That is correct. But I believe there have been some fixes released for this issue, and it is no longer an issue. I could be wrong. I'd like to disagree with Todd's "proper" way, though. The more I do it, the more I'm convinced that the upgrade/move/retire approach works best for me - unless there is an absolute necessity to change the org name. I upgrade the old Exchange, install additional (more robust) servers, move mailboxes, PFs, connectors, etc., to the new servers, then decommission the old server.

Sincerely,
Dèjí Akómoláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of Joe
Sent: Tue 10/21/2003 6:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

This is going way off into OT Exchange Land, but isn't there an issue when people try to respond to an email that they got sent when they were on the old system when they get moved to a new Org or maybe Site? Something where the X.400 address tied to the email won't allow a direct response and you have to readdress everything? It seems that is what MCS brought up when I was asking why in the world we went down the path we did for our large migration.

joe

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Tuesday, October 21, 2003 6:53 AM
To: '[EMAIL PROTECTED]'

The more I use ADC, the more I am convinced that the proper way to do Exchange migrations is to build a brand new AD and Exchange 2x Org and move people into it and sync to the Exchange 5.5 org. Aelita's Exchange Migration tool is pretty slick; it syncs the Free/Busy and PFs and allows for a controlled cutover from an Exchange 5.5 org to a pure Exchange 200x org.

Also here is a little warning for all you ADC users out there. If you install Exchange 2003 schema extensions into an AD that has Exchange 2000 ADCs, you will need to use the new Exchange 2003 ADC tools to un-ADC accounts. Interesting quirk we found out.

My personal recommendation... down with the ADC in medium to large Exchange environments! NEW ORG Rules!

Todd Myrick
http://www.toddm.org/adog
Become ADOG now!

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Monday, October 20, 2003 9:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

No worries on the delay; glad you got it worked out.
"If only MS allowed the AD to "pickup" on the value of the container that a user resides in ..."

I need to point out that they did do this. You can override this, but they do pick up on the container as expected. What they can't do is allow you to do unnatural things to the 5.5 directory. That's the limiting factor here, not the ADC, Exchange, or Active Directory. When you bridge a gap, one side of the bridge has got to adhere to the standards of that side, right?

Don't overcomplicate the ADC and what it can do for you. Think of it in as simple terms as you can and with as few moving parts as possible and it will start to make sense. Most people who make mistakes with the ADC do so because they overcomplicate how it works and what it's there for. Trust me on that one ;-)

As for the Exchange piece, Joe, I'd like to point out that the brass ring of email architecture is to have a centralized directory where you only enter information about a user one time. Whether or not you use a meta-directory or just a single directory depends on the requirements. But to enter information about the same user over and over is an inefficient waste of time. Hence, Active Directory became the directory for Exchange vs. the NT 4.0/Exchange 5.5 model where we create separate authentication and whitepages directories. I for one prefer the centralized directory even with its complexities and "gee whiz, we could have done that better". I also understand the frustrations though.

(FYI Joe, the msExchADCGlobalNames attribute contains a multivalued value such as NT5:0193431244BD0944982EADAD00FF753A00000000343266700910C30 or EX5:cn=XXXXXey,cn=Recipients,ou=SIGE,o=SiGe Microsystems:organizationalperson$person$top01000000ECDD29915016C301 vs. just a DN. For a more precise description, see http://support.microsoft.com/default.aspx?scid=kb;en-us;316280.)
Al

-----Original Message-----
From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 17, 2003 6:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

Al, sorry about the delay in responding - minor incident here at the house! FIRE!!! All resolved and back up and running.

Thank you for the very good tutorial and I must agree w/Joe that MS has snookered us in their handling of this product. Having said that, I have a pretty good understanding of the workings. Obviously I need to bump up the schedule of the E2K migration effort - although I do not control the funding - just make recommendations.

I did find one problem with my methodology. In using ADSI Edit to change the user attribute, I was just copying and pasting - then editing. That does not work - looks like it does, but goes right back after you exit. Tried hitting the Clear button - that cleared the attribute and copied it to the edit line. I then edited the attribute, hit Set and Apply, and exited. Worked fine. Went back after a couple of reps and it was staying as put. Deleted the user - forced a replication, saw that it was gone from the domain B GAL. Turned off the ADC service, created a new user w/mailbox, edited the attribute to show the proper container (ou), turned on the ADC service, and the user shows up in the correct container of the domain B GAL.

If only MS allowed the AD to "pickup" on the value of the container that a user resides in ...

Again, thanks for your assistance!

R/Bill

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 7:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

Well for better or worse, what you explained is how I understood it myself. Though I admit to not knowing it really well, never wanted to know it all but damn MS to hell for inserting AD and Exchange into each other like they did... (Hey I haven't ranted on here about E2K in at least a week....)
Oh one other thing is that some of that info gets stamped into the msExchADCGlobalNames attribute but in a DN format. I believe the AD side of that gets stamped by the E55->AD work and then the E55 side gets stamped by the opposite direction. Though the 5.5 directory side would have the location in the AD tree being stamped, not the 5.5 location.

For Exchange, I'm only an egg. I don't Grok it.

joe

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, October 16, 2003 4:23 PM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'

Let me play this back to see if I have it straight:

One Domain = Empty Root
Domain A = Child Domain
Domain B = Child Domain
Domain A = Exchange 2000 (really, this is Forest Wide, but we'll assume that you only consider it installed in this domain)
Domain B = Exchange 5.5 installed

Is that right so far? How many ADCs do you have? I assume just the one from Exchange 2000 media rev'd to SP3 or later with the standard CAs plus the recipients and public folders.

When you create a user in domain A, it's (presumably) an Exchange 2000 mail-enabled user object. Correct? The ADC CA picks this up from Domain A where it originated as new, and replicates the data to the Exchange 5.5 directory. At the point of creation and RUS processing, the mail-enabled user object has a legacyExchangeDN ending in \Recipients. If you stopped the CA prior to creating the user object, this would still be the case because Exchange 2000 has no concept of containers like Exchange 5.5 does. The legacyExchangeDN gets created assuming that the Recipients container is the only one.

Now turn the ADC CA back on to replicate. The replication starts, picks up the new mail-enabled user object, realizes there is no corresponding object, checks its rules regarding this situation (advanced tab as I recall) and creates the 5.5 directory entry in the container that follows those rules.
Often, these rules will be set to follow legacyExchangeDN so you don't get a bazillion containers to mimic the OU structure in Active Directory. Yours probably is set that way. It doesn't end there. Now on the next replication cycle, the ADC CA realizes that 5.5 has a new object and replicates it back to the Active Directory. Anything that was changed on the 5.5 side is now replicated to Active Directory and the CA is now done with that object.

If you create the mailbox-enabled object in 5.5 first, the legacyExchangeDN is, by nature, whatever the relative path is for the object in the directory. So if you have an object that is in a different container called "new" then your legacyExchangeDN would end in \new. Right? So when the ADC CA wakes up, it realizes it has a new 5.5 object, replicates it to the target OU in Active Directory and then replicates the information back to the 5.5 directory. As far as 5.5 users are concerned, it is in the "correct container".

What you described is expected behavior. What you seem to want to do is modify that behavior so that if you create a user in a particular OU in Active Directory, the ADC knows to put it in a particular CN in 5.5. Unfortunately, you'll have to get somewhat complex with CAs (which I don't recommend), else change your process to accommodate (e.g. create the account on 5.5 in the container you want it in, and then move it to the appropriate 2000 server). You could also educate your users on the finer points of GAL usage to get them to understand how to find a user, but that may not be an option (I am being totally serious about that even if email makes it sound sarcastic). You could also use address book views or even GAL views to mimic this behavior, but I think that's lipstick on a pig in this situation.

If I've misunderstood, please correct me as I'd hate to think I didn't understand this stuff.
;-)

Al

-----Original Message-----
From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 2:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

Al, test-bed scenario: empty root w/1 DC/GC, child domain A w/1 DC/GC E2K ADC installed, child domain B w/1 DC/GC E55 ADC installed. Created the new user in domain A and tests showed that the GAL in domain B was not showing the new user in the proper container. Found the legacyExchangeDN to be misrepresented. Created a new user in domain B and it displayed correctly.

R/Bill

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 2:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

When you created the mailbox, was it on a 5.5 server or a 2000 server?

-----Original Message-----
From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 1:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

Nice reply Al - however I do not believe that the legacyExchangeDN of the first administrative group has anything to do with the legacyExchangeDN of a newly created user in AD. Well, maybe I am missing something here. I do not intend on "mucking about" with the attributes for anything other than the users that need correction.

Additionally, I question the fact about the ADC being the mechanism involved with the setting. The reason I state that is because I created a new user in AD in the domain that handles the E55 server and then a mailbox for the user. Guess what? ADSI Edit shows the legacyExchangeDN attribute correctly for that user and that information was populated via the ADC.

Finally, I believe that there can be a delivery issue involved when the user legacyExchangeDN does not match up with what E55 "sees" in the DS attribute OBJ-DIST-NAME...
R/Bill

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 1:32 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q273863 is the description of how to do this. However, I should caution you that mucking about with the legacyExchangeDN attribute is not a good idea. Getting your users to live with it now is a better approach. They will be living with it going forward since the Exchange GAL in Exchange 200x doesn't care about containers. You could also create ABVs to mimic this, but again, I don't recommend spending much time on the legacy system. At some point, you're going to have to work with these users to make the change. If they cannot make that change, there might be a reason to use the GAL views in Exchange 200x and it's best to know that early.

Finally, keep in mind that the ADC is the mechanism involved in this setting. To move them between 5.5 containers is not as simple as changing the legacyExchangeDN since 5.x didn't understand or allow movement between containers; it requires the Microsoft shuffle (copy, delete, create) on the 5.5 side + replication times. In other words, there are a lot of moving parts to make this scenario work.

Luck! :)

Al

-----Original Message-----
From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 12:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

Al, the immediate thing that comes to mind is that in our mixed mode environment [that we will have to live with for a while yet...], in the E55 sites the GAL lists these folks as being in the Recipients container (ou) where they are really in a different departmental container (ou). Believe it or not - we have users that insist on going to a container listing in the GAL and picking their send-to addresses!
Short of that - I am sure there are other issues. Lastly, if MS put the attribute into AD - I think the attribute should represent the user exactly and this is not the case.

R/Bill

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 10:59 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

Plenty, but I have a question first. Why are you wanting to change it? What benefit is there if you change it?

-----Original Message-----
From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 10:01 AM
To: ActiveDirList
Subject: [ActiveDir] OT? - LEGACY EXCHANGE DN

To All,

When I create a user in AD the legacyExchangeDN attribute is always set to cn=Recipients no matter what OU the user was created under. Using ADSI Edit to change the value to reflect the correct setting fails as the value is immediately changed back. Does anyone have any thoughts on this???

R/Bill
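Al's walk-through of how the ADC stamps legacyExchangeDN, and his note on the NT5:/EX5: values in msExchADCGlobalNames, can be turned into a consistency check over exported user objects. The script below is an added example, not code from the list thread or from Microsoft. It assumes the legacyExchangeDN form /o=Org/ou=Site/cn=Container/cn=Alias, that the EX5: value is the LDAP-form DN of the same 5.5 entry followed by a colon and class data (as in Al's sample), and that the DNs contain no escaped commas; the user records are constructed for the example.

```python
"""Check legacyExchangeDN against the EX5 entry of msExchADCGlobalNames.

Added example for the ADC thread; not code from the list or from Microsoft.
Assumptions: legacyExchangeDN is '/o=Org/ou=Site/cn=Container/cn=Alias';
the EX5: value is 'EX5:<ldap dn>:<classes+suffix>'; DNs have no escaped
commas. The records in SAMPLE_USERS are constructed, not real directory data.
"""
import re
from typing import Dict, List, Optional

LEGACY_RDN = re.compile(r"^(o|ou|cn)=(.+)$", re.IGNORECASE)


def split_ldap_dn(dn: str) -> List[str]:
    """Split an LDAP DN into RDNs (assumes no escaped commas)."""
    return [rdn.strip() for rdn in dn.split(",") if rdn.strip()]


def ldap_dn_to_legacy(dn: str) -> str:
    """Rewrite 'cn=x,cn=Recipients,ou=Site,o=Org' as the X.500-style form
    stored in legacyExchangeDN: '/o=Org/ou=Site/cn=Recipients/cn=x'."""
    return "/" + "/".join(reversed(split_ldap_dn(dn)))


def parse_global_names(values: List[str]) -> Dict[str, str]:
    """Return {'NT5': <guid string>, 'EX5': <5.5 LDAP DN>} from the
    multivalued msExchADCGlobalNames attribute. The 5.5 DN contains no ':'
    in the thread's sample, so the first two colons delimit it."""
    out: Dict[str, str] = {}
    for v in values:
        if v.startswith("NT5:"):
            out["NT5"] = v[4:]
        elif v.startswith("EX5:"):
            parts = v.split(":", 2)
            if len(parts) >= 2:
                out["EX5"] = parts[1]
    return out


def legacy_container(legacy_dn: str) -> Optional[str]:
    """The 5.5 container named by a legacyExchangeDN (second-to-last RDN)."""
    parts = [p for p in legacy_dn.split("/") if p]
    if len(parts) < 2:
        return None
    m = LEGACY_RDN.match(parts[-2])
    return m.group(2) if m else None


def ad_parent_ou(dn: str) -> Optional[str]:
    """Name of the first OU above the object in its AD distinguishedName."""
    for rdn in split_ldap_dn(dn)[1:]:
        if rdn.lower().startswith("ou="):
            return rdn[3:]
    return None


def audit_user(user: Dict) -> List[str]:
    """Findings for one exported user object."""
    findings: List[str] = []
    legacy = user.get("legacyExchangeDN", "")
    names = parse_global_names(user.get("msExchADCGlobalNames", []))
    ex5 = names.get("EX5")
    if ex5 is None:
        findings.append("no EX5 value: object not yet matched to a 5.5 directory entry")
    elif ldap_dn_to_legacy(ex5).lower() != legacy.lower():
        # What a hand edit of legacyExchangeDN looks like: AD and the 5.5
        # directory now disagree about where the recipient lives.
        findings.append(f"legacyExchangeDN {legacy!r} does not match EX5 entry {ex5!r}")
    container = legacy_container(legacy)
    ou = ad_parent_ou(user.get("distinguishedName", ""))
    if container and ou and container.lower() == "recipients" and ou.lower() != "recipients":
        # Expected ADC behaviour for a user created on the 2000 side, and
        # exactly the GAL complaint in the thread.
        findings.append(f"5.5 GAL shows this user under Recipients; AD OU is {ou!r}")
    return findings


def audit(users: List[Dict]) -> Dict[str, List[str]]:
    return {u["sAMAccountName"]: audit_user(u) for u in users}


# Constructed sample records (not real directory data).
SAMPLE_USERS = [
    {   # created in the Exchange 2000 domain: stamped into Recipients
        "sAMAccountName": "bbrown",
        "distinguishedName": "CN=Bill Brown,OU=Contractors,DC=a,DC=example,DC=com",
        "legacyExchangeDN": "/o=SiGe Microsystems/ou=SIGE/cn=Recipients/cn=bbrown",
        "msExchADCGlobalNames": [
            "NT5:0193431244BD0944982EADAD00FF753A00000000343266700910C30",
            "EX5:cn=bbrown,cn=Recipients,ou=SIGE,o=SiGe Microsystems:organizationalperson$person$top01000000ECDD29915016C301",
        ],
    },
    {   # created on 5.5 in container 'new' first, then replicated to AD
        "sAMAccountName": "jsmith",
        "distinguishedName": "CN=Jane Smith,OU=Engineering,DC=b,DC=example,DC=com",
        "legacyExchangeDN": "/o=SiGe Microsystems/ou=SIGE/cn=new/cn=jsmith",
        "msExchADCGlobalNames": [
            "NT5:1193431244BD0944982EADAD00FF753A00000000343266700910C31",
            "EX5:cn=jsmith,cn=new,ou=SIGE,o=SiGe Microsystems:organizationalperson$person$top01000000ECDD29915016C302",
        ],
    },
    {   # legacyExchangeDN edited by hand in ADSI Edit; 5.5 entry unchanged
        "sAMAccountName": "edited",
        "distinguishedName": "CN=Ed Ited,OU=Contractors,DC=a,DC=example,DC=com",
        "legacyExchangeDN": "/o=SiGe Microsystems/ou=SIGE/cn=Contractors/cn=edited",
        "msExchADCGlobalNames": [
            "NT5:2193431244BD0944982EADAD00FF753A00000000343266700910C32",
            "EX5:cn=edited,cn=Recipients,ou=SIGE,o=SiGe Microsystems:organizationalperson$person$top01000000ECDD29915016C303",
        ],
    },
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_USERS).items():
        print(name, "->", findings or ["ok"])
```

Records exported with ldifde or read through ADSI can be fed in the same shape. The "does not match EX5 entry" line is what a hand-edited legacyExchangeDN looks like from the AD side, and the "Recipients; AD OU is ..." line is informational: it marks the users whose GAL placement in the 5.5 sites will not follow their AD OU.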
