Microsoft KB Archive/286190

= The Active Directory Management Agent may inadvertently change the user attributes that are related to the user mailbox =

Article ID: 286190

Article Last Modified on 1/18/2006

-

APPLIES TO


 * Microsoft Metadirectory Services 2.2 Service Pack 1

-



This article was previously published under Q286190



SYMPTOMS
When a user account is enabled to use a mailbox, the Active Directory Management Agent (ADMA) may inadvertently change the user attributes that are related to the mailbox, which can disassociate the user from the mailbox.



CAUSE
This problem can occur because of an error in the templates that causes the ADMA to flow certain attributes to the connected directory. This problem can cause the Exchange attributes to be reset, and can occur in situations where:
 * Interforest synchronization is being performed.
 * The same users have accounts in both forests.
 * The connector space objects for the users are joined to the same metaverse object.
 * The Together Administration Management Agent (TAMA) is used to manage the connector space of one or both of the forests.

Under certain conditions, the ADMA can operate as though any entry that is imported from Active Directory and managed by a TAMA profile has its attribute assignments made from the metaverse to the connected directory. The following template code can perform such an operation: if $exists (&quot;$cs.msMMS-ManagedByProfile&quot;) = TRUE then if $cs.creatorsName ! $mv.creatorsName then if $exist($multi_valued(&quot;$MA&quot;, $mv.msMMS-managedByMA)) ! TRUE then $cs.msMMS-TimeToLive = 0 $v_interforestReplicaEntry = TRUE else $v_interforestReplicaEntry = $NULL endif endif endif The disassociated behavior can be caused by the $mv.mailNickname attribute having a NULL value prior to the point when the user account is enabled to use a mailbox. The NULL value is sent to the connected directory by using an attribute flow as demonstrated in the following assignment with the Secndflow.st file (which can be viewed if you click Design MA, click Control Connected Directory, click Output Construction Templates, and then click Secondary Attribute Flow): if ($MA($msMMS-AdMaIsForestExchange2000Enabled)) = TRUE then # This section will set in any AD entry the following attributes # Set remaining optional attributes ...  $cd.mailNickname = $mv.mailNickname ... endif
 * 1) This is an Interforest Replica Entry, thus set the time
 * 2) to live to 0 on these entries



RESOLUTION
This problem is resolved in Microsoft Metadirectory Services version 2.2 Service Pack 1 (SP1). However, during the upgrade process to Microsoft Metadirectory Services 2.2 SP1, the templates are not upgraded so as to avoid overwriting any custom settings that had been previously set up in the templates.

The ADMAs that are created after the upgrade to SP1 are created by using the update templates. The existing ADMAs are not automatically upgraded. For this reason, you need to manually migrate the ADMA to the newer templates.

NOTE: Because most installations have customized templates, it is highly recommended that you use a product, such as, Microsoft Visual SourceSafe, to keep track of progressive changes that can occur to the ADMA during the migration process.

To Upgrade the Templates After You Upgrade to Microsoft Metadirectory Services 2.2 SP1:
 Record the templates to the working directory of the ADMA. When you record the templates, click to select the Update this MA from its working directory templates located at: check box so that the templates in the Management Agent (MA) working directory can be used to update the MA when this step is performed later in this procedure. For additional information about recording templates, click the following article number to view the article in the Microsoft Knowledge Base:

250479 Recording Management Agent templates in Microsoft Metadirectory Services

 If you use Visual SourceSafe, ensure that the computer has the latest templates. Copy the working directory to another location, location1, for the ADMA. Then, you must verify that the templates match Visual SourceSafe. Use either Visual SourceSafe or Windif to make a difference on the templates from the original Microsoft Metadirectory Services 2.2 templates and the templates that are in location1. (You can use this information to move the custom settings to the new templates or other templates.) Copy all of the templates from the C:\Zoomserv\Data\DSGates folder for the ADMA to another location, location2. Copy the Advanced.st and Simple.st files from location1, and then place them into location2.</li> Use the information that you obtained when you made a difference to the files in Step 4 to make any necessary adjustments to your templates files in location2. Whenever possible, you must make all changes in the Advanced.st file as it is not recommended to change the other templates. This step can help you with the troubleshooting process.</li> Copy all of the files in location2, and then paste them in the working directory for the ADMA.</li> On the action panel, click Update Management Agent.</li> Run the MA to verify that the templates work as designed.</li></ol>

<div class="status_section">

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This problem has been resolved in Microsoft Metadirectory Services SP1.

<div class="moreinformation_section">

MORE INFORMATION
<div class="moreinformation_section">

To recover the mailbox attributes for the affected users, use either of the following two methods:
 * Use the Exchange Recipient Update server to rebuild the mailboxes.
 * Perform an authoritative restore of the affected mailboxes.

For additional information about the Recipient Update Service, click the following article number to view the article in the Microsoft Knowledge Base:

277906 MSExchangeISPublic Event 9551 is logged after you grant Public Folder permissions to an Exchange Server 5.5 user

For additional information about the authoritative restore process, click the following article number to view the article in the Microsoft Knowledge Base:

241594 How to perform an authoritative restore to a domain controller in Windows 2000

Additional query words: Zoomit mms metadirectory

Keywords: kbbug kbui KB286190

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.