How do I configure Active Directory Connector Connection Agreements (CA)?
MSKB 296260 has the following information:
In most ADC deployments, your configuration falls under one of the following scenarios; before you configure Connection Agreements (CA), determine which scenario applies to your situation:
First scenario. The Exchange Server 5.5 mailboxes are associated with accounts in a Windows 2000 Active Directory domain.
Second scenario. The Exchange Server 5.5 mailboxes are associated with accounts that are located in a Windows NT 4.0 domain, even though a new Windows 2000 Active Directory domain has been created.
To configure the two-way user Connection Agreement:
On the Start menu, point to Programs, point to Administrative Tools, and then click Active Directory Connector Management.
Right-click Active Directory Connector, point to New, and then click Connection Agreement.
Click the General tab, and then:
Type the name of the Connection Agreement in the Name box.
Under Replication Direction, click Two-way.
When you receive the following message, click OK:
The connection agreement must now write to the Exchange directory.
Click the Active Directory Connector server that you want to use.
Note: If this is the first installation, there is only be one server available.
Click the Connections tab, and then:
Under Windows Server Information:
Make sure that:
The Server box contains the name of your Windows 2000-based server.
The Authentication box defaults to “Windows Challenge/Response”.
The account that you are using has write permissions to the directory because the agreement is a two-way agreement, and read and write permissions are necessary.
Under Connect as, click Modify, and then select an Administrative account that has write permissions to Active Directory.
Under Exchange Server Information:
Make sure that:
The Server box contains the name of your Exchange Server 5.5 computer.
The Authentication box defaults to “Windows Challenge/Response”.
The account that you are using has at least Admin permissions to the directory because the agreement is a two-way agreement, and read and write permissions are necessary.
The Lightweight Directory Access Protocol (LDAP) port on the Exchange Server 5.5 directory is correct (by default, this port is 389).
In the Connect as list, click Modify, and then select an account that has Admin privileges in the Exchange Server 5.5 directory.
Click the Schedule tab, and then set the Replication time to Always.
Note: The ADC automatically replicates all of the objects during the first replication cycle; therefore, if you select the Replicate the entire directory the next time the agreement is run check box, you do not affect the first replication cycle.
Click the From Exchange tab, and then:
Under Exchange Recipients containers, click Add, and then add each top-level Recipients container from your Exchange Server 5.5 site.
Important: Do not add any containers from other sites. If you use multiple sites, you need to set up additional two-way connection agreements to servers in each of the other sites.
Under Default destination, click Modify, and then click the Users container.
Note: This is the default container in which the ADC will create new objects if the ADC cannot match the Exchange Server 5.5 object to an existing Active Directory object. If user accounts exist in different organizational units, see the IMPORTANT note in step 6.c.
Make sure that all of the objects under Select the objects that you want to replicate are selected (all of the objects are selected by default).
Important: The ADC replicates all of the Exchange Server distribution lists (DLs) to Active Directory as Universal Distribution Groups (UDGs). You can create these UDGs in either a mixed-mode or native-mode Active Directory domain. However, if you use the equivalent Exchange Server DL object to control access to public folders in Exchange Server, the Exchange 2000 information store process tries to convert the UDG to a Universal Security Groups (USG) because distribution groups are not security principals. If the UDG exists in a mixed-mode Active Directory domain, the USG conversion process does not succeed because USGs can only exist in native-mode domains. This results in a public folder in Exchange 2000 that has an ambiguous Access Control List (ACL); because of this, only the folder owner can access the folder’s content, and other Exchange 2000 users cannot even see the public folder in the client hierarchy. When a UDG-to-USG conversion does not succeed, a 9552 event ID message is logged in the Exchange 2000 Application event log. In this scenario, you need a separate Recipient Connection Agreement to replicate the DLs to a native-mode domain.
Click the From Windows tab, and then:
Under Windows Organizational Units, click Add, and then add the Users container.
Important: If the Active Directory domain contains additional organizational units that contain users with Exchange mailboxes, you must specify these organizational units under Windows Organizational Units. If you do not specify the organizational units as export containers, the ADC cannot replicate the users back to the Exchange Server 5.5 directory.
Under Default destination box, click Modify, and then click the appropriate Recipients container.
Make sure that all of the objects under Select the objects that you want to replicate box are selected (all of the objects are selected by default).
Click to select the Replicate secured Active Directory objects to the Exchange directory check box. Secured Active Directory objects are Active Directory objects that contain an explicit Deny Access Control Entry (ACE).
Determine whether or not you want to select the Create objects in location specified by Exchange 5.5 DN check box. If you select this check box, the ADC creates new objects in a location that is based on the Exchange Server 5.5 distinguished name (legacyExchangeDN). If the organizational units that you selected as export containers contain subcontainers, you can select this check box to prevent the ADC from creating these subcontainers in the Exchange Server 5.5 directory.
Click the Deletions tab.
You are now finished configuring the recipient Connection Agreement. To force replication, right-click the two-way agreement, and then click Replicate Now.
This scenario describes how to create a two-way recipient Connection Agreement between an Exchange Server 5.5 computer that is running in a separate Windows NT 4.0 domain and a new Windows 2000 Active Directory domain. This scenario requires at least a one-way trust relationship in which Windows 2000 Active Directory trusts the Windows NT 4.0 domain. However, to ease administrative effort, a two-way trust relationship is recommended. Important: if your migration strategy is to have users log on to your newly-created Active Directory, then you can run the ADMT before you create your two-way recipient Connection Agreement. If you run a domain migration tool that migrates SidHistory such as ADMT before you create your two-way recipient Connection Agreement, you do not have to run the ADClean Utility. ADMT settings allow the Administrator to create enabled users with which a valid 5.5 mailbox can match.
To create a two-way recipient Connection Agreement between an Exchange Server 5.5 computer that is running in a separate Windows NT 4.0 domain and a new Windows 2000 Active Directory domain:
Perform all of the steps in the “First Scenario” section of this article.
Start the Windows 2000 Active Directory Users and Computers snap-in, and then confirm that Exchange Server 5.5 users have been replicated as disabled users. Note that these objects are located in the default import container that is specified on the From Exchange tab of the Recipient Connection Agreement.
Important: Do not enable these disabled users. These accounts are only place holders for the Exchange Server 5.5 mailboxes; these accounts are not security principals, and are not meant to be logged on to.
Determine which one of the following methods you want to use to migrate your user accounts to Windows 2000 Active Directory:
Upgrade the Windows NT 4.0 domain to Windows 2000.
Use the Active Directory Migration Tool (ADMT) to migrate users, including SidHistory.
Use a third-party migration utility that supports SidHistory migration.
After you migrate the users to Windows 2000 Active Directory, you can run the Active Directory Cleanup Wizard (ADClean) to merge the mail attributes from the ADC-created place holder accounts with your newly migrated users.