Installing and Configuring the Active Directory Connector
Lynne Williams, Judy MacCallum
Support Professionals, Product Support Services, Microsoft Corporation

Objectives
• The importance of preparing the Microsoft® Active Directory® and Exchange 5.5 before the ADC deployment
• The process of deploying Microsoft Exchange 2000 Server Active Directory Connector
• Troubleshooting replication

Agenda
• Function of the Active Directory Connector
• Preparing the Active Directory for the ADC
• Preparing Exchange 5.5 for the ADC
• Common issues you may encounter during installation
• Configuration issues
• Troubleshooting the ADC

The Active Directory Connector: Function
• Enables two-way synchronization between the Directory Service in Exchange 5.5 and the Microsoft Windows® 2000 Active Directory
[Diagram: Exchange 5.5 Directory and Windows 2000 Active Directory]

Preparing the Exchange 5.5 Organization: Steps to Take
• Check account mapping using NTDSAtrb utility
• Run DS/IS Consistency Check
• Check Application Log in Event Viewer for any existing Exchange 5.5 problems
• Resolve any existing Exchange 5.5 problems

Preparing the Exchange 5.5 Organization: NTDSNoMatch Utility
• Also known as NTDSAtrb utility
• Located on Exchange 2000 SP1 CD and on the SP2 CD in the Server\Support\Utils\I386 folder
• Multiple mailboxes with the same primary Microsoft Windows NT® account must be resolved before installing and configuring the ADC
• A mailbox in Active Directory is an attribute of the Active Directory object, not an object itself

Preparing the Exchange 5.5 Organization (2): NTDSNoMatch Utility
• Checks for mailboxes with duplicate primary Windows NT account
• Creates a comma-separated value (.csv) file that you can import into the Exchange 5.5 directory

Preparing the Exchange 5.5 Organization (3): NTDSNoMatch Utility
• User account has more than one mailbox in Exchange 5.5: association of primary mailboxes with incorrect user accounts
• Set the value NTDSNoMatch in the Custom Attribute 10 field for accounts you do not want associated with existing user accounts
• Q274173, “Documentation for the NTDSNoMatch Utility”

Associated-NT-Account Mapping
[Diagram, two slides: Domain A, Exchange 5.5 Site 1 (Mailbox 1, Mailbox 2), User A, User B, User C; Domain B, Exchange 5.5 Site 2 (Mailbox 3, Mailbox 4, Mailbox 5), User D]

Preparing the Exchange 5.5 Organization (4): NTDSNoMatch Utility
• NTDSNoMatch must be run from a Windows 2000-based computer. The program will not run from Windows 95, Windows 98, or Windows NT 4.0.
• Make sure the account you are using has permissions to read the Exchange 5.5 directory.
• Run from command prompt: ntdsatrb servername or ntdsatrb servername:port#
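
The duplicate-account check that the NTDSNoMatch slides describe, as an added Python example that is not the utility's own code. The export column names, the sample rows and the alias-equals-logon-name rule for choosing the primary mailbox are assumptions made for the illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an Exchange 5.5 directory export; the column names
# are assumptions for this example, not the utility's documented format.
SAMPLE_EXPORT = """\
Obj-Class,Directory Name,Alias Name,Primary Windows NT Account
Mailbox,JSmith,jsmith,DOMAINA\\jsmith
Mailbox,HelpDesk,helpdesk,DOMAINA\\jsmith
Mailbox,ConfRoom1,confroom1,DOMAINA\\jsmith
Mailbox,MLee,mlee,DOMAINA\\mlee
Mailbox,Payroll,payroll,DOMAINB\\akhan
Mailbox,Audit,audit,DOMAINB\\akhan
"""

def group_by_account(export_text):
    """Map each primary NT account (case-insensitive) to its mailbox rows."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Obj-Class"].strip().lower() == "mailbox":
            groups[row["Primary Windows NT Account"].strip().lower()].append(row)
    return groups

def plan_nomatch(export_text):
    """Return (tagged, unresolved) for accounts that own several mailboxes."""
    tagged, unresolved = [], []
    for account, rows in sorted(group_by_account(export_text).items()):
        if len(rows) < 2:
            continue
        # Assumed heuristic: the primary mailbox is the one whose alias
        # equals the logon name; every other mailbox gets NTDSNoMatch.
        logon = account.split("\\")[-1]
        primary = [r for r in rows if r["Alias Name"].strip().lower() == logon]
        if len(primary) != 1:
            unresolved.append(account)  # a person must pick the primary
            continue
        tagged += [r["Directory Name"] for r in rows if r is not primary[0]]
    return tagged, unresolved

def import_csv(tagged):
    """Build a directory import file that sets Custom Attribute 10."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["Obj-Class", "Mode", "Directory Name", "Custom Attribute 10"])
    for name in tagged:
        w.writerow(["Mailbox", "Modify", name, "NTDSNoMatch"])
    return out.getvalue()
```

Accounts returned in `unresolved` own several mailboxes with no obvious primary, so they are left untagged for an administrator to decide before the connection agreement is created.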

Preparing the Exchange 5.5 Organization: DS/IS Consistency
• In the Exchange Server 5.5 Administrator program, select a server that runs Exchange Server 5.5 and that contains a public information store
• On the File menu, click Properties, and then click the Advanced tab
• Click Consistency Adjuster
• In DS/IS Consistency Adjustment, click the "Remove unknown user accounts from public folder permissions" check box, click the "Remove unknown user accounts from mailbox permissions" check box, and then click the "All inconsistencies" button
Important: Clear all other check boxes

Preparing the Active Directory: DCDIAG
• Run dcdiag from a command prompt: DCDIAG /s:DomainController /v > LogFileName
• Check for any errors
• Resolve any errors
• Re-run dcdiag until it shows no errors

Preparing the Windows 2000 Environment: NETDIAG
• Netdiag /v > filename.txt
• Check for errors
• Resolve any errors
• Re-run Netdiag until error free
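
One way to automate the "check for errors, re-run until clean" loop over the dcdiag and netdiag logs, as an added Python example that is not part of the webcast. The log excerpts and the server name are constructed; an empty or truncated log is reported as a finding instead of being read as a clean run.

```python
import re

# Constructed excerpts in the layout dcdiag and netdiag print; the server
# name and the chosen failures are made up for this example.
DCDIAG_LOG = """\
   Testing server: Default-First-Site-Name\\DC01
      Starting test: Replications
         ......................... DC01 passed test Replications
      Starting test: NetLogons
         ......................... DC01 failed test NetLogons
      Starting test: KnowsOfRoleHolders
         ......................... DC01 passed test KnowsOfRoleHolders
"""
NETDIAG_LOG = """\
Domain membership test . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Failed
Trust relationship test. . . . . . : Skipped
"""

# dcdiag: dotted leader, server name, verdict, test name.
DCDIAG_RESULT = re.compile(
    r"^\s*\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)", re.M)
# netdiag: test name, dotted leader, colon, verdict.
NETDIAG_RESULT = re.compile(
    r"^\s*(.+? test)[\s.]*:\s*(Passed|Failed|Skipped)\s*$", re.M)

def dcdiag_failures(log):
    """Return (server, test) pairs for every failed dcdiag test."""
    return [(host, test) for host, verdict, test in DCDIAG_RESULT.findall(log)
            if verdict == "failed"]

def netdiag_failures(log):
    """Return the names of netdiag tests whose verdict is Failed."""
    return [name for name, verdict in NETDIAG_RESULT.findall(log)
            if verdict == "Failed"]

def readiness(dcdiag_log, netdiag_log):
    """Return blocking findings; an empty list means both logs are clean."""
    problems = []
    if not DCDIAG_RESULT.search(dcdiag_log):
        problems.append("dcdiag: no test results found (empty or truncated log)")
    if not NETDIAG_RESULT.search(netdiag_log):
        problems.append("netdiag: no test results found (empty or truncated log)")
    problems += [f"dcdiag: {h} failed {t}" for h, t in dcdiag_failures(dcdiag_log)]
    problems += [f"netdiag: {n} failed" for n in netdiag_failures(netdiag_log)]
    return problems
```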

Preparing the Windows 2000 Environment: Windows 2000 User Accounts
• If the accounts do not already exist in Active Directory, import them from Windows NT 4.0 using ADMT, or create accounts
• If you have already created disabled accounts from ADC replication, follow article Q316047, “XADM: How to Enable Disabled Accounts That the ADC Creates”

Installing the Active Directory Connector: Pre-installation Considerations
• ADC must be installed on a computer that is running Windows 2000 Server or Windows 2000 Advanced Server
• Need to know the user ID and password for an account with Domain Administrator, Enterprise Administrator, and Schema Administrator privileges

Installing the Active Directory Connector (2): Pre-installation Considerations
• ADC setup extends the schema (must have Schema Administrator permissions)
• Creates objects in the Active Directory (must have Enterprise Administrator permissions)
• Creates Security Groups in local domain called “Exchange Services” and “Exchange Administrators” (must be member of Domain Administrators Group)

Installing the Active Directory Connector (3): Pre-installation Considerations
• ADC Setup creates objects in the Active Directory Configuration container. This requires that the account running Setup belong to the Enterprise Administrators group.
• Subsequent installations of ADC require only Domain Administrator permissions.

Active Directory Connector: Additional Planning
• Before creating the Recipient Connection Agreement, make a full backup
• Q319474, “How to remove the ADC-Global-Names Attribute from Exchange 5.5”
• Q288569, “XADM: How to Prevent Tombstones from Deleting Mailboxes”
• Plan your replication time. Initial replication will be time consuming depending on the number of objects to replicate. The following replications will take less time.

Installation Issues
• Not logging on with adequate permissions to complete setup (Q253593)
• Installing ADC on Windows 2000 domain controller that is running Exchange 5.5 (Q250989)
• Look at the ADC Setup log for errors

User Accounts and the ADC: Two Scenario Considerations
• Exchange 5.5 mailboxes already associated with user accounts in the Active Directory: you can proceed with creating a two-way Recipient CA
• Exchange 5.5 mailboxes associated with Windows NT 4.0 accounts in a different domain: you will need to do one of the following:
   • Run the ADMT to migrate user accounts and SidHistory (Q260871, “HOW TO: Set Up ADMT for Windows NT 4.0 to Windows 2000 Migration”)
   • Upgrade Windows NT 4.0 domain to Windows 2000
   • Use a third-party utility that supports SidHistory migration

Active Directory Connector: Gather Information
• Name of the Exchange 5.5 organization
• Name of the service account for the Active Directory ADC
• Name of the service account used to access Exchange 5.5
• Name of the server running Exchange and site to which you are connecting
• IP address of the target server
• Name of the organizational unit (OU) in the Active Directory that you want to replicate
• LDAP port
• LDAP security

Configuration of the ADC: Two-Way Recipient Connection Agreement
• Create connection agreements using the Active Directory Connector Management snap-in

Configuration of the ADC (7): Two-Way Recipient Connection Agreement
• Q253829, “Description of Active Directory Connector Deletion Mechanism”

Configuration of the ADC: Two-Way Recipient Connection Agreement Common Issues
• On the Connections tab, under Windows Server Information, enter the Global Catalog server
• Make sure you choose the correct Recipient container or OU to replicate
• Select the correct Exchange 5.5 server
• LDAP port on Exchange 5.5

Verifying Replication of the ADC
• Looking to see if replication occurred
• Turn up logging
• Look at event logs
• Reference: Q253841, “XADM: Troubleshooting Active Directory Connector Replication Issues”

Troubleshooting Replication: Looking to See if Replication Occurred
• Look at user accounts in Active Directory Users and Computers for mail attributes
• Test replication by changing middle initial of a test user to see if change replicates
• In Exchange Administrator, change a middle initial of a test user and see if it replicates to Active Directory

Troubleshooting Replication: Turning Up Diagnostic Logging
• On the Start menu, point to Programs, point to Administrative Tools, and then click "Active Directory Connector Management" to start Microsoft Management Console
• In the left pane, click Active Directory
• On the Action menu, click Properties to view the "Active Directory Connector Properties" dialog box
• On the Diagnostics Logging tab, select the logging category that you want to configure, and then click the appropriate logging level from the Category Logging Levels list

Troubleshooting Replication: Diagnostic Logging Levels
• None: Critical events and error events
• Minimum: Success or failure of adding or removing a user account
• Medium: Proxy error warnings
• Maximum: Logs all events; provides a complete record of the ADC service and the status of replication
Unless you are troubleshooting a problem, avoid using the Maximum logging level because it logs a large amount of information and can affect server performance.

Troubleshooting Replication: Check Application Event Logs
• May need to increase size of event logs
• Look for events generated by MSADC
• Q313212, “XADM: Mailboxes Do Not Replicate from Active Directory to Exchange”
• Q306360, “XADM: Event ID 8270, 1171, and 8146 Error Messages from Active Directory”

Additional Information
• Q256862, “How to Correct Mismatched Accounts After Active Directory Connector Replication”
• Q326060, “XADM: How to Move a Connection Agreement to Another Server”
• Q276440, “XADM: Using CSVDE.EXE to Backup and Restore Connection Agreements”

Thank you for joining today’s Microsoft Support WebCast. For information about all upcoming Support WebCasts, and access to the archived content (streaming media files, PowerPoint® slides, and transcripts), visit: http://support.microsoft.com/webcasts/ Your feedback is sincerely appreciated. Please send any comments or suggestions about the Support WebCasts to supweb@microsoft.com.