This connection agreement is not set to create disabled accounts when no match is made
Topic Last Modified: 2005-11-17
The Microsoft® Exchange Server Analyzer Tool queries the Active Directory® directory service to determine the value for the msExchServer1AlwaysCreateAs attribute of each connection agreement object. If the Exchange Server Analyzer determines that the msExchServer1AlwaysCreateAs attribute is not set to 1, a warning is displayed.
The msExchServer1AlwaysCreateAs attribute determines how X.500 objects are synchronized with Active Directory. A value of 0 indicates the connection agreement has been configured to create Microsoft Windows® contacts. A value of 1 for this attribute indicates that the connection agreement has been configured to create disabled Windows user accounts in Active Directory. A value of 2 indicates the connection agreement has been configured to create new Windows user accounts.
The Exchange Server Analyzer issues a warning because, in a situation where Exchange Server 5.5 must coexist with Active Directory and a full migration to Exchange Server 2003 is planned, it is important to have Active Directory Connector (ADC) create disabled Windows user accounts. These disabled Windows user accounts are "mailbox-enabled," meaning they are logically attached to a mailbox that exists on the Exchange Server 5.5 computer. Creating disabled Windows user accounts is necessary so that the user object representing each disabled Windows account can eventually be granted access to public folders and other secured objects in Active Directory.
In the ADC user interface, there are three options for creating new objects when a matching object is not found in Active Directory for a mailbox in Exchange Server 5.5. These are listed on the Advanced tab in the properties of the connection agreement, as follows:
- Create a Windows Contact: This is not recommended because a Contact object has no security context.
- Create a new Windows user account: This is not recommended because the new account will have a new SID and, therefore, the SID history of the Microsoft Windows NT® Server 4.0 user account will not be carried over to the new account during migration.
- Create a disabled Windows user account: This is recommended because it allows the Windows NT Server 4.0 user to coexist (with correct access to resources) until the full migration is complete.
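The following PowerShell script reproduces the check described above: it enumerates the ADC connection agreement objects in the configuration naming context, reads msExchServer1AlwaysCreateAs from each one, and flags any agreement whose value is not 1. This is an added example, not code from the Exchange Server Analyzer or from this article. It assumes that connection agreements are objects of the schema class msExchConnectionAgreement stored under CN=Active Directory Connections,CN=Microsoft Exchange,CN=Services in the configuration naming context, and that the account running it has read access to that container.

```powershell
# Added example (not part of the original article): report the
# msExchServer1AlwaysCreateAs setting of every ADC connection agreement and
# flag those that do not create disabled Windows user accounts (value 1).
#
# Assumptions: connection agreements are msExchConnectionAgreement objects
# under CN=Active Directory Connections,CN=Microsoft Exchange,CN=Services in
# the configuration naming context; the caller can read that container.

function Get-CreateAsDescription {
    # Map the attribute value to the option shown on the Advanced tab.
    param($Value)
    if ($null -eq $Value) { return 'Attribute not set' }
    switch ([int]$Value) {
        0       { 'Create a Windows contact (no security context)' }
        1       { 'Create a disabled Windows user account (recommended)' }
        2       { 'Create a new Windows user account (new SID, no SID history)' }
        default { "Unrecognized value $Value" }
    }
}

function Get-AdcConnectionAgreementStatus {
    # Locate the configuration naming context of the current forest.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value

    # Assumed location of the ADC connection agreement objects.
    $searchRoot = [ADSI]"LDAP://CN=Active Directory Connections,CN=Microsoft Exchange,CN=Services,$configNc"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
    $searcher.Filter      = '(objectClass=msExchConnectionAgreement)'
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.Add('cn')
    [void]$searcher.PropertiesToLoad.Add('msExchServer1AlwaysCreateAs')

    foreach ($result in $searcher.FindAll()) {
        $value = $null
        if ($result.Properties['msExchServer1AlwaysCreateAs'].Count -gt 0) {
            $value = [int]$result.Properties['msExchServer1AlwaysCreateAs'][0]
        }

        # Anything other than 1 is what the Analyzer warns about, including
        # an unset attribute.
        [pscustomobject]@{
            ConnectionAgreement = $result.Properties['cn'][0]
            CreateAs            = $value
            Description         = Get-CreateAsDescription $value
            Warning             = ($value -ne 1)
        }
    }
}

Get-AdcConnectionAgreementStatus | Format-Table -AutoSize
```

Run the script from a domain-joined machine in the forest that hosts the ADC. Every row with Warning set to True corresponds to a connection agreement that should be reconfigured on its Advanced tab to create disabled Windows user accounts before a migration that relies on SID history.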
1. Configure the Active Directory Recipient Connection Agreement to create mailbox-enabled disabled Windows user accounts.
2. Use the Active Directory Migration Tool, which migrates Windows NT Server 4.0 user accounts to Active Directory and creates enabled Windows accounts. These enabled Windows accounts will have the same SID as the disabled Windows accounts created by ADC.
3. Use the Active Directory Cleanup Wizard (ADClean), which merges the information from the Active Directory Migration Tool-created account into the ADC-created account.
For more information about Active Directory Connector recipient connection agreements, see the following Microsoft Knowledge Base articles:
823601, "Active Directory Connector Requirements and Implications Throughout an Organization" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=823601)
303180, "Active Directory Connector Requirements for Mixed Administrative Groups" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=303180)
296260, "XGEN: How to Configure a Two-Way Recipient Connection Agreement for Exchange 5.5 Users" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=296260)
For more information about the Active Directory Cleanup Wizard, see the following Knowledge Base article:
270652, "Possible Uses of the Active Directory Account Cleanup Wizard" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=270652)
For more information about the Active Directory Migration Tool, see the following Knowledge Base article:
260871, "How To Set Up ADMT for Windows NT 4.0 to Windows 2000 Migration" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=260871)