This connection agreement is not set to create disabled accounts when no match is made

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2005-11-17

The Microsoft® Exchange Server Analyzer Tool queries the Active Directory® directory service to determine the value for the msExchServer1AlwaysCreateAs attribute of each connection agreement object. If the Exchange Server Analyzer determines that the msExchServer1AlwaysCreateAs attribute is not set to 1, a warning is displayed.

The msExchServer1AlwaysCreateAs attribute determines how X.500 objects are synchronized with Active Directory. A value of 0 indicates the connection agreement has been configured to create Microsoft Windows® contacts. A value of 1 for this attribute indicates that the connection agreement has been configured to create disabled Windows user accounts in Active Directory. A value of 2 indicates the connection agreement has been configured to create new Windows user accounts.

The Exchange Server Analyzer issues a warning because, when Exchange Server 5.5 must coexist with Active Directory and a full migration to Exchange Server 2003 is planned, it is important to have Active Directory Connector (ADC) create disabled Windows user accounts. These disabled Windows user accounts are "mailbox-enabled," meaning they are logically attached to a mailbox that exists on the Exchange Server 5.5 computer. Creating disabled Windows user accounts is necessary so that the user object that represents each disabled Windows account can eventually have access to public folders and other secured objects in Active Directory.

In the ADC user interface, there are three options for creating new objects when a matching object is not found in Active Directory for a mailbox in Exchange Server 5.5. These are listed on the Advanced tab in the properties of the connection agreement, as follows:

  • Create a Windows Contact: This is not recommended because a Contact object has no security context.

  • Create a new Windows user account: This is not recommended because the new account that is created will have a new SID and, therefore, the SID history of the Microsoft Windows NT® Server 4.0 user account will not be carried over to this new account during migration (because the SIDs are different).

  • Create a disabled Windows user account: This is recommended because it allows the Windows NT Server 4.0 user to coexist (with correct access to resources) until the full migration is complete.

To correct this warning

  1. Configure the Active Directory Recipient Connection Agreement to create mailbox-enabled disabled Windows user accounts.

  2. Use the Active Directory Migration Tool, which migrates Windows NT Server 4.0 user accounts to Active Directory and creates enabled Windows accounts. These enabled Windows accounts will have the same SID as the disabled Windows accounts created by ADC.

  3. Use the Active Directory Cleanup Wizard (ADClean), which merges the information from the Active Directory Migration Tool-created account into the ADC-created account.
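The check described at the top of this topic can be repeated offline against an LDIF export of the connection agreement objects, for example to confirm the setting after step 1. The following Python script is an added example, not part of the original topic or of the Exchange Server Analyzer; it assumes the export contains only connection agreement objects, and the sample DNs are constructed.

```python
import base64
import re

# Meaning of each msExchServer1AlwaysCreateAs value, as described above.
CREATE_AS = {"0": "Windows contact", "1": "disabled Windows user account",
             "2": "new Windows user account"}

def parse_ldif(text):
    """Return one {attribute: value} dict per LDIF record (last value wins)."""
    text = text.replace("\r\n", "\n").replace("\n ", "")   # unfold continuations
    records = []
    for block in re.split(r"\n\s*\n", text):
        record = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue                                   # blank or comment
            name, _, value = line.partition(":")
            if value.startswith(":"):                      # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            record[name.strip().lower()] = value.strip()
        if record:
            records.append(record)
    return records

def audit(text):
    """Return (dn, raw value, meaning) for each agreement not set to 1."""
    attr = "msexchserver1alwayscreateas"       # parse_ldif lower-cases names
    return [(r.get("dn"), r.get(attr),
             CREATE_AS.get(r.get(attr), "not set or unrecognized"))
            for r in parse_ldif(text) if r.get(attr) != "1"]

# Constructed sample export; every DN below is made up for illustration.
_DN3 = base64.b64encode("CN=CA-Z\u00fcrich,DC=example,DC=com".encode()).decode()
SAMPLE_LDIF = f"""\
dn: CN=CA-Site1,CN=Active Directory Connections,
 DC=example,DC=com
msExchServer1AlwaysCreateAs: 1

dn: CN=CA-Site2,DC=example,DC=com
msExchServer1AlwaysCreateAs: 2

dn:: {_DN3}
msExchServer1AlwaysCreateAs: 0

dn: CN=CA-Site4,DC=example,DC=com
"""

if __name__ == "__main__":
    print(*audit(SAMPLE_LDIF), sep="\n")
```

An agreement whose record lacks the attribute is reported as well, because the warning condition is "not set to 1" rather than "set to 0 or 2".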

For more information about Active Directory Connector recipient connection agreements, see the following Microsoft Knowledge Base articles: