General Information
The Active Directory Connector (ADC) uses the ADC Global Names mechanism to keep track of which objects in Microsoft Exchange Server 5.5 are matched to which objects in Active Directory, and the converse. The ADC marks objects with ADC Global Names so that when the ADC wants to replicate changes from a source object to its target object, the ADC can quickly determine which object in the target directory to replicate to, without having to use the object matching rules to find the object.
The
ADC Global Names attribute has multiple values and contains a unique name for the object in each directory. For the Exchange Server 5.5 directory, this unique name is the distinguished name of the object combined with the object's
objectclass attribute. For Active Directory, the
objectGUID attribute of the object is used. The
ADC Global Names attribute also contains a value that uniquely identifies the Exchange organization or Active Directory Forest that the object came from.
The Lightweight Directory Access Protocol (LDAP) attribute that is used in the Exchange Server 5.5 directory and Active Directory is the
msExchADCGlobalNames attribute. If you use the Exchange Administrator program in Raw mode (
Admin.exe /r) to view the Exchange Server 5.5 directory, the attribute is displayed as
ADC-Global-Names.
The Format of the "msExchADCGlobalNames" Attribute
The format of a single Global Name entry is:
[DirectoryType]:[DirectoryName][8_hexadecimal_characters_of_flags][16_hexadecimal_characters_of_time_stamp]
Exchange Server 5.5 Global Name Value
The following table contains an Exchange Server 5.5 global name value.
DirectoryType | EX5 |
DirectoryName | DN:objectclass |
NOTE: Each
objectclass attribute is separated with a dollar sign ($) and is sorted alphabetically.
Exchange Server 5.5 Forest Value
The following table contains an Exchange Server 5.5 forest value.
DirectoryType | forest |
DirectoryName | The distinguished name of the Exchange organization |
NOTE: The case of the DirectoryType for the Exchange forest is lowercase.
Active Directory Global Name Value
The following table contains an Active Directory global name value.
DirectoryType | NT5 |
DirectoryName | The objectGUID attribute |
NOTE: The
objectGUID attribute is in hexadecimal form, not string form. A string-form globally unique identifier (GUID) is in the form "67452301-ab89-efcd-0123-456789abcdef12" and a hexadecimal GUID is in the form "0123456789abcdef0123456789ab".
Active Directory Forest Value
The following table contains an Active Directory forest value.
DirectoryType | FOREST |
DirectoryName | The objectGUID attribute of the Configuration container of the Active Directory forest in hexadecimal form |
NOTE: The case of DirectoryType for the Active Directory forest is all uppercase.
Flags
The following table contains the only flag that is defined.
0x0001 | Even though this object is not deleted, the object that is documented in the global name was deleted. |
Time Stamp
The time stamp is written when the global name value is created, but the time stamp is not currently used for anything. If you create your own global name, Microsoft recommends that you set the time stamp to all zeros (0). This makes it easy to identify whether a global name was stamped by the ADC or was created manually.
When the "ADC Global Names" Value Is Set on an Object
The
msExchADCGlobalNames attribute is set on the target object after the ADC matches to that object. The value that is set is the global name of the source object and also the source
forest value. The source object is the object that the ADC is replicating to the target object. If the Connection Agreement is two-way, when the object back-replicates to the original directory, the following things occur:
- The msExchADCGlobalNames values that were on the original target object are copied.
-and-
- The global name and forest value of the original target is added because it is now the source of replication.
Consider the following scenario:
In this scenario, during initial replication:
- The ADC finds the MB1 mailbox as a source object that needs to be replicated.
- The ADC determines whether or not the mailbox already has an msExchADCGlobalNames value. Because this is initial replication, the mailbox does not.
- The ADC uses the object matching rules, and then queries Active Directory for a user account with an objectSID attribute that matches the security identifier (SID) in the Assoc-NT-Account attribute.
- The DOMAIN\User1 account is identified as the target object of the object matching.
- The ADC replicates all of the attributes from the Exchange Server mailbox to the Active Directory user, based on the ADC schema maps.
- The ADC sets Forest and EX5 values in the msExchADCGlobalNames value of the Active Directory user. The msExchADCGlobalNames value on the Active Directory user is now similar to:
forest:o=Org000000009999999999999999
EX5:cn=MB1,cn=Recipients,ou=Site,o=Org:organizationalperson$person$top000000009999999999999999
At this point, the Exchange Server 5.5 mailbox does not yet have a
msExchADCGlobalNames value.
When the ADC completes replication from Exchange to Active Directory, the ADC starts to replicate from Active Directory to Exchange:
- The ADC finds the User1 object as a source object that needs to be replicated.
- The ADC checks determines whether or not the Active Directory user object already has an msExchADCGlobalNames value.
- Because the Active Directory User object now has an msExchADCGlobalNames value with EX5 and forest values, the ADC does not have to use the object matching rules. This is because the ADC can uniquely identify the target object.
- The ADC locates the Exchange Server 5.5 mailbox, and then replicates any changes from the Active Directory user back to the Exchange Server 5.5 mailbox, based on the ADC schema maps.
- The ADC copies the existing EX5 and forest values to the msExchADCGlobalNames value. The ADC also adds NT5 and FOREST values. The msExchADCGlobalNames value on the Exchange Server 5.5 mailbox is now similar to:
forest:o=Org000000009999999999999999
EX5:cn=MB1,cn=Recipients,ou=Site,o=Org:organizationalperson$person$top000000009999999999999999
NT5:0123456789abcdef0123456789ab000000009999999999999999
FOREST:aaaaaaaabbbbccccdddddddddddd000000009999999999999999
The Active Directory user still has only the
EX5 and
forest values, until the Exchange Server 5.5 mailbox is replicated from Exchange to Active Directory again. After the mailbox replicates to Active Directory again, the
NT5 and
FOREST values are copied from the Exchange Server 5.5 mailbox to the Active Directory user. Both objects then have all four values:
EX5,
forest,
NT5, and
FOREST.
Using ADC Global Names to Find the Replication Partner of an Object
After an object is stamped with the global name of its replication partner from the source directory, you can easily use the
EX5 or
NT5 value of that object to find the matching object.
For the
EX5 value, use the distinguished name value that is listed. For example, if the global name is
EX5:cn=MB1,cn=Recipients,ou=Site,o=Org:organizationalperson$person$top000000009999999999999999
search the Exchange Server 5.5 directory for the following distinguished name:
cn=MB1,cn=Recipients,ou=Site,o=Org
For
NT5 values, use the
objectGUID attribute in an LDAP search filter to find the object in Active Directory. Because the
objectGUID attribute is a hexadecimal value, you must add slashes after each byte to search. For example, if the global name is
NT5:0123456789abcdef0123456789ab000000009999999999999999
search Active Director and use the following LDAP filter:
(objectGUID=\01\23\45\67\89\ab\cd\ef\01\23\45\67\89\ab)
You can also convert the hexadecimal GUID to a string GUID, and then use the following special LDAP base distinguished name syntax:
<GUID=stringGUID>
For example, you can search Active Directory with the following base distinguished name:
<GUID=67452301-ab89-efcd-0123-456789abcdef12>