Active Directory Connector


Topic Last Modified: 2005-07-28

What permissions do I need to install the first Active Directory Connector (ADC) in my Microsoft Windows® 2000 or Windows Server 2003 Active Directory forest?

To install the first Active Directory Connector (ADC), you must update the schema of Active Directory and copy the binary files to the local computer. Therefore, you must be logged on as a user with the following permissions:

  • Schema Admins

  • Enterprise Admins

  • Member of the local Administrators group on the target ADC server

As an alternative, an administrator in the Schema Admins group can use the /SchemaOnly command-line switch with Active Directory Connector Setup to extend the Active Directory schema. In this scenario, the person who actually installs the ADC service does not need to be a member of the Schema Admins group. An advantage to this method is that, if a company has very strict control over the schema, personnel who have the responsibility of monitoring the schema can make the schema adjustments required, and the ADC/Exchange administrator can perform his or her job independently.

It is recommended that you follow the best practices defined in the Exchange Server 2003 Deployment Guide when deploying the ADC Service. The best practice recommendation is to run ForestPrep, run DomainPrep, and then install the ADC service.
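The membership split described above (Schema Admins for the schema extension, Enterprise Admins plus local Administrators for the service installation) is easy to verify before running Setup. The following PowerShell script is an added example, not code from the original article or from Microsoft; it checks the logged-on account's token for the well-known group SIDs, using RID 518 (Schema Admins) and RID 519 (Enterprise Admins) under the forest root domain SID and S-1-5-32-544 for the local Administrators group. It assumes a domain-joined host, Windows PowerShell 2.0 or later, and an elevated session.

```powershell
# Added example, not code from the original article or from Microsoft.
# Checks whether the logged-on account holds the memberships the article lists
# for installing the first ADC, or only Schema Admins when the schema will be
# extended separately with the /SchemaOnly switch.
# Assumptions: a domain-joined host, Windows PowerShell 2.0 or later, and an
# elevated session (in a non-elevated session the local Administrators SID can
# be present in the token as deny-only and would still be reported here).

function Get-ForestRootDomainSid {
    # Schema Admins (RID 518) and Enterprise Admins (RID 519) exist only in the
    # forest root domain, so the root domain SID is the prefix we need.
    $root  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain
    $entry = $root.GetDirectoryEntry()
    $bytes = $entry.psbase.Properties["objectSid"].Value
    New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
}

function Test-AdcInstallerMembership {
    param([switch]$SchemaOnly)   # set when only the /SchemaOnly step will be run

    $forestSid = (Get-ForestRootDomainSid).Value
    $required  = @{ "Schema Admins (forest root)" = "${forestSid}-518" }
    if (-not $SchemaOnly) {
        $required["Enterprise Admins (forest root)"] = "${forestSid}-519"
        $required["Local Administrators"]            = "S-1-5-32-544"
    }

    # Group SIDs carried in the current logon token, including nested groups.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

    foreach ($name in $required.Keys) {
        New-Object PSObject -Property @{
            Requirement = $name
            Sid         = $required[$name]
            Present     = ($tokenSids -contains $required[$name])
        }
    }
}

# Full check for the account that will run Setup, then the reduced check for an
# account that will only extend the schema.
Test-AdcInstallerMembership | Format-Table Requirement, Sid, Present -AutoSize
Test-AdcInstallerMembership -SchemaOnly | Format-Table Requirement, Sid, Present -AutoSize
```

A "Present = False" row for Enterprise Admins or local Administrators on the full check, with Schema Admins present, is the expected picture for the schema-only operator the article describes; the service installer should then be run by a different, separately audited account rather than by adding the schema operator to more groups.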

What permissions do I need to install subsequent Active Directory Connector servers into my Active Directory forest?

Because the schema has already been updated, you need the following Active Directory permissions to install additional connectors:

  • Domain Administrator

  • Member of the local Administrators group on the target ADC server

The ADC setup program has a hard-coded prerequisite that you belong to the Domain Admins group in Active Directory. You must belong to this group even if you only want to install the ADC Management snap-ins on a computer.

When installing the Active Directory Connector service, I need to enter a service account. Why is this required when Exchange services start as LocalSystem? What permissions will the service account require?

The ADC requires a service account because a subset of the ADC technology is shipped with the Windows Server operating system. Exchange has features to prepare the Active Directory forest and domains for installation of the server (with the use of ForestPrep and DomainPrep). Part of this preparation involves setting permissions for LocalSystem services to Active Directory. Because the ADC can be used without Microsoft Exchange 2000 Server or Exchange Server 2003 installed, a separate service account is used to achieve the same functionality.

The ADC service account requires the following permissions:

  • Member of the local Administrators group on the target ADC server (to write local security authority, or LSA, Global Secrets).

  • Member of the Enterprise Admins group if the ADC is used in a Windows 2000 or Windows Server 2003–based environment without Exchange 2000 Server or Exchange Server 2003.

  • Either a member of the Enterprise Admins group or the role of Exchange Full Administrator at the Organization level if the ADC is used with Exchange 2000 Server or Exchange Server 2003 and not just Windows 2000 or Windows Server 2003.

For more information about how the ADC writes to LSA Global Secrets, see Microsoft Knowledge Base article 253830, "XADM: How the Active Directory Connector Stores Passwords."

The ADC service account requires permissions to modify the Exchange configuration information in the Active Directory database because configuration connection agreements (CCAs) do not have credentials set on them by default. Therefore, the ADC must assume that the service account has all the necessary permissions to make the Active Directory changes.

If you are going to deploy Exchange Server 2003 by joining an existing Exchange Server version 5.5 organization, you may install the ADC first. If you want, you can put the ADC service account into the Enterprise Admins group for the initial installation, and subsequently delegate the correct Exchange role after the first server running Exchange Server 2003 has been installed. You can then remove the ADC service account from the Enterprise Admins group.

As mentioned above, however, if you follow the best practices in the Exchange Server 2003 Deployment Guide, you can grant the ADC service account Exchange Full Admin permissions by means of the Exchange System Manager Administration Delegation Wizard.

What user rights does the ADC service account require?

On member servers, ADC configures the ADC service account to have the following user rights in the member server’s local security policy:

  • Act as Part of the Operating System

  • Log on as a Service

  • Generate Security Audits

  • Restore Files and Directories

If ADC is installed on a server running Active Directory, then these user rights are configured on the Default Domain Controller group policy.

If you have implemented other policies on your domain controller organizational units, you must add these rights to the highest applicable policy.
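The four user rights above map to fixed privilege constants in the security policy (Act as Part of the Operating System is SeTcbPrivilege, Log on as a Service is SeServiceLogonRight, Generate Security Audits is SeAuditPrivilege, Restore Files and Directories is SeRestorePrivilege). Because SeTcbPrivilege in particular is a very powerful right, it is worth confirming after installation that only the intended service account holds it. The following PowerShell script is an added example, not code from the original article or from Microsoft; it exports the currently applied user-rights assignments with secedit.exe and reports whether a given account holds each of the four rights. The account name "CONTOSO\svc-adc" is a constructed placeholder, and the script assumes an elevated session on the ADC server.

```powershell
# Added example, not code from the original article or from Microsoft.
# Exports the user-rights assignments currently in effect on this computer with
# secedit.exe and reports whether one account (the ADC service account) holds
# the four rights the article lists.
# Assumptions: elevated session on the ADC server; the account name passed in
# is a constructed placeholder to be replaced with the real service account.

# Display names from the article mapped to the constants secedit.exe uses.
$AdcUserRights = @{
    "SeTcbPrivilege"      = "Act as Part of the Operating System"
    "SeServiceLogonRight" = "Log on as a Service"
    "SeAuditPrivilege"    = "Generate Security Audits"
    "SeRestorePrivilege"  = "Restore Files and Directories"
}

function Get-PrivilegeRightsTable {
    # Returns a hashtable: privilege constant -> array of SIDs (or names) holding it.
    $inf = Join-Path $env:TEMP ("adc-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $table = @{}
        $inSection = $false
        # secedit writes a Unicode .inf; the section we want is [Privilege Rights].
        foreach ($line in (Get-Content $inf -Encoding Unicode)) {
            if ($line -match '^\[(.+)\]$') {
                $inSection = ($matches[1] -eq 'Privilege Rights')
                continue
            }
            if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
            # Values look like "*S-1-5-32-544,*S-1-5-21-...-1104"; strip the '*'.
            $table[$matches[1]] = @($matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
        return $table
    }
    finally {
        if (Test-Path $inf) { Remove-Item $inf -Force }
    }
}

function Test-AdcServiceAccountRights {
    param([Parameter(Mandatory = $true)][string]$Account)

    # Resolve the account to its SID so the comparison is name-independent.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $rights = Get-PrivilegeRightsTable

    foreach ($priv in $AdcUserRights.Keys) {
        $holders = @($rights[$priv])
        New-Object PSObject -Property @{
            Right    = $AdcUserRights[$priv]
            Constant = $priv
            Granted  = ($holders -contains $sid)
            Holders  = ($holders -join ',')   # everyone else holding the same right
        }
    }
}

Test-AdcServiceAccountRights -Account "CONTOSO\svc-adc" |
    Format-Table Right, Constant, Granted, Holders -AutoSize
```

On a domain controller the exported values reflect what the Default Domain Controllers policy (or a higher-precedence policy on the domain controllers OU) has applied, so the same script shows whether the rights described above actually reached the server. The Holders column is the useful audit output: any SID other than the service account (and the built-in holders Windows assigns by default) appearing next to SeTcbPrivilege deserves an explanation.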

Is it possible to change the password for the ADC service account after installation?

Yes. To change the password, see "How to Change the Password for the Active Directory Connector Service Account."

What permissions do I need to create connection agreements?

You need to have the following permissions:

  • Read on the "CN=Microsoft Exchange,CN=Services,CN=Configuration, DC=your-domain-here" object

  • Full Control on the "CN=Active Directory Connections,CN=Microsoft Exchange,CN=Services,CN=Configuration, DC=your-domain-here" object

  • Membership of the local Administrators group on the ADC server where the connection agreement is to be executed. You need this permission so that passwords can be securely transmitted to the ADC server.

The above permissions can be manually granted using the ADSI Edit (AdsiEdit.msc) MMC snap-in. If you do not want to manually grant permissions, either of the following user roles can be used to manage the ADC:

  • The ADC service account

  • A Full Exchange Administrator at the Organization level
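The two directory permissions listed above (Read on CN=Microsoft Exchange and Full Control on CN=Active Directory Connections) can be audited from PowerShell without opening ADSI Edit. The following script is an added example, not code from the original article or from Microsoft; it resolves the configuration naming context from RootDSE, collects the SIDs of an account and all its nested groups via the tokenGroups attribute, and then checks the Allow ACEs on both objects for GenericRead and GenericAll respectively. It assumes the account lives in the domain the computer is joined to, that the session has read access to the configuration container, and that "svc-adc" is a constructed placeholder account name. It evaluates Allow ACEs only and does not model Deny entries or property-specific ACEs, so treat a "Granted = True" result as a first check rather than a full effective-permissions calculation.

```powershell
# Added example, not code from the original article or from Microsoft.
# Checks whether an account holds the two directory permissions the article
# lists for creating connection agreements:
#   Read         on CN=Microsoft Exchange,CN=Services,<configuration NC>
#   Full Control on CN=Active Directory Connections,CN=Microsoft Exchange,...
# Assumptions: the account is in the computer's own domain; the session can
# read the configuration container; "svc-adc" is a constructed placeholder.
# Only Allow ACEs are evaluated; Deny and property-specific ACEs are ignored.

function Get-AccountTokenSids {
    # Returns the account's own SID plus every group SID from tokenGroups,
    # which the domain controller computes to include nested membership.
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account '$SamAccountName' not found in this domain" }

    $user = $result.GetDirectoryEntry()
    $user.psbase.RefreshCache(@("tokenGroups"))   # constructed attribute, must be requested

    $sids = @()
    $sids += (New-Object System.Security.Principal.SecurityIdentifier(
                  $user.psbase.Properties["objectSid"].Value, 0)).Value
    foreach ($bytes in $user.psbase.Properties["tokenGroups"]) {
        $sids += (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
    $sids
}

function Test-AdcConnectionAgreementAcl {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $tokenSids = Get-AccountTokenSids -SamAccountName $SamAccountName
    $configNc  = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext

    # ADSI Edit's "Read" corresponds to GenericRead, "Full Control" to GenericAll.
    $checks = @(
        @{ Object = "CN=Microsoft Exchange,CN=Services,$configNc";
           Needed = "GenericRead" },
        @{ Object = "CN=Active Directory Connections,CN=Microsoft Exchange,CN=Services,$configNc";
           Needed = "GenericAll" }
    )

    foreach ($check in $checks) {
        $entry  = [ADSI]("LDAP://" + $check.Object)
        $rules  = $entry.psbase.ObjectSecurity.GetAccessRules(
                      $true, $true, [System.Security.Principal.SecurityIdentifier])
        $needed = [System.DirectoryServices.ActiveDirectoryRights]$check.Needed

        $granted = $false
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($tokenSids -notcontains $rule.IdentityReference.Value) { continue }
            # A single ACE must carry every bit of the needed right.
            if (($rule.ActiveDirectoryRights -band $needed) -eq $needed) {
                $granted = $true
                break
            }
        }
        New-Object PSObject -Property @{
            Object  = $check.Object
            Needed  = $check.Needed
            Granted = $granted
        }
    }
}

Test-AdcConnectionAgreementAcl -SamAccountName "svc-adc" |
    Format-Table Needed, Granted, Object -AutoSize
```

Because the check walks tokenGroups, it also reports True when the permission arrives through the Exchange Full Administrator delegation or through the groups the ADC service account belongs to, which is how the article says these rights are usually held; a True result for an account that is in neither of those roles is worth tracing back to the specific ACE that grants it.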

When I create a connection agreement in the Active Directory Connector, I need to specify the credentials for accessing the Active Directory and Exchange Server 5.5 Directory Service. What permissions does this account need?

The permissions that you need are:

  • Exchange Server 5.5

    • Admin role on the Exchange Server 5.5 site naming context

    • Admin role on the Exchange Server 5.5 organization naming context

  • Active Directory

    • Domain Admins (of the local domain)

    • Exchange View Only Administrator role on the Exchange 2000 Server organization (so that the homeMDB and homeMTA attributes can be properly expanded)

    • Account Operator (of the local domain) if there are any Exchange Server 5.5 distribution lists with hidden membership. For more information about hidden membership, see Microsoft Knowledge Base article 321205 "XADM: Hidden Group Membership Does Not Replicate to Exchange Server 5.5."