Synchronizing Active Directory with Exchange Server Directory Service
The Active Directory Connector (ADC) and the Microsoft Management Console (MMC) are the software components in Windows 2000 Server that enable you to synchronize and manage communications between Active Directory and Exchange Server 5.5 directory service. Using the Lightweight Directory Access Protocol (LDAP), the ADC provides an automated way of keeping directory information between Active Directory and the Exchange Server directory service consistent. You use MMC and ADC-specific MMC snap-ins and extensions to configure ADC and to perform specific functions. Without the ADC, you would have to manually enter new data and updates in both directory services.
The key features and functionality of ADC are as follows:
With this feature, changes initiated on the Exchange Server directory are automatically communicated to Active Directory, and vice versa. This allows you to manage changes from either directory.
You can select specific Active Directory and Exchange Server attributes to be synchronized, while purposely excluding the synchronization of other attributes.
With regard to synchronizing with Exchange Server, Windows 2000 Server only updates changes at the object level. If, for example, you modify 20 user objects in a directory of 100,000 users, the system updates only those 20 user objects. This reduces duplication and transmission time as well as network traffic.
When synchronizing two objects, the ADC compares attribute values to determine which attributes should be synchronized. For example, if the phone number on an Exchange Server mailbox is modified, the ADC compares the attributes of the mailbox with the corresponding user object in the Active Directory and only synchronizes the modified attributes. In this case, just the phone number is synchronized.
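The following is an added example that models the object-level and attribute-level comparison just described; it is not Microsoft's ADC code. It assumes a constructed connection-agreement attribute list (SYNC_ATTRIBUTES) and matches objects on their mail attribute, neither of which is taken from the chapter.

```python
# Added example modelling the ADC's attribute-level comparison; not Microsoft's
# ADC code. Entries are dicts of LDAP attribute name -> list of values, as an
# LDAP search returns them. SYNC_ATTRIBUTES is a constructed agreement filter.
SYNC_ATTRIBUTES = ("givenName", "sn", "telephoneNumber", "homePhone", "department")

def _normalize(entry):
    """LDAP attribute names are case-insensitive and multi-valued attributes
    are unordered, so compare lower-cased names and sorted value lists."""
    return {name.lower(): sorted(values) for name, values in entry.items()}

def compute_changes(source, target, allowed=SYNC_ATTRIBUTES):
    """Return {attribute: new_values} for each agreement attribute that differs
    between source and target. Attributes outside the agreement (memberOf, for
    example) are never returned, so the filter is also a write boundary."""
    src, dst = _normalize(source), _normalize(target)
    changes = {}
    for attr in allowed:
        key = attr.lower()
        if src.get(key, []) != dst.get(key, []):
            changes[attr] = src.get(key, [])   # [] means: clear the attribute
    return changes

def plan_sync(source_entries, target_entries, allowed=SYNC_ATTRIBUTES):
    """Object-level pass: match entries on 'mail' (an assumption of this
    example) and keep only objects that have at least one changed attribute."""
    by_mail = {e["mail"][0].lower(): e for e in target_entries}
    plan = {}
    for src in source_entries:
        mail = src["mail"][0].lower()
        if mail in by_mail:                 # unmatched objects are skipped here
            diff = compute_changes(src, by_mail[mail], allowed)
            if diff:
                plan[mail] = diff
    return plan

# Constructed sample: Alice's phone number changed on her Exchange mailbox;
# Bob differs only in group membership, which the agreement excludes.
EXCHANGE = [
    {"mail": ["alice@example.com"], "givenName": ["Alice"], "sn": ["Lee"],
     "telephoneNumber": ["+1 425 555 0199"], "department": ["Finance"]},
    {"mail": ["bob@example.com"], "givenName": ["Bob"], "sn": ["Ng"],
     "telephoneNumber": ["+1 425 555 0102"], "memberOf": ["cn=Exchange Admins"]},
]
ACTIVE_DIRECTORY = [
    {"mail": ["alice@example.com"], "givenName": ["Alice"], "sn": ["Lee"],
     "telephonenumber": ["+1 425 555 0100"], "department": ["Finance"]},
    {"mail": ["bob@example.com"], "givenName": ["Bob"], "sn": ["Ng"],
     "telephoneNumber": ["+1 425 555 0102"], "memberOf": ["cn=Domain Admins"]},
]
SYNC_PLAN = plan_sync(EXCHANGE, ACTIVE_DIRECTORY)
```

Only Alice's object appears in SYNC_PLAN, and only her telephoneNumber is written; Bob's group-membership difference is outside the agreement and is left alone.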
Using the Active Directory Users and Computers MMC snap-in, you can manage Users, Contacts, and Groups.
For more information about the Microsoft Management Console and MMC snap-ins and extensions, see Windows 2000 Server Help.
Using ADC provides the following advantages:
Once you have upgraded a Windows NT Server 4.0 domain to Windows 2000 Server Active Directory, you can easily and automatically configure the ADC to populate a new Active Directory with Exchange Server 5.5 directory information, such as the mailbox user properties shown in Figure 20.2.
Figure 20.2 Single Source Administration
You can use the ADC to synchronize and manage the Exchange Server directory through Active Directory, enabling you to take advantage of the more granular delegation of administration that Windows 2000 Server offers. This means that, with Windows 2000 Server, you can set permissions at the attribute level rather than at the object level. This allows administrators to delegate tasks related to particular attributes to different users.
For example, suppose users should be permitted to update their department cost center and to view and update certain home phone numbers. In Exchange Server 5.5 they can view these properties but cannot update them directly. With Windows 2000 Server, the directory administrator can delegate these tasks so that those users can update the Cost Center field and the home phone numbers. You can delegate some tasks to authorized users while restricting them from other areas of data, such as group memberships and security permissions. You can then use the ADC to write the results of these authorized administrative changes back to the Exchange Server directory.
For more information about the various levels of administration and delegation capabilities in Active Directory, see "Designing the Active Directory Structure" in this book.
Through Exchange Server, you can populate Active Directory with user and group information from third-party e-mail directories. Exchange Server supports bidirectional directory synchronization with third-party e-mail directory services that contain directory synchronization agents. Figure 20.3 shows the interoperability between Exchange Server and third-party e-mail directory services.
Figure 20.3 Bidirectional Directory Synchronization with Third-Party E-mail Directory Services
The Active Directory Client enables end users on Windows 2000 Server or Windows 9x computers that have the Active Directory Client installed to find other users easily by using the Find People option. Combining the capabilities of ADC with the Active Directory Client allows you to quickly deploy Active Directory as a user directory, used in much the same way as a telephone directory.
For more information about Active Directory Client, see "Preparing Your Network Infrastructure for Windows 2000" in this book.
Installing the ADC on a server simply adds a service within Windows 2000 Server and Active Directory. To establish a relationship between an existing Exchange Server site and Active Directory, you must configure a connection agreement. A connection agreement holds information such as the server names to contact for synchronization, the object classes to synchronize, the target containers, and the synchronization schedule. You can define multiple connection agreements on a single ADC; each connection agreement can connect Active Directory to its own Exchange Server site, or several agreements can target the same Exchange Server site.
Specifically, a connection agreement defines the following:
The ADC only performs directory synchronization between Exchange Server 5.5 Service Pack 1 (SP1) or later and Windows 2000 Server. However, if an Exchange Server 5.5 site that contains an SP1 server also contains earlier versions of Exchange Server, the SP1 server automatically synchronizes with those earlier servers. In this case, all directory information is the same throughout the Exchange Server site and the organization.
Although only one instance of the ADC service can be active on a single computer running Windows 2000 Server, multiple connection agreements can be established. You can configure each connection agreement to perform unique synchronization tasks. For example, one connection agreement can continuously update the Windows 2000 Server Active Directory, while another connection agreement can update the Windows 2000 Server contacts to the Exchange Server directory daily at a time you specify.