How does ADC and the Update ADC Accounts Wizard work? (NETIQKB6409)

  • 7706409
  • 02-Feb-2007
  • 21-Sep-2007

Resolution

goal
How does ADC and the Update ADC Accounts Wizard work?

fix

When an intra-org (same Exchange organization) connection agreement is made using Microsoft's Active Directory Connector (ADC), ADC migrates all of the mailbox attributes to an account in the predetermined AD target OU. If the account does not exist, a disabled account will be created. With the creation of this account, an attribute called MsExchMasterAccountSID is also migrated and added to each account. This attribute is the SID of the NT primary account that is associated with the source mailbox, and it works similarly to SID History. In order for the DMA Update ADC Accounts Wizard to work successfully, the account must have a valid MsExchMasterAccountSID. The ADSI Edit tool installed with the Windows 2000 Support Tools can be used to view the MsExchMasterAccountSID. During an inter-org (different Exchange organization) migration, ADC does not populate the MsExchMasterAccountSID attribute.

To translate security and/or update group membership for accounts using DMA, an accurate mapping must exist in the internal DMA database (protar.mdb) to show which source account is equal to which target account. This could be done using the normal Migrate Users Wizard, but since ADC typically creates a different naming format on the target domain, the two accounts would not conflict, so they would not be merged into a correct mapping. The result would be an additional account created from the source domain account information, unless database modeling is used to change the account name to the target account's format and force a conflict. ADC uses the source mailbox alias as the target samAccountName (pre-Windows 2000 logon name) and the Exchange display name as the target CN/Display Name. DMA uses the source samAccountName as the target samAccountName (pre-Windows 2000 logon name) and either the samAccountName or the NT Full Name to populate the CN/Display Name, depending on whether database modeling is enabled. An easier and more efficient alternative is to use the Update Active Directory Connector Accounts Wizard.

Follow the steps below to use the Update Active Directory Connector Accounts Wizard. The Update ADC Accounts Wizard is dependent on ADC migrating the necessary information correctly.

  1. The first set of information the wizard asks for is the target domain. DMA will gather all of the accounts that contain the MsExchMasterAccountSID attribute associated with them from the target domain specified.
  2. When the account gathering is complete, DMA will do a SID lookup to resolve the source accounts. This is where it is important that the target domain have the same trust in place as the domain the source Exchange Server resides in. Having no trusts or an unverified trust will prevent the tool from correctly resolving the SID and the account will not be available to select. This could also result in a substantial performance hit when trying to run this portion of the wizard.
  3. Once a SID is properly resolved, it will be added to the ADCMappings table and will be recorded in the ADCCollection log.
  4. Based on the domains where the accounts in the ADCMappings table reside, the wizard will ask which source domain you would like to work with when creating mappings for accounts. Only one can be selected.
  5. From here on, you select the account(s) and the options for each account, and DMA creates a mapping in protar.mdb between the source account and the ADC-created target account, which allows security translation as well as updating passwords, group membership, and SID History.
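
The following script is an added example and is not part of DMA, ADC or this article. It scripts the check that steps 1 and 2 above depend on: it gathers every account in the target domain that carries the msExchMasterAccountSid attribute (the same value ADSI Edit would show) and tries to resolve each SID to its source account through the trust. Accounts that fail to resolve are the ones the wizard would not be able to offer for selection, which usually points at a missing or unverified trust. It assumes the ActiveDirectory PowerShell module is installed, and the target domain name is a placeholder to replace.

```powershell
# Added example, not DMA's or ADC's own code.
# Lists target-domain accounts that carry msExchMasterAccountSid and resolves
# each SID to its source account, mirroring the wizard's gather and SID-lookup steps.
# Assumes the ActiveDirectory module (RSAT); the domain name is a placeholder.
param(
    [string]$TargetDomain = 'target.example.com'   # placeholder, not from the article
)

Import-Module ActiveDirectory

# Step 1 equivalent: gather every account in the target domain whose
# msExchMasterAccountSid is populated (intra-org ADC writes it, inter-org does not).
$accounts = Get-ADUser -Server $TargetDomain `
    -LDAPFilter '(msExchMasterAccountSid=*)' `
    -Properties msExchMasterAccountSid

foreach ($acct in $accounts) {
    $raw = $acct.msExchMasterAccountSid

    # The attribute may come back as a SecurityIdentifier or as raw bytes;
    # normalise it to a SecurityIdentifier either way.
    if ($raw -is [byte[]]) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
    } else {
        $sid = [System.Security.Principal.SecurityIdentifier]$raw
    }

    # Step 2 equivalent: resolve the SID through the trust to the source account.
    # A failure here (IdentityNotMappedException) is the symptom of the missing or
    # unverified trust described in step 2; such accounts are not selectable in the wizard.
    try {
        $source = $sid.Translate([System.Security.Principal.NTAccount]).Value
        $status = 'resolved'
    } catch {
        $source = '<unresolved: verify trust to the source domain>'
        $status = 'unresolved'
    }

    [pscustomobject]@{
        TargetSamAccountName   = $acct.SamAccountName
        TargetEnabled          = $acct.Enabled
        MsExchMasterAccountSid = $sid.Value
        SourceAccount          = $source
        Status                 = $status
    }
}
```

Run it before starting the wizard and filter on Status equal to 'unresolved' (for example by piping the output to Where-Object or Export-Csv); every unresolved row is an account that needs the trust fixed before DMA can build its mapping in protar.mdb. Target accounts created by ADC are disabled, so TargetEnabled is expected to be False for them.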


note

Please contact Technical Support to create a 'Support Request' for any issues you encounter that are not addressed by the User Guide, any Knowledge Base articles found on the website, or current Hotfixes available for download.



Additional Information

Formerly known as NETIQKB6409