MCSE-06-Implementing of a Exchange Server 2003-08-Theory

8/6/2019 MCSE-06-Implementing of a Exchange Server 2003-08-Theory

1/35

ADVANTAGE PRO Chennais Premier Networking Training Centre

Connection Exchange 5.5 toActive Directory Service


2/35


Microsoft Active Directory Connector

Installation

Deploying connection agreements

Administering connection agreements

Matching rules

Attribute mapping


3/35


Introduction

Exchange server 5.5 runs in windows NT

platform

It maintain its own directory in its enviroment

We require ADC connector tool to different

exchange versions


4/35


ADC Components

Connection Agreements

Define replication characteristics

Servers, credentials, schedule, export/importcontainer, etc.

ADC Policy

Defines how objects get matched

Defines how attributes flowService

Executes configured settings


5/35


ActiveActive

DirectoryDirectory

ExchangeExchange

5.55.5ADCADC

ADCADC

ADCADC

PolicyPolicy

ADC Components


6/35


ADC Connector

Type of ADC Connectors

Windows Server 2000 Version

Exchange 2000 Version

Exchange 2003 Version


7/35


ADC Installation

Consideration before installing ADC Connector

The account should be member of Schema and

Enterprise Admin group

You should run forestprep and domain prep to

install ADC


8/35


Merging Duplicate Account

Duplicate account can result in performance

problems with an exchange organisation and

difficult in authentication

The Active Directory Account Cleanup Wizard

solve the above problem (ADClean.exe)


9/35


Troubleshootingthe ADC

Checklist to troubleshoot ADC Problem Is the ADC service running?

Is there only one ADC Server, is it online?

Does the user account that you are using onthe target directory have sufficient permission

to create or modify objects?

Is a connection agreement configured betweenthe exchange server computer and the active

directory server?


10/35


Diagnostic Logging

Diagnostic Logging is a useful tool fortroubleshooting the ADC

The Logging categories are as follows

Replication

Account management]

Attribute mappingService Controller

LDAP Operations


11/35


InstallingThe Active Directory Connector

Permissions required to run Setup

Schema Administrator

Enterprise AdministratorService account permissions

Exchange 2000 Full Administrator (delegated from theorganization level)

Member of the Built-In\Administrators group for thedomain to which the server belongs


12/35


Understanding Your Exchange 5.5

Structure

Understand the location and container hierarchy of your:

Mailboxes

Custom recipientsDistribution lists

Exchange 5.5 site structure

How many Exchange 5.5 sites are there?

Determine from which Windows NT domain(s) yourExchange 5.5 mailboxes have associated WindowsNT accounts (for each 5.5 site)


13/35


14/35


Domain ADomain A

Domain BDomain B

Mailbox 1Mailbox 1Mailbox 2Mailbox 2

User AUser A

U

ser BU

ser BUser CUser C

User DUser D

Associated-NT-AccountMapping

Exchange 5.5Exchange 5.5

Site 1Site 1

Exchange 5.5Exchange 5.5Site 2Site 2

Mailbox 3Mailbox 3Mailbox 4Mailbox 4Mailbox 5Mailbox 5


15/35


ResourceMailbox Issue

Definition

Multiple mailboxes with same primary Windows NTaccount

Issue

How to link the correct mailbox to the correspondinguser object when one is a personal mailbox and theother is the resource mailbox

ADC should map personal mailbox to Windows NTaccount


16/35


Domain ADomain A

Domain BDomain B


User AUser A

User BUser B

User CUser C

U

ser DU

ser D

Associated-NT-AccountMapping


Site 1Site 1


Site 2Site 2


Mailbox 5Mailbox 5


17/35


Preparing Your Exchange 5.5 Directory

Set extension-attribute-10 with the valueNTDSNoMatch on ALL resource mailboxes

Run ntdsatrb tool

Formerly known as NTDSNoMatch

Searches Exchange 5.5 directory for ambiguousassociated-nt-accounts

Creates CSV file for import back into Exchange 5.5

Knowledge Base article Q274173

Included in the Exchange 2000 Resource Kit


18/35


One-Wayvs. Two-Way Connection

Agreements

One-way connection agreements

All mailbox management must occur from the sourcedirectory

Creation, modification, deletion

Cannot administer mailbox security on Exchange2000 mailboxes from Exchange 5.5

Two-way connection agreements

Mailbox management can occur from any directoryCannot administer mailbox security on Exchange2000 mailboxes from Exchange 5.5


19/35


Primary VS Non-Primary Connection Agreements

Active Directory

Primary connection agreements create objects if theydont already exist in the Active Directory

Exchange 5.5

Primary connection agreements create objects if no

legacy DN is specified on the Active Directory object


20/35


Single Exchange 5.5 Site Export

Use a single Exchange 5.5 site to export data into theActive Directory

Advantages

Fewer connection agreements to manageDisadvantages

Cannot manage Exchange 5.5 read-only sites

Replication latency for Address Book updates within

Active DirectoryOverhead when changing CA structure

Tombstone issues


21/35


Mailbox 1Mailbox 1Mailbox 2Mailbox 2Mailbox 3Mailbox 3Mailbox 4Mailbox 4Mailbox 5Mailbox 5


Site 1Site 1


Site 2Site 2Mailbox 1Mailbox 1Mailbox 2Mailbox 2Mailbox 3Mailbox 3Mailbox 4Mailbox 4

Mailbox 5Mailbox 5

Domain ADomain A

Domain BDomain B

User AUser A

User BUser B

User CUser C

User DUser D

Single Exchange 5.5 Site Export


22/35


Multiple Exchange 5.5 Site Export

Export only read/write replicas from Exchange 5.5 into theActive Directory

Advantages

Manage recipients anywhere

Less replication latency for Address Book updateswithin Active Directory

Disadvantages

Too many connection agreements to create andmanage!


23/35


Domain ADomain A

Domain BDomain B

Mailbox 1Mailbox 1Mailbox 2Mailbox 2Mailbox 3Mailbox 3Mailbox 4Mailbox 4Mailbox 5Mailbox 5

User AUser A

User BUser B

User CUser C

User DUser D

Multiple Exchange 5.5 Site Export


Site 1Site 1


Site 2Site 2Mailbox 1Mailbox 1Mailbox 2Mailbox 2Mailbox 3Mailbox 3Mailbox 4Mailbox 4

Mailbox 5Mailbox 5


24/35


Active Directory ConnectorManagement

Node


25/35


Active Directory ConnectorManagement

The Active Directory Connector Management nodeallows you to:

Customize attribute mapping rules

Customize object matching rules

assoc-nt-account = object-sid/sid-history (Exchange 5.5 Active Directory)

object-sid = assoc-nt-account (Active Directory Exchange 5.5)

Applies to all connection agreements


26/35


AttributeMapping


27/35


AttributeMapping

Attribute maps can be stored on both the ADCpolicy and connection agreement

msExchServer1SchemaMap (AD->Ex)msExchServer2SchemaMap (Ex->AD)

Local.map and remote.map files on the ADCinstallation media

Maps from both the policy and CA are merged


28/35


AttributeMapping Format

Source and target object-classEntire object-class hierarchy with a dollar delimiter ($)between each object-class

Example: user$organizationalPerson$person$top

Leaving this blank assumes all object-classes

Source and target attribute

LDAP-display-name of attribute

Prefix

Common value appended to source valueSyntax

DN Should always be used when mapping to a targetattribute which is of type DN syntaxed


29/35


ObjectMatchingUserInterface


30/35


ObjectMatchingRules

The UI allows you to match objects with the followingattributes

Exchange 5.5 (19 attributes)

object-guid, assoc-nt-account, mail-nickname, target-address, extension-attribute-1 15

Active Directory (22 attributes)

object-guid, legacy-exchange-dn, object-sid, sam-account-name, sid-history, smtp mail address, userprincipal name (upn), extension-attribute-1 15


31/35


Active Directory Connector ServiceNode


32/35


Diagnostics Logging


33/35


Active Directory Connector ServiceNode

Properties

The Active Directory Connector service node allows you to:

Enable diagnostic logging

Replication, account management, attribute

mapping, service controller, LDAP operations Registry key

HKLM\SYSTEM\CurrentControlSet\Services\MSADC\Diagnostics (DWORD)

1 = minimum, 3 = medium, 5 = maximum

TIP: To assist in troubleshooting, disable all CAs except the one youare concerned with.(Minimizes log output.)


34/35


Debugging ADC ReplicationIssues

Is the ADC started?

Do I have connection agreements ex

porting thenecessary containers?

Are there any errors in the event log?

Force replication of the connection agreement and

check event log for errorsTurn up event logs


35/35


ALL THE BEST

Documents

MCSE-06-Implementing of a Exchange Server 2003-08-Theory