Exploring 2000 - Windows 2000 and Exchange – a marriage made in heaven?
(Oct 1999)
John Savill unpicks another aspect of Windows 2000

It’s no secret that the Windows 2000 directory service, the Active Directory, is based on the directory service in Exchange 5.5. What not everyone fully understands, though, is how this affects future integration of Exchange and Windows 2000. We will also briefly look at Platinum, how it will integrate better with Windows 2000, and the migration path from 5.5 to Platinum, in which the integration of 5.5 with the Active Directory plays a large part.

Installing Exchange 5.5 on a Windows 2000 server

Before we talk about the integration of the two directory services, I’ll quickly run through some of the problems (and their solutions) in installing Exchange 5.5 on a Windows 2000 server. When you install Exchange you have to nominate an account that will be the Exchange Service account, and this is our first ‘feature’ to overcome. To run Exchange on a 2000 server, this service account needs to be a member of the local ‘Server Operators’ group or you will encounter a number of problems. It can be a member of a ‘higher’ group such as Administrators instead, but ‘Server Operators’ is the minimum.

After you have installed Exchange, be sure to apply Service Pack 2 or above (SP3 will be out by the time you read this); this Service Pack is needed later on for integration with the Active Directory. The first problem you will hit is how you access the information stored within the directory services. Both Exchange and Windows 2000 use the Lightweight Directory Access Protocol (LDAP), which runs over TCP/IP and listens on TCP port 389 for LDAP requests. Only one service can listen on a given TCP port, and since the Active Directory starts as a core service of Windows 2000 it grabs port 389 first, leaving the Exchange LDAP service unable to start because the port is already in use.

Fortunately the port that the Exchange LDAP service listens on can be changed, which lets us work around the problem:

  1. Start the Exchange Administrator program
  2. Move to the organization\sites\protocols branch
  3. Double-click on LDAP (Directory) Site Defaults and change the port number. Make sure you use an unused port!
  4. Stop and restart the Exchange directory service
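As an added illustration (not from the article), the Python script below reproduces the clash on a throwaway local port standing in for TCP 389 and shows the check behind ‘make sure you use an unused port’: probe the candidate port before changing the Exchange setting. The operating system chooses the port numbers, so it runs without administrator rights.

```python
import errno
import socket

# Added example, not from the article: the clash above reproduced on a throwaway
# local port. The OS chooses the ports, so nothing here needs administrator rights
# and nothing touches the real TCP 389.

def start_listener(port=0):
    """Bind and listen on 127.0.0.1:port the way a directory service does (0 = OS picks)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", port))
    sock.listen(5)
    return sock

def port_is_free(port):
    """True if a second service could bind the port right now, False if it is in use."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind(("127.0.0.1", port))
        return True
    except OSError as exc:
        if exc.errno in (errno.EADDRINUSE, 10048):   # 10048 is WSAEADDRINUSE on Windows
            return False
        raise   # anything else (e.g. no right to bind a low port) is not a clash
    finally:
        probe.close()

def choose_ldap_port(preferred, candidates):
    """The 'use an unused port' check: keep preferred if free, else the first free
    candidate, or None when every candidate is taken."""
    for port in (preferred, *candidates):
        if port_is_free(port):
            return port
    return None

def simulate_clash():
    """Active Directory binds first, the Exchange LDAP service cannot take the same
    port, and the fix is to move Exchange elsewhere. Returns (ad_port, exchange_port)."""
    ad = start_listener()                 # AD starts as a core service and grabs the port
    ad_port = ad.getsockname()[1]
    if port_is_free(ad_port):
        raise RuntimeError("expected the port to be busy while AD is listening")
    spare = start_listener()              # ask the OS for a port that really is unused
    spare_port = spare.getsockname()[1]
    spare.close()
    try:
        return ad_port, choose_ldap_port(ad_port, [spare_port])
    finally:
        ad.close()

if __name__ == "__main__":
    print("AD holds port %d, Exchange LDAP moved to port %d" % simulate_clash())
```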

The Exchange LDAP SSL port (Secure Sockets Layer, port 636) cannot be changed at present, so it clashes with the Active Directory LDAP SSL service. The reasoning was that there was no way of changing the port at the client end and thus no point in modifying it on the server. Microsoft has since changed its mind, and Exchange 5.5 Service Pack 3 will allow administrators to modify the LDAP SSL port in the same way the LDAP port can be changed.

There are a couple of other clashes that are less serious. The first is that Windows 2000 comes with its own SMTP service, which again clashes with the Exchange SMTP service, so you need to disable the Windows 2000 SMTP component. You may find other such clashes; when you do, just disable the Windows 2000 element.

The Active Directory Connector

OK, we’ve looked at the problems of running Exchange with Windows 2000, now let’s get them talking and bask in the advantages!

Windows 2000 ships with an optional component called the ‘Active Directory Connector’, a self-contained package in the VALUADD\MGMT\ADC directory of the Windows 2000 CD. The Active Directory Connector allows replication between the two directory services, one-way or two-way, based around one or more containers on each side. For example, you may replicate from the Users Organizational Unit of the savilltech.com domain in Windows 2000 to the Recipients container of the London site in the SavillTech Organization in Exchange. Any object that exists in one container and not the other will be created, any modification to an object will be replicated, and any object that is deleted will either be removed from the other container or written to a list for you to action manually (depending on your settings).

The Active Directory Connector has to be installed on a Windows 2000 server (it does not have to be a domain controller), but Exchange does not have to reside on the same server, or even on a Windows 2000 server: the connector copes quite happily with an Exchange 5.5 server running on NT 4.0. The only prerequisite is that Exchange has Service Pack 2 or above installed (and this will probably change to Service Pack 3 when 2000 ships).

To install the connector, log on to a Windows 2000 server and perform the following:

  1. Run setup.exe from the VALUADD\MGMT\ADC directory
  2. Click Next in the install wizard
  3. Select both the connector service and management components. Click Next
  4. You will be asked where to install. Accept the default and click Next
  5. Enter the Exchange Service account and click Next. The account specified will be granted the 'Audit' right; click OK
  6. Files will be copied; click Finish once this completes

A new icon 'Active Directory Connector Management' will have been added to the 'Administrative Tools' branch and you are now ready to begin configuration of your connector.

Now we need to set up a connection agreement between the Exchange Server and the Active Directory:

  1. Start the ADC Management MMC snap-in (Start - Programs - Administrative Tools - Active Directory Connector Management)
  2. Right click on the Active Directory Connector (<machine name>) branch and select 'New - Connection Agreement'
  3. Under the General tab enter a name and select the replication direction:
    - Two-way
    - From Exchange to Windows
    - From Windows to Exchange
  4. Select the 'Connections' tab and fill in the connection information as shown in figure 2.
    (Figure 2 caption: Notice I have both on the same machine; however, you will probably have different Exchange and Domain Controller machines. Also notice the use of port 1020 instead of port 389 for Exchange.)
  5. Select the Schedule tab to choose how often and when to replicate. The schedule can be set for any hour of any day. You can also replicate manually at any time using the Active Directory Connector MMC snap-in.
  6. Select the Deletion tab to control how deletions are handled: either delete from both directories when an object is deleted from one, or just note the deletion in a log file.
  7. Under the 'From Exchange' and 'From Windows' tabs, select the items to replicate.
  8. Click OK
  9. The Exchange Schema will be modified and its directory service will be stopped and restarted.

You have now configured a single link between two containers, and depending on the type of replication, changes will either be uni- or bi-directionally replicated.

It may be that you require multiple connection agreements (in fact you probably will) to not only allow full directory service replication but also to give you finer control over the various containers and their content.
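The planner below is an added example, not code from the article or from the ADC itself. It models a connection agreement as described above: a replication direction from the General tab, the delete-or-log choice from the Deletion tab, and the create, modify or delete outcome for each object, plus a ceiling on how many objects one run may create, as a dry-run guard against the bulk creation warned about at the end of the article. It assumes that two-way changes which disagree are flagged as conflicts and left alone (the connector’s own rule is not described), and the containers and objects are constructed dicts.

```python
# Added example, not code from the article or the ADC: a dry-run planner for one
# connection agreement. Each container is a dict of constructed objects keyed by the
# name matched across the directories; baseline is what the agreement last replicated.

DELETE, LOG = "delete", "log"   # the two choices on the Deletion tab

def side_changes(current, baseline):
    """Objects a side created or modified since the last run, and names it deleted."""
    upserts = {n: a for n, a in current.items() if baseline.get(n) != a}
    return upserts, [n for n in baseline if n not in current]

def plan(exchange, windows, baseline, direction, delete_policy):
    """Plan for the direction on the General tab. Two-way changes that disagree are
    reported as conflicts and left alone (an assumption; the ADC's rule is not given)."""
    ex_up, ex_del = side_changes(exchange, baseline) if direction != "from-windows" else ({}, [])
    win_up, win_del = side_changes(windows, baseline) if direction != "from-exchange" else ({}, [])
    p = {"to_windows": {}, "to_exchange": {}, "conflicts": [],
         DELETE: {"windows": [], "exchange": []}, LOG: {"windows": [], "exchange": []}}
    for name in set(ex_up) | set(win_up) | set(ex_del) | set(win_del):
        a, b = ex_up.get(name), win_up.get(name)
        if (a is not None and (name in win_del or (b is not None and a != b))) \
                or (b is not None and name in ex_del):
            p["conflicts"].append(name)          # both sides changed it differently
        elif a is not None:
            p["to_windows"][name] = dict(a)      # create or modify on the Windows side
        elif b is not None:
            p["to_exchange"][name] = dict(b)     # create or modify on the Exchange side
        elif name in ex_del and name in windows:
            p[delete_policy]["windows"].append(name)
        elif name in win_del and name in exchange:
            p[delete_policy]["exchange"].append(name)
    return p

def commit(exchange, windows, baseline, p, max_creates=25):
    """Apply p unless it would create more than max_creates objects, a guard against
    the bulk creation the article warns about. Returns (committed, creations)."""
    creations = sum(n not in windows for n in p["to_windows"]) \
        + sum(n not in exchange for n in p["to_exchange"])
    if creations > max_creates:
        return False, creations
    windows.update(p["to_windows"])
    exchange.update(p["to_exchange"])
    for side, store in (("windows", windows), ("exchange", exchange)):
        for name in p[DELETE][side]:
            store.pop(name, None)
    baseline.clear()   # next run starts from what both sides now agree on
    baseline.update({n: a for n, a in exchange.items()
                     if windows.get(n) == a and n not in p["conflicts"]})
    return True, creations
```

Run plan() first and inspect its conflicts and deletions before calling commit(); logged deletions under the LOG policy stay in the target container and are reported again on the next run.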

Post installation

After you have installed the Active Directory Connector and have a connection agreement in place, you will notice a number of changes to the Active Directory Users and Computers MMC snap-in. The most obvious is that when you create a new user you will be asked to create a mailbox, just as the old User Manager changed once Exchange was installed.

Currently the Active Directory Connector only replicates recipient containers. However, a second version of the ADC that will ship with Platinum will also support replication of the Configuration container, a vital step in the migration to full Windows 2000 directory service integration. For those who are not aware, Platinum no longer has its own directory store; instead it uses the Windows 2000 Active Directory as its directory service and interacts heavily with Global Catalogs (domain controllers that hold a subset of information about every object in the enterprise forest), and it is this integration which fixes the problems we currently have running Exchange 5.5 on Windows 2000.

In order to gain that integration, one of the steps is to copy the content of the Exchange directory service into the Active Directory, and that is where the Active Directory Connector comes in. Firstly, there will be no LDAP or LDAP SSL port clashes, since Platinum no longer has its own directory service. There is no SMTP clash either, as Exchange uses the Internet Information Services SMTP service (upgrading it during Platinum installation). Currently the Active Directory Connector replicates entire objects that have changed; in the future version of Exchange, Active Directory replication will be used instead, meaning only the changed attribute is replicated rather than the entire object, which saves bandwidth.

It’s been said all along that if you know the Exchange directory service you have a head start with Windows 2000, and it’s true; thanks to the Active Directory Connector, however, you can go one step further. Start populating your Exchange directory service with information about your users (names, addresses, departments, reporting lines and so on), and when you do install Windows 2000 and upgrade a domain controller you can quickly populate your Windows 2000 directory service with that extensive information. It’s an excellent preparation step you can be doing now.

A final word of warning: do not interface with a live Exchange Server at the moment. Current incarnations of the ADC are prone to problems and may result in you either losing information or a bulk creation of unwanted objects (as I found to my dismay!).

Best of luck!
