
Exchange Server and Active Directory FAQs


From creating Exchange Server mailboxes and modifying SMTP addresses to bulk-importing data and configuring user permissions, this collection of frequently asked questions will teach you how to manage and manipulate Active Directory for easier Exchange Server deployment and administration.


Frequently Asked Questions:

EXCHANGE SERVER AND ACTIVE DIRECTORY

Exchange Server and Active Directory Administration Issues

2. How to set up the Exchange Server tabs in ADUC

3. How to query Active Directory for the altrecipient field

4. Configuring altrecipient in AD to forward email to a BlackBerry

5. Finding an object's email address in ADUC

6. Prevent users from accessing others' mailboxes with AD

7. Lost ability to create Exchange Server inboxes from ADUC

8. Bulk-import contact information to an Exchange Server public folder

9. Viewing disabled mailboxes in Active Directory Users and Computers

10. Modifying SMTP addresses for already existing mailboxes in AD

11. Disabling an old Exchange mailbox and creating a new one in ADUC

12. Forcing Microsoft Outlook options using Active Directory Group Policy

13. Simultaneously add telephone numbers (or other directory objects) to Active Directory

Exchange Server and Active Directory Deployment Issues

1. Demote Exchange Server from domain controller to member server

2. Transferring the master role to another domain server

3. Migrating from Exchange 5.5 to Exchange 2000 using ADMT

4. Logging into Exchange Server with NT vs. AD accounts in mixed mode

5. Migrating Exchange 5.5 intact vs. installing on new AD forest

6. Synchronizing two Active Directory domains

How to set up the Exchange Server tabs in ADUC

From a Windows XP Professional PC, how do I get the Exchange tabs in Active Directory Users and Computers for account administration? I know there is something from the Exchange Server CD I need to install on the PC, but what? Are there other dependencies?

This is a commonly asked question. You need to install the Exchange management tools on your workstation from your Exchange Server CD. Then you need to launch MMC using the Active Directory Users and Computers (ADUC) shortcut in Start -> Programs -> Microsoft Exchange. Once in ADUC, you should click Tools -> View Advanced in order to display all the tabs when administering mailboxes.

How to query Active Directory for the altrecipient field

I have an Active Directory with Microsoft Exchange mail servers. I need to search Active Directory to find out who currently has the altrecipient field filled out. Is there a way to do this without writing a script?

Since Exchange 2000 and Exchange 2003 rely on Active Directory, technically what you're asking is how to query Active Directory for the altrecipient field. The best non-script method that comes to my mind is to use the CSVDE tool. Have a look at Microsoft's article entitled "Import or export directory objects using CSVDE" for more information on how to use CSVDE.
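Added example, not part of the original answer: once CSVDE has exported the objects that have altRecipient set, the export can be turned into a forwarding report that shows where mail is going and whether it leaves the organization. It assumes a user export made with `csvde -f fwd.csv -r "(altRecipient=*)" -l "sAMAccountName,altRecipient,deliverAndRedirect"` and a contact export listing targetAddress; the sample rows, the example.com names and INTERNAL_DOMAINS are constructed.

```python
import csv
import io

# Constructed sample of the user export described in the lead-in.
USERS_CSV = '''DN,sAMAccountName,altRecipient,deliverAndRedirect
"CN=Jane Doe,OU=Staff,DC=example,DC=com",jdoe,"CN=Jane BB,OU=Contacts,DC=example,DC=com",TRUE
"CN=Raj Patel,OU=Staff,DC=example,DC=com",rpatel,"CN=Archive,OU=Staff,DC=example,DC=com",FALSE
"CN=Ann Lee,OU=Staff,DC=example,DC=com",alee,"CN=Ann Home,OU=Contacts,DC=example,DC=com",
'''

# Constructed sample of: csvde -f contacts.csv -r "(objectClass=contact)" -l "targetAddress"
CONTACTS_CSV = '''DN,targetAddress
"CN=Jane BB,OU=Contacts,DC=example,DC=com",SMTP:jane@handheld.example.net
"CN=Ann Home,OU=Contacts,DC=example,DC=com",SMTP:ann.lee@mail.example.org
'''

INTERNAL_DOMAINS = {"example.com"}  # assumption: domains the organization owns


def load_contacts(text):
    """Map lower-cased contact DN -> SMTP address taken from targetAddress."""
    contacts = {}
    for row in csv.DictReader(io.StringIO(text)):
        addr = (row.get("targetAddress") or "").strip()
        if addr.lower().startswith("smtp:"):
            addr = addr[5:]
        contacts[row["DN"].strip().lower()] = addr.lower()
    return contacts


def forwarding_report(users_text, contacts_text, internal=INTERNAL_DOMAINS):
    """Return one dict per mailbox that has altRecipient set."""
    contacts = load_contacts(contacts_text)
    report = []
    for row in csv.DictReader(io.StringIO(users_text)):
        target_dn = (row.get("altRecipient") or "").strip()
        if not target_dn:
            continue
        # None means the target is not a contact (for example another mailbox).
        address = contacts.get(target_dn.lower())
        domain = address.rsplit("@", 1)[-1] if address else None
        report.append({
            "user": row["sAMAccountName"],
            "forwards_to": address or target_dn,
            # deliverAndRedirect TRUE: deliver to the mailbox and forward a copy.
            "keeps_copy": (row.get("deliverAndRedirect") or "").strip().upper() == "TRUE",
            "external": domain is not None and domain not in internal,
        })
    return report


if __name__ == "__main__":
    for entry in forwarding_report(USERS_CSV, CONTACTS_CSV):
        print(entry)
```

Rows flagged `external` with `keeps_copy` false are the ones worth reviewing first, since mail for that user leaves the organization without a copy staying in the mailbox.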

Configuring altrecipient in AD to forward email to a BlackBerry

I need to set up an alternate recipient address for a user to forward copies of e-mails to a BlackBerry. In Exchange 5.5, you can set up a custom recipient that can then be used as an alternate recipient. How can I do this in Exchange 2000/2003?

You can add this by going to File -> Manage object view -> AD custom. Choose Active Directory user, and then New. The Attribute Directory name is altRecipient, and in Display title you can put something like Forwarding Address.

Finding an object's email address in ADUC

I want to add an e-mail address to an existing group. But Active Directory Users and Computers (ADUC) says that the address is already in use. I have searched ADUC for users' e-mail addresses, and no user has the address. But, I can't search groups for an e-mail address. How can I find this elusive address?

Here is a very easy way to do this:

1. Go to Active Directory Users and Computers

2. Right-click on your Domain.

3. Go to Find.

4. Change the Find dropdown to "Custom Search" (you could also change the "IN" dropdown to "Entire Directory," if you have more than one domain).

5. Go to Advanced tab.

6. Type "(proxyAddresses=smtp:[email protected])".

This will give you the object -- of any type (user, group, contact, public folders, etc.) -- that has that e-mail address.

Prevent users from accessing others' mailboxes with AD

I am looking for a way to prevent Outlook 2000/2003 users from having access to the Permissions tab in the mailbox folders. I want to prevent users from assigning permissions to other users to have access to their mailboxes. I want to control this through Active Directory Users and Computers.

I think you might be able to do this with a Group Policy Object. Using the Office templates you can remove tabs from Outlook and other Office applications. See Microsoft's Office 2003 Service Pack 2 Administrative Template (ADM), OPAs, and Explain Text Update page for more information.

If not, you may be able to lock down the permissions using the information in the Microsoft Knowledge base article, How to set Exchange Server 2003 and Exchange 2000 Server mailbox rights on a mailbox that exists in the information store.

Lost ability to create Exchange Server inboxes from ADUC

I cannot create e-mail inboxes in Exchange from Active Directory Users and Computers anymore. When I create a new user with the wizard, everything finishes, but there are no e-mail addresses on the user properties e-mail tab, no entry in the Global Address Book and the Exchange System Manager doesn't show a new mailbox.

I can move the unseen mailbox from one server to another, and it magically appears. I can then move it back, but there are still issues. The mailbox doesn't appear in the address book, or have an e-mail address in the user properties, and the user cannot attach to the server with Outlook 2003.

I think this started shortly after I added a second Exchange server. NetDiag and DCDiag show no problems, and the Exchange Best Practices Analyzer doesn't show any hints either.

It sounds to me as though the Recipient Update Service (RUS) is not working properly for mailboxes you create on the problematic server. The RUS is responsible for stamping the SMTP proxy addresses on new objects, along with other Exchange objects. It's also responsible for stamping the showInAddressBook attribute, which is required to get the mailbox to appear in the Global Address List (GAL) and permit logon via MAPI (i.e., Outlook). Without knowing more about your issues, I can't take you much further than this, but I'd have a good look at the RUS in troubleshooting your issue.

Bulk-import contact information to an Exchange Server public folder

I need a simple way to copy about 13,000 contacts to a public folder. I'm a network administrator for an insurance company. We have contact information for about 11,000 independent agents and 2,000 various other contacts.

We just implemented a 'fax from desktop' solution. The cool thing about it is that, if you have a contact and a number in the 'Business Fax' field, all you have to do is find that contact, send a message and it goes out as a fax.

The problem is that I have to update this list about once a week because information changes that often. Basically, I import an Excel spreadsheet into a contact list in a personal folder on my computer and then copy to the Exchange Server 2003 public folder. This takes forever and a day even when breaking it up into 2,000 piece increments. It also eats about 60-70% of CPU during the copying procedure.

Is there any easier/simpler way of doing this?

First of all, check whether the public folder that you're importing to is replicated to (or located on) a server that is close to you. Secondly, you'll want to check the raw processing power on the Exchange server hosting that public folder. It's quite likely that boosting server performance will speed up your imports, if that's an option. Finally, you may want to consider creating an address list in Active Directory containing the contacts, instead of placing the contacts in a public folder.

You'll need to learn how to use a tool called LDIFDE for export and import to Active Directory. This is described in Microsoft's Step-by-Step guide to bulk import and export to Active Directory.

If this meets all your requirements, then this will speed up the process dramatically. Since LDIFDE import files are a bit unwieldy to manipulate, you will want to search your favorite Internet search engine for "convert ldif to csv free" to locate some of the free tools available to facilitate making your weekly changes using Excel. Obviously, test this in a lab first to ensure this meets your performance needs.

Viewing disabled mailboxes in Active Directory Users and Computers

Is there any way to view the disabled mailboxes (closed mailboxes) under Active Directory (AD) users and computers? Also, can the Exchange administrator receive an e-mail notification for the disabled (closed) mailboxes?

We should first review how this works. Each typical user of an Exchange environment has an account that they use to log onto the network with (i.e., an account in Active Directory) and a mailbox within Exchange that is associated with that account. There are different ways to decommission a mailbox once a user has left the organization. I'll discuss two of these in answering your question.

Option 1: Hard delete after x days -- in this approach, when a user leaves an organization, their account is typically disabled, blocking them from logging onto the network. The mailbox continues to be associated with this account, and can be logged onto using alternate credentials if someone else needs access to the mailbox. A mailbox with a disabled account will no longer receive messages. Typically in this scenario, the mailbox and associated account are completely deleted after x days. In many cases, decommissioned accounts are moved to a dedicated Organizational Unit (OU) reserved for this purpose.

Option 2: Re-assigning SMTP Address -- in this approach, the departed user's account is disabled, as above, but their SMTP address is removed from their original mailbox and moved to another object such as a "catch-all" mailbox designated for all terminated employees, a manager's mailbox or similar.

So now to answer your questions. Viewing a list of all disabled mailboxes really depends on how you've decommissioned them. If you simply want a list of all accounts that have been disabled, these are visible within Active Directory Users and Computers as users with a red x through them. If you're using Option 1 and have moved decommissioned accounts to a dedicated OU, then this is even simpler. Just point Active Directory Users and Computers at the OU and you'll have your list. If you're using Option 2, then you could use View | Show Columns within Active Directory Users and Computers to add the "E-Mail Address" column. Sorting by users without an e-mail address will allow you to identify those who have been terminated.

Finally, you asked about an administrator receiving e-mails for the disabled mailboxes. I'm assuming you're asking whether administrators can receive messages designated for the terminated users, in which case Option 2 provides a solution.

Modifying SMTP addresses for already existing mailboxes in AD

Let's assume Exchange 2000 and Active Directory are ready. I want to make a domain and a user on the domain like this: [email protected]. Where can I put the domain name 'abc.com' on the Exchange server? In the e-mail address of the recipient's mail property? How do I make the Exchange server support a second domain?

These are great questions. I'll deal with them individually.

First of all, I believe you're asking how to set up the SMTP address of your e-mail accounts to be @abc.com.

There are multiple parts to this question. Setting the SMTP domain to be @abc.com is pretty simple. Essentially, you need to launch Exchange System Manager, navigate to Recipient Policies -> Default Policy -> Properties -> E-mail Addresses and set SMTP Address to @abc.com. All new mailboxes created henceforth will have an e-mail address in the [email protected].

If you have to change the SMTP addresses of mailboxes that you have already created (i.e., if you have a lot of existing mailboxes already created), you'll have to resort to either changing them manually through Active Directory Users and Computers, or using the Ldifde tool to export all mailboxes, modify the SMTP address and re-import into Active Directory. (See Microsoft Knowledge Base article 313823.)

Secondly, supporting a second SMTP domain is as simple as setting some sort of unique identifier on all accounts that will sport the --> --> --> --> .com SMTP address and then specifying a second recipient policy based on this criteria. Depending on the business drivers behind your particular requirements, you may decide to put all @123.com users in a given Organizational Unit (OU) in Active Directory, or you may wish to include specific text in one attribute on all these accounts -- for example, Custom Attribute = "123 Company" or similar. Then you'll want to create the recipient policy [email protected]. You'll need to specify an LDAP query for the second recipient policy that only returns the mailboxes that you've created. Once again, you'll need to go to the Recipient Policies node, then select the new Recipient Policy that you've created for 123 Company, navigate to Properties -> E-mail Addresses, and set the SMTP Address to @123.com.

One final reminder: Any SMTP domains that you set up are only as good as the DNS MX records that you have defined with your Internet Service Provider and Internet Domain Registrar. Obviously, you need a proper MX record set up for [email protected] and @123.com pointing to your SMTP gateway if your Exchange server is going to actually receive any Internet traffic destined for these domains!

Disabling an old Exchange mailbox and creating a new one in ADUC

In Active Directory Users and Computers (ADUC), I copied a disabled user account (User A) to a new employee (User B) who was a replacement. User A had an Exchange 5.5 mailbox that wasn't migrated to Exchange 2003. I was not aware of that until after I set up the account.

Now User B has no associated mailbox. I right-click the user and go to Exchange Tasks, looking for "Create Mailbox," but all I get is "Remove Exchange Attributes." How do I create a mailbox for User B?

You should be able to simply right-click the mailbox and select "Remove Exchange Attributes." Once this is done, right-clicking should permit you to use "Create Mailbox" to create a new mailbox for User B.

Forcing Microsoft Outlook options using Active Directory Group Policy

Can you force Microsoft Outlook client options in an Exchange Server environment? For example, we are a hospital and want to add a specific signature line but do not want to allow employees to change stationery and fonts. How can we do this?

There are a number of Microsoft Outlook options that you can enforce using Active Directory Group Policy. To set this up, first download the Office Resource Kit. Locate the ADM files in the Resource Kit folder and copy them into %windir%\inf. The template that will be of the most interest to you is Outlk11.adm.

Once you've done this, create a Group Policy Object (GPO). Call it Outlook Configuration, or anything with a convenient name. Edit your GPO and select the Administrative Templates under User Configuration. Right-click Administrative Templates, select the Add/Remove Templates option, and then browse to the Outlk11.adm file. After you've done this, you will have a new node under User Configuration -> Administrative Templates -> Microsoft Office Outlook 2003 with lots of goodies that you can configure and enforce for your users, including specification of stationery and fonts.

Unfortunately, adding standard signatures cannot be accomplished through Group Policy. For that, you could create an Event Sink and add a disclaimer to simulate a signature, or you could use third-party software.

Simultaneously add telephone numbers (or other directory objects) to Active Directory

When our Active Directory was created, they didn't put in the telephone numbers. Is there any way to add the telephone numbers for 500 people without having to go into Active Directory and put in the numbers one by one? Human Resources sends out a telephone directory in Excel; can I use that to my benefit?

You should have a look at LDIFDE. See Microsoft Knowledge Base Article 237677: Using LDIFDE to import and export directory objects to Active Directory for instructions on how to make these changes. You'll need to be creative in Excel (or Access) in order to match up the source data from Human Resources with Active Directory data using some unique primary key.
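Added example, not part of the original answer: one way to do the matching outside Excel is to join the HR sheet (saved as CSV) to a CSVDE export of DN and sAMAccountName, then write an LDIF file for `ldifde -i -f phones.ldf`. The column names Logon and Phone, the use of the logon name as the key, and all sample rows are assumptions; values from the spreadsheet are validated because a cell containing a line break could otherwise add directives to the import file.

```python
import base64
import csv
import io
import re

# Constructed sample of a directory export: csvde -f users.csv -l "sAMAccountName"
AD_EXPORT = '''DN,sAMAccountName
"CN=Jane Doe,OU=Staff,DC=example,DC=com",jdoe
"CN=José Núñez,OU=Staff,DC=example,DC=com",jnunez
"CN=Raj Patel,OU=Staff,DC=example,DC=com",rpatel
'''

# Constructed sample of the HR spreadsheet saved as CSV (column names are assumptions).
HR_SHEET = '''Logon,Phone
JDoe,+1 555 0100
jnunez,(555) 0101 x22
rpatel,"555 0102
changetype: delete"
nobody,555 0199
'''

PHONE_OK = re.compile(r"[0-9+(). x-]{3,32}")  # digits and common punctuation only


def ldif_line(attr, value):
    """RFC 2849: plain 'attr: value' when safe, otherwise base64 'attr:: ...'."""
    safe = (value.isascii() and value[:1] not in ("", " ", ":", "<")
            and not value.endswith(" ")
            and not any(c in value for c in "\r\n\0"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def build_ldif(ad_csv, hr_csv):
    """Return (ldif_text, rejected_rows), joining HR rows to DNs on the logon name."""
    dn_by_logon = {row["sAMAccountName"].strip().lower(): row["DN"]
                   for row in csv.DictReader(io.StringIO(ad_csv))}
    records, rejected = [], []
    for row in csv.DictReader(io.StringIO(hr_csv)):
        logon, phone = row["Logon"].strip().lower(), row["Phone"].strip()
        dn = dn_by_logon.get(logon)
        if dn is None:
            rejected.append((logon, "no matching account"))
        elif not PHONE_OK.fullmatch(phone):
            # Reject anything that is not a plain number, including multi-line cells.
            rejected.append((logon, "invalid phone value"))
        else:
            records.append("\n".join([
                ldif_line("dn", dn),
                "changetype: modify",
                "replace: telephoneNumber",
                ldif_line("telephoneNumber", phone),
                "-",   # LDIFDE expects a lone "-" after each modification
                "",
            ]))
    # Joining with "\n" leaves one blank line between records.
    return "\n".join(records), rejected


if __name__ == "__main__":
    text, skipped = build_ldif(AD_EXPORT, HR_SHEET)
    print(text)
    print("rejected:", skipped)
```

Review the rejected list before importing, and run the import against a lab domain first.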

Demote Exchange Server from domain controller to member server

My Exchange 2003 server is also a domain controller because it was the first domain controller in Active Directory. With other domain controllers now installed, we want to demote Exchange from being a domain controller to just a member server.

We have already moved the catalog server function to a different domain controller. Referencing a document in Microsoft Knowledge Base, we think we just have to move Flexible Single Master of Operations (FSMO) roles and run DCPROMO.

Yes, you need to move the FSMO roles to another domain controller and then DCPROMO the machine to demote it from being a domain controller to simply a member server. You should have no problems.

Transferring the master role to another domain server

How do you transfer the infrastructure master role from one domain server to another?

1. Launch Active Directory Users and Computers (ADUC) and navigate to the domain in the left hand pane.

2. Right click the domain and choose Operations Master.

3. Select the Infrastructure tab.

4. Now use the Change button at the bottom of the dialog to set a new Infrastructure Master Flexible Single Master Operations (FSMO) role.

Migrating from Exchange 5.5 to Exchange 2000 using ADMT

I am migrating from Exchange 5.5 to Exchange 2000 within the same domain. I have installed Windows 2000 and Exchange 2000 on a new box. Do I have to establish a trust between NT4 and Exchange 2000? How do I move the mailboxes from Exchange 5.5 to Exchange 2000?

Microsoft publishes many great overview articles on migrations, more specifically, about the question you are asking. Since this is a general question, I would like to point you to this particular TechNet overview article from Microsoft: How to migrate from Exchange 5.5 to Exchange 2003 using the Active Directory Migration Tool.

Logging into Exchange Server with NT vs. AD accounts in mixed mode

I'm planning an NT 4.0/Exchange 5.5 to Windows Server 2003/Exchange 2003 upgrade. In a new, parallel Active Directory deployment, I will use the Active Directory Migration Tool to migrate/copy user accounts to Active Directory. Then, I will use it again to modify the access control lists (ACLs) of the Exchange 5.5 mailboxes, so that the new Active Directory accounts would become the new owners.

After I run that, can I still log in with the old NT accounts and access those mailboxes? Or can I only log in with the Active Directory account from that point on?

It depends on the permissions that are modified during the ACL update. If you leave the old NT account as the primary NT account of the Exchange 5.5 mailbox, then the new account should still have access to the resource via SIDHistory. But it would require you to keep the legacy domain online indefinitely, and have a functioning trust in place.

You should determine how long you want to keep the legacy domain online, then re-ACL the primary NT accounts to the new accounts. After that, you can have your users log into the Active Directory domain versus NT.

Migrating Exchange 5.5 intact vs. installing on new AD forest

A unit of the Army National Guard, which is now a temporary Active Directory forest with Exchange 5.5, will be migrating to an Active Directory forest of the U.S. Army. We are required to maintain Exchange 5.5. We have 150 users and a priv.edb of 5 GB. Once migration is complete, we will become an organizational unit.

Can we migrate Exchange 5.5 intact, or should we install Exchange 5.5 on the new forest and use Exmerge to move the mail? Some people think we can install Exchange 5.5 before the migration, and some think we should install after we are members of the Army forest.

What would you do?

As long as the Exchange 5.5 servers are built on machines that are just member servers, and not servicing a backup domain controller role in the old NT domain, I would simply add the machines into the new AD domain. Then, change the Exchange 5.5 service accounts and reassign all of the mailboxes in Exchange 5.5 with a new Active Directory primary NT account.

This way the original Exchange 5.5 servers will exist as member servers in the new Active Directory domain; the service account for Exchange is an Active Directory object; and, lastly, the accounts used to log into the mailbox are the new Active Directory accounts.

This article might be helpful as well: How to change the service account password.

Synchronizing two Active Directory domains

We recently acquired a company and are in the process of testing our network setup. Our forest master and Exchange are on Domain A. Domain B is trying to access e-mail in Domain A. So there is a user account on Domain B and a user account with an Exchange mail store on Domain A. Right now, they are set up as a tree in our forest. I want to see if it is possible to synchronize Domain A's Active Directory with Domain B's Active Directory, so we don't have to change passwords in two domains. How do we accomplish this?

If Domain A trusts Domain B, you should just be able to give all the Domain B accounts rights to access the Domain A mailboxes. That way, you don't need to worry about the passwords for Domain A accounts. In other words, the only accounts you'd need to manage for the time being are Domain B accounts. To set this up:

1. Launch Active Directory Users and Computers (ADUC) on a machine with Exchange System Manager installed and connected to Domain _.

2. View the properties of each mailbox and switch to the Exchange Advanced tab. (If you don't see this tab in ADUC, see KB article 326894, How to Access the Exchange Advanced Tab in Active Directory Users and Computers).

3. Now select Mailbox Rights.

4. Make sure the Domain B account is added to the list of security principals having access (typically only "self") in order to facilitate the two-domain coexistence scenario.

Essentially, you're asking how to simplify management of your users' identities across multiple accounts and passwords. Various solutions exist focused on identity management. Microsoft has a solution called Microsoft Identity Integration Server (MIIS) that permits exactly what you're asking, namely synchronization of passwords across multiple domains as you described.

More importantly, in your case, I believe you can use a free scaled down version of MIIS called the Identity Integration Feature Pack 1a for Microsoft Windows Server Active Directory, which can synchronize passwords across Active Directory, ADAM and Exchange Server environments. You'll also want to install the update.

If you want a more sophisticated solution that will do all this plus assist once you start migrating users from Domain B into Domain A, I suggest looking at third-party migration solutions.


Exchange Server and Active Directory experts: David Sengupta (Administration Expert), Bharat Suneja (Administration Expert), Peter terSteeg (Deployment Expert).

This was first published in November 2006
