DOCUMENT:Q272023  23-OCT-2000  [winnt]
TITLE   :MMS 2.2 Release Notes: Known Issues Section
PRODUCT :Microsoft Windows NT
PROD/VER::2.2
OPER/SYS:
KEYWORDS:kbreadme

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Metadirectory Services, version 2.2
-------------------------------------------------------------------------------

SUMMARY
=======

This article contains a copy of the "Known Issues" section from the Microsoft
Metadirectory Services (MMS) 2.2 Release Notes.

MORE INFORMATION
================

Known Issues
------------

1. Installer Incorrectly Reports Free Space if Greater than 4 GB

   When you install or upgrade to MMS version 2.2, MMS incorrectly reports
   free space if a disk is greater than 4 gigabytes (GB). Ignore the value
   that is reported, but ensure that you have sufficient disk space to
   install the product. We recommend, at a minimum, 500 MB of available disk
   space.

2. Lotus Notes Client Supported

   At the present time, Lotus Notes 4.x and 5.01 clients are supported by MMS
   version 2.2. Lotus Notes 5.02 and 5.03 clients are incompatible. Install
   the 5.01 or earlier clients on your MMS Server.

3. Active Directory Management Agent Limitations

   The Active Directory management agent has certain limitations.
   Specifically, the Active Directory management agent does not support the
   following operations:

   - Schema synchronization between Active Directory forests.
   - Creation of security groups in Active Directory or synchronization of
     security groups between forests. The Active Directory management agent
     creates security and distribution groups in one forest as universal
     distribution groups in other forests.
   - Synchronization of Windows built-in groups.
   - Active Directory namespace reshaping such as occurs with domain
     migrations.
   - Renaming of an entry in the connector space or in Active Directory when
     the metaverse entry is changed.
   - Moving or renaming of users, contacts, organizational units, and groups
     within Active Directory.
   - Distributed management of distribution groups in different forests such
     that members of a group can be created in any forest.
   - Centralized policy management.
   - Microsoft Exchange version 5.5 to Exchange 2000 interforest migrations.
   - Password synchronization.
   - Cryptographic credential management, such as with e-commerce
     applications that need to publish and synchronize certificates and
     related credentials and attributes between forests to external systems
     and directories. Some certificate information (specifically, the
     userCertificate and userSMIMECertificate attributes) can be
     synchronized. Certificate revocation lists and other cryptographic
     attributes are not synchronized, however.
   - Management of Windows 2000 system objects. The management of Windows
     2000 computer, printer, and shared folder objects in domains of a
     forest, and the management of system containers (for example, users,
     system, foreign security principals, lost and found, computers,
     built-in groups, and certification authorities) is not supported.
   - Synchronization of security principals that contain /\() in their name
     will fail. Template modification will be required to work around this
     limitation.

   Errata

   The Active Directory Management Agent Administration Manual suggests that
   encryption is available using the Active Directory management agent.
   Kerberos sign and seal has been disabled for this release; however,
   credentials remain protected. Passwords are safely exchanged with Active
   Directory, but the session is not encrypted (contrary to what the Active
   Directory Management Agent Administration Manual suggests).

4. Together Administration Management Agent Limitations

   - TAMA does not propagate metaverse renames to connected directories.
     As a result, you need to manually rename accounts in Active Directory
     instead of expecting TAMA and Active Directory to propagate renames.
   - In MMS version 2.2, TAMA always counts levels from the metaverse
     boundary node. The metaverse boundary node defines how much of the
     metaverse tree structure you might want to reproduce in the connector
     space. Everything below this node is eligible. While you can restrict
     the number of eligible parent entries that are actually reproduced, it
     is not recommended that you do this. Specifically, you should always
     click All Parents in Maximum Number of Levels.
   - 19086: DS_RC_PARENT_NOT_EXIST Error. When you use TAMA, you might
     receive this error and find that parents are missing in the connector
     space. To correct this error, reconfigure your TAMA resource and select
     a metaverse boundary node that prunes undesired top-level parent
     objects.

5. Active Directory Management Agent Requires Reconfiguration to Perform
   Microsoft Exchange 2000 Interorganization Synchronization in Conjunction
   with the Exchange X.400 Connector

   By default, the Active Directory management agent sets the target address
   of contacts in the following order:

   - Use the targetAddress attribute of the metaverse (that is, if it
     exists).
   - Use the metaverse (SMTP) mail attribute (that is, if it exists) and set
     the target address attribute for the contact in Active Directory using
     the following:

        SMTP:$mv.mail

   - Use the metaverse (X.400) textEncodedOrAddress attribute (that is, if it
     exists) and set the target address attribute for the contact in Active
     Directory using the following:

        X.400:$mv.textEncodedOrAddress

   This causes a problem when you address mail to a contact while the
   Exchange X.400 connector is being used. If a contact has a proxy address
   that is of the same type as the native address type for a particular
   gateway, Exchange swaps the address of the mail with the native address
   type for that gateway before sending it over.
   (An exception occurs when a user or contact does not have a proxy address
   that fits the gateway. In that case Exchange encapsulates the recipient's
   current address inside the address type defined for a gateway.) However,
   when trying to send mail over an X.400 gateway, Exchange uses the X.400
   proxy address defined on the SMTP contact (even if their target address is
   SMTP) because Exchange transports are only capable of sending mail using
   their native address conventions.

   To correct this problem, do the following:

   - If you only use X.400 to interconnect your Exchange organizations or to
     communicate with third-party X.400 messaging systems, set the target
     address with X.400:$mv.textEncodedOrAddress and disable the setting of
     the mail attribute as the target address. You can do this by editing
     the following management agent templates: CD Accounts from Connectors
     (that is, crt.st) and Secondary Attribute Flow (that is, secndflow.st).
     To do this, comment out the lines identified by #! so that an SMTP
     target address is not set on contacts. For example:

        if $exists ("$mv.targetAddress") = TRUE
        then
           $cd.targetAddress = $mv.targetAddress
        else
        #! if $exists ("$mv.mail") = TRUE
        #! then
        #!    $cd.targetAddress = (SMTP:$mv.mail)
        #! else
              if $exists ("$mv.textEncodedOrAddress") = TRUE
              then
                 $cd.targetAddress = (X.400:$mv.textEncodedOrAddress)
              endif
        #! endif
        endif

   - If you plan to use a combination of SMTP and X.400 connectors to
     interconnect your Exchange organizations or to communicate with
     third-party X.400 or SMTP messaging systems, do one of the following:

     1. Only set one of the mail (SMTP) or textEncodedOrAddress (X.400)
        attributes in your source management agent; you may have to
        customize the default attribute flow of source Active Directory
        management agents to do this. If this is performed, the Active
        Directory management agent constructs the proper attribute for you
        automatically.

     2. Write a custom attribute flow script that sets the targetAddress
        attribute of the metaverse object based on the system that
        originated the object. Remember to use one of the following prefixes
        with targetAddress:

        - SMTP:  for SMTP recipients
        - X.400: for X.400 recipients
        - NOTES: for Lotus Notes recipients

        You do not have to modify the Active Directory management agent CD
        Accounts from Connectors (that is, crt.st) and Secondary Attribute
        Flow (that is, secndflow.st) templates. These templates appear as
        follows:

        if $exists ("$mv.targetAddress") = TRUE
        then
           $cd.targetAddress = $mv.targetAddress
        else
           if $exists ("$mv.mail") = TRUE
           then
              $cd.targetAddress = (SMTP:$mv.mail)
           else
              if $exists ("$mv.textEncodedOrAddress") = TRUE
              then
                 $cd.targetAddress = (X.400:$mv.textEncodedOrAddress)
              endif
           endif
        endif

   For more information, please consult the Microsoft Exchange 2000
   documentation.

6. Miscellaneous Microsoft Exchange 2000 Issues

   - Groups with the attribute msExchHideFromAddressLists = True will not
     synchronize.
   - Changing group membership from Hidden to Unhidden when the target object
     already exists generates an error. To allow the group to be created,
     you need to delete the contact that represents the hidden group from
     all other forests before MMS can create the group and its membership.
   - Groups with Hidden membership (that is, nested local groups) synchronize
     as contacts to the target forest. If this contact is added to a group
     in the target forest, this membership will not synchronize back to the
     source forest because local groups cannot be a member of other groups.
     An "Unwilling to perform" update error appears in Active Directory when
     you try to do this.

7. MMS Server Installer Does Not Modify the MMS Active Compass HTML
   Definition Page

   The MMS Server installer does not automatically update the MMS Active
   Compass HTML definition page on installation if you select an LDAP port
   that is different than 389. The same holds true if you change the port
   number on which you connect to MMS Server.
   To set the correct port, edit the \zoomserv\data\http\activec.htm file on
   MMS Server and modify the DMServerPort parameter with the appropriate port
   number by replacing the default value of 389.

8. Enabling SSL to Set Passwords Using the Active Directory Management Agent

   To set passwords in MMS version 2.2, Secure Sockets Layer (SSL) must be
   enabled. To enable SSL:

   1. Install the Windows 2000 High Encryption Pack (that is, Encpack.exe) on
      the MMS Server that hosts the Active Directory management agent and on
      any Windows 2000 domain controllers with which the Active Directory
      management agent communicates. Encpack.exe installs 128-bit encryption
      software. For more information about where you can obtain the Windows
      2000 High Encryption Pack, see
      http://www.microsoft.com/WINDOWS2000/downloads/recommended/encryption/default.asp

   2. Configure one of the Windows 2000 domain controllers that has 128-bit
      encryption software installed as the enterprise certification
      authority. All MMS clients and servers must obtain their certificates
      from this computer. For information on how to configure a computer as
      the enterprise certification authority, see Windows 2000 Help.

   3. Create a server certificate on each applicable Windows 2000 domain
      controller. Use the Microsoft Management Console (MMC) Certificates
      snap-in to create a certificate (for information about how to create
      server certificates, see Windows 2000 Help). In the Certificate
      Request wizard, type the full Domain Name System (DNS) name of the
      domain controller for the certificate name. You must also type the
      e-mail name. In Intended Purpose, enter Server Authentication
      Certificate. In Key Options, under CSP, enter Microsoft RSA SChannel
      Cryptographic Provider. Select the Use local Machine store check box.
      For all other fields, accept the defaults.

   4. Install the certification authority (CA) certificate on each MMS
      Server that communicates with Windows 2000 domain controllers and has
      server certificates installed.
      For information about how to install CA certificates, see Windows 2000
      Help.

      Note: By default, the CA certificate is not installed in the Trusted
      Root Certificates container for the local computer, but it needs to be
      on the local computer. If it is not, the MMS Server cannot obtain
      access to it when it runs as a server. Make sure you install the CA
      certificate in this container.

Additional query words:

======================================================================
Keywords          : kbreadme
Technology        : kbMMSSearch kbMMS220
Version           : :2.2
Issue type        : kbinfo
=============================================================================
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.
Copyright Microsoft Corporation 2000.
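Worked example for issue 5 above, added to this copy of the article; it is not part of the MMS 2.2 release notes and not Microsoft code. It models the three targetAddress attribute-flow variants the release notes describe (the default crt.st/secndflow.st precedence, the edited template with the #! SMTP branch commented out, and option 2's metaverse-side script that sets targetAddress from the originating system) as Python functions and runs them over constructed metaverse entries, so the effect of each choice on a contact that carries both an SMTP and an X.400 address can be seen side by side. The template language itself is not executable here, so the $exists tests are reproduced in Python. The "origin" attribute (which system created the object) and the "notesAddress" attribute used for the NOTES: case are assumptions of this example, not MMS attributes.

```python
"""Added example (not from the MMS 2.2 release notes): the targetAddress
attribute-flow variants from issue 5, modelled in Python."""

from typing import Dict, Optional

# A metaverse entry is a dict of attribute name -> value. targetAddress,
# mail and textEncodedOrAddress are the attributes the release notes name.
# "origin" (which system created the object) and "notesAddress" (the Lotus
# Notes address) are constructed for this example and are not MMS attributes.
MetaverseEntry = Dict[str, str]


def exists(mv: MetaverseEntry, attr: str) -> bool:
    """Mirror the template test  $exists("$mv.<attr>") = TRUE ."""
    return bool(mv.get(attr))


def default_flow(mv: MetaverseEntry) -> Optional[str]:
    """Default crt.st / secndflow.st precedence: an existing targetAddress,
    then SMTP:<mail>, then X.400:<textEncodedOrAddress>."""
    if exists(mv, "targetAddress"):
        return mv["targetAddress"]
    if exists(mv, "mail"):
        return "SMTP:" + mv["mail"]
    if exists(mv, "textEncodedOrAddress"):
        return "X.400:" + mv["textEncodedOrAddress"]
    return None


def x400_only_flow(mv: MetaverseEntry) -> Optional[str]:
    """The release notes' edited template: the lines marked #! (the SMTP
    branch) are commented out, so only an explicit targetAddress or an X.400
    address is ever set."""
    if exists(mv, "targetAddress"):
        return mv["targetAddress"]
    if exists(mv, "textEncodedOrAddress"):
        return "X.400:" + mv["textEncodedOrAddress"]
    return None


# Prefixes the release notes list for the custom script (option 2).
ORIGIN_PREFIX = {"smtp": "SMTP:", "x400": "X.400:", "notes": "NOTES:"}
# Which metaverse attribute carries each system's native address (assumed).
ORIGIN_ATTR = {"smtp": "mail", "x400": "textEncodedOrAddress",
               "notes": "notesAddress"}


def apply_custom_origin_script(mv: MetaverseEntry) -> MetaverseEntry:
    """Option 2: a metaverse-side attribute-flow script sets targetAddress
    from the originating system, so the unmodified AD management-agent
    templates then pick it up through their first branch. An existing
    targetAddress is left alone (a choice made for this example)."""
    out = dict(mv)
    if exists(out, "targetAddress"):
        return out
    origin = out.get("origin")
    attr = ORIGIN_ATTR.get(origin)
    if attr and exists(out, attr):
        out["targetAddress"] = ORIGIN_PREFIX[origin] + out[attr]
    return out


def compare(mv: MetaverseEntry) -> Dict[str, Optional[str]]:
    """Target address the AD contact would get under each variant."""
    return {
        "default": default_flow(mv),
        "x400_only": x400_only_flow(mv),
        "custom_script": default_flow(apply_custom_origin_script(mv)),
    }


# Constructed sample entries (not real directory data).
X400_USER = {  # originated on an X.400 system but also carries an SMTP proxy
    "mail": "alice@example.com",
    "textEncodedOrAddress": "c=US;a= ;p=Example;o=Exchange;s=Alice",
    "origin": "x400",
}
SMTP_USER = {"mail": "bob@example.com", "origin": "smtp"}
NOTES_USER = {"notesAddress": "Dave Example/Example", "origin": "notes"}
EXPLICIT = {"targetAddress": "SMTP:carol@example.com",
            "mail": "carol@example.com", "origin": "smtp"}

if __name__ == "__main__":
    for name, entry in [("X400_USER", X400_USER), ("SMTP_USER", SMTP_USER),
                        ("NOTES_USER", NOTES_USER), ("EXPLICIT", EXPLICIT)]:
        print(name, compare(entry))
```

Running compare() over the constructed entries shows the trade-off the release notes describe: for X400_USER the default template emits SMTP:alice@example.com even though the object came from an X.400 system, which is the routing problem of issue 5; the edited template emits the X.400 address instead, but for SMTP_USER it emits nothing at all, which is why the release notes reserve that edit for deployments that use X.400 exclusively; the option 2 script gives each entry the prefix of its originating system while leaving the management-agent templates untouched, and an explicit targetAddress wins under all three variants.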