Synchronizing Active Directory with Exchange Server Directory Service
You need to determine from which directory service you want to administer objects. As mentioned earlier in this chapter, you can use ADC to administer objects from Active Directory, Exchange Server, or from both directory services.
It is important to note that the ADC handles the synchronization of deleted objects between the two directories differently from the way it handles other revised objects. By default, the ADC does not synchronize the deletion of any object from the source directory to the target directory. Instead, the ADC writes to disk an import file containing the item to be deleted. An administrator can review the deleted objects in this import file and, as appropriate, choose to import the file, thereby deleting the set of target objects. If you choose to directly synchronize object deletions between the two directories, you can do so by selecting this option on the Deletion tab of the connection agreement's property pages. You can also control how the ADC handles each direction of a bidirectional connection agreement.
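A review pass over a deletion import file before an administrator imports it, as an added example (not code from this chapter or from the ADC). It assumes the file destined for Active Directory is LDIF with `changetype: delete` records; the sample records, container names and the deletion threshold are constructed.

```python
import base64
import re

# Constructed sample; assumes the deletion import file is LDIF.
B64_DN = base64.b64encode(b"CN=SvcBackup,CN=Users,DC=corp,DC=example").decode()
SAMPLE_LDIF = f"""\
dn: CN=Alice Example,OU=Sales,DC=corp,DC=example
changetype: delete

dn: CN=Bob Example,OU=Sales,DC=
 corp,DC=example
changetype: delete

dn:: {B64_DN}
changetype: delete

dn: CN=Carol Example,OU=Sales,DC=corp,DC=example
changetype: modify
"""

def parse_records(text):
    """Return one dict per LDIF record (first value of each attribute)."""
    text = re.sub(r"\r?\n ", "", text)    # unfold: newline + one space continues a line
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if line.startswith("#") or not sep:
                continue                  # comment or separator line such as "-"
            if value.startswith(":"):     # "attr:: ..." carries a base64 value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            rec.setdefault(attr.lower(), value.strip())
        if rec:
            records.append(rec)
    return records

def review(text, allowed_bases, max_deletes):
    """Split records into in-scope deletes and flagged ones (plain DN suffix match)."""
    ok, flagged = [], []
    for rec in parse_records(text):
        dn = rec.get("dn", "")
        if rec.get("changetype", "").lower() != "delete":
            flagged.append((dn, "not a delete"))
        elif not any(dn.lower().endswith("," + b.lower()) for b in allowed_bases):
            flagged.append((dn, "outside allowed containers"))
        else:
            ok.append(dn)
    return {"ok": ok, "flagged": flagged, "approve": not flagged and len(ok) <= max_deletes}
```

Calling `review(SAMPLE_LDIF, ["OU=Sales,DC=corp,DC=example"], 10)` withholds approval because one deletion targets an account outside the expected container and one record is not a deletion at all.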
If you decide to manage objects from Active Directory, you will need to deploy each connection agreement so that it can write to the Exchange Server directory. For every Exchange Server site for which you will administer the recipients from the Active Directory, you need to create a connection agreement from a server in that site to the appropriate Windows 2000 Server domain. An example of where this administration model might be appropriate is in an organization that administers employee information in Active Directory or in another directory system that synchronizes with the Active Directory. You can use the ADC to update the Exchange Server directory with changes to the employee information.
If you continue to manage objects from the Exchange Administrator, you should configure your connection agreements as "unidirectional" in order to populate and update Active Directory. It is possible to deploy a single, one-way connection agreement to only one Exchange Server site and synchronize the entire Exchange Server directory with Active Directory using that single connection agreement. This eliminates the need to create and manage multiple connection agreements between every Exchange site. As long as the connection agreement is configured to pull from Exchange into Active Directory, you will be able to select any Exchange Server site as a source container.
By selecting all sites as source containers, you can synchronize the entire set of recipients in the Exchange Server directory. This administration model is a good way to begin your ADC deployment. This model pushes the established Exchange Server directory data into Active Directory without impacting a production Exchange Server system. Once you have adequately populated the Active Directory and understand how the ADC operates in a production environment, you can revise your connection agreement configurations to be bidirectional or to pull from Active Directory into Exchange.
Note
If you have chosen multiple downstream Exchange Server sites to be the source of a one-way connection agreement, and you decide to make the connection agreement bidirectional, you must remove containers from all non-local sites for this connection agreement. In order to modify objects in any given Exchange Server site, you must create a separate connection agreement to any Exchange Server 5.5 server in that site.
If you administer data from both Active Directory and the Exchange Server 5.5 directory, then you must create a bidirectional connection agreement between the set of sites and domains that you are synchronizing. Be sure to read the section "Setting Up Connection Agreements" later in this chapter for information describing where to place connection agreements. You may need a more complex connection agreement topology when choosing to administer objects from both directories.
Use this administration model if there is some data that you administer from Exchange Server and other data that you administer from Active Directory. If the same object is modified in both directories, the most recent modification prevails. However, it may take two synchronization cycles for this object to synchronize, depending upon whether the object was modified before or during the first synchronization cycle of the ADC.