RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

[Joe]

Title: Message

Well for better or worse, what you explained is how I understood it myself. Though I admit to not knowing it really well, never wanted to know it all but damn MS to hell for inserting AD and Exchange into each other like they did...   (Hey I haven't ranted on here about E2K in at least a week....)   Oh one other thing is that some of that info gets stamped into the msExchADCGlobalNames attribute but in a DN format. I believe the AD side of that gets stamped by the E55->AD work and then the E55 side gets stamped by the opposite direction. Though the 5.5 directory side would have the location in the AD tree being stamped, not the 5.5 location.   For Exchange, I'm only an egg. I don't Grok it.      joe     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, October 16, 2003 4:23 PM To: '[EMAIL PROTECTED]' Cc: '[EMAIL PROTECTED]' Let me play this back to see if I have it straight:   One Domain = Empty Root Domain A = Child Domain Domain B = Child Domain   Domain A  = Exchange 2000 (really, this is Forest Wide, but we'll assume that you only consider it installed in this domain) Domain B = Exchange 5.5 installed   Is that right so far?   How many ADC's do you have?  I assume just the one from Exchange 2000 media rev'd to SP3 or later with the standard CA's plus the recipients and public folders.     When you create a user in domain A, it's (presumably) an Exchange 2000 mail-enabled user object.  Correct?  The ADC CA picks this up from Domain A where it originated as new, and replicates the data to the Exchange 5.5 directory.  At the point of creation and RUS processing, the mail-enabled user object has a legacyExchangeDN ending in \Recipients.  If you stopped the CA prior to creating the user-object, this would still be the case because Exchange 2000 has no concept of containers like Exchange 5.5 does. The legacyExchangeDN gets created assuming that the Recipients container is the only one.  Now turn the ADC CA back on to replicate.  The replication starts, picks up the new mail-enabled user object, realizes there is no corresponding object, checks its rules regarding this situation (advanced tab as I recall) and creates the 5.5 directory entry in the container that follows those rules.  Often, these rules will be set to follow legacyExchangeDN so you don't get a bazillion containers to mimic the OU structure in Active Directory.  Your's probably is set that way.  It doesn't end there.  Now on the next replication cycle, the ADC CA realizes that 5.5 has a new object and replicates it back to the Active Directory.  Anything that was changed on the 5.5 side is now replicated to Active Directory and the CA is now done with that object.   If you create the mailbox-enabled object in 5.5 first, the legacyExchangeDN is, by nature, whatever the relative path is for the object in the directory.  So if you have an object that is in a different container called "new" then your legacyExchangeDN would end in \new.  Right?  So when the ADC CA wakes up, it realizes it has a new 5.5 object, replicates it to the target OU in Active Directory and then replicates the information back to the 5.5 directory.  As far as 5.5 users are concerned, it is in the "correct container".    What you described is expected behavior.  What you seem to want to do is modify that behavior so that if you create a user in a particular OU in Active Directory, the ADC knows to put in a particular CN in 5.5. Unfortunately, you'll have to get somewhat complex with CA's (which I don't recommend), else change your process to accomodate (e.g. create the account on 5.5 in the container you want it in, and then move it to the appropriate 2000 server).  You could also educate your users on the finer points of GAL usage to get them to understand how to find a user, but that may not be an option (I am being totally serious about that even if email makes it sound sarcastic). You could also use address book views or even GAL views to mimic this behavior, but I think that's lipstick on a pig in this situation.   If I've misunderstood, please correct me as I'd hate to think I didn't understand this stuff.  ;-)   Al  -----Original Message----- From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED] Sent: Thursday, October 16, 2003 2:47 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN Al, test-bed scenario:  empty root w/1 dc/gc, child domain A w/1 dc/gc E2K ADC installed, child domain B w/1 dc/gc E55 ADC installed.  Created the new user in domain A and tests showed that the GAL in domain B was not showing the new user in the proper container.  Found the legacyExchangeDN to be mis-represented.  Created new user in domain B and it displayed correctly.   R/Bill   -----Original Message----- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, October 16, 2003 2:30 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN   When you created the mailbox, it was on a 5.5 server or a 2000 server?  -----Original Message----- From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED] Sent: Thursday, October 16, 2003 1:57 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN Nice reply Al - however I do not believe that the legacyExchangeDN of the first administrative group has anything to do with the legacyExchangeDN of a newly created user in AD.  Well, maybe I am missing something here.  I do not intend on "mucking about" with the attributes for anything other than the users that need correction.  Additionally, I question the fact about the ADC being the mechanism involved with the setting.  The reason I state that is because I created a new user in AD in the domain that handles the E55 server and then a mailbox for the user.  Guess what?  ADSI Edit shows the legacyExchangeDN attribute correctly for that user and that information was populated via the ADC.  Finally, I believe that there can be a delivery issue involved when the user legacyExchangeDN does not match up with what E55 "sees" in the DS attribute OBJ-DIST-NAME...   R/Bill   -----Original Message----- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, October 16, 2003 1:32 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN   http://support.microsoft.com/default.aspx?scid=kb;EN-US;q273863 is the description of how to do this.  However, I should caution you that mucking about with the legacyExchangeDN attribute is not a good idea.  Getting your users to live with it now is a better approach.  They will be living with it going forward since Exchange GAL in Exchange 200x doesn't care about containers.  You could also create ABV's to mimic this, but again, I don't recommend spending much time on the legacy system.   At some point, you're going to have to work with these users to make the change.  If they cannot make that change, there might be a reason to use the GAL views in Exchange 200x and it's best to know that early.    Finally, keep in mind that the ADC is the mechanism involved in this setting.  To move them between 5.5 containers is not as simple as changing the legacyExchangeDN since 5.x didn't understand or allow movement between containers; it requires the Microsoft shuffle (copy, delete, create) on the 5.5 side + replication times.  In other words, there's a lot of moving parts to make this scenario work.   Luck! :)   Al -----Original Message----- From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED] Sent: Thursday, October 16, 2003 12:16 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN Al,   The immediate thing that comes to mind is that in our mixed mode environment [that we will have to live with for a while yet...] is that in the E55 sites the GAL lists these folks as being in the Recipients container (ou) where they are really in a different departmental container (ou).  Believe it or not - we have users that insist on going to a container listing in the GAL and picking their send to addresses!  Short of that - I am sure there are other issues.  Lastly, if MS put the attribute into AD - I think the attribute should represent the user exactly and this is not the case.   R/Bill   -----Original Message----- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, October 16, 2003 10:59 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN   Plenty, but I have a question first.  Why are you wanting to change it?  What benefit is there if you change it? -----Original Message----- From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED] Sent: Thursday, October 16, 2003 10:01 AM To: ActiveDirList Subject: [ActiveDir] OT? - LEGACY EXCHANGE DN To All, When I create a user in AD the legacyExchangeDN attribute is always set to cn=Recipients no matter what ou the user was created under.  Using ADSI Edit to change the value to reflect the correct setting fails as the value is immediately changed back.  Does anyone have any thoughts on this??? R/Bill