Topic Last Modified: 2005-11-17
The Microsoft® Exchange Server Analyzer Tool queries the Active Directory® directory service to determine the value for the msExchServer1AlwaysCreateAs attribute of each connection agreement object. If the Exchange Server Analyzer determines that the msExchServer1AlwaysCreateAs attribute is not set to 1, a warning is displayed.
The msExchServer1AlwaysCreateAs attribute determines how X.500 objects are synchronized with Active Directory. A value of 0 indicates the connection agreement has been configured to create Microsoft Windows® contacts. A value of 1 for this attribute indicates that the connection agreement has been configured to create disabled Windows user accounts in Active Directory. A value of 2 indicates the connection agreement has been configured to create new Windows user accounts.
The Exchange Server Analyzer issues this warning because, where Exchange Server 5.5 must coexist with Active Directory and a full migration to Exchange Server 2003 is planned, it is important to have Active Directory Connector (ADC) create disabled Windows user accounts. These disabled Windows user accounts are "mailbox-enabled," meaning they are logically attached to a mailbox that exists on the Exchange Server 5.5 computer. Creating disabled Windows user accounts is necessary so that the user object that represents the disabled Windows account can eventually have access to public folders and other secured objects in Active Directory.
In the ADC user interface, there are three options for creating new objects when a matching object is not found in Active Directory for a mailbox in Exchange Server 5.5. These are listed on the Advanced tab in the properties of the connection agreement, as follows:
- Create a Windows Contact: This is not recommended because a Contact object has no security context.
- Create a new Windows user account: This is not recommended because the new account that is created will have a new SID and, therefore, the SID history of the Microsoft Windows NT® Server 4.0 user account will not be carried over to this new account during migration (because the SIDs are different).
- Create a disabled Windows user account: This is recommended because it allows the Windows NT Server 4.0 user to coexist (with correct access to resources) until the full migration is complete.
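The check described above can be reproduced offline against an LDIF export of the connection agreement objects. The following is an added example, not code from the Exchange Server Analyzer or from Microsoft: it assumes the export contains only connection agreement objects, treats a missing attribute as a warning, and uses constructed DNs and agreement names.

```python
import re

# Meanings of msExchServer1AlwaysCreateAs as given on this page.
CREATE_AS = {"0": "Windows contact",
             "1": "disabled Windows user account",
             "2": "new Windows user account"}
ATTR = "msexchserver1alwayscreateas"

# Constructed sample export: DNs and agreement names are placeholders.
SAMPLE_LDIF = """\
dn: CN=CA-Disabled,CN=Constructed Container,
 DC=example,DC=com
msExchServer1AlwaysCreateAs: 1

dn: CN=CA-Contact,CN=Constructed Container,DC=example,DC=com
msExchServer1AlwaysCreateAs: 0

dn: CN=CA-NewUser,CN=Constructed Container,DC=example,DC=com
msExchServer1AlwaysCreateAs: 2

dn: CN=CA-Unset,CN=Constructed Container,DC=example,DC=com
cn: CA-Unset
"""

def parse_ldif(text):
    """Yield (dn, attrs) per record; attrs maps lowercased names to value lists."""
    unfolded = re.sub(r"\r?\n ", "", text)  # undo LDIF line folding
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # comment or malformed line
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name.lower(), []).append(value.strip())
        if dn:
            yield dn, attrs

def audit(text):
    """Return (dn, value, meaning) for every agreement whose value is not 1."""
    findings = []
    for dn, attrs in parse_ldif(text):
        value = attrs.get(ATTR, [None])[0]
        if value != "1":
            findings.append((dn, value, CREATE_AS.get(value, "not set or unrecognized")))
    return findings

if __name__ == "__main__":
    for dn, value, meaning in audit(SAMPLE_LDIF):
        print(f"WARNING {dn}: value={value} ({meaning})")
```

Agreements flagged with value 0 or 2 are the ones that leave synchronized objects without a security context or with a new SID, as the list above explains.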
To correct this warning:
- Configure the Active Directory Recipient Connection Agreement to create mailbox-enabled disabled Windows user accounts.
- Use the Active Directory Migration Tool, which migrates Windows NT Server 4.0 user accounts to Active Directory and creates enabled Windows accounts. These enabled Windows accounts will have the same SID as the disabled Windows accounts created by ADC.
- Use the Active Directory Cleanup Wizard (ADClean), which merges the information from the Active Directory Migration Tool-created account into the ADC-created account.
For more information about Active Directory Connector recipient connection agreements, see the following Microsoft Knowledge Base articles:
- 823601, "Active Directory Connector Requirements and Implications Throughout an Organization" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=823601)
- 303180, "Active Directory Connector Requirements for Mixed Administrative Groups" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=303180)
- 296260, "XGEN: How to Configure a Two-Way Recipient Connection Agreement for Exchange 5.5 Users" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=296260)
For more information about the Active Directory Cleanup Wizard, see the following Knowledge Base article:
- 270652, "Possible Uses of the Active Directory Account Cleanup Wizard" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=270652)
For more information about the Active Directory Migration Tool, see the following Knowledge Base article:
- 260871, "How To Set Up ADMT for Windows NT 4.0 to Windows 2000 Migration" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=260871)