= How to configure a two-way recipient Connection Agreement for Exchange Server 5.5 and Exchange Server 2003 users =

Article ID: 822921

Article Last Modified on 10/25/2007

-

APPLIES TO


 * Microsoft Exchange Server 2003 Standard Edition
 * Microsoft Exchange Server 2003 Enterprise Edition
 * Microsoft Exchange Server 5.5 Service Pack 3
 * Microsoft Exchange Server 5.5 Service Pack 4

-





IN THIS TASK

 * SUMMARY
 * Identify Mailboxes That Are Associated with the Same Windows NT Account
 * Determine Your Recipient Connection Agreement Configuration and Install the Active Directory Connector
 * Install ADC
 * Scenario 1: Exchange Server 5.5 Mailboxes Are Associated with Accounts That Are Located in a Windows 2000 or a Windows Server 2003 Active Directory Domain
 * Scenario 2: Exchange Server 5.5 Mailboxes Are Associated with Accounts That Are Located in a Windows NT 4.0 Domain, Even Though a New Windows 2000 or a New Windows Server 2003 Active Directory Domain Exists



SUMMARY
This step-by-step article describes how to create a two-way recipient Connection Agreement to replicate an Exchange Server 5.5 directory to a Microsoft Active Directory directory service domain that is on a computer that is running Microsoft Windows 2000 Server or Microsoft Windows Server 2003. Exchange 2003 uses Active Directory to store and to share directory information instead of using a separate directory structure like Exchange Server 5.5.

Identify Mailboxes That Are Associated with the Same Windows NT Account
In Exchange Server 2003, unlike in Exchange Server 5.5, a mailbox is an attribute of an object in Active Directory, not an object itself. Therefore, each user object in Active Directory can only be matched to one mailbox. For every mailbox that exists in the information store, a matching user account must exist in Active Directory.

Before you use the Active Directory Connector (ADC) to replicate mailboxes from Exchange Server 5.5 to Active Directory, you must identify and mark mailboxes that are associated with the same Microsoft Windows NT account.

For additional information about how to identify and mark mailboxes that are associated with the same Windows NT account, click the following article number to view the article in the Microsoft Knowledge Base:

274173 Documentation for the NTDSNoMatch utility

Determine Your Recipient Connection Agreement Configuration and Install the Active Directory Connector
In most ADC deployments, your configuration falls under one of the following two scenarios. Before you configure your recipient Connection Agreements, determine the scenario that applies to you:
 * Scenario 1: The Exchange Server 5.5 mailboxes are associated with accounts that are located in a Windows 2000 or a Windows Server 2003 Active Directory domain.
 * Scenario 2: The Exchange Server 5.5 mailboxes are associated with accounts that are located in a Microsoft Windows NT 4.0 domain, even though a new Windows 2000 or a new Windows Server 2003 Active Directory domain has been created.

After you determine your configuration, install the ADC.

Install ADC
To install the ADC, do the following:
 * 1) Log on to the Windows 2000 or the Windows Server 2003 domain controller as a member of the domain administrators, enterprise administrators, and schema administrators groups.
 * 2) Insert the Exchange Server 2003 CD in the CD-ROM drive.
 * 3) Click Start, click Run, type  :\adc\i386\setup.exe (where   is your CD-ROM drive), and then click OK.
 * 4) In the Welcome dialog box, click Next.
 * 5) Click to accept the license agreement, and then click Next.
 * 6) Click to select the Microsoft Active Directory Connector Service component and the Microsoft Active Directory Connector Management components check boxes, and then click Next.
 * 7) Specify an install location, and then click Next.
 * 8) Specify the service account name that the ADC will use, type the password, and then click Next.
 * 9) When Setup is complete, click Finish.

For additional information about how to configure the ADC, click the following article number to view the article in the Microsoft Knowledge Base:

253286 ADC installation requirements

For additional information about ADC service account requirements, click the following article number to view the article in the Microsoft Knowledge Base:

249817 ADC service account requirements

Scenario 1: Exchange Server 5.5 Mailboxes Are Associated with Accounts That Are Located in a Windows 2000 or a Windows Server 2003 Active Directory Domain
To configure the two-way recipient Connection Agreement, do the following:
 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Connector.
 * 2) Right-click Active Directory Connector, point to New, and then click Recipient Connection Agreement.
 * 3) Click the General tab, and then:
   * a) In the Name box, type the name of the recipient Connection Agreement.
   * b) Under Replication Direction, click Two-way. Click OK in response to the following message:

The Connection Agreement must now write to the Exchange directory.

   * c) Under Active Directory Connector Service, click the server that you want to use to run the Connection Agreement.

Note If this is the first installation, there is only one server available.

 * 4) Click the Connections tab, and then follow these steps:
   * a) Under Windows Server information, do the following:
     * i) Make sure that the Server box contains the name of your Windows 2000-based or Windows Server 2003-based server.
     * ii) Make sure that the Authentication box is set to Kerberos as the authentication method.
     * iii) Under Connect as, click Modify, and then select an administrative account that has write permissions to Active Directory. Type the password, and then click OK.
   * b) Under Exchange Server Information, do the following:
     * i) Make sure that the Server box contains the name of your Exchange Server 5.5 computer.
     * ii) Make sure that the Authentication box is set to Windows Challenge/Response as the authentication method.
     * iii) Under Port, make sure that the Lightweight Directory Access Protocol (LDAP) port on the Exchange Server 5.5 directory is correct. By default, this port is 389.
     * iv) Under Connect as, click Modify, and then select an account that has administrator credentials in the Exchange Server 5.5 directory. The account that you use must have at least administrator permissions to the directory because the recipient Connection Agreement is a two-way agreement, and read and write permissions are required.
 * 5) Click the Schedule tab, and then click to set the replication time to Always.

Note The ADC automatically replicates all the objects during the first replication cycle. Therefore, if you select the Replicate the entire directory the next time the agreement is run check box, you do not affect the first replication cycle.

 * 6) Click the From Exchange tab, and then follow these steps:
   * a) Under Exchange recipients containers, click Add, and then add the site object for the Exchange Server 5.5 site that this Connection Agreement is going to replicate with.

Important Do not add any containers from other sites. If you use multiple sites, you must set up additional two-way recipient Connection Agreements to servers in each of the other sites.

   * b) Under Default destination, click Modify, click the Users container, and then click OK.

Note This is the default container that the ADC creates new objects in if the ADC cannot match the Exchange Server 5.5 object to an existing Active Directory object. If user accounts exist in different organizational units, see the "Important" note in step 7a.

   * c) Make sure that all the objects that are under Select the objects that you want to replicate are selected. By default, all the objects are selected.

Important The ADC replicates all the Exchange Server distribution lists (DLs) to Active Directory as universal distribution groups. You can create these universal distribution groups in either a mixed-mode or a native-mode Active Directory domain. However, if you use the equivalent Exchange Server DL object to control access to public folders in Exchange Server, the Exchange 2003 information store process tries to convert the universal distribution group to a universal security group because distribution groups are not security principals. If the universal distribution group exists in a mixed-mode Active Directory domain, the universal security group conversion process does not succeed because universal security groups can only exist in native-mode domains. This results in a public folder in Exchange 2003 that has an ambiguous access control list (ACL). Because of this, only the folder owner can access the folder's content, and other Exchange 2003 users cannot even see the public folder in the client directory hierarchy. When a conversion from a universal distribution group to a universal security group does not succeed, an event ID 9552 message is logged in the Exchange 2003 application event log. In this scenario, you must have a separate recipient Connection Agreement to replicate the DLs to a native-mode domain.

 * 7) Click the From Windows tab, and then follow these steps:
   * a) Under Windows Organizational Units, click Add, click the root of the domain, and then click OK.

Important We recommend that you specify the root of the domain under Windows Organization Units. Specifying individual Organization Units is supported, but you should do this only if there is a specific need. If you specify individual Organization Units, it is important that all OUs that contain users, groups, or contacts are listed. If you do not specify the Organization Units as export containers, the ADC cannot replicate the users back to the Exchange Server 5.5 directory.

   * b) In the Default destination box, click Modify, click the appropriate Recipients container, and then click OK.
   * c) Make sure that all the objects that are listed under Select the objects that you want to replicate are selected. By default, all the objects are selected.
   * d) Click to select the Replicate secured Active Directory objects to the Exchange Directory check box. Secured Active Directory objects are Active Directory objects that contain an explicit Deny Access Control Entry (ACE).
   * e) Determine whether you want to select the Create objects in location specified by Exchange 5.5 DN check box. If you select this check box, the ADC creates new objects in a location that is based on the Exchange Server 5.5 distinguished name (legacyExchangeDN). If the organizational units that you selected as export containers contain subcontainers, you can select this check box to prevent the ADC from creating these subcontainers in the Exchange Server 5.5 directory. For additional information about subcontainer replication, click the following article number to view the article in the Microsoft Knowledge Base:

253826 How the Active Directory Connector replicates subcontainers

 * 8) Click the Deletion tab. For additional information about the options to select on the Deletion tab, click the following article number to view the article in the Microsoft Knowledge Base:

253829 Description of the Active Directory Connector deletion mechanism

 * 9) Click OK to complete the recipient Connection Agreement. To force replication, right-click the two-way agreement, and then click Replicate Now.
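The "Important" note under step 6c describes a failure that is easy to miss until users report an unreadable public folder: distribution lists that the ADC created as universal distribution groups in a domain that is still in mixed mode. The following PowerShell script is an added check and is not part of the KB article or of the ADC. It reads the domain mode from the ntMixedDomain attribute, lists the ADC-replicated groups that are universal distribution groups (groupType 8, with legacyExchangeDN set as the ADC stamps it), and scans the Application log of one Exchange 2003 server for event ID 9552. It assumes a domain-joined machine with System.DirectoryServices available; the server name in $ExchangeServer is a placeholder.

```powershell
# Added example, not from the KB article: after the first replication cycle, find Exchange 5.5
# distribution lists that arrived as universal distribution groups and report whether the
# domain is still in mixed mode (the combination that breaks public folder ACLs).
param(
    [string]$ExchangeServer = 'EXCH2003-01'   # placeholder, replace with an Exchange 2003 server
)

# Domain naming context; ntMixedDomain = 1 means mixed mode, 0 means native mode.
$rootDse   = [ADSI]'LDAP://RootDSE'
$domainDn  = [string]$rootDse.defaultNamingContext
$domain    = [ADSI]"LDAP://$domainDn"
$mixedMode = ([int]$domain.ntMixedDomain[0] -eq 1)
Write-Host ("Domain {0} is in {1} mode" -f $domainDn, $(if ($mixedMode) { 'mixed' } else { 'native' }))

# The ADC stamps every object it replicates with legacyExchangeDN. groupType 8 is a universal
# group without the security-enabled bit (0x80000000), i.e. a universal distribution group.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = $domain
$searcher.Filter     = '(&(objectCategory=group)(groupType=8)(legacyExchangeDN=*))'
$searcher.PageSize   = 1000
[void]$searcher.PropertiesToLoad.AddRange(@('name', 'legacyExchangeDN', 'distinguishedName'))

$udgs = @(foreach ($r in $searcher.FindAll()) {
    New-Object PSObject -Property @{
        Name              = $r.Properties['name'][0]
        LegacyExchangeDN  = $r.Properties['legacyexchangedn'][0]
        DistinguishedName = $r.Properties['distinguishedname'][0]
    }
})

Write-Host ("{0} ADC-replicated universal distribution groups found" -f $udgs.Count)
if ($mixedMode -and $udgs.Count -gt 0) {
    Write-Warning ('These DLs cannot be converted to universal security groups while the domain is ' +
                   'in mixed mode; the article calls for a separate recipient Connection Agreement ' +
                   'that replicates the DLs to a native-mode domain.')
    $udgs | Format-Table Name, DistinguishedName -AutoSize
}

# Event ID 9552 is what the article says the information store logs when the conversion fails.
# The newest 5000 Application log entries are scanned; raise the number for a busy server.
try {
    $failures = @(Get-EventLog -LogName Application -ComputerName $ExchangeServer -Newest 5000 |
                  Where-Object { $_.EventID -eq 9552 })
    Write-Host ("{0} event ID 9552 entries in the Application log on {1}" -f $failures.Count, $ExchangeServer)
    $failures | Select-Object TimeGenerated, Message | Format-List
}
catch {
    Write-Warning ("Could not read the Application log on {0}: {1}" -f $ExchangeServer, $_.Exception.Message)
}
```

Run it from an account that can read the domain and the remote Application log; no changes are written. A non-zero count of universal distribution groups is harmless in a native-mode domain, so the warning is only raised when both conditions the article describes hold at once.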

Scenario 2: Exchange Server 5.5 Mailboxes Are Associated with Accounts That Are in a Windows NT 4.0 Domain, Even Though a New Windows 2000 or a New Windows Server 2003 Active Directory Domain Exists
This scenario describes how to create a two-way recipient Connection Agreement between an Exchange Server 5.5 computer that is running in a separate Windows NT 4.0 domain, and a new Windows 2000 or a new Windows Server 2003 Active Directory domain. This scenario requires at least a one-way trust relationship where Windows 2000 or Windows Server 2003 Active Directory trusts the Windows NT 4.0 domain. However, for ease of administration, a two-way trust relationship is better.

Important If your migration strategy is to have users log on to your newly-created Active Directory, then you can run Active Directory Migration Tool before you create your two-way recipient Connection Agreement. If you run a domain migration tool that migrates information that is contained in sIDHistory attributes, such as Active Directory Migration Tool (ADMT), before you create your two-way recipient Connection Agreement, you do not have to run the ADClean Utility. Active Directory Migration Tool settings permit administrators to create enabled user accounts that a valid Exchange 5.5 mailbox can match.

For additional information about how to use Active Directory Migration Tool to migrate users, click the following article number to view the article in the Microsoft Knowledge Base:

260871 How to set up ADMT for Windows NT 4.0 to Windows 2000 migration

To create a two-way recipient Connection Agreement between an Exchange Server 5.5 computer that is in a separate Windows NT 4.0 domain and a new Windows 2000 or Windows Server 2003 Active Directory domain, do the following:
 * 1) Perform all the steps in the "Scenario 1" section of this article.
 * 2) In Windows 2000 or Windows Server 2003, start Active Directory Users and Computers, and then confirm that Exchange Server 5.5 users have been replicated as disabled users. These objects are located in the default import container that is specified on the From Exchange tab of the recipient Connection Agreement.

Important Do not enable these disabled users. These accounts are only placeholders for the Exchange Server 5.5 mailboxes. These accounts are not security principals, and are not meant to be logged on to.

 * 3) Use one of the following methods to migrate your user accounts to Active Directory in Windows 2000 or in Windows Server 2003:
   * Upgrade the Windows NT 4.0 domain to Windows 2000 or Windows Server 2003.
   * Use Active Directory Migration Tool to migrate users, including the sIDHistory attributes. For additional information about how to use Active Directory Migration Tool to migrate users, click the following article number to view the article in the Microsoft Knowledge Base:

260871 How to set up ADMT for Windows NT 4.0 to Windows 2000 migration

   * Use a third-party migration utility that supports sIDHistory attribute migration.
 * 4) After you migrate the users to Active Directory in Windows 2000 or in Windows Server 2003, you can run Active Directory Cleanup Wizard (ADClean) to merge the mail attributes from the ADC-created placeholder accounts with your newly migrated users. For additional information about Active Directory Account Cleanup Wizard, click the following article numbers to view the articles in the Microsoft Knowledge Base:

270652 Possible uses of the Active Directory Account Cleanup Wizard

270655 ADClean command line options
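Step 2 asks you to confirm in Active Directory Users and Computers that the Exchange Server 5.5 users arrived as disabled placeholder accounts, and the "Important" note says those placeholders must stay disabled. The following PowerShell script is an added check, not part of the KB article or of the ADC, that does the same verification against the import container and flags any placeholder that has been enabled. It is meant to run at step 2, before the domain migration and before ADClean; once ADClean has merged the placeholders into migrated accounts, enabled mailbox-enabled users are expected. It assumes a domain-joined machine with System.DirectoryServices; $ImportContainer is the container chosen under Default destination on the From Exchange tab (the Users container in the Scenario 1 configuration).

```powershell
# Added example, not from the KB article: list the ADC-created mailbox placeholders in the
# import container and report which of them are disabled (expected) and which are enabled.
param(
    [string]$ImportContainer = ''   # e.g. 'CN=Users,DC=example,DC=com'; empty = Users container of this domain
)

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext
if (-not $ImportContainer) { $ImportContainer = "CN=Users,$domainDn" }

# msExchHomeServerName is present on the mailbox-enabled objects the ADC writes from Exchange 5.5.
# Only the import container itself is searched (OneLevel), not the whole domain.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$ImportContainer"
$searcher.SearchScope = 'OneLevel'
$searcher.Filter      = '(&(objectCategory=person)(objectClass=user)(msExchHomeServerName=*))'
$searcher.PageSize    = 1000
[void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'userAccountControl', 'legacyExchangeDN', 'msExchHomeServerName'))

$placeholders = @(foreach ($r in $searcher.FindAll()) {
    # Bit 0x2 (ACCOUNTDISABLE) of userAccountControl marks a disabled account.
    $uac = [int]$r.Properties['useraccountcontrol'][0]
    New-Object PSObject -Property @{
        SamAccountName   = $r.Properties['samaccountname'][0]
        Disabled         = (($uac -band 0x2) -ne 0)
        HomeServer       = $r.Properties['msexchhomeservername'][0]
        LegacyExchangeDN = $r.Properties['legacyexchangedn'][0]
    }
})

$disabled = @($placeholders | Where-Object { $_.Disabled })
$enabled  = @($placeholders | Where-Object { -not $_.Disabled })
Write-Host ("{0} replicated mailbox objects in {1}: {2} disabled (expected), {3} enabled" -f
            $placeholders.Count, $ImportContainer, $disabled.Count, $enabled.Count)

if ($enabled.Count -gt 0) {
    Write-Warning 'These placeholders are enabled; the article says they must stay disabled until ADClean merges them:'
    $enabled | Format-Table SamAccountName, HomeServer, LegacyExchangeDN -AutoSize
}
```

The script only reads the directory. A zero count usually means the first replication cycle has not finished yet or the Default destination on the From Exchange tab points to a different container than the one passed in $ImportContainer.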

Additional query words: XGEN udg USG

Keywords: kbhowtomaster KB822921

© Microsoft Corporation. All rights reserved.