Last Update: Sep 17, 2024 | Published: Jan 06, 2009
How do I configure Active Directory Connector Connection Agreements (CA)?
MSKB 296260 has the following information:
In most ADC deployments, your configuration falls under one of the following scenarios; before you configure Connection Agreements (CA), determine which scenario applies to your situation:
In both scenarios, you need to install the ADC. To install the ADC, follow this article: Active Directory Connector Installation
To configure the two-way user Connection Agreement:
Note: If this is the first installation, there is only one server available.
Note: The ADC automatically replicates all of the objects during the first replication cycle; therefore, if you select the Replicate the entire directory the next time the agreement is run check box, you do not affect the first replication cycle.
Important: Do not add any containers from other sites. If you use multiple sites, you need to set up additional two-way connection agreements to servers in each of the other sites.
Note: This is the default container in which the ADC will create new objects if the ADC cannot match the Exchange Server 5.5 object to an existing Active Directory object. If user accounts exist in different organizational units, see the IMPORTANT note in step 6.c.
Important: The ADC replicates all of the Exchange Server distribution lists (DLs) to Active Directory as Universal Distribution Groups (UDGs). You can create these UDGs in either a mixed-mode or native-mode Active Directory domain. However, if you use the equivalent Exchange Server DL object to control access to public folders in Exchange Server, the Exchange 2000 information store process tries to convert the UDG to a Universal Security Group (USG) because distribution groups are not security principals. If the UDG exists in a mixed-mode Active Directory domain, the USG conversion process does not succeed because USGs can only exist in native-mode domains. This results in a public folder in Exchange 2000 that has an ambiguous Access Control List (ACL); because of this, only the folder owner can access the folder’s content, and other Exchange 2000 users cannot even see the public folder in the client hierarchy. When a UDG-to-USG conversion does not succeed, a 9552 event ID message is logged in the Exchange 2000 Application event log. In this scenario, you need a separate Recipient Connection Agreement to replicate the DLs to a native-mode domain.
Important: If the Active Directory domain contains additional organizational units that contain users with Exchange mailboxes, you must specify these organizational units under Windows Organizational Units. If you do not specify the organizational units as export containers, the ADC cannot replicate the users back to the Exchange Server 5.5 directory.
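A pre-check for the distribution-list note above, added here as an example that is not part of the KB article: it reads an LDIF directory export and lists universal distribution groups (groupType 8, no security bit) that sit in a mixed-mode domain (nTMixedDomain 1) and are used on public folder ACLs. The list of ACL groups, the function names and the sample DNs are assumptions for illustration.

```python
# Added example, not from the KB article. SAMPLE_LDIF is constructed test data.
# Assumes a single-domain LDIF export; base64 ("attr:: ...") values are not decoded.
UNIVERSAL = 0x8                # groupType scope bit: universal group
SECURITY_ENABLED = 0x80000000  # groupType bit: group is a security principal
SAMPLE_LDIF = """\
dn: DC=corp,DC=example
objectClass: domainDNS
nTMixedDomain: 1

dn: CN=Sales DL,OU=Groups,DC=corp,DC=example
objectClass: group
groupType: 8

dn: CN=Finance Admins,OU=Groups,DC=corp,DC=example
objectClass: group
groupType: -2147483640

dn: CN=HR DL,OU=Groups,DC=corp,DC=example
objectClass: group
groupType: 8
"""

def parse_ldif(text):
    """Return one dict per LDIF record: lower-cased attribute -> list of values."""
    records = []
    for block in text.replace("\n ", "").strip().split("\n\n"):  # unfold, then split
        rec = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                rec.setdefault(attr.strip().lower(), []).append(value.strip())
        if rec:
            records.append(rec)
    return records

def unconvertible_groups(ldif_text, acl_group_dns):
    """DNs of UDGs in a mixed-mode domain that are named in acl_group_dns."""
    records = parse_ldif(ldif_text)
    mixed = [r["dn"][0].lower() for r in records if r.get("ntmixeddomain") == ["1"]]
    wanted = {dn.lower() for dn in acl_group_dns}
    flagged = []
    for r in records:
        if "group" not in r.get("objectclass", []) or "grouptype" not in r:
            continue
        gtype = int(r["grouptype"][0]) & 0xFFFFFFFF  # LDIF holds a signed 32-bit int
        is_udg = bool(gtype & UNIVERSAL) and not gtype & SECURITY_ENABLED
        dn = r["dn"][0].lower()
        if is_udg and dn in wanted and any(dn.endswith("," + d) for d in mixed):
            flagged.append(r["dn"][0])
    return flagged
```

Groups returned by `unconvertible_groups` are the ones to replicate to a native-mode domain through a separate Recipient Connection Agreement, as the note describes.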
This scenario describes how to create a two-way recipient Connection Agreement between an Exchange Server 5.5 computer that is running in a separate Windows NT 4.0 domain and a new Windows 2000 Active Directory domain. This scenario requires at least a one-way trust relationship in which Windows 2000 Active Directory trusts the Windows NT 4.0 domain. However, to ease administrative effort, a two-way trust relationship is recommended.
Important: If your migration strategy is to have users log on to your newly created Active Directory, then you can run the ADMT before you create your two-way recipient Connection Agreement. If you run a domain migration tool that migrates SidHistory such as ADMT before you create your two-way recipient Connection Agreement, you do not have to run the ADClean Utility. ADMT settings allow the Administrator to create enabled users with which a valid 5.5 mailbox can match.
To create a two-way recipient Connection Agreement between an Exchange Server 5.5 computer that is running in a separate Windows NT 4.0 domain and a new Windows 2000 Active Directory domain:
Important: Do not enable these disabled users. These accounts are only place holders for the Exchange Server 5.5 mailboxes; these accounts are not security principals, and are not meant to be logged on to.
XGEN: How to Configure a Two-Way Recipient Connection Agreement for Exchange Server 5.5 Users – 296260
XADM: ADC Installation Requirements – 253286
XADM: Description of the Active Directory Connector Deletion Mechanism – 253829
XADM: How Active Directory Connector Replicates Subcontainers – 253826
How to Set Up ADMT for Windows NT 4.0 to Windows 2000 Migration – 260871
XADM: Possible Uses of Active Directory Account Cleanup Wizard – 270652