Merging Duplicate Accounts
When you merge multiple directories, you might encounter duplicate accounts. To handle this situation, Exchange Server 2003 includes the Active Directory Account Cleanup Wizard (ADclean.exe). Duplicate accounts can cause performance problems in an Exchange organization and make it difficult to authenticate users. Handling duplicates, however, is not always as simple as deleting whichever account is not needed: sometimes both accounts contain information about the user that must be preserved. The Active Directory Account Cleanup Wizard solves this problem by letting you merge duplicate accounts, combining the settings from both.
The wizard attempts to identify duplicate accounts in Active Directory. You can have the wizard search Active Directory and identify accounts automatically, or you can specify the accounts to be merged manually. You can also combine the two methods: let the wizard do the bulk of the work with its search capability, and manually specify the accounts it does not recognize. Once the identification phase is complete, you can review and modify the merge operations that will take place. Once you are satisfied with the settings, you can either perform the merge operations immediately or export the list of accounts to a .csv file and complete the merge later. This is useful if you are running the Active Directory Account Cleanup Wizard initially for informational purposes and do not want to repeat the entire process later to perform the merge. At that time, you import the .csv file into the wizard and complete the merge.
There are two scenarios in which you would most commonly run the Active Directory Account Cleanup Wizard. The first is after a migration from a Windows NT 4 domain, where you have new, disabled Active Directory user accounts that duplicate existing enabled Active Directory user accounts. You run the wizard to merge each disabled account with its enabled counterpart into a single account. The second is merging an Active Directory user account with a contact. You can do this provided that only one of the two objects being merged is mail-enabled, meaning it has an e-mail address associated with it.
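As an added example (not part of the training kit), the following Windows PowerShell script enumerates the first scenario directly from the directory: disabled user accounts whose display name matches an enabled account. It writes the pairs to a CSV for review before you run the wizard. The search root, the output path, and the choice of displayName as the matching key are assumptions; the CSV columns are a review list for the administrator, not the wizard's own import format.

```powershell
# Added example, not code from the training kit: list disabled user accounts that
# appear to duplicate an enabled account (the post-NT 4-migration case) and write
# the pairs to a CSV for review before running ADclean. Assumptions: the search
# root, the output path, and displayName as the matching key; the CSV layout is a
# review list, not the wizard's import format.

$searchRoot = "LDAP://DC=contoso,DC=com"          # assumption: your domain
$outFile    = "C:\Temp\duplicate-candidates.csv"  # assumption

# LDAP bitwise-AND matching rule on userAccountControl bit 0x2 (ACCOUNTDISABLE)
$disabledUsers = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"
$enabledUsers  = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

function Get-Prop($result, [string]$name) {
    # Return the first value of an attribute, or "" when the object lacks it
    $v = $result.Properties[$name.ToLowerInvariant()]
    if ($v -and $v.Count -gt 0) { [string]$v[0] } else { "" }
}

function Get-AdUsers([string]$filter) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($searchRoot)
    $searcher.Filter     = $filter
    $searcher.PageSize   = 1000   # paged results, so large domains are not truncated at 1000 objects
    foreach ($attr in "displayName", "sAMAccountName", "distinguishedName", "mail", "legacyExchangeDN") {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            DisplayName       = Get-Prop $r "displayName"
            SamAccountName    = Get-Prop $r "sAMAccountName"
            DistinguishedName = Get-Prop $r "distinguishedName"
            Mail              = Get-Prop $r "mail"
            LegacyExchangeDN  = Get-Prop $r "legacyExchangeDN"
        }
    }
}

# Index the enabled accounts by display name, then look up each disabled account
$enabledByName = @{}
foreach ($u in Get-AdUsers $enabledUsers) {
    if ($u.DisplayName) { $enabledByName[$u.DisplayName.ToLowerInvariant()] = $u }
}

$candidates = @()
foreach ($d in Get-AdUsers $disabledUsers) {
    if (-not $d.DisplayName) { continue }
    $e = $enabledByName[$d.DisplayName.ToLowerInvariant()]
    if ($null -eq $e) { continue }
    $candidates += [pscustomobject]@{
        DisplayName       = $d.DisplayName
        SourceAccount     = $d.DistinguishedName   # disabled copy, typically the migrated NT 4 account
        TargetAccount     = $e.DistinguishedName   # enabled account that should survive the merge
        SourceMailEnabled = [bool]$d.Mail          # an e-mail address on both sides needs a closer look
        TargetMailEnabled = [bool]$e.Mail
        SourceLegacyDN    = $d.LegacyExchangeDN    # a legacyExchangeDN means Exchange data lives on this side
    }
}

$candidates | Export-Csv -Path $outFile -NoTypeInformation
"{0} candidate pair(s) written to {1}" -f $candidates.Count, $outFile
```

Run it as an account that can read the domain. The SourceMailEnabled and TargetMailEnabled columns flag pairs where both objects carry an e-mail address, which is the property the text says matters when merging; review those by hand rather than merging them blindly.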
You will use the Active Directory Account Cleanup Wizard to merge duplicate accounts in the practice at the end of this lesson.
Troubleshooting the ADC
Troubleshooting the ADC usually comes down to replication issues: objects configured in Exchange Server 5.5 are not being replicated to Active Directory, or vice versa. There are a number of things to consider when troubleshooting the ADC, both in general and in relation to replication between Exchange Server 5.5 and Active Directory.
Basic ADC Troubleshooting
The following is a checklist to assist you in troubleshooting basic ADC problems.
Is the ADC service running?
Is a connection agreement configured between the Exchange Server computer and the Active Directory server?
Is the container that you are replicating displayed in the Export Containers list, or under any of the containers that are displayed in the Export Containers list?
Is the Exchange Server 5.5 computer turned on and running? Is the Exchange Server 5.5 directory service running on the server?
If there is only one Active Directory server, is it online?
If you set up a connection agreement manually, did you select the object class that you are trying to replicate on both the From Windows and From Exchange tabs in the connection agreement properties?
In the connection agreement properties, on the General tab, did you select the directions in which you want to replicate information? Is the connection agreement configured to replicate in the direction you need?
Does the user account that you are using on the target directory have sufficient permissions to create or modify objects?
Are any error messages logged in the server's Application log (for example, messages that indicate incorrect credentials, that a server is down, or other errors)?
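As an added example (not part of the training kit), the following Windows PowerShell function runs the service, connection-agreement, server-availability, domain-controller and Application-log items of this checklist from the ADC server and returns one pass/fail row per check. Assumptions: the Exchange 5.5 server name, that the ADC logs under the event source MSADC, and that connection agreements are objects of class msExchConnectionAgreement in the configuration partition. MSADC and MSExchangeDS are the service names of the ADC and the Exchange 5.5 directory service; confirm them with Get-Service if your build differs.

```powershell
# Added example, not code from the training kit: the basic ADC checklist as a
# script. Assumptions: the Exchange 5.5 server name, the MSADC event source, and
# msExchConnectionAgreement as the connection-agreement object class.

$Exchange55Server = "EXCH55"   # assumption

function Test-AdcChecklist {
    param([string]$Exchange55Server, [int]$LogHours = 24)
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Check([string]$check, [bool]$ok, [string]$detail) {
        $results.Add([pscustomobject]@{ Check = $check; Passed = $ok; Detail = $detail })
    }

    # 1. Is the ADC service running on this server?
    $adc = Get-Service -Name MSADC -ErrorAction SilentlyContinue
    Add-Check "ADC service (MSADC) running" ($adc -and $adc.Status -eq "Running") `
        ("status: " + $(if ($adc) { $adc.Status } else { "not installed" }))

    # 2. Is at least one connection agreement configured? (search the configuration partition)
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
    $configNc = [string]$rootDse.Properties["configurationNamingContext"].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$configNc")
    $searcher.Filter = "(objectClass=msExchConnectionAgreement)"   # assumption: CA object class
    [void]$searcher.PropertiesToLoad.Add("cn")
    $agreements = @($searcher.FindAll() | ForEach-Object { [string]$_.Properties["cn"][0] })
    Add-Check "Connection agreement(s) present" ($agreements.Count -gt 0) ($agreements -join ", ")

    # 3. Is the Exchange 5.5 computer up, and is its directory service running?
    $up = Test-Connection -ComputerName $Exchange55Server -Count 1 -Quiet
    Add-Check "Exchange 5.5 server reachable" $up $Exchange55Server
    $ds = if ($up) { Get-Service -ComputerName $Exchange55Server -Name MSExchangeDS -ErrorAction SilentlyContinue }
    Add-Check "Exchange 5.5 directory service (MSExchangeDS) running" ($ds -and $ds.Status -eq "Running") `
        ("status: " + $(if ($ds) { $ds.Status } else { "unknown" }))

    # 4. Is at least one domain controller online?
    $dcs    = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
    $online = @($dcs | Where-Object { Test-Connection -ComputerName $_.Name -Count 1 -Quiet })
    Add-Check "Domain controller online" ($online.Count -gt 0) (($online | ForEach-Object Name) -join ", ")

    # 5. Has the ADC logged errors or warnings recently? (source name is an assumption)
    $since  = (Get-Date).AddHours(-$LogHours)
    $events = @(Get-EventLog -LogName Application -Source MSADC -EntryType Error, Warning -After $since -ErrorAction SilentlyContinue)
    $detail = if ($events.Count) {
        ($events | Select-Object -First 3 | ForEach-Object { "$($_.EventID): $(($_.Message -split "`r?`n")[0])" }) -join " | "
    } else { "none" }
    Add-Check "No ADC errors/warnings in last $LogHours h" ($events.Count -eq 0) $detail

    $results
}

Test-AdcChecklist -Exchange55Server $Exchange55Server | Format-Table -AutoSize -Wrap
```

Get-Service -ComputerName and Get-EventLog exist in Windows PowerShell but not in PowerShell 7; on the newer shell, substitute Get-WinEvent and a remoting session. The remaining checklist items (export containers, object classes, replication direction, and the permissions of the account the agreement uses) are settings of the connection agreement itself and are best confirmed in its property pages.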
If your settings are configured properly and no errors are being generated in the Application log, check the following situations to determine why replication is not taking place in the direction you need.
Replication from Exchange Server 5.5 to Active Directory
The following list contains situations in which an object does not replicate from Exchange Server 5.5 to Active Directory:
Exchange object A matches Active Directory object B, but Active Directory object B was deleted.
Exchange object A matches Active Directory object B, but Active Directory object B is not in a domain to which the ADC can write (for example, a different tree or domain in the same forest).
The connection agreement is not an inter-organization connection agreement, and the ADC is matching a mailbox to a mail-enabled user. The ADC should match only to mailbox-enabled users.
The connection agreement is not an inter-organization connection agreement, and the ADC is matching a custom recipient or a distribution list to a mailbox-enabled user.
The connection agreement is not the primary connection agreement for the connected Windows domain, and the object could not be matched to an existing Active Directory object. In this case, the connection agreement does not create the object. To change this, open the properties of the connection agreement and, on the Advanced tab, select the This Is The Primary Connection Agreement For The Connected Windows Domain option.
Replication from Active Directory to Exchange Server 5.5
The following list contains scenarios in which an object does not replicate from Active Directory to Exchange Server 5.5.
Active Directory object A matches Exchange Server 5.5 object B, but Exchange Server 5.5 object B was deleted.
Active Directory object A matches Exchange Server 5.5 object B, but Exchange Server 5.5 object B is not in the same site as the Exchange Server 5.5 computer that is specified in the connection agreement.
The connection agreement is not the primary connection agreement for the Exchange organization. In this case, the connection agreement does not create the object. To change this, open the connection agreement properties and, on the Advanced tab, select the This Is The Primary Connection Agreement For The Connected Exchange Organization option.
The object in Active Directory does not contain e-mail information. An object must contain at least one of the following attributes to replicate to Exchange: mail, legacyExchangeDN, textEncodedORAddress, proxyAddresses, or msExchHomeServerName. In addition, a group object may contain the mailNickname attribute, and user or contact objects may contain the targetAddress attribute.
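The attribute rule in the last item is easy to check before you open a support case. As an added example (not part of the training kit), the following Windows PowerShell code applies it: a pure function over an object's class and attributes, which can be exercised with constructed input, and a wrapper that reads a live object over LDAP. The distinguished name used at the end is an assumption.

```powershell
# Added example, not code from the training kit: decide whether an Active
# Directory object carries the e-mail attributes the ADC needs before it will
# replicate the object to Exchange Server 5.5. The DN at the bottom is assumed.

$commonMailAttrs = @("mail", "legacyExchangeDN", "textEncodedORAddress", "proxyAddresses", "msExchHomeServerName")

function Test-AdcMailAttributes {
    param(
        [Parameter(Mandatory)][string[]]$ObjectClass,   # values of the object's objectClass attribute
        [Parameter(Mandatory)][hashtable]$Properties    # attribute name -> value(s); missing or empty means absent
    )
    # PowerShell hashtable literals compare keys case-insensitively, as LDAP attribute names are
    $present = @()
    foreach ($attr in $commonMailAttrs) {
        if ($Properties.ContainsKey($attr) -and $Properties[$attr]) { $present += $attr }
    }
    # Class-specific attributes: mailNickname counts for groups, targetAddress for users and contacts
    $isGroup         = $ObjectClass -contains "group"
    $isUserOrContact = ($ObjectClass -contains "user") -or ($ObjectClass -contains "contact")
    if ($isGroup -and $Properties["mailNickname"])          { $present += "mailNickname" }
    if ($isUserOrContact -and $Properties["targetAddress"]) { $present += "targetAddress" }

    [pscustomobject]@{
        ObjectClass       = ($ObjectClass -join ",")
        PresentAttributes = ($present -join ",")
        WillReplicate     = ($present.Count -gt 0)
    }
}

function Test-AdcReplicationCandidate {
    # Read the relevant attributes of a live object and apply the same rule
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
    $props = @{}
    foreach ($attr in ($commonMailAttrs + @("mailNickname", "targetAddress"))) {
        $v = $entry.Properties[$attr]
        if ($v -and $v.Count -gt 0) { $props[$attr] = @($v) }
    }
    Test-AdcMailAttributes -ObjectClass @($entry.Properties["objectClass"]) -Properties $props
}

# Constructed inputs that exercise the rule offline
Test-AdcMailAttributes -ObjectClass @("top", "person", "user") -Properties @{ sAMAccountName = "jdoe" }
Test-AdcMailAttributes -ObjectClass @("top", "person", "user") -Properties @{ targetAddress = "SMTP:jdoe@contoso.com" }
Test-AdcMailAttributes -ObjectClass @("top", "group") -Properties @{ mailNickname = "sales" }
Test-AdcMailAttributes -ObjectClass @("top", "group") -Properties @{ targetAddress = "SMTP:sales@contoso.com" }

# Live check against a real object (assumed DN)
Test-AdcReplicationCandidate -DistinguishedName "CN=Jane Doe,OU=Users,DC=contoso,DC=com"
```

The function follows the text literally: mailNickname is credited only on groups and targetAddress only on users and contacts, so the fourth constructed call (a group with nothing but targetAddress) is reported as not replicating. If an object you expected to replicate comes back with no attributes present, the fix is on the Active Directory side, not in the connection agreement.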
Diagnostic Logging
Diagnostic logging is a useful tool for troubleshooting the ADC. You can log several categories of events generated by the ADC. Figure 1 shows the Diagnostic Logging tab in the Active Directory Connector Services console. To reach it, right-click the ADC, click Properties, and then click the Diagnostic Logging tab.
In general, you do not want to leave logging on, or at least not at high levels, because it quickly fills the Application log and makes it difficult to find useful information in Event Viewer. When you are troubleshooting, however, you can turn logging up to maximum, reproduce the problem, and then look at Event Viewer to see the results; turn it back down when you are done. The logging categories are as follows:
Replication: Messages about events that occurred during replication
Account Management: Errors that occurred when writing or deleting objects during replication
Attribute Mapping: Errors that occurred when mapping attributes between Exchange Server 5.5 and Active Directory
Service Controller: Messages specifically related to services starting and stopping
LDAP Operations: Errors that occurred while making LDAP calls to access Active Directory
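Once logging is at maximum, the Application log fills quickly and the categories above are the natural way to cut it. As an added example (not part of the training kit), the following Windows PowerShell function summarises what the ADC wrote in the last hour by event category, with the error count and the newest entry in each, so that you can go straight to the category that is failing. It assumes the ADC logs under the event source MSADC; check the Source column in Event Viewer if yours differs.

```powershell
# Added example, not code from the training kit: summarise ADC diagnostic
# logging output by category. The event source name MSADC is an assumption.

function Get-AdcLogSummary {
    param([int]$Hours = 1, [string]$Source = "MSADC")
    $since  = (Get-Date).AddHours(-$Hours)
    $events = @(Get-EventLog -LogName Application -Source $Source -After $since -ErrorAction SilentlyContinue)
    if ($events.Count -eq 0) { return @() }

    $events | Group-Object Category | ForEach-Object {
        $errors = @($_.Group | Where-Object EntryType -eq "Error" | Sort-Object TimeGenerated -Descending)
        $latest = $_.Group | Sort-Object TimeGenerated -Descending | Select-Object -First 1
        $latestErrorId = if ($errors.Count) { $errors[0].EventID } else { $null }
        [pscustomobject]@{
            Category      = $_.Name
            Entries       = $_.Count
            Errors        = $errors.Count
            LatestErrorId = $latestErrorId
            Latest        = $latest.TimeGenerated
            LatestMessage = ($latest.Message -split "`r?`n")[0]   # first line only; full text stays in Event Viewer
        }
    } | Sort-Object Errors -Descending
}

Get-AdcLogSummary -Hours 1 | Format-Table -AutoSize -Wrap
```

Get-EventLog reads the classic Application log and exists in Windows PowerShell only; on PowerShell 7 use Get-WinEvent with a FilterHashtable for LogName and ProviderName instead. Run the summary, then clear the log before the next reproduction so that stale entries do not muddy the picture.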
Troubleshooting the Site Replication Service
The Site Replication Service is generally self-managing and does not require much administrative effort. When an ADC connection agreement is configured and working properly but information is not being replicated between the Site Replication Service and Active Directory, the primary things to check are as follows:
Ensure the Site Replication Service is running on an Exchange Server 2003 server.
Ensure that the Config_CA connection agreement used by the Site Replication Service is configured properly, with its settings pointing to the correct Exchange server and to an Active Directory domain controller. Use the Browse button to select the exact names rather than typing them in.
Ensure that the LDAP port number is correct and that traffic can reach that port on the server running the Site Replication Service.
If none of this resolves the problem, recreate the connection agreement and, if necessary, create a new Site Replication Service and then remove the existing one.
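The first and third checks can be scripted. As an added example (not part of the training kit), the following Windows PowerShell code confirms that the Site Replication Service is installed and running on the Exchange Server 2003 server, that the server answers a ping, and that its LDAP port accepts a TCP connection within a bounded timeout (a plain hang is the usual symptom of a firewall in the path). The server name is an assumption; 379 is the default LDAP port of the Site Replication Service, so substitute the port shown in the Config_CA if it was changed; MSExchangeSRS is the service name the Site Replication Service registers.

```powershell
# Added example, not code from the training kit: SRS service state and LDAP port
# reachability. Server name is an assumption; 379 is the SRS default LDAP port.

$SrsServer = "EXCH2003"   # assumption
$SrsPort   = 379          # SRS default; use the port configured in the Config_CA if different

function Test-TcpPort {
    # TCP connect with a timeout, so a filtered port fails fast instead of hanging
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }   # timed out: likely filtered
        $client.EndConnect($async)                                              # throws if refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-SrsHealth {
    param([string]$ComputerName, [int]$Port)
    $svc = Get-Service -ComputerName $ComputerName -Name MSExchangeSRS -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server        = $ComputerName
        ServiceFound  = [bool]$svc
        ServiceStatus = if ($svc) { $svc.Status.ToString() } else { "not installed" }
        Pingable      = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet
        LdapPortOpen  = Test-TcpPort -ComputerName $ComputerName -Port $Port
    }
}

Test-SrsHealth -ComputerName $SrsServer -Port $SrsPort
```

Run it from the ADC server, since that is the path the Config_CA actually uses; a port that is open from the Exchange server's own console but closed from the ADC server points at network filtering rather than at the service.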