How to correct mismatched accounts after Active Directory Connector replication in Exchange 2000 Server (256862)



The information in this article applies to:

  • Microsoft Exchange 2000 Server

This article was previously published under Q256862

SYMPTOMS

There are situations where multiple mailboxes have the same primary Microsoft Windows NT account. When the Active Directory Connector (ADC) replicates the mailboxes, the first one it matches to becomes the mailbox that is synchronized with the Active Directory object. The other mailboxes will still have the same primary Windows NT account, but the ADC will either create a Contact, Enabled User, or Disabled User, depending on how the Connection Agreement is configured. If you do not configure the mailboxes prior to replication to specify which mailbox to match, the ADC may match up the User account to a mailbox different from the one you expected.

Warning: Having mismatched accounts means that distribution groups in Active Directory and the stores in Exchange 2000 use the wrong object SIDs in the permissions that cover these accounts. Correcting mismatched accounts by the procedure in this article can lead to lost memberships or permissions. It is strongly recommended that you reset memberships and permissions for the affected accounts.

RESOLUTION

You can clean up the User account and mailboxes to allow you to specify which mailbox you want matched to the User account after the ADC has already run. To do so:
  1. Stop the ADC, or set the replication schedule of the Connection Agreement that affects these users to Never.
  2. Use the "Remove Exchange Attributes" option in Active Directory Users and Computers to remove the Exchange attributes from the Windows Active Directory account.

  3. Warning: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

    Use LDP or ADSI Edit to delete the values from the msExchADCGlobalNames attribute on the affected User account.
  4. WARNING: If you use the raw mode of the Exchange Server Administrator program (admin /r) incorrectly, serious problems may occur that may require you to reinstall Microsoft Windows NT Server, Microsoft Exchange Server, or both. Microsoft cannot guarantee that problems that result from using raw mode incorrectly can be solved. Use raw mode at your own risk.

    Use the Exchange Server 5.5 Administrator program in raw mode to remove all the values for the ADC-Global-Names attribute for each of the mailboxes matched to the User account.

    You can remove the ADC-Global-Names attribute from many objects in bulk by performing a directory export, adding ~del to the ADC-Global-Names column, and then performing a directory import. You can also remove it by writing a Microsoft Visual Basic script (using ADSI Edit), attaching it to the container in which the object resides, and then issuing a delete for ADC-Global-Names. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    152854 Using bulk import to remove data

  5. For each mailbox that you do NOT want matched to the user account, add NTDSNoMatch to custom attribute 10 on the mailbox.
  6. Allow time for replication in the Exchange Server 5.5 directory and in Active Directory.
  7. Restart the ADC or set the Connection Agreement schedule to allow the ADC to replicate.

MORE INFORMATION

In the following scenario, you have three Exchange Server 5.5 mailboxes, Mailbox1, Mailbox2, and Mailbox3, and an Active Directory user, User1, that is associated to all three mailboxes. To synchronize User1 with Mailbox3 and force contacts to be created for the other mailboxes, do the following:
  1. On custom attribute 10 for both Mailbox1 and Mailbox2, type NTDS Contact. This forces contacts to be created for the first two mailboxes, and Mailbox3 will be linked to User1.
  2. Additionally, if you want to force the mailboxes that are not supposed to match up to be created as a disabled user account, add NTDSNoMatch to custom attribute 10.
NOTE: This does not affect User1's ability to log on to any of the mailboxes.
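The following ADSI script is an added example, not part of the original Knowledge Base article. It carries out steps 3 to 5 of the procedure above (clear msExchADCGlobalNames on the Active Directory user, clear ADC-Global-Names on each Exchange Server 5.5 mailbox, and stamp custom attribute 10 on the mailboxes that must not match) using the Mailbox1, Mailbox2, Mailbox3 and User1 scenario just described. Everything environment-specific is an assumption: the user DN, the Exchange 5.5 server name (exch55srv, listening for LDAP on the default port), the site and organization DN, and that the Exchange 5.5 LDAP interface exposes custom attribute 10 under the name Extension-Attribute-10. Run it only after the ADC has been stopped (step 1), and on a test account first.

```vbscript
' Added example (not part of the original KB article): performs steps 3 to 5 of
' the correction procedure with ADSI. The DNs, server name and attribute name
' Extension-Attribute-10 are assumptions; adjust them to your environment.
Option Explicit

Const ADS_PROPERTY_CLEAR = 1   ' ADSI PutEx control code: remove all values

Dim strUserPath, strExchServer, strRecipients, strKeepMailbox
strUserPath    = "LDAP://CN=User1,OU=Users,DC=example,DC=com"   ' assumed AD user DN
strExchServer  = "exch55srv"                                     ' assumed Exchange 5.5 server
strRecipients  = "cn=Recipients,ou=Site1,o=Contoso"              ' assumed site/org DN
strKeepMailbox = "Mailbox3"   ' the one mailbox that should be linked to User1

' Returns how many values an attribute currently holds (0 when it is empty).
Function CountValues(obj, attrName)
    Dim values
    On Error Resume Next
    values = obj.GetEx(attrName)
    If Err.Number <> 0 Then
        CountValues = 0   ' GetEx fails when the attribute has no values
        Err.Clear
    Else
        CountValues = UBound(values) + 1
    End If
    On Error GoTo 0
End Function

' --- Step 3: remove every value of msExchADCGlobalNames from the AD user ---
Dim objUser
Set objUser = GetObject(strUserPath)
WScript.Echo "msExchADCGlobalNames values before: " & CountValues(objUser, "msExchADCGlobalNames")
objUser.PutEx ADS_PROPERTY_CLEAR, "msExchADCGlobalNames", vbNull
objUser.SetInfo
objUser.GetInfo   ' re-read the object so the check below reflects the directory, not the cache
WScript.Echo "msExchADCGlobalNames values after:  " & CountValues(objUser, "msExchADCGlobalNames")

' --- Steps 4 and 5: on each Exchange 5.5 mailbox, clear ADC-Global-Names and
' mark every mailbox other than strKeepMailbox so the ADC does not match it ---
Dim mailboxes, i, objMailbox
mailboxes = Array("Mailbox1", "Mailbox2", "Mailbox3")
For i = 0 To UBound(mailboxes)
    Set objMailbox = GetObject("LDAP://" & strExchServer & "/cn=" & mailboxes(i) & "," & strRecipients)
    objMailbox.PutEx ADS_PROPERTY_CLEAR, "ADC-Global-Names", vbNull
    If mailboxes(i) <> strKeepMailbox Then
        ' "NTDS Contact" makes the ADC create a contact for this mailbox;
        ' write "NTDSNoMatch" here instead if you want a disabled user account.
        objMailbox.Put "Extension-Attribute-10", "NTDS Contact"
    End If
    objMailbox.SetInfo
    objMailbox.GetInfo
    WScript.Echo mailboxes(i) & ": ADC-Global-Names values now " & CountValues(objMailbox, "ADC-Global-Names")
Next
```

The script reads each object back after SetInfo and reports the remaining value count, so the output shows that the match attributes are actually empty before you allow replication (step 6) and restart the ADC (step 7). If a mailbox should become a disabled user rather than a contact, change the value written to custom attribute 10 to NTDSNoMatch, as the scenario above notes.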

Modification Type: Major
Last Reviewed: 9/11/2006
Keywords: kbprb KB256862