Installing Exchange 5.5 on a Windows 2000 server
The active directory connector
Post installation
It's no secret that the Windows 2000 directory service, the Active Directory, is based on
the directory service in Exchange 5.5. What not everyone fully understands, though, is how
this affects the future integration of Exchange and Windows 2000. We will also briefly look
at Platinum, how it will integrate better with Windows 2000, and the migration path from 5.5
to Platinum, which fits well with 5.5 and Active Directory integration.
Installing Exchange 5.5 on a Windows 2000 server
Before we talk about the integration of the two directory services, I'll quickly run
through some of the problems (and their solutions) in installing Exchange 5.5 on a Windows
2000 server. When you install Exchange you have to nominate an account which will be the
Exchange Service account, and this is our first "feature" to overcome. To run Exchange on a
Windows 2000 server, this service account needs to be a member of the local Server
Operators group or you will encounter a number of problems. It can be a member of a more
privileged group such as Administrators instead, but Server Operators is the minimum.
After you have installed Exchange, be sure to apply Service Pack 2 or above (SP3 will be
out by the time you read this). This Service Pack is needed later on in our integration
with the Active Directory. The first problem you will hit is how you access the
information stored within the directory services. Both Exchange and Windows 2000 use the
Lightweight Directory Access Protocol (LDAP), which operates over TCP/IP and listens on port
389 for LDAP requests. Only one service can listen on a given TCP port, and since Active
Directory starts up as a core service of Windows 2000, it grabs port 389 first, leaving the
Exchange LDAP service unable to start because the port is in use.
Fortunately we can modify the port that the Exchange LDAP service listens on enabling us
to work around this problem.
- Start the Exchange administrator program
- Move to the organization\sites\protocols branch
- Double click on LDAP (directory) site defaults and change the port number. Make sure
you use an unused port!
- Stop and restart the Exchange directory service
The Exchange LDAP SSL port (secure socket layer, port 636) cannot be changed at present (as
it clashes with the Active Directory LDAP SSL service). The reasoning was that there was no
way of changing the port at the CLIENT end and thus no point in modifying the server.
Microsoft has since changed its mind on this, and Exchange 5.5 Service Pack 3 will allow
Administrators to modify the LDAP SSL port in the same way the LDAP port can be changed.
There are a couple of other problems that are not so important. The first is that Windows
2000 comes with its own SMTP service, which again clashes with the Exchange SMTP service,
so you need to disable the Windows 2000 SMTP component. You may find other such clashes,
and when you do, just disable the Windows 2000 element.
The active directory connector
OK, we've looked at the problems of running Exchange with Windows 2000, now let's get them
talking and bask in the advantages!
Windows 2000 ships with an optional component called the Active Directory
Connector which is a self-contained package in the VALUADD\MGMT\ADC directory of the
Windows 2000 CD. What the Active Directory Connector does is allow replication between the
two directory services, uni- or bi-directional in nature and based around one or more
containers on each side. For example you may replicate from the Users Organizational
Unit of the savilltech.com domain in Windows 2000 to the Recipients container of the
London site in the SavillTech Organization in Exchange. Any objects that exist in one
container and not the other will be created, any modifications to objects will be
replicated, and any objects deleted will either be removed from the other container or
written to a list for you to action manually (depending on your settings).
The Active Directory Connector has to be installed on a Windows 2000 server (it does not
have to be a domain controller), but Exchange does not have to reside on the same server,
or even on a Windows 2000 server; it will cope quite happily with an Exchange 5.5 server
running on NT 4.0. The only prerequisite is that Exchange has Service Pack 2 or above
installed (and this will probably change to Service Pack 3 when Windows 2000 ships).
To install the connector, log on to a Windows 2000 server and perform the following:
- Run setup.exe from the VALUADD\MGMT\ADC directory
- Click Next on the install wizard
- Select both the connector service and management components. Click Next
- You will be asked where to install. Accept the default and click Next
- Enter the Exchange Service account and click Next. The account specified will be
granted the 'Audit' right. Click OK
- Files will be copied; click Finish once this completes
A new icon 'Active Directory Connector Management' will have been
added to the 'Administrative Tools' branch and you are now ready to begin configuration of
your connector.
Now we need to set up a connection agreement between the Exchange Server and the Active
Directory:
- Start the ADC Management MMC snap-in (Start - Programs -
Administrative Tools - Active Directory Connector Management)
- Right click on the Active Directory Connector (<machine name>)
branch and select 'New - Connection Agreement'
- Under the General tab enter a name and select the replication
direction:
- Two-way
- From Exchange to Windows
- From Windows to Exchange
- Select the 'Connections' tab and fill in connection information as
shown in figure 2.
(Figure 2 caption: Notice that I have both on the same machine; however, you will probably
have different Exchange and Domain Controller machines. Also notice the use of port 1020
instead of port 389 for Exchange.)
- Select the Schedule tab to select how often and when to replicate.
You can set for every hour of every day. You can also manually replicate at any time using
the Active Directory Connector MMC snap-in.
- Select the Deletion tab to control how deletions are handled, either
delete from both directories when deleted from one or just note the deletion to a log
file.
- Under the 'From Exchange' and 'From Windows' tab select the items to
replicate.
- Click OK
- The Exchange Schema will be modified and its directory service will
be stopped and restarted.
You have now configured a single link between two containers, and depending on the type
of replication, changes will be replicated either uni- or bi-directionally.
It may be that you require multiple connection agreements (in fact you probably will), not
only to allow full directory service replication but also to give you finer control over
the various containers and their content.
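The behaviour described earlier (objects present on one side only are created, changed
objects are replicated, and deleted objects are either removed from the other container or
written to a list) together with the Deletion tab setting above can be rehearsed before a
real agreement is created. The script below is an added example, not the original article's
code and not Microsoft's ADC: it is a dry-run model that takes a snapshot of an Exchange
recipients container and of an Active Directory OU and works out what a from-Exchange,
from-Windows or two-way agreement would do under each deletion setting. The matching key
(assumed here to be the mailbox alias / logon name), the attribute names, the sample users
and the set of "previously replicated" keys are all constructed for the example; the
conflict handling in two-way mode is the example's own safeguard, not a documented ADC rule.

```python
"""Dry-run model of what an Active Directory Connector connection agreement
would do to two containers.

Added example, not Microsoft's ADC code.  Each side is a snapshot of a
container: {key: {attribute: value}}, keyed by a matching attribute (assumed
here to be the mailbox alias / logon name).  'previously_replicated' is the
set of keys the agreement has synchronised before; it is what lets an object
that is now missing be recognised as a deletion rather than as an object that
never existed on that side.
"""

# Constructed sample data: an Exchange recipients container and an AD OU.
EXCHANGE = {
    "jsavill": {"displayName": "John Savill", "department": "IT"},
    "bsmith":  {"displayName": "Bob Smith",   "department": "Sales"},
    "tmp01":   {"displayName": "Temp One",    "department": "HR"},       # new in Exchange only
}
WINDOWS = {
    "jsavill": {"displayName": "John Savill", "department": "IT"},
    "bsmith":  {"displayName": "Bob Smith",   "department": "Marketing"},  # changed in AD
    "olduser": {"displayName": "Left Company", "department": "Sales"},     # deleted in Exchange
}
PREVIOUSLY_REPLICATED = {"jsavill", "bsmith", "olduser"}


def plan_direction(source, target, previously_replicated, deletion_mode="log"):
    """Plan one replication direction (source container -> target container).

    deletion_mode 'delete' removes the object from the target as well;
    'log' only records it for an administrator to action by hand.
    """
    if deletion_mode not in ("delete", "log"):
        raise ValueError("deletion_mode must be 'delete' or 'log'")
    plan = {"create": [], "update": [], "delete": [], "logged": []}
    for key, attrs in sorted(source.items()):
        if key not in target:
            plan["create"].append(key)           # exists on one side only
        elif target[key] != attrs:
            plan["update"].append(key)           # on both sides, attributes differ
    for key in sorted(previously_replicated):
        if key not in source and key in target:  # synced before, now gone at the source
            plan["delete" if deletion_mode == "delete" else "logged"].append(key)
    return plan


def plan_agreement(exchange, windows, previously_replicated,
                   direction="two-way", deletion_mode="log"):
    """Plan a whole connection agreement: 'two-way', 'from-exchange' or 'from-windows'.

    In two-way mode an object changed on both sides, or deleted on one side
    while it would be re-created from the other, is reported under 'conflicts'
    instead of being applied blindly in both directions (example's own rule).
    """
    if direction not in ("two-way", "from-exchange", "from-windows"):
        raise ValueError("unknown direction %r" % direction)
    plans = {}
    if direction in ("two-way", "from-exchange"):
        plans["to_windows"] = plan_direction(exchange, windows, previously_replicated, deletion_mode)
    if direction in ("two-way", "from-windows"):
        plans["to_exchange"] = plan_direction(windows, exchange, previously_replicated, deletion_mode)
    conflicts = set()
    if direction == "two-way":
        tw, te = plans["to_windows"], plans["to_exchange"]
        conflicts |= set(tw["update"]) & set(te["update"])
        conflicts |= set(tw["delete"] + tw["logged"]) & set(te["create"])
        conflicts |= set(te["delete"] + te["logged"]) & set(tw["create"])
        for plan in (tw, te):
            for action in plan:
                plan[action] = [k for k in plan[action] if k not in conflicts]
    plans["conflicts"] = sorted(conflicts)
    return plans


if __name__ == "__main__":
    for direction in ("from-exchange", "from-windows", "two-way"):
        for mode in ("log", "delete"):
            print(direction, mode, plan_agreement(EXCHANGE, WINDOWS, PREVIOUSLY_REPLICATED,
                                                  direction, mode))
```

With the sample data a one-way from-Exchange agreement creates tmp01 in the AD, updates
bsmith, and, with the Deletion tab set to log, merely records that olduser has gone. The
two-way case shows why the log setting is the safer default: bsmith was changed on both
sides and olduser was deleted on one side while still present on the other, so the model
lists both as conflicts to be resolved by hand rather than recreating or overwriting objects.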
Post installation
After you have installed the Active Directory Connector and have a connection agreement,
you will notice a number of changes to the Active Directory Users and Computers MMC
snap-in. The most obvious change is that when you create a new user you will be asked to
create a mailbox. This mirrors the change that installing Exchange made to the old User
Manager.
Currently the Active Directory Connector only replicates recipient containers; however,
there will be a second version of the ADC that will ship with Platinum that will also
support the replication of the Configuration container, and this is a vital step in the
migration to full Windows 2000 Directory Service integration. For those who are not aware,
Platinum no longer has its own directory store and instead uses the Windows 2000 Active
Directory as its directory service, interacting heavily with Global Catalogs (domain
controllers that contain a subset of information about EVERY object in the enterprise
forest), and it's this integration which fixes the problems we currently have with
running Exchange 5.5 on Windows 2000.
In order to gain that integration, one of the steps is to copy the content from the
Exchange directory service into the Active Directory, and that is where the Active
Directory Connector comes in. Firstly, there will be no LDAP/LDAP SSL port clashes since
Platinum no longer has its own directory service. There is no SMTP clash as Exchange uses
the Internet Information Service SMTP service (but upgrades it during Platinum
installation). Currently, the Active Directory Connector replicates entire objects that
have changed; however, in the future version of Exchange, Active Directory replication
will be used, meaning only the changed attribute will be replicated and not the
entire object, thus saving bandwidth.
It's been said all along that if you know the Exchange directory service you have a
head start with Windows 2000, and it's true; however, thanks to the Active Directory
Connector you can go one step further. Start populating your Exchange directory service
with information about your users (names, addresses, departments, reporting lines, etc.)
and when you do install Windows 2000 and upgrade a domain controller you can quickly
populate your Windows 2000 directory service with extensive information. It's an excellent
preparation step you can be doing now.
A final word of warning: do not interface with a live Exchange Server at the moment.
Current incarnations of the ADC are prone to problems and may result in you either losing
information or a bulk creation of unwanted objects (as I found to my dismay!).
Best of luck!