New directory-service administration techniques
Exchange Server's messaging directory service has undergone quite a change since the introduction of Exchange 2000 Server. With that release, directory-service responsibilities moved from the Exchange Server 5.5 Directory Service (DS) to Windows 2000's Active Directory (AD). This change complicated a common Exchange administrative task: bulk manipulation of directory objects and attributes.
Exchange 5.5 provides the Microsoft Exchange Administrator Directory Export and Directory Import options (which you can also run from the command line as admin /e and admin /i) to accomplish this task, but these options no longer exist in Exchange 2000. You can continue to use that method as long as your Exchange organization operates in a mixed-mode environment (i.e., you still operate at least one Exchange 5.5 server); the Active Directory Connector (ADC) will synchronize changes between the DS and AD. (However, if you use Exchange Administrator to manipulate objects that belong to Exchange 2000, you must understand the attribute mappings that the ADC uses to synchronize the DS and AD; otherwise, you might overwrite necessary attributes or corrupt a mailbox object. Consequently, you should use Exchange Administrator to manipulate only those objects that are homed in the DS. For information about ADC synchronization, see Kieran McCorry, "How to Customize DS-to-AD Attribute Synchronization," March 2001, InstantDoc ID 19712.) When you introduce Exchange 2000 into your environment, you need a new method for managing bulk directory-export and directory-import of Exchange 2000 objects. Doing so will help you ensure that your organization's Microsoft Outlook Global Address List (GAL), users' predominant view of AD, always contains up-to-date information and that AD contains the attribute objects you need to meet your Exchange organization's needs.
In Exchange 5.5, changes you make to the DS affect only Exchange objects. But in Exchange 2000, changes you make to AD are more far-reaching and can affect not only Exchange but also your network's basic Windows infrastructure. How can you safely and effectively apply bulk attribute-manipulation methods in AD? The Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, VBScript, and three Lightweight Directory Access Protocol (LDAP) 3.0-compliant utilities (Ldp, Ldifde, and Csvde) can help you get the job done.
Before You Begin
This discussion assumes that you're familiar with Win2K, AD, and Exchange 2000 and that you have the required system privileges to access AD objects. By default, the Win2K Domain Admins built-in group has full control over every object in a domain; the Enterprise Admins built-in group has full control over every object in a forest. Users in the Account Operators, Administrators, or Domain Admins groups have full control over user objects and can read and modify all attributes, including mailbox location and other Exchange-related information. When you run Forestprep before installing the first Exchange 2000 server in your environment, Exchange 2000 Setup assigns Exchange Full Administrative account permissions to one account (either one you choose or the one you use to run Forestprep). This account then has authority to install Exchange 2000 throughout the forest and to run the Exchange Administration Delegation Wizard, which configures Exchange-specific roles for administrators across the forest. (For an in-depth discussion of Exchange roles and permissions, see the white paper "Microsoft Exchange 2000 Internals: Permissions Guide" at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/exchange/deploy/depovg/exchperm.asp.)
You must log on as an Administrator in the Exchange Administrator role for all procedures; otherwise, you might not be able to perform the necessary export or import operations. Carry out the procedures in a test AD environment, and apply the methods I discuss to your production environment only after you've mastered the procedures.
To begin, open the Active Directory Users and Computers snap-in on your test system. Create a sample organizational unit (OU) and give it an appropriate name (e.g., MSX-Testing). Right-click the OU object, then choose New, User from the context menu to create a new user object named AD-Test User; create an Exchange mailbox for the user. Open the new user object's Properties dialog box, and confirm that values exist for First Name, Last Name, and Title. You'll use this user account to explore the various approaches to bulk directory-manipulation methods. The following examples use the sample company name XYZ Company, with the Fully Qualified Domain Name (FQDN) xyz.com, the domain xyz, and the domain controller (DC) xyzDC. As you carry out your tests, replace the sample names with names specific to your test installation.
Using Ldp to View Attributes
Ldp is an LDAP client utility that comes with the Win2K Support Tools, which you can install with the Win2K CD-ROM's \support\tools\setup.exe program. The tool lets you view all the attributes of an AD object (similar to using Exchange Administrator's /r option to view the Exchange 5.5 DS in raw mode). The Support Tools also include the similar ADSI Edit tool. You can use either Ldp or ADSI Edit to modify and view AD. These utilities differ in the level of granularity available through each tool's UI. ADSI Edit uses a more developed UI that uses an MMC snap-in similar to Active Directory Users and Computers. You can access objects through context menus and select attributes from a drop-down box to view them one by one. Ldp's UI displays objects in the left-hand pane and attributes in the right-hand pane. When you select an object in the left-hand pane, all available attributes and values for that object appear in the right-hand pane. Therefore, Ldp provides a way to view all object attributes quickly and efficiently. (For a further comparison of Ldp and ADSI Edit, see Tony Redmond, "Introducing the ADSI Edit Utility," July 2000, InstantDoc ID 8901.)
You can use Ldp to view AD on a regular DC or on a Global Catalog (GC) server. A DC contains a read/write copy of all AD objects and attributes for the domain; a GC contains a read-only replica of every object in every domain in the forest but contains only a select set of attributes for each object. I suggest you stage your test environment so that you can view and validate AD data from both a DC and a GC. Before proceeding, read the Microsoft article "XADM: Browsing and Querying Using the LDP Utility" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q255602) for detailed instructions about using Ldp.
Select Windows 2000 Support Tools, Tools, Active Directory Administration Tool to open the Ldp utility. From the menu bar, select Connection, Connect to open the Connect dialog box, which Figure 1, page 12, shows. In the Server text box, enter the name of the DC (i.e., xyzDC) that owns the OU you created; in the Port text box, enter 389 to connect to AD. Click OK and note the output that appears in the tool's right-hand pane. Note the value of the defaultNamingContext attribute, which appears near the top of the output. This value is equivalent to your FQDN. You'll need to remember this value and syntax. For the sample company, this value is
defaultNamingContext: DC=xyz,DC=com;
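The defaultNamingContext value is the LDAP spelling of the domain's FQDN, and every DN you feed to Ldp, Ldifde, or Csvde later hangs off it. The following Python helper is an added example, not code from the article or from any Microsoft tool: it converts between the two spellings, checks the defaultNamingContext line that Ldp prints against the FQDN you expect, and composes user and OU DNs with RFC 4514 escaping so that a common name containing a comma (which is easy to get from a bulk CSV source) still parses as a single RDN. All names (xyz.com, MSX-Testing, AD-Test User) are the article's sample values; the function names are my own.

```python
"""Build and sanity-check AD distinguished names from the domain's naming context.

Added example for the article's XYZ Company scenario; all input values below
are constructed sample data, not output captured from a real directory.
"""
from __future__ import annotations

# Characters that RFC 4514 requires to be backslash-escaped inside an RDN value.
_DN_SPECIAL = set(',+"\\<>;=')


def fqdn_to_naming_context(fqdn: str) -> str:
    """xyz.com -> DC=xyz,DC=com (the defaultNamingContext form)."""
    labels = [label for label in fqdn.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty FQDN")
    return ",".join(f"DC={label}" for label in labels)


def naming_context_to_fqdn(naming_context: str) -> str:
    """DC=xyz,DC=com -> xyz.com; rejects anything that is not a pure DC chain.

    A trailing ';' (as in the Ldp output shown in the article) is tolerated.
    """
    parts = [p.strip() for p in naming_context.strip().rstrip(";").split(",")]
    labels = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or attr.strip().upper() != "DC" or not value.strip():
            raise ValueError(f"not a DC component: {part!r}")
        labels.append(value.strip())
    return ".".join(labels)


def escape_rdn_value(value: str) -> str:
    """Escape one RDN value per RFC 4514 so 'User, AD-Test' stays a single RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' would start a hex string
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(naming_context: str, ou_path: list[str], cn: str | None = None) -> str:
    """Compose CN=...,OU=...,DC=... with the nearest container first.

    ou_path is given top-down (parent OU first), the way you click through
    Active Directory Users and Computers; a DN lists it in reverse order.
    """
    rdns = []
    if cn is not None:
        rdns.append("CN=" + escape_rdn_value(cn))
    for ou in reversed(ou_path):
        rdns.append("OU=" + escape_rdn_value(ou))
    rdns.append(naming_context)
    return ",".join(rdns)


def naming_context_matches(ldp_line: str, expected_fqdn: str) -> bool:
    """Check the 'defaultNamingContext: ...' line Ldp prints against your FQDN.

    Returns False for any other attribute line or a malformed value, so a
    script that pastes the wrong line (e.g. a configuration naming context
    from another forest) fails closed instead of building DNs in the wrong tree.
    """
    key, sep, value = ldp_line.partition(":")
    if not sep or key.strip() != "defaultNamingContext":
        return False
    try:
        return naming_context_to_fqdn(value).lower() == expected_fqdn.strip().lower()
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: the line the article shows in Ldp's right-hand pane.
    ldp_output_line = "defaultNamingContext: DC=xyz,DC=com;"
    nc = fqdn_to_naming_context("xyz.com")
    print(nc)
    print(naming_context_matches(ldp_output_line, "xyz.com"))
    print(build_dn(nc, ["MSX-Testing"], "AD-Test User"))
    print(build_dn(nc, ["MSX-Testing"], "User, AD-Test"))
```

The escaping step is the part worth keeping in any bulk-import script: a display name such as "User, AD-Test" written into a DN unescaped is parsed by the directory as two RDNs, so the object lands in (or fails to bind to) a container you did not intend. Validating the naming context before generating a batch of DNs is the same idea applied one level up.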