Nope it doesn't do another mod. 

Your question about why it needs those perms is a good one. I made the same
gripes to MS about the requirements for the ADC install process.
Unfortunately it doesn't try to make the changes it needs to make, it just
looks at the groups it is in and if it isn't god it assumes it can't make
the changes in the config container it needs to make. I figure if enough
people chew out the Exchange Dev guys eventually they will get the picture. 

  joe

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Sunday, August 01, 2004 2:53 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD replication from 5.5 using ADC 

Dear all, thanks for the post replies on this one.

am still a little nervous about this !!!

on a different (but still related to ADC) tack, is anyone able to confirm
whether the ADC modifies the schema a second time if the schema has already
been modified using the setup /forestprep?

i suspect that it does not but then why does the process of ADC installation
require such a highly privileged account as one belonging to enterprise ??

GT


----- Original Message -----
From: "joe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, August 01, 2004 6:01 PM
Subject: RE: [ActiveDir] AD replication from 5.5 using ADC


> A small correction... That KB article is actually 269843. Not sure why I
> remembered that one off hand except that I was deathly afraid when we kicked
> in the ADC that this would happen and our DNs would change for all of our
> exchange enabled users which would have been a HUGE disaster for us. While
> it isn't the best practice, you can't stop it in a large company, many
> people working on LDAP apps would hard code specific DNs or do searches on
> the cn or name and this would have wiped out every one of those apps.
>
> The actual link to the KB is
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;269843
>
>
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Friday, July 30, 2004 1:55 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD replication from 5.5 using ADC
>
> The process for modifying the CAs is the same for E2k3.  In our 5.5 to 2K3
> migration we had a bunch of undesirable special characters and group
> identifiers in the 5.5 display that the ADC would replicate to the AD cn and
> name fields.  Following MSKB 269834 stopped the 5.5 display name from
> overwriting cn and name, and replicated the 5.5 displayname only to the AD
> displayname.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> Sent: Friday, July 30, 2004 11:41 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] AD replication from 5.5 using ADC
>
> Al, the document i reference is titled "Understanding and Deploying Exchange
> 2000 Active Directory Connector" - sourced from the given URL
>
> I am aware that this is for Ex2k ADC - but can find no similar document for
> Ex2k3 ! so i have taken assumption this is not too far off !??
>
> you are perhaps right on "my expectation" - my initial view has been to
> replicate data only from the 5.5 where it is required  - by implication the
> AD is the authoritative data source
>
> this is the rationale behind my endeavour to understand how to manage, prior
> to what will likely be a big hit, the data that is brought into the
> directory from 5.5
>
> GT
>
>
>
> ----- Original Message -----
> From: "Mulnick, Al" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, July 30, 2004 4:09 PM
> Subject: RE: [ActiveDir] AD replication from 5.5 using ADC
>
>
> > Graham, it sounds like you have different expectations of what the ADC does
> > for you. In the scenario you speak of, ADC is considering 5.5 to be
> > authoritative for several fields. If you have multiple sites (5.5 or Active
> > Directory) I suggest you get this worked out in some way to maintain
> > consistency both before as well as after you join the directories.
> >
> > On that note, since this is a directory join question, I think it's on topic
> > for this forum.
> >
> > If this is not something you want to have happen, you can modify the
> > behavior for several of the attributes but I was under the impression
> > that modifying the flags you mention is not the way it's done in 2003.
> > Just can't remember where I saw that at the moment. :)  I'll look if
> > it's applicable to your situation, but it's likely one of the docs on
> > http://www.microsoft.com/exchange/library
> >
> >
> > Finally, what document are you referencing so we can all see the same
> > information.  If it needs to be fixed, then we should submit that for
> > fixing.
> >
> > Al
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> > Sent: Friday, July 30, 2004 10:04 AM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] AD replication from 5.5 using ADC
> >
> > hopefully once again i am not charged with going too O/T with this
> > one, but was looking to get a bit of further information on the potential
> > impact of a replication from an exchange 5.5 server to a win2k AD
> >
> > it seems there is potential for the change of attributes already in
> > the AD if there is different data in the 5.5 directory.
> >
> > the most obvious of these seems to be the "display name" given its
> > prevalence in most directories, and likelihood (this is true in this
> > specific case) of different convention being used between the directories;
> >
> > in 5.5 we have surname ^ firstname , whilst on AD we have the other
> > way round !
> >
> > i have reviewed the ADC documentation
> >
> > seems there are two ways we can achieve some sort of control -
> >
> > i. default adc policy where we can set globally certain attribute data
> > not to be replicated
> >
> > ii. 'connection agreement' policy which is manipulated using ADSI edit
> >
> > the latter seems preferable given scope for different CA configuration
> >
> > could anyone possibly explain what this actually does - the ADC doc's
> > reference quotes "Do not overwrite RDN with the Exchange 5.5 Alias
> > attribute."
> >
> > don't know if this is a typo but the alias in a 5.5 directory does not look
> > to relate to the display name as the technote seems to suggest
> >
> > does this ADC configuration value relate ONLY to the replication of the
> > "display name" ??
> >
> > am i also right to say that this MSEXCHSERVER1FLAGS value controls the
> > behaviour when replicating to Windows (and by implication from
> > Exchange 5.5 ) ?? and that the  msexchserver2flags value controls the
> > behaviour the other way round ?
> >
> > if i am too O/T my apologies -
> >
> > GT
> >
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/