How to install the Active Directory Connector and Establish a Primary Connection Agreement

Sunday Mar 4th 2001 by ServerWatch Staff
Share:

The Active Directory Connector (ADC) tool allows for directory synchronization between Exchange 5.5 (Ex 5.5) sites and Windows 2000 Active Directory. Remember that Exchange 2000 (E2K) uses Active Directory for directory services. Synchronization can be established in either a bi-directional or unidirectional manner.

Jim Skintauy
Overview

The Active Directory Connector (ADC) tool allows for directory synchronization between Exchange 5.5 (Ex 5.5) sites and Windows 2000 Active Directory. Remember that Exchange 2000 (E2K) uses Active Directory for directory services. Synchronization can be established in either a bi-directional or unidirectional manner. Bi-directional replication allows changes made to the Exchange 5.5 Directory Service (DS) to be replicated to Active Directory and vice-versa. This allows for coexistence between the two environments. Unidirectional replication would allow you to move accounts from the existing populated Exchange 5.5 DS to AD. This would be used to do a quick migration or for testing.

The rest of this overview will focus on bi-directional replication, because this is the most likely deployment in large environments where it is not possible to quickly migrate from Ex 5.5 to E2K

What is synchronized?

When synchronization occurs the following objects are synchronized:

Jim Skintauy

You can also synchronize public folders using the same AD Connector tool.

Moving Mailboxes

After the bi-directional connection is built and the two directories have synchronized, you can move mailboxes.

Where do you install ADC's?

In a large environment you will need more than one ADC connector. Because the ADC relies on RPC to communicate with Ex 5.5, ADC's should be on the same network segment as the Ex 5.5 server that hosts the ADC.

Installing the ADC

Installing the ADC involves making sure you have the right software versions on both the existing Ex 5.5 environment and the new W2K environment. Following is a small list.

For the E5.5 environment:

The Ex 5.5 server that hosts the ADC will need Exchange Service Pack (SP) 3. Testing indicates it will also work with SP4. Don't confuse this with NT service packs. Note that only one server in each site needs to have SP 3 or higher installed. The rest can have a lower service pack version.

For the W2K environment:

All W2K servers in the organization should be running SP1. Microsoft also recommends installing the hot fixes described in Q272691. You can download the fixes from Microsoft.

Jim Skintauy

Order of Installation:

Microsoft recommends the following order of install:

1. Install W2K with SP1 and hot fixes.

2. If the server is going to be a DC, run dcpromo.exe

3. Install the ADC

4. Run Forestprep

5. Establish a connection agreement between the Ex 5.5 site and W2K

6. Run Domainprep

7. Install E2K. When you install E2K consider installing the Exchange 5.5 Admin tool. This tool can be used to manage the Ex 5.5 environment from the E2K server.

I also suggest you have a utility handy called NTDSNOMATCH. This utility is used to identify which users have more than one Ex 5.5 mailbox. You can download the utility at http://www.exinternals.com under tools. The documentation for this utility is in Q274173 and can be found at http://support.microsoft.com/support/kb/articles/Q274/1/73.ASP.

Note that the order of installation may change depending on where, in the domain structure, the W2K server resides. If the W2K server is in a child domain, reverse steps 3 and 4.

Jim Skintauy

The next step is to establish a two-way trust relationship between the W2K and the NT domains. Create an account on the W2K server and make it a member of the Schema and Enterprise Admins groups. On the Ex 5.5 server you are establishing the ADC connection with, assign the same account you just created the Service Account Admin role at the organization, site and configuration containers. You will be using the account you created above for the ADC installation. When you install the ADC you must specify an account that has Service Account Administrator role in the Ex 5.5 environment. Otherwise, you will get errors. Note that if you get permission errors during the installation and you decide to make permission changes to the Ex 5.5 machine, you will need to restart the Ex 5.5 services (go to services and stop / start the Microsoft Exchange Server System Attendant) This will start and stop the other services. You are now ready to run the ADC installation. The setup program comes on the E2K CD in the ADC | I386 directory.

You will need to know which accounts you used to install the ADC. They will be important later when you establish your connection agreement(s).

Now the fun starts - establishing the first connection agreement

The connection agreement allows you to specify which recipient containers will be synchronized. This is specified in both directions when using a two-way connection. For example, you can synchronize the Ex 5.5 Recipients container with an Active Directory OU like "Exchange Mailboxes." You can specify this in the other direction - from the OU "Exchange Mailboxes" to the Ex 5.5 Recipients container.

Keep a copy of TechNet close by so you can easily solve any permissions issues. Below you will find a list of the Q articles for common errors.

Before installing the connection, I suggest printing out "A Guide for Upgrading from MS Exchange Server 5.5 to Exchange 2000 Server." It has screen shots of many of the settings, as well as references to additional Q articles when you are having trouble. It is a handy reference.

Jim Skintauy

Before starting, do the following:

1. Make sure that the account you are running the ADC under has the following rights:

                    Access the computer over the network

                    Log on Locally

If you have to reset account permissions after the ADC is installed, be sure to restart the ADC service.

2. Go to services and find the MS Active Directory Service. Select the logon tab and put in the Ex5.5 service account and password, or an account with similar permissions (the account you used to install the ADC should work.)

You are now ready to establish the first connection agreement!

Steps:

1. Start the ADC, select the Active Directory Connect (server), right click and select "New." Select "Recipient Connection Agreement."

2. In the General Tab name the connection and select two-way under Replication. Read the warning and click OK

3. Go to the connection tab. This is where you will set the permissions needed for the connection. You will need to put in accounts that have the required permissions for both Ex 5.5 and W2K/E2K. The Ex 5.5 Service Account is a good choice. An account that is a member of Domain Admins and is a good choice for the W2K side. This account will eventually need to have Exchange Full Admins permissions after E2K is installed. Note: You may have to change the LDAP port on the Ex 5.5 server. See Q224447 for details. If you make mistakes on anything in this tab, you will get errors.

Jim Skintauy

4. Set a schedule to synchronize. Always means every 15 minutes.

5. Select the "From Exchange" tab. In this box, you will be asked to select which Ex 5.5 containers to synchronize from and to which W2K container (usually an OU you create for this purpose) you want to synchronize to. You also select what objects you want to synchronize (Mailboxes, Custom Recipients, DL's)

6. Select the "From Windows" tab. You do the same thing as in the previous step, except in the opposite direction.

7. The deletion tab allows you to specify how deleted accounts are handled. You can either delete the accounts or save the suggested deletions to an update file. If you choose the latter, the accounts are not deleted until you apply the file. They save the files in either a CSV format for Ex. 5.5 updates or an LDF format for W2K updates. To use these files you should be familiar with the W2K tool LDIFDE and the Ex 5.5 Directory Import/Export tools. If you choose to save the changes to a file they are saved in the Winnt\MSADC\"name of connection" folder. You can then modify the deletions in the file and decide how you want to apply them.

8. Next you will look at the Advanced tab. There are two major things to configure. First is the type of connection agreement this will be. Primary agreements can actually create new accounts, while non-primary agreements can only update attributes on existing objects. The second configuration decision is how the new accounts will appear in W2K. The default is to Create a disabled Windows user account. Other choices are to create a new Windows 2000 account or create a contact. Which you choose depends on your W2K migration strategy. Another issue that may come up is if you are replicating DL's. If your W2K environment is in a mixed mode, you will get an error saying you can't create DL's unless the domain is in native mode. This error is correct (i.e., if you want DL's to be migrated, switch to native mode) but leaves the impression that you can't recreate the DL's as Universal Distribution Groups. You can - but you must do it manually and that could be a lot of work.

Jim Skintauy

9. Once all this is done, you click OK and you should be ready to go. One caution - you must make sure that the ADC has write permissions on the target (W2K) domain. Otherwise objects will not replicate from Ex 5.5 to AD.

List of Q Articles for Common Errors Installing and Configuring ADC

XADM: Error c103aa11 Occurs When Configuring ADC [Q277858]

ADM: Error c1031b95 Configuring an ADC Connection Agreement [Q247888]

"C1037ae6" Error When You Install the Active Directory Connector [Q247834]

Active Directory Connector Generates Event 8182 [Q257250]

Hotfix Rollup Package Corrects Problems in Q257357 and Q271907 [Q271976]

"C1037ae6" Error When You Install the Active Directory Connector [Q247834]

Installing Exchange 2000

After the ADC is up and running, you are ready to install E2K. During the installation you will be prompted for the name of an Ex 5.5 server in the site you are joining and for the Ex 5.5 service account. You might want to install the Ex 5.5 Administrator tool with the E2K install to allow you to manage the Ex 5.5 site.

After E2K is installed

After E2K is installed you will see a new connection agreement appear called ConfigCA. The ADC creates this agreement so that the Ex 5.5 and E2K environments can properly replicate. This replication is actually performed by the Site Replication Service (SRS).

Moving Mailboxes

You are now ready to move mailboxes through Active Directory Users and Computers!

Share:
Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved


Object Synchronized to
Mailboxes User, if mapped to W2K domain

Mailbox enabled recipient if not mapped to W2K domain

Custom Recipient Contact
Distribution List Universal Distribution Group