Contents
Overview 1
Lesson 1: Changes to the ADC 2
Lab 7.1: Troubleshooting LDAP queries 12
Lesson 2: DSAccess Usage and troubleshooting 16
Lesson 3: Changes in DSAccess 28
Lab 7.2: Exomatic tool 37
Lesson 4: Other Directory Changes 38
Lab 7.3: Per-Attribute change troubleshooting 59
Lab 7.4: Post-Setup and SRS replication troubleshooting 59
Appendix A: Numeric registry keys used by DSAccess and their values 68
Appendix B: Answers to some of the Labs 69
Acknowledgments 70
Module 7: Exchange Directory Components
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
2003 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, Excel, Exchange Server
5.5, Exchange 2000 Server, Exchange Server 2003, Internet Explorer, Internet Information Server,
Word are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.
The names of actual companies and products mentioned herein (Groupwise, Lotus cc:Mail, Lotus
Notes) may be the trademarks of their respective owners.
Module7:ExchangeDirectoryComponents 1
Overview
For this module, we will discuss the new deployment features available with
Exchange Server 2003 and differentiate the deployment process from Exchange
2000.
Topic 1 Changes to the Active Directory Connector (ADC)
Topic 2 DSAccess Usage and Troubleshooting
Topic 3 DSAccess Changes
Topic 4 Other Directory Changes
Prerequisites
Experience with troubleshooting ADC and DSAccess.
Understanding of the ADCTools/Deployment Tools module
Lesson 1: Changes to the ADC
This topic discusses changes to the Active Directory connector that are not
covered in the Deployment and ADC Tools module.
ADC Setup includes the entire Exchange Server 2003 schema
In Exchange 2000, the ADC schema files were a subset of the Exchange 2000
core schema files. So although the ADC’s setup /schemaonly switch extended
the schema, customers were required to perform further schema extensions
using setup /forestprep. This meant longer lockdown periods for larger
customers whose custom applications were sensitive to schema extensions due
to the delayed nature of replications and resetting of indexed attributes. (You
may refer to KB article 230662 for more information on indexed attributes.)
In Exchange 2003, the schema files imported during the installation or upgrade
of an Active Directory Connector service are identical to the core Exchange
2003 schema; therefore, the schema is only updated once. So if the Exchange
2003 version of ADC setup detects the existence of the Exchange 2003 schema,
then no further schema updates will be applied. On the other hand, if ADC
setup detects a schema version below 6870, the Exchange 2003 schema updates
will be applied. ADC Setup detects the schema by examining the RangeUpper
attribute of this object in Active Directory:
cn=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=<DN-of-forest-root-domain>
If a domain controller does not show a value of 6870 for the RangeUpper
attribute, the schema extension has not completed. There are no more schema
updates beyond RangeUpper, since it is the last entry added to the schema9.ldf
file:
dn: CN=ms-Exch-Schema-Version-Pt,<SchemaContainerDN>
changetype: modify
replace: rangeUpper
rangeUpper: 6870
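The check ADC Setup performs can be repeated against every domain controller to confirm the extension has replicated everywhere. This is an added example, not code from the module; it uses the .NET System.DirectoryServices classes and assumes it is run from a domain-joined Windows host.

```powershell
# Added example, not from the module: read rangeUpper on ms-Exch-Schema-Version-Pt
# (the object ADC Setup inspects) from every domain controller in the forest.
Add-Type -AssemblyName System.DirectoryServices

$ExpectedRangeUpper = 6870   # Exchange 2003 value stated in the module

function Get-ExchangeSchemaVersion {
    param([string]$DomainController)
    # RootDSE supplies the schema naming context as this DC sees it
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$DomainController/RootDSE"
    $schemaNc = $rootDse.Properties["schemaNamingContext"].Value
    $path     = "LDAP://$DomainController/CN=ms-Exch-Schema-Version-Pt,$schemaNc"
    $entry    = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $path
    try {
        # [int]$null is 0, so a present object without rangeUpper reports 0 (below 6870)
        return [int]$entry.Properties["rangeUpper"].Value
    } catch {
        # Bind failed: the object has not replicated to this DC, or the DC is unreachable
        return $null
    }
}

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        $ver = Get-ExchangeSchemaVersion -DomainController $dc.Name
        if ($null -eq $ver) {
            "{0}: ms-Exch-Schema-Version-Pt not found (not replicated or DC unreachable)" -f $dc.Name
        } elseif ($ver -ge $ExpectedRangeUpper) {
            "{0}: rangeUpper={1} (Exchange 2003 schema present)" -f $dc.Name, $ver
        } else {
            "{0}: rangeUpper={1} (below {2}; schema extension not complete on this DC)" -f $dc.Name, $ver, $ExpectedRangeUpper
        }
    }
}
```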
Note: Although Exchange 2003’s ADC setup includes the entire schema, it is not
equivalent to a setup /forestprep. ADC Setup does not perform many of
forestprep’s actions, such as importing the Outlook templates and setting
access control lists (ACLs) on some Active Directory containers.
Additionally, forestprep cleans up some address templates and display
specifiers. (The removed display specifiers were Exchange 5.5 classes that were
never used nor shown in Active Directory.) Therefore, forestprep is still
required if ADC’s setup executable is run first, but customers who follow
change-control procedures within large environments will not need to plan for
additional administrative lockdowns while waiting for schema changes to
replicate, since the schema extensions will be skipped when forestprep is run
later.
Exchange 2003 ADC upgrades “versionNumber” on connection
agreements
When the ADC is upgraded to the Exchange 2003 version, the ADC setup
program will not only upgrade the ADC binaries; it will also modify the
“versionNumber” attribute on any connection agreements owned by that ADC
service.
(To determine which connection agreements are owned by an ADC service, use
the Active Directory Connector Services snap-in and highlight the ADC server,
shown as “Active Directory Connector (servername)” in the left-hand pane. Its
owned connection agreements are listed in the right-hand pane.)
When ADC setup upgrades connection agreements’ versionNumber attribute,
the values are set to 16973842. Older ADC management snap-ins (such as
Windows ADC and Exchange 2000 Service Pack 3 (SP3) ADC snap-in
versions) will not be able to administer these new Connection agreements
because they expect the older Major version (versionNumber = 16908296). If
an Exchange 2000 or Windows 2000 ADC manager snap-in is used to
administer an upgraded or new Exchange 2003 connection agreement, this
warning is displayed:
Figure 1.1: Version-incompatibility message when using the Exchange 2000
ADC snap-in to administer an Exchange 2003 connection agreement.
By the same token, whenever an Exchange 2003 ADC Services snap-in is used
to open the properties of an Exchange 2000 or Windows 2000 connection
agreement, the same popup warning as in Figure 1.1 will appear.
The reasons for increasing the major versions on Public Folder Connection
agreements and Recipient Connection agreements are so that:
Windows 2000 ADC services will not be able to run any newer Connection
agreements. (Any public folder Controller Agreement re-homed to the
Windows 2000 version of the ADC service caused corruption.)
The new connection agreements use Kerberos for authentication, which is
not understood by Exchange 2000 ADC services.
In summary, an Exchange 2000 ADC service cannot run a connection
agreement whose version is incompatible with its own. Conversely, an
Exchange 2003 service cannot run a connection agreement whose version
number is below 16973842.
Eventually, all ADC services must be upgraded prior to the installation of the
first Exchange 2003 server. Otherwise, Exchange 2003 setup may not proceed.
Customers must in-place upgrade all pre-Exchange 2003 ADC services prior to
installation, so that all legacy connection agreements are phased out.
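Before the first Exchange 2003 server is installed, the remaining legacy agreements can be inventoried by versionNumber. This is an added example, not code from the module; it assumes the agreements live under the “Active Directory Connections” container of the Exchange services tree and have objectClass msExchConnectionAgreement (neither is stated in the module), while the two version constants are the module’s own.

```powershell
# Added example, not from the module: list every connection agreement with its
# versionNumber and flag those an Exchange 2003 ADC service cannot run.
# Assumed (not in the module): container name and objectClass used in the search.
Add-Type -AssemblyName System.DirectoryServices

$Exchange2003Version = 16973842   # value ADC setup stamps on upgraded agreements
$Exchange2000Version = 16908296   # value older ADC snap-ins expect

$rootDse  = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://RootDSE"
$configNc = $rootDse.Properties["configurationNamingContext"].Value
$caPath   = "LDAP://CN=Active Directory Connections,CN=Microsoft Exchange,CN=Services,$configNc"
$caRoot   = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $caPath

$searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $caRoot
$searcher.Filter = "(objectClass=msExchConnectionAgreement)"
[void]$searcher.PropertiesToLoad.Add("cn")
[void]$searcher.PropertiesToLoad.Add("versionNumber")

$legacy = New-Object System.Collections.Generic.List[string]
foreach ($result in $searcher.FindAll()) {
    $name = [string]$result.Properties["cn"][0]
    $ver  = [int]$result.Properties["versionnumber"][0]
    if ($ver -eq $Exchange2003Version) {
        $state = "Exchange 2003"
    } elseif ($ver -eq $Exchange2000Version) {
        $state = "Exchange 2000 / Windows 2000 ADC (upgrade required)"
    } else {
        $state = "unrecognised version"
    }
    # An Exchange 2003 ADC service cannot run an agreement below 16973842
    if ($ver -lt $Exchange2003Version) { $legacy.Add($name) }
    "{0,-45} versionNumber={1,-10} {2}" -f $name, $ver, $state
}

if ($legacy.Count -gt 0) {
    "Upgrade the ADC service(s) owning these agreements before running Exchange 2003 setup:"
    $legacy | ForEach-Object { "  $_" }
}
```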
ADC randomizes user logon names (Integrated CleanSAM
functionality)
In the situation where an Exchange 5.5 object exists, but its primary Windows
account (assoc-NT-account) resides in a Windows NT 4 domain or in a separate
forest, a properly-configured connection agreement directs the ADC service to
perform object-creation. (By contrast, if the mailbox’s “Primary Windows NT
Account” pre-existed within the forest, the ADC performs “object matching”
and stamps pre-existing user accounts during the initial replication cycle.) In the
object-creation case, a disabled account is created by the ADC service. In the
past, the Exchange 2000 ADC services would generate the disabled security
principal (a.k.a. “samaccountname” or “Pre-Windows 2000 logon name”) that
matched the Exchange 5.5 object’s alias name. This caused problems for a
couple of reasons:
Customers often had the misunderstanding that ADC object creation was an
easy way to migrate Windows NT 4 accounts to Active Directory. Although
it was not proper, customers would simply enable these “placeholder”
accounts that were generated by the ADC, not knowing that this will cause
delegation problems, Public Folder ACL conversion problems, and other
permissions problems that may prevent logon or mailbox moves. (For more
information regarding problems caused by enabling placeholder accounts,
see Knowledge Base articles Q300346 and Q316047.)
ADC-generated objects conflict with the Active Directory Migration Tool’s
(ADMT) ability to migrate user logon names from their source domains.
(This situation only applies if ADMT is used after initial ADC replication,
and if aliasname=userlogonname of the source domain). So when ADMT
attempts to create user objects in the target domain, it encounters conflicts
with the ADC-generated accounts. ADMT was designed to resolve these
conflicts by appending “-1” to each samaccountname it generates – thus
satisfying the samaccountname uniqueness within a domain. Although
ADMT is a proper and supported migration method for user accounts, the
“-1” object causes an issue for customers because their users prefer not to
append a “-1” to their logon process. One may believe that ADClean may be
used to merge the two objects into a single account, thereby resolving this
issue. However, ADClean excludes transferring samaccountname when it
merges the disabled objects’ attributes to the ADMT-generated account. In
the end, users are still stuck with different user logon names (i.e. User was
accustomed to logging onto source domain as “johnsmith,” but must now
logon as “johnsmith-1”).
In Exchange 2003, by randomizing samaccountnames (a.k.a. Pre-Windows
2000 logon name) whenever the ADC generates a placeholder object, both
previous problem scenarios are resolved. A typical user logon name for an
ADC-generated account would be “ADC_BDZQOKNUIZDWPPHG” where
the characters following the underscore are always randomized. Since this
random username is difficult to use at any logon prompt, it deters
administrators from improperly enabling the placeholder accounts generated by
the ADC. Secondly, the prepared random name will not cause naming conflicts
when the future ADMT migrations try to create new users in the Exchange
2003 forest.
Although the Exchange 2003 ADC corrects this issue upon object
creation, any existing objects that were created before the ADC was upgraded
may still need their account names renamed. Cleansam.vbs, a script used by
Microsoft Product Support Services to correct the above issues for Exchange
2000 topologies, may be used against accounts residing in Exchange 2003
environments that were upgraded from Exchange 2000. The script may be
obtained from a Microsoft Product Support Services Professional. CleanSAM
also resolved the behavior where in some instances, ADMT would “match”
with the disabled accounts and subsequently merge on top of them, thereby
enabling the accounts but failing to clear the msExchMasterAccountSID
attribute.
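The two conditions this lesson describes, a placeholder account that someone enabled while it still carries msExchMasterAccountSID, and a disabled placeholder still named after the Exchange 5.5 alias, can be audited from Active Directory. This is an added example, not code from the module; the LDAP filter and the use of the userAccountControl disable bit are my assumptions, while samAccountName, the ADC_ prefix and msExchMasterAccountSID come from the text.

```powershell
# Added example, not from the module: audit ADC-generated placeholder accounts.
# Assumed: the LDAP filter below and userAccountControl bit 0x2 for "disabled".
Add-Type -AssemblyName System.DirectoryServices

$ADS_UF_ACCOUNTDISABLE = 0x2   # userAccountControl flag for a disabled account

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry   # default naming context
$searcher.PageSize = 1000
# Users that carry the ADC name prefix or a master-account SID (i.e. were ADC-generated)
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(|(sAMAccountName=ADC_*)(msExchMasterAccountSID=*)))"
foreach ($attr in "sAMAccountName", "userAccountControl", "msExchMasterAccountSID") {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$report = foreach ($r in $searcher.FindAll()) {
    $sam          = [string]$r.Properties["samaccountname"][0]
    $uac          = [int]$r.Properties["useraccountcontrol"][0]
    $disabled     = ($uac -band $ADS_UF_ACCOUNTDISABLE) -ne 0
    $hasMasterSid = $r.Properties["msexchmasteraccountsid"].Count -gt 0
    $randomName   = $sam -match '^ADC_'   # module's example: ADC_BDZQOKNUIZDWPPHG

    if (-not $disabled -and $hasMasterSid) {
        # Placeholder that was enabled: source of the delegation/ACL problems described above
        $flag = "ENABLED PLACEHOLDER - review"
    } elseif ($disabled -and $hasMasterSid -and -not $randomName) {
        # Created by a pre-2003 ADC with the 5.5 alias as logon name; CleanSAM rename candidate
        $flag = "legacy alias name - CleanSAM candidate"
    } else {
        $flag = ""
    }
    [pscustomobject]@{
        SamAccountName = $sam
        Disabled       = $disabled
        HasMasterSid   = $hasMasterSid
        RandomizedName = $randomName
        Flag           = $flag
    }
}
$report | Sort-Object Flag -Descending | Format-Table -AutoSize
```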