The Active Directory Connector (ADC) has existed since Microsoft Exchange 2000 Server's debut. The ADC's function is to synchronize information from the Exchange Server 5.5 Directory Service (DS) to Active Directory (AD) so that a mixed-mode Exchange organization containing Exchange 5.5 and Exchange Server 2003 or Exchange 2000 servers has one consistent view of user and configuration information.
Although the ADC has undergone many improvements since its inception (most notably Exchange 2003 Service Pack 1's—SP1's—support for cross-site mailbox moves), the ADC's core functionality remains the same. But not all the mechanisms that underlie that functionality are well understood. Studying these mechanisms will help you properly implement an ADC-based synchronization environment. In a subsequent article, I'll describe how to fine-tune the ADC.
Synchronizing Hidden Objects
You can hide objects in the Exchange 5.5 DS from the Global Address List (GAL). Hidden objects, which can include mailboxes, custom recipients, and distribution lists (DLs), have a Hide-From-Address-Book attribute value of 1. By default, Exchange Administrator doesn't display hidden objects in recipient containers. To see hidden objects, you must select Hidden Recipients from Exchange Administrator's View menu.
The ADC will synchronize hidden objects to AD, but unlike Exchange Administrator, the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in makes hidden objects visible by default. You can also see hidden objects from Exchange System Manager (ESM) when you browse an organizational unit (OU). However, end users can't see hidden objects in the GAL. To determine whether objects are hidden from client view, start the Active Directory Users and Computers snap-in, select Advanced Features from the View menu, click the Exchange Advanced tab, and see whether the Hide from Exchange address book check box is selected. Exchange 2003 users can't see AD objects (e.g., users, contacts, groups) for which this option is selected.
When the ADC synchronizes an Exchange 5.5 object that's hidden from the address book, the ADC sets that object's msExchHideFromAddressLists attribute to TRUE. Similarly, when the ADC synchronizes a hidden object from AD to the Exchange 5.5 DS, it hides the object from the Exchange 5.5 GAL, so the object isn't visible by default in Exchange Administrator. As you can see, hidden-object functionality isn't symmetrical between Exchange 5.5 and Exchange 2000 and later. A hidden object in Exchange 5.5 is hidden from the GAL and Exchange Administrator, whereas hidden objects in Exchange 2003 or Exchange 2000 are hidden from the GAL but are visible in ESM and the Active Directory Users and Computers snap-in. Understanding how the ADC deals with hidden objects helps you plan and implement a synchronization environment.
Processing Hidden DL Membership
In Exchange 5.5, you can control whether clients can view a DL's membership information. Start Exchange Administrator, click a DL, select Properties from the File menu, click the Advanced tab, and select the Hide membership from address book check box.
When the ADC synchronizes a DL from the Exchange 5.5 DS, the ADC reads the DS's Hide-DL-Membership attribute and sets the AD hide-DLMembership attribute on the synchronized object accordingly. When the DL's membership is hidden, this action effectively applies a set of access control entries (ACEs) to the corresponding Universal Distribution Group (UDG) in AD to deny access to view the membership. Although the ACEs prevent Exchange 2003 clients (e.g., Microsoft Office Outlook 2003) from enumerating the UDG membership, some security principals need access to the membership list. For example, Exchange 2003 needs to enumerate the membership to send mail to UDG members.
To facilitate this type of Exchange operation, as the ADC synchronizes a DL with hidden membership, the ADC reads the msExchServerGlobalGroups attribute from AD's Organization container entry. This attribute contains the list of Exchange 2003 servers in the organization that need access to the membership. The Exchange Enterprise Servers and Exchange Domain Servers security groups define this list of servers. (The DomainPrep utility creates these security groups.) The servers listed in the msExchServerGlobalGroups attribute can view the UDG membership, although the UDG is hidden from users in the GAL. By default, Exchange 2003 servers belong to the Exchange Enterprise Servers and Exchange Domain Servers security groups.
If you add to your Exchange organization a Windows Server 2003 domain that includes Exchange 2003 servers, the Recipient Update Service (RUS) will detect the change and update all UDGs that have hide-DLMembership set to TRUE with the new Exchange Domain Servers group's security principals so that the new Exchange 2003 server can access the hidden membership. Likewise, if you make other changes to the hide-DLMembership attribute on the synchronized object in AD, the RUS will detect your changes and update the ACE as necessary.
In reverse synchronization (i.e., from AD to the Exchange 5.5 DS), the ADC checks the AD object's hide-DLMembership attribute value and sets the corresponding Hide-DL-Membership attribute on the new Exchange 5.5 DL. You can use the Active Directory Users and Computers snap-in to control whether UDG membership is visible. Start the snap-in, right-click the UDG, select Exchange Tasks, and select Hide Membership. Understanding how the ADC handles hidden DLs lets you build a correctly functioning synchronization environment.
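The following is an added example, not code from the article or from Microsoft: a simplified in-memory model of the hidden-membership handling described above, covering the Hide-DL-Membership to hide-DLMembership mapping, the access check that only principals named via msExchServerGlobalGroups pass, and the RUS re-applying the ACE when a new domain's Exchange Domain Servers group appears. Real AD uses per-attribute ACEs on the UDG; here an ACL is just the set of allowed groups and everything else is implicitly denied, and all names are constructed.

```python
# Added example (not from the article or Microsoft). Simplified model of how
# hidden DL membership survives ADC synchronization and how the RUS keeps the
# Exchange server groups able to expand the group. Directory objects are dicts.

def sync_dl(dl, org):
    """Exchange 5.5 DL -> AD UDG (forward synchronization).

    The DS attribute Hide-DL-Membership maps to the AD attribute
    hide-DLMembership. When it is set, the ADC reads msExchServerGlobalGroups
    from the Organization container and grants only those groups the right
    to read the member attribute (modelled here as an allow-list ACL)."""
    udg = {
        "name": dl["name"],
        "member": set(dl["members"]),
        "hideDLMembership": bool(dl["Hide-DL-Membership"]),
        "acl": None,  # None means no restriction: anyone can enumerate
    }
    if udg["hideDLMembership"]:
        udg["acl"] = set(org["msExchServerGlobalGroups"])
    return udg


def can_read_members(principal_groups, udg):
    """True if the principal may enumerate the UDG membership.

    An unhidden UDG is readable by everyone (e.g. Outlook 2003 users). A hidden
    one is readable only by a principal holding an allow ACE, which after
    DomainPrep means membership in Exchange Enterprise Servers or an
    Exchange Domain Servers group."""
    if not udg["hideDLMembership"]:
        return True
    return bool(set(principal_groups) & udg["acl"])


def rus_update(udgs, org, new_group):
    """Model of the RUS reacting to a new domain with Exchange 2003 servers.

    The new domain's Exchange Domain Servers group is added to the
    organization-wide list, and every UDG with hide-DLMembership=TRUE gets
    its ACL updated so the new servers can still send mail to the group.
    Returns the names of the UDGs that were touched."""
    org["msExchServerGlobalGroups"].append(new_group)
    touched = []
    for udg in udgs:
        if udg["hideDLMembership"]:
            udg["acl"].add(new_group)
            touched.append(udg["name"])
    return touched
```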
Dealing with Latency During Synchronization
Mistaking ADC synchronization latency for a failure in ADC functionality is a common error. Sometimes the ADC synchronizes Exchange 5.5 DLs to AD before synchronizing the discrete objects that constitute the DLs' membership. For example, you might be using one connection agreement (CA) to synchronize a new DL, and this synchronization might be scheduled to run before another CA that synchronizes mailbox objects in the DL. If the DL has membership objects that reference as-yet-uncreated AD objects, AD's referential integrity feature prevents the UDG from populating the membership for those phantom objects.
In this case, if no other precautions are in place, when the CA that controls the reverse synchronization runs, the partial AD UDG might alter the original Exchange 5.5 DL membership. AD's unmergedAtts attribute prevents this problem in the ADC and in AD. During the initial synchronization, if the ADC can't add objects to the UDG because the corresponding membership objects don't yet exist in AD, the ADC adds these objects to the unmergedAtts attribute. The ADC uses the unmergedAtts attribute on the subsequent reverse synchronization to ensure that no membership information is lost.
The Exchange 5.5 DS has no referential integrity mechanism. Therefore, when the ADC synchronizes a UDG object from AD to the Exchange 5.5 DS as a DL, the Members attribute is fully populated with all members, even if the member object doesn't yet exist in the Exchange 5.5 DS. Thus, Exchange 5.5 DLs don't have or need the unmergedAtts attribute.
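As an added example (not the ADC's own code, and not from the article), here is a small in-memory model of the latency scenario just described: a DL connection agreement runs before the mailbox connection agreement, AD's referential integrity keeps the not-yet-created member out of the UDG, and unmergedAtts is what stops the subsequent reverse synchronization from shrinking the original Exchange 5.5 DL. Object names and the two dictionaries standing in for the directories are constructed.

```python
# Added example (not from the article or the ADC). Models why unmergedAtts
# matters when a DL is synchronized before its members exist in AD.
from dataclasses import dataclass, field


@dataclass
class UDG:
    """AD universal distribution group as created by the ADC."""
    name: str
    members: set = field(default_factory=set)        # DNs that resolved in AD
    unmerged_atts: set = field(default_factory=set)  # DNs the ADC had to defer


def forward_sync(dl_name, dl_members, ad_objects, ad_groups):
    """Exchange 5.5 DL -> AD UDG. AD enforces referential integrity, so a
    member whose object does not exist yet cannot be added; the ADC parks it
    in unmergedAtts instead of dropping it, and resolves it on a later pass."""
    udg = ad_groups.setdefault(dl_name, UDG(dl_name))
    for dn in dl_members:
        if dn in ad_objects:
            udg.members.add(dn)
            udg.unmerged_atts.discard(dn)
        else:
            udg.unmerged_atts.add(dn)
    return udg


def reverse_sync(udg, ex55_dls):
    """AD UDG -> Exchange 5.5 DL. The 5.5 DS has no referential integrity, so
    the ADC writes the full membership: resolved members plus unmergedAtts."""
    ex55_dls[udg.name] = set(udg.members) | set(udg.unmerged_atts)
    return ex55_dls[udg.name]


def naive_reverse_sync(udg, ex55_dls):
    """What a reverse pass without unmergedAtts would do: the partial UDG
    overwrites the original DL and the deferred member is lost."""
    ex55_dls[udg.name] = set(udg.members)
    return ex55_dls[udg.name]


def demo():
    # Constructed sample: the DL CA runs first, so cn=carol has no AD object yet.
    ex55_dls = {"cn=Sales": {"cn=alice", "cn=bob", "cn=carol"}}
    ad_objects = {"cn=alice", "cn=bob"}
    ad_groups = {}
    udg = forward_sync("cn=Sales", ex55_dls["cn=Sales"], ad_objects, ad_groups)
    lost = naive_reverse_sync(udg, dict(ex55_dls))   # run against a copy
    kept = reverse_sync(udg, ex55_dls)               # the real ADC behaviour
    ad_objects.add("cn=carol")                       # mailbox CA creates carol
    forward_sync("cn=Sales", ex55_dls["cn=Sales"], ad_objects, ad_groups)
    return lost, kept, udg
```

Running demo() shows the naive pass returning only alice and bob, while the unmergedAtts-aware pass keeps carol and the next forward pass moves her from unmergedAtts into the real membership.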