XADM: A Description of the "ADC Global Names" Attribute (316280)



The information in this article applies to:

  • Microsoft Exchange 2000 Server

This article was previously published under Q316280

SUMMARY

This article provides information about the ADC Global Names attribute.

MORE INFORMATION

General Information

The Active Directory Connector (ADC) uses the ADC Global Names mechanism to keep track of which objects in Microsoft Exchange Server 5.5 are matched to which objects in Active Directory, and the converse. The ADC marks objects with ADC Global Names so that when the ADC wants to replicate changes from a source object to its target object, the ADC can quickly determine which object in the target directory to replicate to, without having to use the object matching rules to find the object.

The ADC Global Names attribute has multiple values and contains a unique name for the object in each directory. For the Exchange Server 5.5 directory, this unique name is the distinguished name of the object combined with the object's objectclass attribute. For Active Directory, the objectGUID attribute of the object is used. The ADC Global Names attribute also contains a value that uniquely identifies the Exchange organization or Active Directory Forest that the object came from.

The Lightweight Directory Access Protocol (LDAP) attribute that is used in the Exchange Server 5.5 directory and Active Directory is the msExchADCGlobalNames attribute. If you use the Exchange Administrator program in Raw mode (Admin.exe /r) to view the Exchange Server 5.5 directory, the attribute is displayed as ADC-Global-Names.

The Format of the "msExchADCGlobalNames" Attribute

The format of a single Global Name entry is:

[DirectoryType]:[DirectoryName][8_hexadecimal_characters_of_flags][16_hexadecimal_characters_of_time_stamp]

Exchange Server 5.5 Global Name Value

The following table contains an Exchange Server 5.5 global name value.

DirectoryType    EX5
DirectoryName    DN:objectclass


NOTE: Each objectclass attribute is separated with a dollar sign ($) and is sorted alphabetically.

Exchange Server 5.5 Forest Value

The following table contains an Exchange Server 5.5 forest value.

DirectoryType    forest
DirectoryName    The distinguished name of the Exchange organization


NOTE: The case of the DirectoryType for the Exchange forest is lowercase.

Active Directory Global Name Value

The following table contains an Active Directory global name value.

DirectoryType    NT5
DirectoryName    The objectGUID attribute


NOTE: The objectGUID attribute is in hexadecimal form, not string form. A string-form globally unique identifier (GUID) is in the form "67452301-ab89-efcd-0123-456789abcdef12" and a hexadecimal GUID is in the form "0123456789abcdef0123456789ab".

Active Directory Forest Value

The following table contains an Active Directory forest value.

DirectoryType    FOREST
DirectoryName    The objectGUID attribute of the Configuration container of the Active Directory forest in hexadecimal form


NOTE: The case of DirectoryType for the Active Directory forest is all uppercase.

Flags

The following table contains the only flag that is defined.

0x0001    Even though this object is not deleted, the object that is documented in the global name was deleted.

Time Stamp

The time stamp is written when the global name value is created, but the time stamp is not currently used for anything. If you create your own global name, Microsoft recommends that you set the time stamp to all zeros (0). This makes it easy to identify whether a global name was stamped by the ADC or was created manually.

When the "ADC Global Names" Value Is Set on an Object

The msExchADCGlobalNames attribute is set on the target object after the ADC matches to that object. The value that is set is the global name of the source object and also the source forest value. The source object is the object that the ADC is replicating to the target object. If the Connection Agreement is two-way, when the object back-replicates to the original directory, the following things occur:
  • The msExchADCGlobalNames values that were on the original target object are copied. -and-
  • The global name and forest value of the original target are added because it is now the source of replication.
Consider the following scenario:
  • An Exchange Server 5.5 mailbox exists with a distinguished name of:

    cn=MB1,cn=Recipients,ou=Site,o=Org

  • The primary Microsoft Windows NT account (Assoc-NT-Account) of the mailbox is DOMAIN\User1.
  • A Microsoft Windows 2000 user account that is named User1 exists in the Users container.
  • The objectGUID attribute of User1 is 0123456789abcdef0123456789ab.
  • The objectGUID attribute of the Configuration container of the forest is aaaaaaaabbbbccccdddddddddddd.
  • The time stamp value is set to 9999999999999999 for clarity.
  • A two-way Connection Agreement is set up to export the Recipients container from Exchange Server 5.5 and the Users container from Active Directory.
In this scenario, during initial replication:
  • The ADC finds the MB1 mailbox as a source object that needs to be replicated.
  • The ADC determines whether or not the mailbox already has an msExchADCGlobalNames value. Because this is initial replication, the mailbox does not.
  • The ADC uses the object matching rules, and then queries Active Directory for a user account with an objectSID attribute that matches the security identifier (SID) in the Assoc-NT-Account attribute.
  • The DOMAIN\User1 account is identified as the target object of the object matching.
  • The ADC replicates all of the attributes from the Exchange Server mailbox to the Active Directory user, based on the ADC schema maps.
  • The ADC sets Forest and EX5 values in the msExchADCGlobalNames value of the Active Directory user. The msExchADCGlobalNames value on the Active Directory user is now similar to:

    forest:o=Org000000009999999999999999
    EX5:cn=MB1,cn=Recipients,ou=Site,o=Org:organizationalperson$person$top000000009999999999999999
    						

At this point, the Exchange Server 5.5 mailbox does not yet have an msExchADCGlobalNames value.

When the ADC completes replication from Exchange to Active Directory, the ADC starts to replicate from Active Directory to Exchange:
  • The ADC finds the User1 object as a source object that needs to be replicated.
  • The ADC determines whether or not the Active Directory user object already has an msExchADCGlobalNames value.
  • Because the Active Directory User object now has an msExchADCGlobalNames value with EX5 and forest values, the ADC does not have to use the object matching rules. This is because the ADC can uniquely identify the target object.
  • The ADC locates the Exchange Server 5.5 mailbox, and then replicates any changes from the Active Directory user back to the Exchange Server 5.5 mailbox, based on the ADC schema maps.
  • The ADC copies the existing EX5 and forest values to the msExchADCGlobalNames value. The ADC also adds NT5 and FOREST values. The msExchADCGlobalNames value on the Exchange Server 5.5 mailbox is now similar to:

    forest:o=Org000000009999999999999999
    EX5:cn=MB1,cn=Recipients,ou=Site,o=Org:organizationalperson$person$top000000009999999999999999
    NT5:0123456789abcdef0123456789ab000000009999999999999999
    FOREST:aaaaaaaabbbbccccdddddddddddd000000009999999999999999
    						

The Active Directory user still has only the EX5 and forest values, until the Exchange Server 5.5 mailbox is replicated from Exchange to Active Directory again. After the mailbox replicates to Active Directory again, the NT5 and FOREST values are copied from the Exchange Server 5.5 mailbox to the Active Directory user. Both objects then have all four values: EX5, forest, NT5, and FOREST.

Using ADC Global Names to Find the Replication Partner of an Object

After an object is stamped with the global name of its replication partner from the source directory, you can easily use the EX5 or NT5 value of that object to find the matching object.

For the EX5 value, use the distinguished name value that is listed. For example, if the global name is

EX5:cn=MB1,cn=Recipients,ou=Site,o=Org:organizationalperson$person$top000000009999999999999999
					

search the Exchange Server 5.5 directory for the following distinguished name:

cn=MB1,cn=Recipients,ou=Site,o=Org

For NT5 values, use the objectGUID attribute in an LDAP search filter to find the object in Active Directory. Because the objectGUID attribute is a binary value that the global name stores in hexadecimal form, you must put a backslash (\) before each byte in the search filter. For example, if the global name is

NT5:0123456789abcdef0123456789ab000000009999999999999999
					

search Active Directory and use the following LDAP filter:

(objectGUID=\01\23\45\67\89\ab\cd\ef\01\23\45\67\89\ab)

You can also convert the hexadecimal GUID to a string GUID, and then use the following special LDAP base distinguished name syntax:

<GUID=stringGUID>

For example, you can search Active Directory with the following base distinguished name:

<GUID=67452301-ab89-efcd-0123-456789abcdef12>
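The entry format and the two lookup forms described above, as an added Python example that is not part of the original article and is not Microsoft code. The function names are hypothetical, and the 16-byte GUID passed to guid_base_dn is a constructed value, on the assumption that the <GUID=...> form needs a full 16-byte objectGUID.

```python
import re
import uuid

# [DirectoryType]:[DirectoryName][8 hex flag chars][16 hex time-stamp chars]
_ENTRY = re.compile(
    r"^(?P<type>[^:]+):(?P<name>.*)(?P<flags>[0-9A-Fa-f]{8})(?P<ts>[0-9A-Fa-f]{16})$"
)
FLAG_PARTNER_DELETED = 0x0001  # the only flag the article defines


def parse_global_name(value):
    """Split one msExchADCGlobalNames value into its fields."""
    m = _ENTRY.match(value.strip())
    if m is None:
        raise ValueError(f"not a global name entry: {value!r}")
    flags = int(m["flags"], 16)
    entry = {
        "type": m["type"],  # case matters: 'forest' is Exchange, 'FOREST' is AD
        "name": m["name"],
        "partner_deleted": bool(flags & FLAG_PARTNER_DELETED),
        # An all-zero time stamp marks a manually created value.
        "manual": set(m["ts"]) == {"0"},
    }
    if entry["type"] == "EX5":
        # DirectoryName is DN:objectclass; split on the last colon.
        dn, _, classes = entry["name"].rpartition(":")
        entry["dn"], entry["objectclasses"] = dn, classes.split("$")
    return entry


def guid_filter(hex_guid):
    """LDAP filter for an NT5 name: a backslash before every byte."""
    raw = bytes.fromhex(hex_guid)  # ValueError on non-hex input (whitespace is ignored)
    return "(objectGUID=" + "".join(f"\\{b:02x}" for b in raw) + ")"


def guid_base_dn(hex_guid):
    """<GUID=...> base DN; requires exactly 16 bytes of hex."""
    return f"<GUID={uuid.UUID(bytes_le=bytes.fromhex(hex_guid))}>"


if __name__ == "__main__":
    # NT5 value from the article's scenario, plus one constructed 16-byte GUID.
    nt5 = parse_global_name("NT5:0123456789abcdef0123456789ab" + "00000000" + "9" * 16)
    print(nt5, guid_filter(nt5["name"]))
    print(guid_base_dn("0123456789abcdef0123456789abcdef"))  # constructed
```

Because flags and time stamp are taken from the fixed-width tail, the parser does not depend on the length of the distinguished name or GUID in front of them.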


Modification Type: Minor
Last Reviewed: 4/21/2005
Keywords: kbinfo KB316280