XADM: ADC Creates Duplicate Accounts in Exchange Server 5.5 and Active Directory (288578)
The information in this article applies to:
- Microsoft Exchange 2000 Server SP1
- Microsoft Exchange 2000 Server SP2
This article was previously published under Q288578
SYMPTOMS
The Active Directory Connector (ADC) creates disabled user accounts in Active Directory even though every Microsoft Exchange Server 5.5 mailbox has been assigned a valid primary Windows NT account in the Windows 2000 forest. In some situations the disabled accounts have the same display name as other accounts in Active Directory, or they have "-1" appended to the account name. The ADC may also create custom recipients in the Exchange Server 5.5 directory whose display names, proxy addresses, or both match an existing Exchange Server 5.5 mailbox. Because two directory objects then carry the same proxy address, mail sent to the affected Exchange Server 5.5 mailboxes generates non-delivery reports (NDRs).
CAUSE
This behavior can occur if you manually type the Simple Mail Transfer Protocol (SMTP) e-mail address into the Active Directory user account before the recipient Connection Agreement replicates for the first time. When the ADC replicates, it tries to match each existing Exchange Server 5.5 mailbox to its primary Windows NT account in Active Directory and to mail-enable that account, so that the account is stamped with the same proxy addresses as the Exchange Server 5.5 mailbox. If the Active Directory user account already has an e-mail address, the ADC assumes that the account is already mail-enabled and that one of the following conditions is true:
- The user account has already been matched to another object in the Exchange Server 5.5 directory.
-or-
- The Active Directory user account has an Exchange 2000 mailbox.
If an Active Directory user account is already mail-enabled or mailbox-enabled, the ADC cannot match an Exchange Server 5.5 mailbox to it. Because every Exchange Server 5.5 mailbox must have a corresponding user account in the Active Directory domain, the ADC creates an additional user account in Active Directory (by default, a disabled user account). The new account inherits the display name of the Exchange Server 5.5 mailbox. If the new account is created in the same Active Directory container as the primary Windows NT account of the Exchange Server 5.5 mailbox, the ADC may append "-1" to the new account's name. If the Connection Agreement is a two-way Connection Agreement, the ADC also creates a custom recipient in the Exchange Server 5.5 directory whose proxy addresses match those of the Exchange Server 5.5 mailbox. Mail delivered to Exchange Server 5.5 mailboxes that now share proxy addresses with a custom recipient generates non-delivery reports.
Microsoft recommends that you do not manually add an e-mail address to an Active Directory user account that is not currently mail-enabled.
RESOLUTION
- Temporarily turn off the ADC, either by stopping the ADC service or by setting the schedule of the recipient Connection Agreements to Never.
- Remove the ADC-Global-Names attribute from all Exchange Server 5.5 recipients, including the custom recipients that the ADC created.
To perform this step, either edit the recipients in raw mode or use the Directory Import/Export functionality.
- Delete the custom recipients that the ADC inadvertently created in the Exchange Server 5.5 directory.
NOTE: You must remove the ADC-Global-Names attribute from the custom recipients before you delete them. Tombstones of these objects can cause problems if they still contain an ADC-Global-Names attribute.
- Mail-disable all of the affected Active Directory user accounts, including the disabled accounts.
To perform this step, use either the Killmail utility or the Exchange Tasks functionality.
- Delete the disabled user accounts that the ADC created.
- Verify that the previously affected accounts no longer have an e-mail address, turn the ADC back on, and then force replication.
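As an added example (not part of this article and not a Microsoft tool), the following Python script audits an LDIF export of Active Directory user accounts, such as one produced with ldifde, for the conditions described in the SYMPTOMS and CAUSE sections: accounts that carry an e-mail address without being mail-enabled, the same SMTP address stamped on more than one object, and disabled accounts that duplicate an enabled account's display name. The sample LDIF is constructed. Approximating "mail-enabled" as "mailNickname is present" and reading the disabled state from the ACCOUNTDISABLE bit of userAccountControl are assumptions of the example, not statements of the article.

```python
"""Audit an LDIF export of Active Directory user accounts (for example, from
ldifde) for the conditions in KB 288578. Added example, not a Microsoft tool.
Assumptions: "mail-enabled" is approximated as "mailNickname present", so mail
set without mailNickname means the address was typed in by hand; a disabled
account has the ACCOUNTDISABLE bit (0x2) set in userAccountControl."""
from collections import defaultdict

ACCOUNTDISABLE = 0x2

# Constructed sample: alice was matched and mail-enabled by the ADC; bob's mail
# attribute was typed by hand before the first replication, so the ADC created
# the disabled placeholder "bob-1" carrying the 5.5 mailbox's proxy address.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=corp,DC=example
sAMAccountName: alice
displayName: Alice Example
userAccountControl: 512
mail: alice@corp.example
mailNickname: alice
proxyAddresses: SMTP:alice@corp.example

dn: CN=Bob Example,OU=Users,DC=corp,DC=example
sAMAccountName: bob
displayName: Bob Example
userAccountControl: 512
mail: bob@corp.example

dn: CN=Bob Example-1,OU=Users,DC=corp,DC=example
sAMAccountName: bob-1
displayName: Bob Example
userAccountControl: 514
mail: bob@corp.example
mailNickname: bob
proxyAddresses: SMTP:bob@corp.example
"""

def parse_ldif(text):
    """Minimal LDIF reader: one {attribute: [values]} dict per entry. Folds
    continuation lines (leading space); base64 (::) values are not handled."""
    folded = []
    for line in text.splitlines():
        if line.startswith(" ") and folded:
            folded[-1] += line[1:]
        else:
            folded.append(line)
    entries, current = [], defaultdict(list)
    for line in folded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = defaultdict(list)
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current[attr.strip()].append(value.strip())
    return entries

def first(entry, attr, default=""):
    return entry[attr][0] if entry.get(attr) else default

def is_disabled(entry):
    return bool(int(first(entry, "userAccountControl", "0")) & ACCOUNTDISABLE)

def smtp_addresses(entry):
    """The mail attribute plus every SMTP:/smtp: proxy address, lower-cased."""
    addrs = {a.lower() for a in entry.get("mail", [])}
    for proxy in entry.get("proxyAddresses", []):
        kind, _, addr = proxy.partition(":")
        if kind.lower() == "smtp":
            addrs.add(addr.lower())
    return addrs

def mail_but_not_mail_enabled(entries):
    """CAUSE: accounts with an e-mail address that are not mail-enabled; the
    ADC will not match these to their Exchange Server 5.5 mailbox."""
    return sorted(first(e, "sAMAccountName") for e in entries
                  if e.get("mail") and not e.get("mailNickname"))

def duplicate_smtp_addresses(entries):
    """SYMPTOM: the same SMTP address stamped on more than one object."""
    owners = defaultdict(set)
    for e in entries:
        for addr in smtp_addresses(e):
            owners[addr].add(first(e, "sAMAccountName"))
    return {addr: sorted(o) for addr, o in owners.items() if len(o) > 1}

def disabled_duplicates(entries):
    """SYMPTOM: disabled accounts whose display name matches an enabled one,
    i.e. the placeholders the ADC created (often with "-1" appended)."""
    enabled = {first(e, "displayName") for e in entries if not is_disabled(e)}
    return sorted(first(e, "sAMAccountName") for e in entries
                  if is_disabled(e) and first(e, "displayName") in enabled)

def audit(text=SAMPLE_LDIF):
    entries = parse_ldif(text)
    return {"mail_but_not_mail_enabled": mail_but_not_mail_enabled(entries),
            "duplicate_smtp_addresses": duplicate_smtp_addresses(entries),
            "disabled_duplicates": disabled_duplicates(entries)}

if __name__ == "__main__":
    print(audit())
```

Run it against an export taken before the recipient Connection Agreement replicates for the first time to find the accounts the ADC will refuse to match, and again after the last step of the resolution: an empty mail_but_not_mail_enabled list confirms that the previously affected accounts no longer carry an e-mail address, and empty duplicate_smtp_addresses and disabled_duplicates results confirm that the placeholder accounts are gone.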
STATUS
This behavior is by design.
Modification Type: Major
Last Reviewed: 9/11/2006
Keywords: kbprb KB288578