connection agreement to replicate immediately. To force the replication, right-click the connection agreement and select Replicate Now. Be sure to check the Application Event Log in Event Viewer for errors during the replication process.