Al, sorry about the delay in responding – minor incident here at the house! FIRE!!! All resolved and back up and running.

Thank you for the very good tutorial and I must agree w/Joe that MS has snookered us in their handling of this product. Having said that, I have a pretty good understanding of the workings. Obviously I need to bump up the schedule of the E2K migration effort – although I do not control the funding – just make recommendations.

I did find one problem with my methodology. In using ADSI Edit to change the user attribute, I was just copying and pasting – then editing. That does not work – looks like it does, but goes right back after you exit. Tried hitting the Clear button – that cleared the attribute and copied it to the edit line. I then edited the attribute, hit Set and Apply, and exited. Worked fine. Went back after a couple of reps and it was staying as put.

Deleted the user – forced a replication, saw that it was gone from the domain B GAL. Turned off the ADC Service, created a new user w/mailbox, edited the attribute to show the proper container (ou), turned on the ADC Service, and the user shows up in the correct container of domain B GAL. If only MS allowed the AD to "pick up" on the value of the container that a user resides in …

Again, thanks for your assistance!

R/Bill

-----Original Message-----

Well for better or worse, what you explained is how I understood it myself. Though I admit to not knowing it really well, never wanted to know it all but damn MS to hell for inserting AD and Exchange into each other like they did... (Hey I haven't ranted on here about E2K in at least a week....)

Oh one other thing is that some of that info gets stamped into the msExchADCGlobalNames attribute but in a DN format. I believe the AD side of that gets stamped by the E55->AD work and then the E55 side gets stamped by the opposite direction. Though the 5.5 directory side would have the location in the AD tree being stamped, not the 5.5 location.

For Exchange, I'm only an egg. I don't Grok it.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mulnick, Al

Let me play this back to see if I have it straight:

One Domain = Empty Root
Domain A = Child Domain
Domain B = Child Domain
Domain A = Exchange 2000 (really, this is Forest Wide, but we'll assume that you only consider it installed in this domain)
Domain B = Exchange 5.5 installed

Is that right so far?

How many ADC's do you have? I assume just the one from Exchange 2000 media rev'd to SP3 or later with the standard CA's plus the recipients and public folders.

When you create a user in domain A, it's (presumably) an Exchange 2000 mail-enabled user object. Correct? The ADC CA picks this up from Domain A where it originated as new, and replicates the data to the Exchange 5.5 directory. At the point of creation and RUS processing, the mail-enabled user object has a legacyExchangeDN ending in \Recipients. If you stopped the CA prior to creating the user-object, this would still be the case because Exchange 2000 has no concept of containers like Exchange 5.5 does. The legacyExchangeDN gets created assuming that the Recipients container is the only one.

Now turn the ADC CA back on to replicate. The replication starts, picks up the new mail-enabled user object, realizes there is no corresponding object, checks its rules regarding this situation (advanced tab as I recall) and creates the 5.5 directory entry in the container that follows those rules. Often, these rules will be set to follow legacyExchangeDN so you don't get a bazillion containers to mimic the OU structure in Active Directory. Yours probably is set that way.

It doesn't end there. Now on the next replication cycle, the ADC CA realizes that 5.5 has a new object and replicates it back to the Active Directory. Anything that was changed on the 5.5 side is now replicated to Active Directory and the CA is now done with that object.

If you create the mailbox-enabled object in 5.5 first, the legacyExchangeDN is, by nature, whatever the relative path is for the object in the directory. So if you have an object that is in a different container called "new" then your legacyExchangeDN would end in \new. Right? So when the ADC CA wakes up, it realizes it has a new 5.5 object, replicates it to the target OU in Active Directory and then replicates the information back to the 5.5 directory. As far as 5.5 users are concerned, it is in the "correct container".

What you described is expected behavior. What you seem to want to do is modify that behavior so that if you create a user in a particular OU in Active Directory, the ADC knows to put in a particular CN in 5.5. Unfortunately, you'll have to get somewhat complex with CA's (which I don't recommend), else change your process to accommodate (e.g. create the account on 5.5 in the container you want it in, and then move it to the appropriate 2000 server). You could also educate your users on the finer points of GAL usage to get them to understand how to find a user, but that may not be an option (I am being totally serious about that even if email makes it sound sarcastic). You could also use address book views or even GAL views to mimic this behavior, but I think that's lipstick on a pig in this situation.

If I've misunderstood, please correct me as I'd hate to think I didn't understand this stuff. ;-)

Al

-----Original Message-----

Al, test-bed scenario: empty root w/1 dc/gc, child domain A w/1 dc/gc E2K ADC installed, child domain B w/1 dc/gc E55 ADC installed.

Created the new user in domain A and tests showed that the GAL in domain B was not showing the new user in the proper container. Found the legacyExchangeDN to be mis-represented. Created new user in domain B and it displayed correctly.

R/Bill

-----Original Message-----

When you created the mailbox, it was on a 5.5 server or a 2000 server?

-----Original Message-----

Nice reply Al - however I do not believe that the legacyExchangeDN of the first administrative group has anything to do with the legacyExchangeDN of a newly created user in AD. Well, maybe I am missing something here. I do not intend on "mucking about" with the attributes for anything other than the users that need correction.

Additionally, I question the fact about the ADC being the mechanism involved with the setting. The reason I state that is because I created a new user in AD in the domain that handles the E55 server and then a mailbox for the user. Guess what? ADSI Edit shows the legacyExchangeDN attribute correctly for that user and that information was populated via the ADC.

Finally, I believe that there can be a delivery issue involved when the user legacyExchangeDN does not match up with what E55 "sees" in the DS attribute OBJ-DIST-NAME...

R/Bill

-----Original Message-----

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q273863 is the description of how to do this. However, I should caution you that mucking about with the legacyExchangeDN attribute is not a good idea. Getting your users to live with it now is a better approach. They will be living with it going forward since Exchange GAL in Exchange 200x doesn't care about containers. You could also create ABV's to mimic this, but again, I don't recommend spending much time on the legacy system.

At some point, you're going to have to work with these users to make the change. If they cannot make that change, there might be a reason to use the GAL views in Exchange 200x and it's best to know that early.

Finally, keep in mind that the ADC is the mechanism involved in this setting. To move them between 5.5 containers is not as simple as changing the legacyExchangeDN since 5.x didn't understand or allow movement between containers; it requires the Microsoft shuffle (copy, delete, create) on the 5.5 side + replication times. In other words, there's a lot of moving parts to make this scenario work.

Luck! :)

Al

-----Original Message-----

Al, The immediate thing that comes to mind is that in our mixed mode environment [that we will have to live with for a while yet...] is that in the E55 sites the GAL lists these folks as being in the Recipients container (ou) where they are really in a different departmental container (ou). Believe it or not - we have users that insist on going to a container listing in the GAL and picking their send to addresses! Short of that - I am sure there are other issues.

Lastly, if MS put the attribute into AD - I think the attribute should represent the user exactly and this is not the case.

R/Bill

-----Original Message-----

Plenty, but I have a question first. Why are you wanting to change it? What benefit is there if you change it?

-----Original Message-----

To All,

When I create a user in AD the legacyExchangeDN attribute is always set to cn=Recipients no matter what ou the user was created under. Using ADSI Edit to change the value to reflect the correct setting fails as the value is immediately changed back. Does anyone have any thoughts on this???

R/Bill
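The check this thread keeps circling back to, written out as an added example that is not from any participant in the thread: Al explains that a user created on the Exchange 2000 side gets a legacyExchangeDN whose container part is Recipients regardless of the OU it was created in, and Bill's fix is to hand-edit the container part to match the departmental OU with the ADC service stopped. The script below parses the attribute, compares the container it names with the OU the object actually sits in, and reports the value an admin would set; it deliberately only reports and never writes to the directory, because an edit made while the ADC is running is replicated straight back. Assumptions: the standard slash-delimited form /o=Org/ou=Site/cn=Container/cn=Alias (the thread writes the tail as \Recipients), that an object under no OU at all is expected to stay in Recipients, and constructed sample user records that are not real directory data.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Exchange 5.5-style legacyExchangeDN, as stored on the AD user object:
#   /o=<org>/ou=<site>/cn=<container>/cn=<alias>
# The thread writes the tail as "\Recipients"; in the stored value the
# separators are forward slashes and the container shows as "cn=Recipients".
LEGACY_DN_RE = re.compile(
    r"^/o=(?P<org>[^/]+)/ou=(?P<site>[^/]+)"
    r"/cn=(?P<container>[^/]+)/cn=(?P<alias>[^/]+)$",
    re.IGNORECASE,
)

# Assumption: an object that is not under any OU (e.g. CN=Users) is expected
# to sit in the default 5.5 container, which is what gets stamped anyway.
DEFAULT_CONTAINER = "Recipients"


@dataclass
class LegacyDn:
    org: str
    site: str
    container: str
    alias: str

    def render(self) -> str:
        return f"/o={self.org}/ou={self.site}/cn={self.container}/cn={self.alias}"


def parse_legacy_dn(value: str) -> Optional[LegacyDn]:
    """Split a legacyExchangeDN into its four components, or None if malformed."""
    m = LEGACY_DN_RE.match(value.strip())
    return LegacyDn(**m.groupdict()) if m else None


def innermost_ou(distinguished_name: str) -> Optional[str]:
    """Return the OU that directly holds the object (first OU after its own RDN),
    or None when the object lives in a plain container such as CN=Users."""
    rdns = re.split(r"(?<!\\),", distinguished_name)  # split on unescaped commas
    for rdn in rdns[1:]:  # skip the object's own CN=... RDN
        attr, _, val = rdn.partition("=")
        if attr.strip().upper() == "OU":
            return val.strip()
    return None


def audit_user(user: dict) -> dict:
    """Compare the 5.5 container named in legacyExchangeDN with the OU the user
    actually sits in, and propose the value an admin would set by hand."""
    parsed = parse_legacy_dn(user["legacyExchangeDN"])
    result = {"sAMAccountName": user["sAMAccountName"], "proposed": None}
    if parsed is None:
        result["status"] = "unparseable"
        return result
    expected = innermost_ou(user["distinguishedName"]) or DEFAULT_CONTAINER
    result.update(expected_container=expected, actual_container=parsed.container)
    # 5.5 directory names are case-insensitive, so compare case-folded.
    if parsed.container.casefold() == expected.casefold():
        result["status"] = "ok"
    else:
        result["status"] = "mismatch"
        fixed = LegacyDn(parsed.org, parsed.site, expected, parsed.alias)
        result["proposed"] = fixed.render()
    return result


def audit_users(users: list) -> list:
    """Read-only report over a list of user records; nothing is written back."""
    return [audit_user(u) for u in users]


# Constructed sample objects (not real directory data): one user created in the
# E2K domain that got the default container, one created on the 5.5 side, one
# in CN=Users, and one with a damaged attribute value.
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe",
     "distinguishedName": "CN=Jane Doe,OU=Sales,OU=Domain A Users,DC=a,DC=example,DC=com",
     "legacyExchangeDN": "/o=ExampleOrg/ou=DomainB-Site/cn=Recipients/cn=jdoe"},
    {"sAMAccountName": "bsmith",
     "distinguishedName": "CN=Bob Smith,OU=Sales,DC=b,DC=example,DC=com",
     "legacyExchangeDN": "/o=ExampleOrg/ou=DomainB-Site/cn=Sales/cn=bsmith"},
    {"sAMAccountName": "svc-backup",
     "distinguishedName": "CN=svc-backup,CN=Users,DC=a,DC=example,DC=com",
     "legacyExchangeDN": "/o=ExampleOrg/ou=DomainB-Site/cn=Recipients/cn=svc-backup"},
    {"sAMAccountName": "broken",
     "distinguishedName": "CN=Broken,OU=Sales,DC=a,DC=example,DC=com",
     "legacyExchangeDN": "cn=Recipients"},
]

if __name__ == "__main__":
    for row in audit_users(SAMPLE_USERS):
        print(row)
```

The report is the safe half of the job: it tells you which objects would show up under Recipients in the 5.5 GAL and what the corrected value looks like. Applying a proposed value is still the manual procedure described above (ADC service off, Clear then Set in ADSI Edit, ADC back on), and Al's caveat stands that the 5.5 side cannot move an object between containers, so the directory entry there is recreated rather than edited.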
Thread: [ActiveDir] OT? - LEGACY EXCHANGE DN