Dave, I don't know your exact circumstances or plans, but this was our ADC plan. We generally had flat Recipients' containers in Exchange
Moved all users with mailboxes to an OU (not Users as we've reserved that for built in accounts and service accounts). Create a CA on a 'Never Run' schedule that linked Recipients to the AD OU. Manually ran that CA to match up the accounts and mailboxes Moved accounts to their proper Ous Created a CA per OU, that was primary for the Exchange organisation, but not for Windows, ie could create objects in Exchange but not in AD This allows to have different OU structures on AD and Exchange - essential as we're consolidating several previously autonomous Exchange sites and NT4 domains onto a single domain AD/Exchange 2000, but means that Exchange admin can be a bit peculiar... We create accounts with enough data to allow ADC to create the 5.5 mailbox in AD, mailboxes created in Exchange will not be replicated to AD in that setup. If you want a bit more detail let me know.... dave -----Original Message----- From: Dave Kinnamon [mailto:[EMAIL PROTECTED]] Sent: 19 November 2002 14:24 To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] ADC and Exch 5.5 Yikes! OK, now that everyone has eaten me up ... let me say this. All I want is do things "correctly" and by that I mean I want to follow best practices, have good performance, and not kluge things up. So, ... why doesn't someone just point me towards some of the links/white papers/whatever that I obviuosly missed. ---------------------- All I'm trying to achieve is a structure that will allow me to more easily implement GPs and allows me to delegate control of groups of users and/or computers to people other than administrators. I have a dozen articles from Microsoft on my desk telling me that I should use OUs for this. So with that in mind, I set about making it happen. What I didn't catch was that filtering using DACLs is a better approach - and I'm sure sure that's what everybody is driving at. Right? I'm sure someone will tell me if I'm wrong again ... Just let me know what your thinking so I can get this right. As you all know, OU/GPOs are extremely important !!! A Cisco engineer trying to make it in a Microsoft world, Dave -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, November 19, 2002 7:46 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] ADC and Exch 5.5 Domain Level Policies regulate containers, but you can't apply a GPO directly to a container. -----Original Message----- From: Andries Thijssen [mailto:[EMAIL PROTECTED]] Sent: Tuesday, November 19, 2002 8:31 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] ADC and Exch 5.5 One I can think of: by default you cannot put any group policies on a container. Don't know whether that can be changed as well. Andries -----Original Message----- From: Andy Grafton [mailto:[EMAIL PROTECTED]] Sent: Tuesday, November 19, 2002 1:49 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] ADC and Exch 5.5 Rick the question is also... why wouldn't you? If you step back and look... There's a nice object called Users which you kinda need and has Users in it anyhow. Why not use it to house OUs to help you organise other users? Its not enabled by default, so would one go to the trouble of making a [very simple] Schema change to make it happen, rather than just making a different OU? Who knows? There's no accounting for mindset, and perhaps the schema change was done by someone else before this administrator took over, so they're not aware that it "can't" be done? I've had to point out more than once to budding "admins" that a) the Users don't *have* to be in the Users container and b) that the users they can't find actually reside somewhere down the tree in \\department\nightmareAdminsFromHell\users. Its not a chore to get them to understand, but the point is that they needed to be told. Seems that placement is a matter of opinion, so my question would be... Are there any technical reasons why you shouldn't create OUs under the Users container? All the best, Andy (Just made some pretty "dumb" workarounds in AD for a customer, but if thats how they want it...) ----- Original Message ----- From: "Rick Kingslan" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, November 19, 2002 4:11 AM Subject: RE: [ActiveDir] ADC and Exch 5.5 > Yep - sure did, Karen. And, as Linton points out, you *CAN* do it.... > Question is, as we all seem to agree, why *WOULD* you? :-) > > Rick > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED]] On Behalf Of Dryden, > > Karen > > Sent: Monday, November 18, 2002 9:07 PM > > To: '[EMAIL PROTECTED]' > > Subject: RE: [ActiveDir] ADC and Exch 5.5 > > > > > > Sorry, I wasn't really thinking about the OU in particular since we > > wouldn't want to create OUs under the User container either, but his > > note did say: > > > > ---- All W2K user accounts are placed in multiple OUs that > > > > reside in > > > > > the Users container > > > > -----Original Message----- > > From: Rick Kingslan [mailto:[EMAIL PROTECTED]] > > Sent: Monday, November 18, 2002 9:04 PM > > To: [EMAIL PROTECTED] > > Subject: RE: [ActiveDir] ADC and Exch 5.5 > > > > > > Linton, > > > > Yep - I've seen this. However - For the record - I'm with you. Why, > > truly, would you want to? > > > > Thanks much! > > > > Rick Kingslan MCSE, MCSA, MCT > > Microsoft MVP - Active Directory > > Associate Expert > > Expert Zone - www.microsoft.com/windowsxp/expertzone > > > > > > > > > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] > > > [mailto:[EMAIL PROTECTED]] On Behalf Of Linton > > > Smith (WBTQ) > > > Sent: Monday, November 18, 2002 7:56 PM > > > To: '[EMAIL PROTECTED]' > > > Subject: RE: [ActiveDir] ADC and Exch 5.5 > > > > > > > > > Hi Rick, > > > > > > A schema update allows this. See Q224377. Not sure why > > I'd bother, > > > however. > > > > > > Linton > > > > > > -----Original Message----- > > > From: Rick Kingslan [mailto:[EMAIL PROTECTED]] > > > Sent: Monday, November 18, 2002 8:49 PM > > > To: [EMAIL PROTECTED] > > > Subject: RE: [ActiveDir] ADC and Exch 5.5 > > > > > > > > > Nope - that's not the point. The Users Container is just that - a > > > container. It's not an AD Object, per se. You cannot create OUs > > > under it. > > > > > > If I'm mistaken, please tell me how. I'm able to err - and > > quick to > > > admit it. > > > > > > Rick Kingslan MCSE, MCSA, MCT > > > Microsoft MVP - Active Directory > > > Associate Expert > > > Expert Zone - www.microsoft.com/windowsxp/expertzone > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > From: [EMAIL PROTECTED] > > > > [mailto:[EMAIL PROTECTED]] On Behalf Of > > > Dryden, Karen > > > > Sent: Monday, November 18, 2002 7:44 PM > > > > To: '[EMAIL PROTECTED]' > > > > Subject: RE: [ActiveDir] ADC and Exch 5.5 > > > > > > > > > > > > If your sub-OUs already reside under the users container > > and ALL of > > > > your mailboxes (or user objects) are in those OUs, the CA > > will match > > > > them up, not create new OUs. At least that's the way it > > works here. > > > > > > > > -----Original Message----- > > > > From: Rick Kingslan [mailto:[EMAIL PROTECTED]] > > > > Sent: Monday, November 18, 2002 7:40 PM > > > > To: [EMAIL PROTECTED] > > > > Subject: RE: [ActiveDir] ADC and Exch 5.5 > > > > > > > > > > > > Dave, Justin - > > > > > > > > Hold the show here for just a second..... Let me see if I > > > > understand what you're stating here. You're going to CREATE OUs > > > > *under* the USERS Container? > > > > > > > > Or, if the CA is created in one scenario, OUs will be created > > > > *under* the USERS container? > > > > > > > > Really? > > > > > > > > I'd re-think this...... > > > > > > > > Rick Kingslan MCSE, MCSA, MCT > > > > Microsoft MVP - Active Directory > > > > Associate Expert > > > > Expert Zone - www.microsoft.com/windowsxp/expertzone > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: [EMAIL PROTECTED] > > > > > [mailto:[EMAIL PROTECTED]] On Behalf Of > > > Salandra, > > > > > Justin A. > > > > > Sent: Monday, November 18, 2002 10:48 AM > > > > > To: '[EMAIL PROTECTED]' > > > > > Subject: RE: [ActiveDir] ADC and Exch 5.5 > > > > > > > > > > > > > > > You need to create a CA that includes all sub Ous otherwise > > > > you will > > > > > get a replicate of your sub ous in your user containers > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: Dave Kinnamon [mailto:[EMAIL PROTECTED]] > > > > > Sent: Monday, November 18, 2002 11:39 AM > > > > > To: '[EMAIL PROTECTED]' > > > > > Subject: [ActiveDir] ADC and Exch 5.5 > > > > > > > > > > Given the following: > > > > > > > > > > ---- All W2K user accounts are placed in multiple OUs that > > > > reside in > > > > > the Users container > > > > > > > > > > Will and ADC agreement that points at the 'Users' container > > > > locate the > > > > > W2K user accounts in the sub-OUs? > > > > > > > > > > -OR- > > > > > > > > > > Do I need to leave all acounts in the Users container, > > > > configure ADC > > > > > and add the mailbox info, and then move user accounts to > > > > their proper > > > > > OU? > > > > > > > > > > > > > > > Dave Kinnamon > > > > > Network Administrator > > > > > ETC International > > > > > > > > > > p. 608-662-2314 > > > > > m. 608-209-0609 > > > > > f. 608-662-8514 > > > > > > > > > > List info : http://www.activedir.org/mail_list.htm > > > > > List FAQ : http://www.activedir.org/list_faq.htm > > > > > List archive: > > > > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > > > > > > > List info : > > > > > http://www.activedir.org/mail_list.htm > > > > > List FAQ : http://www.activedir.org/list_faq.htm > > > > > List archive: > > > > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > > > > > > > > > > > > > > List info : http://www.activedir.org/mail_list.htm > > > > List FAQ : http://www.activedir.org/list_faq.htm > > > > List archive: > > > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > > > > > List info : > > > > http://www.activedir.org/mail_list.htm > > > > List FAQ : http://www.activedir.org/list_faq.htm > > > > List archive: > > > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > > > > > > > > > > List info : http://www.activedir.org/mail_list.htm > > > List FAQ : http://www.activedir.org/list_faq.htm > > > List archive: > > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > > > List info : > > > http://www.activedir.org/mail_list.htm > > > List FAQ : http://www.activedir.org/list_faq.htm > > > List archive: > > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > > > > > > List info : http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > List info : > > http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ----------------------------------------------------------------- ATTENTION: No legal consequences can be derived from the content of this e-mail and/or its attachments. Neither is sender committed to these. The content of this e-mail is exclusively intended for addressee(s) and information purposes. Should you receive this message by mistake, you are hereby notified that any disclosure, reproduction, distribution or use of this message is strictly prohibited. Sender accepts no liability for any damage resulting from the use and/or acceptation of the content of this e-mail. Always scan attachments for viruses before opening them. ----------------------------------------------------------------- List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
