Troubleshoot Directory Synchronization
Topic Last Modified: 2006-09-14
Exchange System Manager is a helpful tool for troubleshooting directory synchronization problems. You can use this tool to trigger manual synchronization cycles and full reloads, which is a recommended first action if you discover that address information in Active Directory® directory service or the Domino directory is incomplete. Triggering a synchronization cycle is also a good idea after you apply a configuration change to determine whether you successfully solved the problem.
To communicate with Lotus Domino, the LSDXA process starts the Lotus Notes DX Agent (DXANOTES), which is implemented in a dynamic-link library (DLL) named Dxanotes.dll. This file resides in the \Program Files\Exchsrvr\Bin directory. The DXANOTES process parses the Dxanotes.txt file, processes the addresses, and places them in the target directory on the Lotus Domino server. To communicate with Lotus Domino, DXANOTES uses the Lotus Notes client API.
DXANOTES also performs the directory synchronization from Lotus Domino to Active Directory. The process uses the Lotus Notes client API to read the Lotus Domino directory and writes the recipient information into the Dxamex.txt file in the \Program Files\Exchsrvr\Conndata\Temp directory.
If you want to examine the processing performed by DXANOTES, click the Diagnostics Logging tab for your bridgehead server, and then select the LME-NOTES service. From the list of categories, select Notes Directory Synchronization and then set the logging level to Maximum. Remember to set the logging level back to the default setting of None after you complete a directory synchronization cycle.
Directory synchronization issues can be classified as follows:
The messaging connector is unable to read or write recipient information in Active Directory. When you configure directory synchronization with Lotus Domino, you must specify export and import containers for the recipient objects. The messaging connector requires the following access permissions:
Import Container: The computer account of the Exchange server that is running the messaging connector must be granted the Create All Child Objects and Delete All Child Objects permissions to create, modify, or delete recipients in this container. The computer account also requires the special permissions List Contents, Read All Properties, and Write All Properties.
Export Containers: The computer account of the Exchange server that is running the connector must be granted the Read permission to read the recipient objects in the selected container. The computer account also requires the special permissions List Contents, Read All Properties, and Read Permissions.
Note: When you configure Import and Export containers in Exchange System Manager, you will be prompted to assign the computer account the required permissions automatically. To verify how permissions are assigned, start Active Directory Users and Computers, right-click the target container, select Properties, and then click the Security tab. Click Advanced, and then double-click the computer account (for example, SERVER01$ (CONTOSO\SERVER01$)).
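The same verification can be scripted, which also shows whether the computer account holds rights beyond what the connector needs. The following PowerShell is an added example, not part of the original topic: the container distinguished names are hypothetical placeholders, the mapping of the permission names above to ActiveDirectoryRights values is this example's own, and only access control entries that name the account directly are evaluated (rights obtained through group membership are not).

```powershell
# Added example (not from the original topic). Container DNs in the usage lines
# are hypothetical placeholders; the account is the page's example, SERVER01$.
Add-Type -AssemblyName System.DirectoryServices

function Test-ConnectorContainerAcl {
    param(
        [string]$ContainerDN,
        [string]$Account,
        [System.DirectoryServices.ActiveDirectoryRights]$Required
    )
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ContainerDN")
    # Explicit and inherited ACEs, with identities translated to DOMAIN\name form.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])

    $granted = 0
    foreach ($rule in $rules) {
        # Count only Allow ACEs that name the account directly and apply to all
        # object types and properties (ObjectType is the empty GUID).
        if ($rule.IdentityReference.Value -ne $Account) { continue }
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($rule.ObjectType -ne [Guid]::Empty) { continue }
        $granted = $granted -bor [int]$rule.ActiveDirectoryRights
    }
    $missing = [int]$Required -band (-bnot $granted)   # needed but not granted
    $excess  = $granted -band (-bnot [int]$Required)   # granted but not needed

    New-Object PSObject -Property @{
        Container = $ContainerDN
        Granted   = [System.DirectoryServices.ActiveDirectoryRights]$granted
        Missing   = [System.DirectoryServices.ActiveDirectoryRights]$missing
        Excess    = [System.DirectoryServices.ActiveDirectoryRights]$excess
    }
}

# Import container: Create/Delete All Child Objects, List Contents,
# Read All Properties, Write All Properties.
Test-ConnectorContainerAcl -ContainerDN 'OU=DominoImport,DC=contoso,DC=com' `
    -Account 'CONTOSO\SERVER01$' `
    -Required 'CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty'

# Export container: List Contents, Read All Properties, Read Permissions.
Test-ConnectorContainerAcl -ContainerDN 'OU=ExchangeUsers,DC=contoso,DC=com' `
    -Account 'CONTOSO\SERVER01$' `
    -Required 'ListChildren, ReadProperty, ReadControl'
```

A non-zero Missing value points to a permission problem of the kind described above; a non-zero Excess value on an export container (for example WriteProperty or WriteDacl) means the account can do more than read and is worth reviewing.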
The messaging connector is unable to communicate with the Domino messaging system to export or import recipient information. Directory synchronization requires a functioning connector configuration. In addition, you must ensure that the connector has the permissions required to access and update directory information in the Lotus Domino directory. The Notes user ID that Connector for Lotus Notes uses to communicate with Lotus Domino must be granted Editor access to the Lotus Domino directories that you want to synchronize.
The LSDXA process is responsible for handling the actual directory synchronization processes. Lsdxa.exe resides in the \Program Files\Exchsrvr\Bin directory and is started automatically when you start the Exchange Connector for Lotus Notes.
You can use Task Manager to verify that Lsdxa.exe is running on your bridgehead server. When the connector service is started, Lsdxa.exe is listed on the Processes tab.
The LSDXA process is responsible for parsing the Exchconn.ini file and loading the appropriate subprocesses into memory to communicate with Active Directory and the non-Exchange directory. To communicate with Active Directory, Lsdxa.exe starts the Microsoft Exchange Server DX Agent (DXAMEX), which is implemented in a dynamic-link library (DLL) called Dxamex.dll.
DXAMEX communicates with Active Directory through Active Directory Service Interfaces (ADSI). DXAMEX extracts the recipient information from the export containers that you specified in the connector configuration and places the data, in the form of a temporary file in message interchange format (MIF), into the \Program Files\Exchsrvr\Conndata\Temp directory. In the other direction, the DXAMEX process seeks an MIF file named Dxamex.txt, which it processes to place recipient information into the import container that you specified in the connector configuration.
If you want to examine the communication between the DXAMEX process and Active Directory, click the Diagnostics Logging tab for your bridgehead server, and then select the MSExchangeADDXA service. From the list of categories, select LDAP Operations and then set the logging level to Maximum. Remember to set the logging level back to the default setting of None after you complete a directory synchronization cycle. Otherwise, you might quickly fill the application event log with a very large number of entries.
Regardless of the technology that you use to synchronize directory information, there are some common issues that you might encounter during directory coexistence, including the following:
Group and distribution list memberships need to be updated manually. If you choose to synchronize groups and distribution lists, users can send e-mail to the groups/distribution lists in either messaging system. However, group and distribution list membership is not synchronized. Domino groups appear as mail-enabled contacts in Active Directory as documented above. As you move Notes users' mail databases to Exchange Server 2003, group members' Person documents are deleted from the Domino messaging system because they now reside in the new Exchange Server 2003 organization. These users typically lose their group membership in the Domino messaging system when their Person document is deleted, so that mail sent to the distribution list will not be delivered to all intended recipients.
One way to handle this issue is to implement a manual or automated means for updating the Domino groups to ensure that the membership lists are accurate. When all users are migrated to Exchange Server 2003, you can re-create the groups in the form of mail-enabled distribution groups in Active Directory.
A better way to handle the issue is to create mail-enabled distribution groups in Active Directory before you migrate any mail databases to Exchange Server 2003. Mail-enabled distribution groups in Active Directory can contain both Exchange Server 2003 mailboxes and mail-enabled contacts for recipients who are still in the Domino messaging system.
If you create mail-enabled contacts through directory synchronization, the Exchange Migration Wizard for Lotus Notes replaces these contacts with mailbox-enabled user accounts during migration. If you specify the organizational unit of the contacts as the target container for the new user accounts, the Migration Wizard updates group memberships automatically.
Notes clients use local address information. If a Notes user’s Personal Address Book contains entries for users in the local Domino domain, the messages might not be delivered when users are migrated to Exchange because the local address information doesn't properly address the mail to the recipient's Exchange mailbox.
When a user is migrated to Exchange Server 2003, the Domino Directory is updated through directory synchronization. The local address book does not receive any changes, so any message whose recipient address is resolved by the Personal Address Book will be routed to the recipient's Notes e-mail address. Notes users must either update or delete entries for users in the local Domino domain from their Personal Address Book, so that mail routes properly during the coexistence phase. Users should be notified prior to the beginning of the coexistence and migration phases, so that they can remove these entries and avoid this problem.