How to install the Active Directory Connector and Establish a Primary Connection Agreement
by ServerWatch Staff
The Active Directory Connector (ADC) tool allows for directory
synchronization between Exchange 5.5 (Ex 5.5) sites and Windows 2000 Active
Directory. Remember that Exchange 2000 (E2K) uses Active Directory for directory
services. Synchronization can be established in either a bi-directional or
unidirectional manner. Bi-directional replication allows changes made to the
Exchange 5.5 Directory Service (DS) to be replicated to Active Directory and
vice-versa. This allows for coexistence between the two environments.
Unidirectional replication would allow you to move accounts from the existing
populated Exchange 5.5 DS to AD. This would be used to do a quick migration or
The rest of this overview will focus on bi-directional replication, because
this is the most likely deployment in large environments where it is not
possible to quickly migrate from Ex 5.5 to E2K.
What is synchronized?
When synchronization occurs the following objects are synchronized:
User, if mapped to W2K domain
Mailbox enabled recipient if not mapped to W2K domain
You can also synchronize public folders using the same AD Connector tool.
After the bi-directional connection is built and the two directories have
synchronized, you can move mailboxes.
Where do you install ADCs?
In a large environment you will need more than one ADC. Because the
ADC relies on RPC to communicate with Ex 5.5, ADCs should be on the same
network segment as the Ex 5.5 server that hosts the ADC.
Installing the ADC
Installing the ADC involves making sure you have the right software versions
on both the existing Ex 5.5 environment and the new W2K environment. Following
is a small list.
For the E5.5 environment:
The Ex 5.5 server that hosts the ADC will need Exchange Service Pack (SP) 3.
Testing indicates it will also work with SP4. Don't confuse this with NT
service packs. Note that only one server in each site needs to have SP 3 or
higher installed. The rest can have a lower service pack version.
For the W2K environment:
All W2K servers in the organization should be running SP1. Microsoft
also recommends installing the hot fixes described in Q272691. You can download
the fixes from Microsoft.
The next step is to establish a two-way trust relationship between the W2K and the NT domains.
Create an account on the W2K server and make it a member of the Schema and
Enterprise Admins groups. On the Ex 5.5 server you are establishing the ADC
connection with, assign the account you just created the Service
Account Admin role at the organization, site and configuration containers. You
will use this account for the ADC installation: when
you install the ADC you must specify an account that has the Service Account
Administrator role in the Ex 5.5 environment. Otherwise, you will get errors. Note
that if you get permission errors during the installation and you decide to make
permission changes to the Ex 5.5 machine, you will need to restart the Ex 5.5
services (go to Services and stop and start the Microsoft Exchange Server System
Attendant). This will start and stop the other services. You are now ready to run
the ADC installation. The setup program comes on the E2K CD in the ADC | I386
You will need to know which accounts you used to install the ADC. They will
be important later when you establish your connection agreement(s).
Now the fun starts - establishing the first connection agreement
The connection agreement allows you to specify which recipient containers
will be synchronized. This is specified in both directions when using a two-way
connection. For example, you can synchronize the Ex 5.5 Recipients container
with an Active Directory OU like "Exchange Mailboxes." You can specify
this in the other direction - from the OU "Exchange Mailboxes" to
the Ex 5.5 Recipients container.
Keep a copy of TechNet close by so you can easily solve any permissions
issues. Below you will find a list of the Q articles for common errors.
Before installing the connection, I suggest printing out "A Guide for
Upgrading from MS Exchange Server 5.5 to Exchange 2000 Server." It has
screen shots of many of the settings, as well as references to additional Q
articles when you are having trouble. It is a handy reference.
1. Make sure that the account you are running the ADC under has the
Access the computer over the network
Log on Locally
If you have to reset account permissions after the ADC is installed, be sure
to restart the ADC service.
2. Go to services and find the MS Active Directory Service. Select the
logon tab and put in the Ex5.5 service account and password, or an account
with similar permissions (the account you used to install the ADC should
You are now ready to establish the first connection agreement!
1. Start the ADC, select the Active Directory Connect (server), right
click and select "New." Select "Recipient Connection
2. In the General Tab name the connection and select two-way under
Replication. Read the warning and click OK.
3. Go to the Connection tab. This is where you will set the permissions
needed for the connection. You will need to put in accounts that have the
required permissions for both Ex 5.5 and W2K/E2K. The Ex 5.5 Service Account
is a good choice for the Ex 5.5 side. An account that is a member of Domain Admins is a good
choice for the W2K side. This account will eventually need to have Exchange
Full Admins permissions after E2K is installed. Note: You may have to change
the LDAP port on the Ex 5.5 server. See Q224447 for details. If you make
mistakes on anything in this tab, you will get errors.
4. Set a schedule to synchronize. Always means every 15 minutes.
5. Select the "From Exchange" tab. In this box, you will be asked
to select which Ex 5.5 containers to synchronize from and which W2K container
(usually an OU you create for this purpose) to synchronize to. You also
select which objects you want to synchronize (Mailboxes, Custom Recipients, DLs).
6. Select the "From Windows" tab. You do the same thing as in the
previous step, except in the opposite direction.
7. The Deletion tab allows you to specify how deleted accounts are handled.
You can either delete the accounts or save the suggested deletions to an update
file. If you choose the latter, the accounts are not deleted until you apply the
file. The files are saved in either CSV format for Ex 5.5 updates or LDF
format for W2K updates. To use these files you should be familiar with the W2K
tool LDIFDE and the Ex 5.5 Directory Import/Export tools. If you choose to save
the changes to a file, they are saved in the Winnt\MSADC\"name of
connection" folder. You can then modify the deletions in the file and
decide how you want to apply them.
8. Next you will look at the Advanced tab. There are two major things to
configure. First is the type of connection agreement this will be. Primary
agreements can actually create new accounts, while non-primary agreements can
only update attributes on existing objects. The second configuration decision is
how the new accounts will appear in W2K. The default is to Create a disabled
Windows user account. Other choices are to create a new Windows 2000 account or
create a contact. Which you choose depends on your W2K migration strategy.
Another issue that may come up is if you are replicating DLs. If your W2K
environment is in mixed mode, you will get an error saying you can't create
DLs unless the domain is in native mode. This error is correct (i.e., if you
want DLs to be migrated, switch to native mode) but leaves the impression
that you can't recreate the DLs as Universal Distribution Groups. You can,
but you must do it manually and that could be a lot of work.
9. Once all this is done, you click OK and you should be ready to go. One
caution - you must make sure that the ADC has write permissions on the
target (W2K) domain. Otherwise objects will not replicate from Ex 5.5 to AD.
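The review that step 7 describes, where suggested deletions are saved to an LDF file and inspected before being applied, can be scripted. The following is an added example, not part of the original article or of the ADC itself; it assumes the saved file contains standard LDIF records marked "changetype: delete", and the sample data, the example.com domain and the function names are constructed for illustration.

```python
import base64

# Constructed sample, not real ADC output. Assumption: the saved LDF file
# uses standard LDIF (RFC 2849) records marked "changetype: delete".
_B64 = base64.b64encode(b"CN=svc-backup,CN=Users,DC=example,DC=com").decode()
SAMPLE_LDF = (
    "dn: CN=Jane Doe,OU=Exchange Mailboxes,DC=example,DC=com\n"
    "changetype: delete\n\n"
    "dn: CN=A Very Long Display Name,OU=Exchange Mailb\n"
    " oxes,DC=example,DC=com\n"          # folded (continuation) line
    "changetype: delete\n\n"
    "dn:: " + _B64 + "\n"                # base64-encoded DN
    "changetype: delete\n\n"
    "dn: CN=Bob,OU=Exchange Mailboxes,DC=example,DC=com\n"
    "changetype: modify\nreplace: description\ndescription: kept\n-\n"
)

def unfold(text):
    """Join continuation lines (RFC 2849: a line starting with a space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def pending_deletes(text):
    """Return the DN of every record whose changetype is delete."""
    deletes, dn, is_delete = [], None, False
    for line in unfold(text) + [""]:      # trailing "" flushes the last record
        low = line.lower()
        if not line.strip():              # a blank line ends a record
            if dn and is_delete:
                deletes.append(dn)
            dn, is_delete = None, False
        elif low.startswith("dn::"):
            dn = base64.b64decode(line[4:].strip()).decode("utf-8")
        elif low.startswith("dn:"):
            dn = line[3:].strip()
        elif low.replace(" ", "") == "changetype:delete":
            is_delete = True
    return deletes

def outside_scope(dns, allowed_suffix):
    """DNs not under the container this agreement is meant to manage."""
    suffix = "," + allowed_suffix.lower()
    return [d for d in dns if not d.lower().endswith(suffix)]
```

Pass the contents of the saved file to pending_deletes, then review anything outside_scope returns for the OU named in the connection agreement before applying the file with LDIFDE.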
List of Q Articles for Common Errors Installing and Configuring ADC
XADM: Error c103aa11 Occurs When Configuring ADC [Q277858]
ADM: Error c1031b95 Configuring an ADC Connection Agreement [Q247888]
"C1037ae6" Error When You Install the Active Directory Connector
Active Directory Connector Generates Event 8182 [Q257250]
Hotfix Rollup Package Corrects Problems in Q257357 and Q271907 [Q271976]
Installing Exchange 2000
After the ADC is up and running, you are ready to install E2K. During the
installation you will be prompted for the name of an Ex 5.5 server in the site
you are joining and for the Ex 5.5 service account. You might want to install
the Ex 5.5 Administrator tool with the E2K install to allow you to manage the Ex
After E2K is installed
After E2K is installed you will see a new connection agreement appear called
ConfigCA. The ADC creates this agreement so that the Ex 5.5 and E2K environments
can properly replicate. This replication is actually performed by the Site
Replication Service (SRS).
You are now ready to move mailboxes through Active Directory Users and
This article was originally published on Monday Mar 5th 2001