Chapter 3 - Deploying the Active Directory Connector

Updated: June 14, 2001

Deployment Guide

Abstract

This chapter describes how to configure the Active Directory Connector (ADC) to achieve coexistence between the Microsoft® Windows® 2000 Active Directory™ service and your existing Microsoft Exchange Server 5.5 environment. Topics include how to use the ADC in single-organization scenarios, as well as the step-by-step process for configuring the ADC in these situations.

If you are not upgrading or migrating from Exchange 5.5, you can skip this chapter.


Introduction

The full integration of Microsoft® Exchange 2000 with the Microsoft Windows® 2000 Active Directory™ service can pose a number of challenges when you want to link to an existing Microsoft Exchange Server 5.5 environment. Depending on your Exchange 5.5 architecture, you might have a large number of sites and organizations, a small number of sites and organizations, or something in between. To provide coexistence between Exchange 2000 and your existing environment, you need to install and configure the Active Directory Connector (ADC), which replicates mailbox, distribution list, and routing information between Active Directory and the Exchange 5.5 directory.

Note: The ADC is designed to provide temporary coexistence for an eventual migration to Exchange 2000.

The coexistence option discussed in this chapter is intra-organizational, that is, the Exchange 5.5 and Exchange 2000 systems are configured in the same organization.

Inter-organizational scenarios, where one or more Exchange 5.5 organizations are using a different organization name than the Exchange 2000 system, are not covered.

Exchange Coexistence Design Considerations

Coexistence of Exchange 2000 can be broken into three categories:

Coexistence between Exchange 5.5 and Exchange 2000

Coexistence between two or more Exchange 2000 forests

Coexistence with another messaging system like Lotus Notes, cc:Mail, or GroupWise.

This section will discuss the solutions and design considerations concerning the first coexistence category. The other categories are covered separately in the migration white papers available on the Internet at:

You should already have planned the design considerations for implementing the Active Directory Connector in Planning Chapters 3 and 4.

ADC Configuration and Operational Requirements

This section discusses the ADC configuration requirements. You should have covered planning the Active Directory Connector and the Connection Agreements (CAs) that you will require in Planning Chapter 4, Connecting Active Directory to Exchange 5.5. For information on how to install the Active Directory Connector, refer to Deployment Chapter 2, Configuring Windows 2000 Active Directory for Exchange 2000 Server.

Before deploying the Active Directory Connector (ADC) and creating Connection Agreements (CAs), it is crucial that all pertinent business requirements are taken into account in order to avoid problems later on. You should have recorded this information on

Installation and Configuration Time Factors

Although it should take less than an hour to install the ADC in most environments, creating the CAs can take anywhere from a few hours to a few days. The time required depends on the number of CAs involved and the complexity of mapping your recipient containers to Active Directory.

For a 5,000 user system, plan for at least two hours to install a one-way CA and have it replicate all the changes to Active Directory or Exchange 5.5. For two-way agreements, allocate at least five hours for the changes to be replicated to both directories. The length of time for your particular implementation depends upon the number and type of objects in the directory that you are replicating.

Essentially, plan for the initial replication cycle to be a time-consuming process; subsequent incremental updates should be relatively quick. Record how long the first full replication takes: if you later decide to force a full replication, you can use that figure to estimate how long the full update will take.

Operational Requirements

As a general rule, ADC operation requires no more time or effort than any other service included with the Microsoft Windows® 2000 operating system. All errors and warnings are written to the Windows 2000 Event Log, so monitoring it allows you to determine the health of the ADC and alerts your support staff to any issues.

Any unplanned operations, like a forced full update, will require you to keep a closer eye on the CA processes running under the ADC. This process should normally be done during the maintenance window dictated by your organization's Service Level Agreement (SLA), so that CA traffic has the least impact on Active Directory replication and user access.

Disaster Prevention

You can configure the ADC to make fundamental changes to directories (including deleting objects). Therefore, incorrect deployment can destabilize your existing Exchange infrastructure. Any operation that you perform using the ADC should be planned carefully, with all possible implications covered.

If you are going to make large changes using the ADC, back up Active Directory before proceeding. If you then delete something that you should not have, you can perform an authoritative restore using NTDSUTIL to recreate the accidentally deleted objects.

Creating an Intraorganizational Connection Agreement

Intra-organizational replication is the simplest to configure and is the most common arrangement for directory synchronization.

What You Will Need

To create an intra-organizational connection agreement you will require:

Windows 2000 Server or Advanced Server.

Active Directory Connector installed on a Windows 2000 domain controller.

Exchange 5.5 Service Pack 3.

What You Should Know

In addition, you will need to know the following:

Name of the Exchange 5.5 organization to which you are connecting.

Name of the service account for the Active Directory ADC CA.

Name of the service account used to access Exchange 5.5.

Name of the server running Exchange and site to which you are connecting.

IP address of the target server.

Name of an organizational unit (OU) or container in the Active Directory in which you will create user accounts from the Exchange 5.5 organization. This could be the default Users container, or it could be a separate OU that you create using the Active Directory Users and Computers console.

You should also check the following items, to ensure that they have not been changed from their default settings:

LDAP Port

LDAP Security

Since the intra-organizational CA is designed as a migration tool for moving from an Exchange 5.5 environment to an Exchange 2000 environment, it is important that you have already determined which objects from the Exchange 5.5 sites will be represented in Active Directory.

Step-By-Step Procedure

To configure the ADC for intra-organizational replication, perform the following steps:

1. Log on to Windows 2000 with a domain administrator account.

2. Open the Active Directory Connector MMC console.

3. Select, then right-click the Active Directory Connector object.

4. Point to New, and then click Recipient Connection Agreement.

5. In the Name field, type Connection to Server1 (where Server1 is the name of your server). Just make sure that you use a name that is clear and intuitive.

6. Configure the direction as either one-way (From Exchange to Windows) or two-way, depending on the type of linkage that you require between the two directories.

7. Click the Connections tab and, in the Windows Server information text box, click Modify for the Connect as option. Click Browse and select the service account that you will use for the ADC, and then click OK. Enter the appropriate password for this service account and then click OK.

8. In the Exchange Server information field, type the name of the server running Exchange to which you will be connecting.

Note: You must enter the name of the server running Exchange and its IP address in the LMHOSTS file if you cannot resolve the computer using DNS or WINS.

9. Click Modify next to the Connect as text box. In the Connect as text box, type DOMAIN\Account (where DOMAIN is the Windows NT domain and Account is an account that has the appropriate permissions on the server running Exchange that you are accessing). Enter the appropriate password and then click OK.

10. Click the Schedule tab, and then set the schedule to Always (that is, every 15 minutes). Optionally, you can configure the connection to run at specific times of the day.

11. Click the Advanced tab, and change the Paged results values to 99 for both the Windows Server entries per page and the Exchange Server entries per page.

12. Click the From Exchange tab and then click the Add button underneath Choose the Exchange recipients containers to take updates from to select the containers to import. Select the containers you want to import and then click OK. Repeat as necessary, choosing other sites and containers if the Exchange system has multiple sites or containers.

13. Click Modify next to the Default destination text box. Select the OU container in which you want the ADC to create new accounts. This will be the OU that you identified during your planning process. Click OK.

14. Choose which objects to replicate by selecting or clearing the entries in the scrolling list box. By default, all entries are selected.

15. Click OK to save the changes, then right-click the new connection agreement and click Replicate Now to force the first replication. Verify that the objects are appearing in the OU container in Windows 2000 and that the ADC is not generating any errors in the Application Event Log.

Fallback Plan

Removing a CA and undoing its effects are very delicate processes. If you are not careful, you might delete objects in Active Directory or Exchange 5.5, which would require a complete system restore to recover. If you decide to remove a CA you have just configured, the first thing you should do is configure that CA to save deletes to a file instead of writing them to the directory service. This way, if something goes wrong, all you end up with is a file of deletes, not actual deletes. For more information on this topic, refer to the TechNet articles 254821 and 249831.

After you have properly removed the CA, you can clean up the accounts it created. This is best accomplished by using the Active Directory Users and Computers MMC, or by using an ADSI script. Depending on your requirements, you may not need to delete the objects the ADC created, in which case you are finished rolling back.
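As an added example that is not part of this chapter or of the ADC itself, the following PowerShell script (using ADSI through System.DirectoryServices rather than the VBScript of the period) performs the two checks from step 15 and produces the inventory of ADC-created accounts that the cleanup described above needs, without deleting anything. It assumes that users created or matched by the ADC carry the legacyExchangeDN attribute, that the ADC logs under the 'MSADC' event source, and it uses a placeholder OU distinguished name that you must replace with the OU chosen in step 13.

```powershell
# Added example, not from the TechNet chapter: verify an intra-org CA's first
# replication and inventory the accounts it created before any rollback.
# Assumptions (labelled): ADC-created users carry legacyExchangeDN, the ADC
# logs under the 'MSADC' source, and $TargetOU is the OU chosen in step 13.
param(
    [string]$TargetOU = 'OU=Exchange Users,DC=example,DC=com',  # placeholder
    [string]$AdcEventSource = 'MSADC',                          # assumed
    [int]$HoursBack = 24
)

function Get-AdcReplicatedUsers {
    param([string]$SearchBase)
    # System.DirectoryServices needs no ActiveDirectory module on the DC.
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SearchBase")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Users with a legacyExchangeDN were created or matched from Exchange 5.5.
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(legacyExchangeDN=*))'
    $searcher.PageSize = 500   # server-side paging so a large OU returns completely
    [void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName','legacyExchangeDN','whenCreated'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Account  = [string]$r.Properties['samaccountname'][0]
            LegacyDN = [string]$r.Properties['legacyexchangedn'][0]
            Created  = [datetime]$r.Properties['whencreated'][0]
        }
    }
}

function Get-AdcEventLogIssues {
    param([string]$Source, [int]$Hours)
    # Errors (level 2) and warnings (level 3) in the Application log are the
    # ADC's health signal; Get-WinEvent errors out when nothing matches, so
    # that case is silenced and treated as "no issues".
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = $Source; Level = @(2, 3)
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$users = @(Get-AdcReplicatedUsers -SearchBase $TargetOU)
"$($users.Count) replicated user(s) found in $TargetOU"
$users | Sort-Object Created | Format-Table -AutoSize

$issues = @(Get-AdcEventLogIssues -Source $AdcEventSource -Hours $HoursBack)
if ($issues.Count -eq 0) { "No ADC errors or warnings in the last $HoursBack hours" }
else { $issues | Format-Table -AutoSize }
```

Keep the printed inventory alongside the CA's deletes file: together they tell you exactly which objects a rollback touches, so any removal can be reviewed object by object before it is carried out.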

Related Topics

For information about installing the ADC, refer to Deployment Chapter 2, Configuring Windows 2000 Active Directory for Exchange 2000 Server.

Summary

This chapter covered the synchronization of Exchange 5.5 and the Active Directory. You should now have accounts in Active Directory that have a one-to-one mapping with the mailboxes in Exchange 5.5.

More Information

For more information about the ADC, refer to the following links:

Give Us Your Feedback

We would like you to give us feedback on this material. In particular, we would be grateful for any guidance on the following topics:

How useful was the information provided?

Were the step-by-step procedures accurate?

Did you use the job aids and were they useful?

Were the chapters readable and interesting?

Overall, how do you rate the series?

Send your feedback to the following e-mail address:

We look forward to hearing from you.
