Hmm I think you echoed all of the thoughts I had when I read that post. I can now retire. I have been replaced by a younger model.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, November 23, 2006 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] mailNickName(OT)

Hi Tom,

Glad to hear you've moved on to bigger things. It only gets more fun as the numbers get larger. :)

With regard to your email address question, you can update the recipient policy the RUS uses to automatically stamp everything with [EMAIL PROTECTED] You would set your recipient policy to include [EMAIL PROTECTED] to generate this for each object. Reference Q285136 for more info.

8 People for 110K mailboxes seems like a lot to me, but that's just me.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, November 23, 2006 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] mailNickName(OT)

I ask because the reason mailNickName is in "firstname.lastname" format, is due to a dirsync process that runs once a day and reads that attribute to do an address rewrite.
When a mailbox enabled user is created, the RUS stamps it with an "[EMAIL PROTECTED]". Later, the dirsync process adds "[EMAIL PROTECTED]", so when mail goes out, sendmail rewrites the RHS portion of the smtp addy. If mailNickName is sAMAccountName, it doesn't work.
Sometimes during the provisioning process, the lan access guys forget to set this attribute to that value, so the exchange team was looking for a way to automatically generate the value in the correct format, kinda like displayName.

I just started here about 2 months ago, so i'm not completely sure how the process works and i'm trying not to annoy everyone with too many questions.
This is the first truly large corp i've ever worked for. Before i was the AD/Exchange guy for a 3500 user financial firm.
Now i'm on an 8 member Exchange team for a 110,000 user bank that you've all heard of and i guess i'm trying to wrap my head around how an org this size works...

i'm actually kinda surprised no one on the exchange team knows how to script or is very knowledgeable about AD. Then again the AD team doesn't seem that knowledgeable about AD.
They just migrated from EX 5.5 to EX2K3 when i started, so i guess they are trying to get up to speed with exchange.

i only made the MS comment because a corp this large seems to have a lot of resources at MS and I saw that someone from MS did their EX2K3 design doc.
I'm not under the illusion that just because someone is from MS that they know what they are doing but i guess i have illusions about companies this size and that they would somehow get the better support from MS and other vendors.

Thanks for your responses and help.

On 11/22/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
> I think I see the reason that it hasn't been as big a problem as it could be. The id is not yet everywhere. You will run into those collisions. Statistically (note, I'm not a statistician, but I sometimes play one on the internet) your numbers are just too large not to. When you hook in MIIS, you'll start to see a lot of john smith's and you'll have to map them and come up with rules to automatically resolve those if possible. I dunno though, you may be an organization that enjoys manual processes.
>
> Even for first.lastname for smtp addresses I'm reasonably sure there's either a really strong nepotism policy in your organization or you've got some *process* that allows for making those unique. I've worked in much smaller shops that had such policies (sadly, no strong nepotism rule, but that's another story altogether.)
>
> I second what joe says about not taking their word for anything. I'll go so far as to qualify that and say that the best answer you should get from a consultant or on-site resource is "it depends."
> What that really means is that depending on the information available, your current best practice as it was intended is to do x. I can't begin to tell you how many things that started from the product teams as "the product only does this" later ends up to be, "for the love of <insert your favorite deity here> don't do this!!!" Think clustering and you'll know what I'm talking about.
>
> Every bit of it depends. But Microsoft developers need more parameters than "it depends" so they come up with scenarios. And they narrow those down out of necessity. If you fit in that scenario, your stuff is a tested scenario. If not, it's something they may have thought of but didn't think enough customers would use and so didn't spend time testing thoroughly - aka if it works, it was meant to do that. If it does not, what the ^%$# were you thinking? Don't you read that (often non-existent) documentation that explicitly says not to do that? Or didn't you know that it wouldn't work like that? I mean, it's common sense right?
>
> Anyhow, I always remember two things about consultants - without common understanding, there can be no common sense (I ripped that off in case you wonder) and everything should be explicitly written down. When in doubt ask for the project notes and verify that the information you're working off of is explicitly stated and see if you can find out why. I can tell you if it's a Microsoft employee, you should have no issue asking that person directly to see if they can remember what the thinking was behind that and if that's still considered a best practice in light of what you want to do. It's entirely possible that the way the question was asked, the answer makes perfect sense (within that context anyway). It's more probable the question wasn't asked because nobody thought it was important to ask at the time.
> Exchange folks rarely care about such things unless they also happen to be deep in Directory Services - rare animal that can do that and carry on a conversation with a non-geek ;)
>
> Out of curiosity, what made you ask in the first place?
>
> On 11/22/06, Tom Kern <[EMAIL PROTECTED]> wrote:
> > The place I'm currently at is a large 110,000 + user bank.
> > They use the hr employee id# for sAMAccountName and upn and in turn the dn.
> > They use firstname.lastname for smtp and mailNickName and consequently legacyExchangeDN.
> > Why, I have no idea.
> >
> > They had a lot of input from MS in setting up their forest/exchange ORG, so I'm not sure why it is this way.
> >
> > For some background, they use lotus as well as exchange and use a dirX ldap server for common address book and sendmail address rewrite.
> > For the hour db, they use peoplesoft which they are going to sync up with AD with MIIS soon.
> > I'm not sure what all this has to do with mailNickName format, but it may provide some background or potential trouble in the future.
> > Thanks for all your input.
> >
> > On 11/22/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
> > > Other than being used for access by other protocols such as pop, imap, and owa, last I checked it's also the value used for the x.400 like address which is used for mail delivery internally by Exchange. You wouldn't want that to be non-unique else you might have to call somebody like joe to come in and help clean up :)
> > >
> > > I'm surprised that this company you're at has not gone to unique values for this. I'm equally surprised they don't have other issues with their Exchange deployment, but it's possible you haven't gotten far enough into it yet to notice some of them.
> > >
> > > I've blogged about my thoughts regarding what should be globally unique in an AD/Exchange environment.
> > > It's a long enough blog it may even be a good candidate for an essay or possibly a sleep aid.
> > >
> > > If you want the details, have a read. The short answer is that you want every user to be unique and to have a consistent and trouble-free experience. That keeps you from being up late at night with international customers first and your local in-country customers the next day.
> > > Mailnickname is one of the attributes that should be unique same as samaccountname and smtp address (some are enforced per forest, some per domain but all should be enforced regardless in my opinion). Since they can often feed on one another, I maintain that samaccountname should be the user's foundational, non-changing, never touched as long as that person is a member of the company in good standing, network id. Exchange relies on Active Directory and as such you're better following the same rules.
> > >
> > > Al
> > >
> > > On 11/22/06, joe <[EMAIL PROTECTED]> wrote:
> > > >
> > > > The mailnickname isn't populated in a similar way to display name. The common ways for mailnickname generation and its population are through the RUS, by CDOEXM, or by the special ADUC extension (and no ADUC doesn't use CDOEXM). This is unlike displayname which has ADUC as its common way to be populated. Certainly they could have done something like that but they didn't.
> > > >
> > > > Changing the format is ok, most companies don't do it but some do. But if there is going to be a change, change to something that is guaranteed to be unique in your organization. Display names are very often not unique; definitely not unique at scale which is why Al said, it don't scale....
> > > > Go to any larger company in the US and type in Smith, Jones, Brown, or Johnson in the GAL and you will likely see multiple Alan's, Andrew's, Amy's, Bob's, Carol's, Fred's, John's, Steve's, etc... If you are multi-national try Chang, Chen, Gupta, Singh, Lopez, Hernandez, Jannsen, Smit, Larsen, Berg, Schulz, or Schmidt.
> > > >
> > > > The attribute is used quite a bit in Exchange. Where all it is used I will let some Exchange person respond if they want, but look quickly at a mailbox enabled user and check how many times you see the value. Note that none of the other attributes that use mailNickname in their initial generation will change if you change mailnickname, you absolutely wouldn't want that or else it would break certain types of delivery for that user. I have seen some nasty issues in larger orgs that resulted in mailNicknames not being unique. The problems can be solved by mechanisms other than unique mailNicknames but unique mailNicknames is by far the easiest way to handle it. I have a tool that reports bad Exchange attribute settings in an Org and duplicate mailNickname is one of them that I flag as fairly high priority due to my experiences.
> > > >
> > > > joe
> > > >
> > > > --
> > > > O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> > > > Sent: Tuesday, November 21, 2006 10:07 PM
> > > > To: ActiveDir@mail.activedir.org
> > > > Subject: Re: [ActiveDir] mailNickName(OT)
> > > >
> > > > well, the company i currently work for sets the mailNickName of all users to "firstname.lastname".
> > > > I didn't know there was any issue with changing the format of that attribute.
> > > >
> > > > we have around 110,000 users mixed between Exchange and Lotus Domino and this is the format they have been using (why, i'm not sure, I just started here)
> > > >
> > > > I thought there could be a way to change the default format of the mailNickName attribute the same way you could change the format of the displayname.
> > > >
> > > > What issues can arise by changing the mailNickname format?
> > > >
> > > > I mean, what is this attribute used for exactly?
> > > > I thought this was only used for POP3 and IMAP and maybe OWA and ADC.
> > > > And I didn't think changing it could affect anything.
> > > > Can you guys educate me, please?
> > > >
> > > > Thanks
> > > >
> > > > On 11/21/06, joe <[EMAIL PROTECTED]> wrote:
> > > > > Not that I am aware of.
> > > > >
> > > > > I am with Al on this, keep it as the sAMAccountName. This value while it isn't enforced to be unique really should be. Using sAMAccountName helps with that though it still allows duplicates in different domains.
> > > > >
> > > > > joe
> > > > >
> > > > > --
> > > > > O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
> > > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> > > > > Sent: Tuesday, November 21, 2006 5:19 AM
> > > > > To: activedirectory
> > > > > Subject: [ActiveDir] mailNickName(OT)
> > > > >
> > > > > Is there anyway to change the format of the mailNickName attribute to be something other than sAMAccountName automatically?
> > > > > Is there something like a "display specifiers" change that could change the format during the automatic generation of it to be "firstname.lastname" or can this only be scripted?
> > > > >
> > > > > Thanks
> > > > > List info   : http://www.activedir.org/List.aspx
> > > > > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > > > > List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
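The thread above argues that mailNickname should be unique across the organization and that sAMAccountName still allows duplicates in different domains. The following is an added example, not part of the thread and not joe's tool: a forest-wide duplicate report over an LDIF export. The function names, the `example.com` domains and all account values are constructed for illustration.

```python
import base64
from collections import defaultdict
# Constructed sample in the LDIF shape a directory export produces; all names are made up.
SAMPLE_LDIF = """\
dn: CN=100234,OU=Staff,DC=na,DC=corp,DC=example,DC=com
sAMAccountName: 100234
mailNickname: john.smith

dn: CN=200871,OU=Private Wealth Management,OU=Staff,DC=emea,DC=corp,DC=exa
 mple,DC=com
sAMAccountName: 200871
mailNickname: John.Smith

dn: CN=100977,OU=Staff,DC=na,DC=corp,DC=example,DC=com
sAMAccountName: 100977
mailNickname: amy.chen

dn: CN=100977,OU=Staff,DC=emea,DC=corp,DC=example,DC=com
sAMAccountName: 100977
mailNickname: carol.berg
"""

def parse_ldif(text):
    """Yield one {attr: [values]} dict per entry, unfolding wrapped lines."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry[attr.lower()].append(value.strip())
        if "dn" in entry:
            yield dict(entry)

def domain_of(dn):
    """DNS domain name from the DC= components of a DN."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:] for p in parts if p.upper().startswith("DC=")).lower()

def duplicate_values(entries, attr):
    """Values of attr held by more than one object, compared case-insensitively."""
    holders = defaultdict(list)
    for e in entries:
        who = (domain_of(e["dn"][0]), e.get("samaccountname", ["?"])[0])
        for value in e.get(attr.lower(), []):
            holders[value.casefold()].append(who)
    return {v: h for v, h in holders.items() if len(h) > 1}
```

Calling `duplicate_values(list(parse_ldif(SAMPLE_LDIF)), "mailNickname")` reports the `john.smith` collision between the two domains; passing `"sAMAccountName"` reports the cross-domain duplicate that per-domain uniqueness does not prevent.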