Synchronizing Active Directory with Exchange Server Directory Service


Preparing Your Network for ADC Deployment

Only one instance of the ADC service can be active on a single computer running Windows 2000 Server. However, the ADC can support multiple connection agreements. To prepare for deployment of ADC, consider the requirements and recommendations described in the following sections.

Considering Specific Network Requirements

There are two network-specific tasks that you should consider as you gather information for your ADC Connection Agreement Plan. These tasks are as follows:

Select servers to be bridgehead servers.

Bridgehead servers are the two endpoints of a connection agreement: the Exchange Server 5.5 directory server and the Windows 2000 domain controller that the ADC reads from and writes to, much as a gateway sits between two systems. What they carry is directory synchronization traffic, not e-mail. When you select servers to be ADC bridgehead servers, they should meet the following conditions:

Identify resource usage.

Both the synchronization of directory objects between directories and the replication that occurs within the Active Directory and Exchange Server directory replication environments consume network resources.

After the upgrade from Windows NT Server 4.0 to Windows 2000 Server and the initial synchronization with Exchange Server, Active Directory becomes relatively static, and only small amounts of data pass between Active Directory and the Exchange Server 5.5 directory service. Changes made in the Exchange Server 5.5 directory and synchronized to Active Directory generate slightly more traffic than changes made in Active Directory and synchronized to Exchange Server.

Computer Requirements

When preparing to use ADC, observe these technical computer requirements:

Depending on the synchronization schedule, the ADC server and the directory servers it interacts with can face a significant processing load. Make sure these computers are adequately specified (CPU and memory) and well connected to the network; ideally they are on the same LAN. Unlike directory replication schedules in the Exchange Server 5.x environment, a connection agreement whose schedule is set to Always in the user interface does not replicate in one continuous stream: the ADC runs a synchronization cycle bounded by a maximum continuous replication time, then sleeps for the synchronization sleep delay (five minutes) before polling both directories again. The load figures in the tables below therefore recur roughly every five minutes rather than being sustained.

The expected resource usage for Pentium-class servers (200 MHz) with 128 MB of memory and one connection agreement configured is shown in Table 20.1.

Table 20.1 Pentium-class Server CPU Utilization (200 MHz, 128 MB, one connection agreement)

Server role                            CPU utilization (sampled approximately every 5 minutes)
Server running the ADC                 8-24%
Domain controller                      6-66%
Connecting Exchange 5.5 bridgehead     0-91%

To compare the effect of CPU type and speed, see the resource usage of dual Pentium II-class servers (450 MHz) with 256 MB of memory shown in Table 20.2.

Table 20.2 Dual Pentium II-class Server CPU Utilization (450 MHz, 256 MB, one connection agreement)

Server role                            CPU utilization (sampled approximately every 5 minutes)
Server running the ADC                 1-12%
Domain controller                      0-30%
Connecting Exchange 5.5 bridgehead     20-36%

For enterprise-size Exchange Server 5.5 and Active Directory deployments, you will need to carefully plan for any additional overhead that the ADC and its connection agreements produce. This is particularly important to those who need to accurately size servers and network capacity. This is even more important when the ADC server, domain controller, and Exchange Server 5.5 are connected over relatively slow links.

Deployment Recommendations

Consider the following recommendations to promote a successful deployment:

Populate Active Directory with user accounts by upgrading the primary domain controller (PDC) to Microsoft Windows 2000 Server.    Then use ADC to backfill directory data from the Exchange Server directory onto those pre-existing Active Directory accounts. The ADC matches each mailbox to the security principal named by its Assoc-NT-Account attribute (see the objectSID row in Table 20.4), so mailbox data is merged into the upgraded account rather than into a newly created object. Mailboxes for which no matching account exists are created as new, disabled user objects that you must reconcile afterwards, so populating Active Directory first avoids a forest full of duplicate principals.

Use Directory Replication Bridgehead servers to facilitate Exchange Server directory replication between Exchange Server sites.    Where it is possible, use them as ADC bridgehead servers for connection agreements.

Place the server hosting ADC on the same subnet as the Exchange Server directory and Active Directory bridgeheads, if possible.    If you are using ADC in a wide area network (WAN) environment, place it in a strategic location, such as at the hub of a hub-and-spoke topology.

Synchronize the entire Exchange Server site instead of synchronizing individual recipient containers.    It is possible to choose the entire Exchange Server site as the source and target on the Exchange Server, and also to choose the Active Directory domain as the source and target on the Active Directory side. This will effectively synchronize the recipient container hierarchy in Exchange Server with the OU hierarchy in Windows 2000 Server. You can choose to change the OU hierarchy or the location of individual recipients created in the Active Directory by the ADC at a later time. By moving recipients or OUs to a new location, the next time the ADC synchronizes, it finds the new locations and synchronizes with the existing recipients — if it is within the search scope of defined import and export containers.

For the best performance, install ADC on a member server in the Windows 2000 Server domain.    Depending on the synchronization schedule, if you configure the ADC with multiple connection agreements, it could consume a good deal of processor time. If you intend to install the ADC on a domain controller or global catalog, ensure that the server hardware accommodates the extra processing load.

Either create ADC connection agreements between a global catalog and Exchange Server or deploy the ADC in close network proximity to a global catalog.    In a multi-domain environment, the ADC performs searches against the global catalog, even if there is no connection agreement for synchronizing with a global catalog server. The purpose for searching in the global catalog is to ensure that the ADC does not create duplicate objects in the forest.

ADC Implementation Strategy

To install the ADC and configure a connection agreement, you must log on to Windows 2000 Server with an account that holds specific rights. Because these rights include extending the schema and creating objects in the configuration naming context, use the least privileged account that satisfies each step rather than a standing forest-wide administrator. The permissions required for the various tasks are as follows:

Initial ADC Installation

When you first install ADC in a Windows 2000 forest, ADC Setup extends the Active Directory schema with the Exchange schema extensions. The account from which you run Setup must therefore be a member of the Schema Admins group or otherwise hold permission to extend the schema.

ADC Setup also creates objects in the Active Directory configuration container. This requires that the account you run Setup from be a member of the Domain Admins group or otherwise have permission to create objects in the Services and Sites containers of the configuration naming context.

Finally, ADC Setup creates two security groups in the local domain: Exchange Services and Exchange Administrators. This requires that the account you run Setup from be a member of the Domain Admins group or otherwise have permission to create objects in the Users container.

Subsequent Installations of the ADC

Subsequent installations of the ADC in the same forest do not require Schema Admins membership. They do require either Domain Admins membership or specific permissions that allow you to create new objects under the Sites and Services containers in the configuration naming context. Additional installations in the same domain do not create the Exchange Services or Exchange Administrators groups again. However, the first ADC installation into any other Windows 2000 Server domain creates these groups in that domain and therefore requires the permissions to do so.

ADC Configuration

You can configure the ADC policy by viewing the property pages of the top-level node in the ADC Administrator MMC snap-in. By modifying the policy, you can control the set of attributes synchronized from either directory as well as the set of rules used by the ADC to match objects in either directory.

ADC Schema and Object Mapping

Each connection agreement uses a table-based schema map for the majority of attributes on objects synchronized between the two directories. The default map is located on the ADC policy object in Active Directory. While it is possible to enable and disable a subset of attributes synchronizing in either direction, it is not possible to modify the schema mapping from the ADC Administrator MMC snap-in.

Tables 20.3, 20.4, 20.5, and 20.6 list many of the mappings defined in the default schema map.

Table 20.3 defines the attribute mappings that apply to all object classes in Windows 2000 and Exchange. If the source directory holds no value for an attribute in the map, that mapping is ignored for that object.

Table 20.3 Attribute Mappings for All Objects

Windows 2000 Attribute (LDAP Name), All Object Classes    Exchange Attribute (LDAP Name), All Object Classes
description Admin-description
autoReply AutoReply
businessRoles Business-Roles
co co
company company
delivContLength deliv-Cont-Length
department department
displayName cn
displayNamePrintable name
distinguishedName distinguishedName
dnQualifier dnQualifier
employeeID employeeNumber
extensionAttribute1 Extension-Attribute-1
extensionAttribute2 Extension-Attribute-2
extensionAttribute3 Extension-Attribute-3
extensionAttribute4 Extension-Attribute-4
extensionAttribute5 Extension-Attribute-5
extensionAttribute6 Extension-Attribute-6
extensionAttribute7 Extension-Attribute-7
extensionAttribute8 Extension-Attribute-8
extensionAttribute9 Extension-Attribute-9
extensionAttribute10 Extension-Attribute-10
extensionAttribute11 Extension-Attribute-11
extensionAttribute12 Extension-Attribute-12
extensionAttribute13 Extension-Attribute-13
extensionAttribute14 Extension-Attribute-14
extensionAttribute15 Extension-Attribute-15
facsimileTelephoneNumber facsimileTelephoneNumber
generationQualifier generationQualifier
homephone homephone
homePostalAddress homePostalAddress
houseIdentifier houseIdentifier
info info
initials initials
l l
Language Language
mail mail
mailnickname uid
mobile mobile
otherTelephone Telephone-Office2
otherHomePhone Telephone-Home2
telephoneAssistant telephone-Assistant
pager pager
personalPager personalPager
personalTitle personalTitle
physicalDeliveryOfficeName physicalDeliveryOfficeName
postalCode postalCode
secretary secretary
sn sn
st st
street street
streetAddress postalAddress
telephoneNumber telephoneNumber
telexNumber telexNumber
teletexTerminalIdentifier teletexTerminalIdentifier
textEncodedORAddress textEncodedORAddress
title title
userCertificate userCertificate
userCert user-Cert
userSMIMECertificate userSMIMECertificate
url url
x121Address x121Address
autoReplyMessage conferenceInformation
importedFrom Imported-From

Table 20.4 defines the attribute mappings for all User objects and Mailbox objects in Windows 2000 and Exchange.

Table 20.4 Object Class-Specific Mappings

Windows 2000 Attribute (LDAP Name), User Object    Exchange Attribute (LDAP Name), Mailbox Object
givenName givenName
manager manager
altRecipient Alt-Recipient
publicDelegates public-Delegates
mdbUseDefaults mdb-use-defaults
mdbOverQuotaLimit MDB-Over-Quota-Limit
mdbStorageQuota MDB-Storage-Quota
submissionContLength submission-cont-length
mDBOverHardQuotaLimit DXA-task
protocolSettings protocol-Settings
mapiRecipient mapi-recipient
msExchHomeServerName home-MDB
msExchHomeServerName home-MTA
deliverAndRedirect deliver-and-redirect
garbageCollPeriod garbage-coll-period
securityProtocol security-Protocol
deletedItemFlags DXA-Flags
objectSID Assoc-NT-Account
authOrig Auth-Orig
unauthOrig Unauth-Orig
dLMemSubmitPerms DL-Mem-Submit-Perms
dLMemRejectPerms DL-Mem-Reject-Perms
folderPathname Folder-Pathname

Table 20.5 defines the attribute mappings for Contact objects and Custom objects in Windows 2000 and Exchange.

Table 20.5 Object Class-Specific Mappings

Windows 2000 Attribute (LDAP Name), Contact Object    Exchange Attribute (LDAP Name), Custom Object
givenName givenName
manager manager
targetAddress target-Address
protocolSettings protocol-Settings
mapiRecipient mapi-Recipient
authOrig Auth-Orig
unauthOrig Unauth-Orig
dLMemSubmitPerms DL-Mem-Submit-Perms
dLMemRejectPerms DL-Mem-Reject-Perms

Table 20.6 defines the attribute mappings for Group objects and Distribution List objects in Windows 2000 and Exchange.

Table 20.6 Object Class-Specific Mappings

Windows 2000 Attribute (LDAP Name), Group Object    Exchange Attribute (LDAP Name), Distribution List Object
member member
msExchExpansionServerName home-MTA
managedby owner
oOFReplyToOriginator OOF-Reply-To-Originator
reportToOriginator Report-To-Originator
reportToOwner Report-To-Owner
hideDLMembership Hide-DL-Membership
authOrig Auth-Orig
unauthOrig Unauth-Orig
dLMemSubmitPerms DL-Mem-Submit-Perms
dLMemRejectPerms DL-Mem-Reject-Perms

Base the number of connection agreements your organization requires on your own network environment, including your deployment objectives and requirements and the outcome you expect from implementation. You must also familiarize yourself with the Exchange Server and Active Directory object attributes that cannot be synchronized, listed in Table 20.7. In particular, passwords and access control lists never cross the connector in either direction: rights granted on Exchange Server 5.5 mailboxes and recipient containers must be granted again in Active Directory, and Windows account settings are not written back to the Exchange directory.

Table 20.7 Attributes of Objects That Do Not Synchronize

Windows 2000 Server Active Directory                                   Exchange Server 5.5 Directory Service
All account information, such as Account Logging, Account Password,    Advanced Security settings
  and so on
Profile information                                                    Access Control Lists (ACLs)
Routing and Remote Access dial-up permissions                          Home Information Store
Access Control Lists (ACLs)
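As an added example, not part of this resource kit and not the ADC's own code, the following Python models one synchronization pass from the Exchange Server 5.5 directory to Active Directory using a subset of the default schema map in Tables 20.3 and 20.4 together with the exclusions in Table 20.7. It shows the three behaviors the text describes: a mapping is skipped when the source attribute is absent, attributes in the never-synchronized set are refused and reported so the administrator re-applies them by hand, and a mailbox is matched to the upgraded account through its Assoc-NT-Account SID (the objectSID row of Table 20.4) before any new object is created. The sample entries, the domain and OU names, the SID values and the names in the deny list are constructed for this example.

```python
"""Simplified model of one ADC synchronization pass (Exchange 5.5 -> Active Directory).

Added illustration only; it is not the Active Directory Connector's code.
"""
from dataclasses import dataclass, field

# Subset of the default schema map from Tables 20.3 and 20.4,
# written as {Exchange 5.5 LDAP name: Active Directory LDAP name}.
# LDAP attribute names are case-insensitive, so lookups use lower case.
DEFAULT_SCHEMA_MAP = {
    "cn": "displayName",
    "uid": "mailNickname",
    "mail": "mail",
    "sn": "sn",
    "givenName": "givenName",
    "title": "title",
    "department": "department",
    "telephoneNumber": "telephoneNumber",
    "Extension-Attribute-1": "extensionAttribute1",
    "home-MDB": "msExchHomeServerName",
    "MDB-Storage-Quota": "mdbStorageQuota",
}

# Table 20.7 in deny-list form (names chosen for the example): passwords and
# ACLs are never copied, whatever the schema map says.
NEVER_SYNC = {"nt-security-descriptor", "ntsecuritydescriptor",
              "unicodepwd", "dbcspwd", "userpassword"}

ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200


@dataclass
class SyncResult:
    target_dn: str
    created: bool
    attributes: dict
    skipped_missing: list = field(default_factory=list)
    refused: list = field(default_factory=list)


def _lower_keys(entry):
    return {k.lower(): v for k, v in entry.items()}


def map_attributes(exchange_entry, schema_map=DEFAULT_SCHEMA_MAP):
    """Apply the table-driven map. Returns (mapped, skipped_missing, refused)."""
    src = _lower_keys(exchange_entry)
    mapped, skipped, refused = {}, [], []
    for ex_name, ad_name in schema_map.items():
        if ex_name.lower() in NEVER_SYNC or ad_name.lower() in NEVER_SYNC:
            refused.append(ex_name)          # a map edit cannot smuggle these across
            continue
        if ex_name.lower() not in src:
            skipped.append(ex_name)          # no source value: mapping is ignored
            continue
        mapped[ad_name] = src[ex_name.lower()]
    # Anything from Table 20.7 present on the source object is reported, never copied.
    refused.extend(name for name in src if name in NEVER_SYNC)
    return mapped, skipped, refused


def synchronize_mailbox(exchange_entry, ad_by_sid, target_ou):
    """Match-before-create: merge into the account whose objectSid equals the
    mailbox's Assoc-NT-Account; otherwise create a new, disabled user object."""
    src = _lower_keys(exchange_entry)
    mapped, skipped, refused = map_attributes(exchange_entry)
    sid = src.get("assoc-nt-account")
    if sid and sid in ad_by_sid:
        target = ad_by_sid[sid]
        target.update(mapped)                # backfill onto the upgraded account
        return SyncResult(target["distinguishedName"], False, target, skipped, refused)
    new_dn = f"CN={mapped.get('displayName', src['cn'])},{target_ou}"
    new_obj = {"distinguishedName": new_dn,
               "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE, **mapped}
    if sid:
        ad_by_sid[sid] = new_obj             # future passes must not create it again
    return SyncResult(new_dn, True, new_obj, skipped, refused)


def demo():
    """Constructed data: one mailbox whose NT account was upgraded into the forest,
    one mailbox with no Windows account at all."""
    forest_by_sid = {
        "S-1-5-21-1-2-3-1105": {
            "distinguishedName": "CN=Ana Ruiz,OU=Sales,DC=example,DC=com",
            "objectSid": "S-1-5-21-1-2-3-1105", "sAMAccountName": "aruiz"},
    }
    ou = "OU=Exchange Users,DC=example,DC=com"
    matched = synchronize_mailbox({
        "cn": "Ana Ruiz", "uid": "aruiz", "mail": "aruiz@example.com", "sn": "Ruiz",
        "Assoc-NT-Account": "S-1-5-21-1-2-3-1105",
        "NT-Security-Descriptor": b"\x01\x00\x04\x80",   # Exchange ACL: must not cross
    }, forest_by_sid, ou)
    orphan = synchronize_mailbox({
        "cn": "Shared Mailbox", "uid": "shared", "mail": "shared@example.com",
    }, forest_by_sid, ou)
    return matched, orphan


if __name__ == "__main__":
    for result in demo():
        print(result.target_dn, "created" if result.created else "matched",
              "refused:", result.refused, "skipped:", result.skipped_missing)
```

The `refused` list is the item to act on after a pass: every name in it is something the administrator must recreate in the target directory by hand, which is exactly what Table 20.7 implies for ACLs and Advanced Security settings.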

© 1985-2000 Microsoft Corporation. All rights reserved.