Exchange Server 5.5 users cannot see recipients from a pure Exchange 2000 administrative group or pure Exchange 2003 administrative group in the Global Address List

After you install a new Exchange 2000 or Exchange 2003 computer in a pure administrative group, Exchange Server 5.5 users cannot see recipients from the pure Exchange 2000 administrative group or pure Exchange 2003 administrative group in the Global Address List.

Note A pure Exchange 2000 administrative group or pure Exchange 2003 administrative group, the equivalent of an Exchange Server 5.5 site, is defined as an administrative group that does not contain an instance of the Site Replication Service (SRS).

This issue occurs if a recipient Connection Agreement does not exist for the pure administrative group. If the recipient Connection Agreement does not exist, recipients from a pure Exchange 2000 administrative group or pure Exchange 2003 administrative group are not replicated to the Exchange Server 5.5 directory. Each administrative group or Exchange site must have at least one recipient Connection Agreement configured so that its recipient information can be shared between the Exchange Server 5.5 directory and the Active Directory directory service by using the Active Directory Connector (ADC).

To resolve this issue, you must create a new recipient Connection Agreement for the pure administrative group. This can be a difficult task in larger Exchange environments that contain multiple sites or administrative groups.

• If you are using the Exchange 2000 version of the ADC, you must manually create recipient Connection Agreements for each of your administrative groups by using the Active Directory Connector Manager tool.
• For Exchange 2003 deployments, you can use the ADC Tools to evaluate your Exchange environment and to automatically create and configure recipient Connection Agreements and public folder Connection Agreements for each of your sites.

All Connection Agreements must be configured with the following information:

• Authentication and server information. This includes the Lightweight Directory Access Protocol (LDAP) port.
• Replication direction and schedule.
• LDAP search scope.

The LDAP search scope is significant because it is used to determine whether a recipient object should be replicated to the target directory as either a new object, a modified object, or a deleted object. Within the configuration options of a recipient Connection Agreement, there are two tabs that you can use to control the LDAP search scope. On the From Windows tab, you can define multiple Microsoft Windows organizational units that will be searched for new or modified objects. Similarly, on the From Exchange tab, you can add multiple Exchange recipient containers that will be searched for new or modified objects.

You must also populate both tabs with a default destination. The default destination is an organizational unit or a recipient container that is used to hold new objects that are created by the ADC when the LDAP search scope cannot find a corresponding object in the target directory. For administrative groups or sites that contain an instance of the SRS, populate the default destination on the From Windows tab of the recipient Connection Agreement with the distinguished name of the mixed site. For example, the default destination should be similar to the following: When you create new users who have Exchange 2000 or Exchange 2003 mailboxes in the mixed site, the ADC creates placeholder entries in the target Exchange directory. This process keeps the Global Address List synchronized between the Exchange directory and Active Directory.

Pure Exchange administrative groups do not have an SRS. Therefore, another SRS in the organization must serve as a writable endpoint for recipient data for the pure administrative group. A background process named the Site Knowledge Consistency Checker (SKCC) automatically determines which SRS in the organization should be responsible for this role. After an appropriate SRS has been automatically chosen as a writable endpoint for recipient data, the distinguished name of the pure administrative group is added to the From Windows tab of the associated configuration Connection Agreement.

Note In organizations that contain several remote sites that are running instances of the SRS, you can control the SKCC arbitration process. For additional information, click the following article number to view the article in the Microsoft Knowledge Base: To replicate the recipients from a pure Exchange 2000 administrative group or pure Exchange 2003 administrative group to the Exchange Server 5.5 directory, you must create a new recipient Connection Agreement that will replicate recipient data between Active Directory and the SRS that has assumed the naming context ownership role for the pure administrative group. The recipient Connection Agreement creates new placeholder objects in the SRS that owns the naming context for the pure administrative group. After the new placeholder objects are created, the Exchange directory replication process replicates the new recipient placeholder objects to all Exchange Server 5.5 computers in the organization.

To create the new recipient Connection Agreement, use one of the following methods.

Method 1: Create the recipient Connection Agreement by using the Exchange 2003 ADC Tools

Note You can use method 1 only if you are running the Exchange 2003 version of the Active Directory Connector (ADC).

Exchange 2003 includes a new feature named the ADC Tools. These tools can help you correctly deploy the ADC in your environment. ADC Tools has built-in logic that quickly determines the correct number of Connection Agreements that are required for your organization and then creates them with the appropriate Lightweight Directory Access Protocol (LDAP) search scopes.

Note For more information about ADC Tools, start the Active Directory Connector Services tool, right-click ADC Tools, and then click Help.

If you are running Exchange 2003, you should run the Connection Agreement Wizard from ADC Tools after you deploy your first Exchange 2003 computer in a new administrative group. The Connection Agreement Wizard does the following:

1. Detects the new administrative group
2. Identifies the Site Replication Service (SRS) that has assumed the naming context ownership role for the pure administrative group
3. Creates a new recipient Connection Agreement by using the correct LDAP search scope for recipient objects

To have the ADC Tools automatically create Connection Agreements for your environment, run the Connection Agreement Wizard from the Active Directory Connector Services snap-in. To do this, follow these steps:

1. Start the Active Directory Connector Services tool. To do this, click Start, point to All Programs, point to Microsoft Exchange, and then click Active Directory Connector.
2. In the left pane, click ADC Tools.
   
   There are four steps listed in the right pane.
3. Under Step 4: Connection Agreement Wizard, click Run.
   
   Note If this option is unavailable and appears dimmed, you must run steps 1 through 3 in ADC Tools to collect information about your Exchange sites and administrative groups.
4. On the Welcome to Connection Agreement Wizard page, click Next.
5. The Connection Agreement Wizard queries Active Directory for any existing recipient Connection Agreements or public folder Connection Agreements. Any existing Connection Agreements are displayed in the dialog box. You are prompted either to replace the Connection Agreements with Connection Agreements that are generated by the Connection Agreement Wizard or to keep your current Connection Agreements and exit the wizard. To replace the Connection Agreements, click Yes, continue this wizard, and then click Next.
6. In the Staging Area page, you are prompted to specify a staging area where new objects will be created. Click Browse, locate and then click a Windows organizational unit that will act as the default Windows destination, click OK, and then click Next.
7. If you have pure Exchange Server 5.5 sites in your environment, the Connection Agreement Wizard displays Connection Agreements for these Exchange Server 5.5 sites based on the data that is collected about your Exchange infrastructure. By default, these Connection Agreements will be configured as bidirectional, or two-way, for replication. Unless you specifically need one-way Connection Agreements, you should keep each recommended Connection Agreement as bidirectional. Click Next.
8. On the Site Credentials page, the wizard prompts you for authentication information for each Exchange site. Click a listed site, and then click Set Credentials.
9. In the Connect as box, click Browse, locate and then click the Exchange service account for the site, and then click OK.
10. In the Password box, type the Exchange service account password.
11. Either click the Specify a server option to choose a specific Exchange Server 5.5 computer and port to bind to, or click the Automatically discover a server option for sites that contain multiple Exchange Server 5.5 computers.
12. Click OK.
13. Repeat steps 8 through 12 for each listed site.
14. Verify that the credentials information for all listed Exchange sites is correct. To do this, make sure that the Password State column indicates a status of Validated. If all sites indicate a password state of Validated, click Next to continue.
    
    Note If a site has a password state of Logon Failure, click the site, and then click Set Credentials again to reenter the credentials information.
15. On the Domain Credentials page, click a domain that has Exchange recipients, and then click Set Credentials.
16. In the Set Credentials dialog box, click Browse, locate and then click an account that is a member of the Domain Admins group for the listed domain, and then click OK.
    
    Note If you use an account that has insufficient permissions, this may produce inconsistent results.
17. Type the account password in the Password box, and then click OK.
18. Repeat steps 15 through 17 for any other domains that have Exchange recipients.
19. Make sure that the credentials information for all listed domains is correct. To do this, make sure that the Password State column indicates a status of Validated. If all domains have a password state of Validated, click Next to continue.
    
    Note If a domain has a password state of Logon Failure, click the domain, and then click Set Credentials again to reenter the credentials information.
20. The Connection Agreement Selection page displays a list of recommended Connection Agreements for your environment. By default, all the Connection Agreements are selected. If you do not want to create a specific Connection Agreement, click to clear the check box next to that Connection Agreement. After you have decided which Connection Agreements that you want to create, click Next.
    
    Note Do not click to clear the check box next to the recipient Connection Agreement for the pure Exchange 2000 administrative group or pure Exchange 2003 administrative group.
21. On the Summary page, review the summary of actions that will be performed by the Connection Agreement Wizard. Click Back if you want to make any configuration modifications. To create the recommended Connection Agreements, click Next.
22. After the Connection Agreements have been created, click Finish to quit the wizard.

Recipient objects from the pure administrative group start to appear over time in the Exchange Server 5.5 Global Address List after the newly created Connection Agreement has been replicated. In larger environments, the Exchange directory replication schedule may significantly affect this process.

Method 2: Manually create the recipient Connection Agreement

You can use this method if you are running the Exchange 2000 version of the Active Directory Connector (ADC) or if you want to manually create the recipient Connection Agreement for the pure administrative group by using the Exchange 2003 version of the ADC.

Step 1: Determine which SRS has assumed the naming context ownership role for the pure administrative group

The Site Replication Service (SRS) is an Exchange 2000 or Exchange 2003 service that mimics the Exchange Server 5.5 directory. When you install the first Exchange 2000 or Exchange 2003 computer in a pure Exchange Server 5.5 site, the installation process enables the SRS on the Exchange 2000 or Exchange 2003 computer. An associated configuration Connection Agreement is also created to manage the replication behavior of the new SRS.

In mixed-mode organizations, the SRS is required because Exchange Server 5.5 directory information can be replicated only between Exchange Server 5.5 computers and not with Windows domain controller servers. Exchange Server 5.5 computers can replicate both recipient and configuration information with an SRS because the SRS mimics an Exchange Server 5.5 directory service. After an SRS is enabled, it learns of the Exchange Server 5.5 site configuration through intra-site directory replication. The ADC then uses the configuration Connection Agreement to replicate the configuration information into Active Directory. Additionally, the configuration Connection Agreement replicates Exchange 2000 or Exchange 2003 configuration data into the Exchange directory.

The SRS can also act as an Exchange directory endpoint of a recipient Connection Agreement. When you modify recipient data in the Exchange directory, the SRS learns of those changes through directory replication. The recipient Connection Agreement then replicates the changes to Active Directory.

If you are running the Exchange 2000 version of the ADC, or if you want to manually create the recipient Connection Agreement for the pure administrative group by using the Exchange 2003 version of the ADC, you must first determine which SRS has assumed the naming context ownership role for the pure Exchange 2000 administrative group or pure Exchange 2003 administrative group. To do this, follow these steps:

1. Start the Active Directory Connector Manager tool. To do this, click Start, point to All Programs, point to Microsoft Exchange, and then click Active Directory Connector.
   
   Note If you are running the Exchange 2003 version of the ADC, this tool is named the Active Directory Connector Services tool.
2. If you are running the Exchange 2003 version of the ADC, click Active Directory Connector (ServerName) in the left pane.
3. In the right pane, right-click a configuration Connection Agreement, and then click Properties.
4. Click the From Windows tab.
5. In the Windows Organizational Units box, search for the distinguished name of the pure administrative group. The distinguished name of the administrative group will appear in a format that is similar to the following:
   CN=PureAdministrativeGroupName,CN=Administrative Groups,CN=ExchangeOrganizationName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DomainName,dc=com
6. Repeat steps 3 through 5 until you find the configuration Connection Agreement that has the distinguished name entry for the pure administrative group.
7. After you have found the entry for the pure administrative group, click the Connections tab of the configuration Connection Agreement.
8. Note the information that is in the Exchange Server information area. Include the server name, the port number, and the service account authentication information.

Step 2: Create and configure a new recipient Connection Agreement for the pure administrative group

To create and configure a new recipient Connection Agreement for the pure administrative group, follow these steps on the computer that is running the ADC:

1. Start the Active Directory Connector Manager tool.
   
   Note If you are running the Exchange 2003 version of the ADC, this tool is named the Active Directory Connector Services tool.
2. In the left pane, right-click Active Directory Connector (ServerName), point to New, and then click Recipient Connection Agreement.
3. On the General tab, do the following:
   1. Type the name of the recipient Connection Agreement in the Name box.
   2. Under Replication Direction, click Two-way.
   3. When you receive the following message, click OK:
      The Connection Agreement must now write to the Exchange directory. Ensure that the account specified in the Exchange Server Information on the Connections property sheet has write permissions to the Exchange directory.
   4. In the Select a server to run the Connection Agreement list, click the server that you want to use.
      
      Note You must select a server that has ADC installed. If there is only one server that is running the ADC, there is only one server available.
4. Click the Connections tab.
5. Under Windows Server information, verify the following:
   1. The Server box contains the name of your Microsoft Windows 2000 Server-based or Microsoft Windows Server 2003-based global catalog server.
   2. The Authentication box is set to Windows Challenge/Response if you are using the Exchange 2000 version of the ADC or to Kerberos if you are using the Exchange 2003 version of the ADC.
   3. Under Connect as, click Modify.
   4. Click Browse, locate and then click an administrative account that has write permissions to Active Directory, and then click OK.
   5. Type the account password in the Password box, and then click OK.
6. Under Exchange Server information, use the information that you noted in step 8 of the "Step 1: Determine which SRS has assumed the naming context ownership role for the pure administrative group" section to complete the following:
   1. In the Server box, type the name of your Exchange 2000 or Exchange 2003 computer that is running the SRS that has assumed the naming context ownership role for the pure administrative group.
   2. Make sure that the Lightweight Directory Access Protocol (LDAP) port in the Port box is correct. By default, the LDAP interface for SRS uses port 379.
      
      Note This LDAP port value may be different if the computer that is running the SRS is an Exchange 2003 computer. An Exchange 2003 SRS server reads the site LDAP configuration object. If the site LDAP configuration object is set to port 389, the SRS server will still use port 379. (Port 389 is the default LDAP port in Exchange Server 5.5.) If the port value is not set to 389, the SRS server uses the specified LDAP value. For example, if the site LDAP configuration object is set to port 360, the Exchange 2003 SRS server will use port 360. Note that if you change the site default LDAP port, the Site Knowledge Consistency Checker (SKCC) updates the configuration Connection Agreement that points to the Exchange 2003 SRS server that has the new port number. By default, the SKCC runs five minutes after the SRS starts and then one time every three hours after that. It is also triggered by changes that are made under the Exchange organization object.
   3. Make sure that the Authentication box is set to Windows Challenge/Response.
   4. Under Connect as, click Modify.
   5. Click Browse, locate and then click the service account that you noted in step 8 of the "Step 1: Determine which SRS has assumed the naming context ownership role for the pure administrative group" section, and then click OK.
   6. Type the account password in the Password box, and then click OK.
7. Click the Schedule tab, and then click Always to set the replication time to always.
   
   Note The ADC automatically replicates all the objects during the first replication cycle. Therefore, if you click to select the Replicate the entire directory the next time the agreement is run check box, you do not affect the first replication cycle.
8. Click the From Exchange tab.
9. Under Exchange recipients containers, click Add.
10. Under your Exchange organization name, click the name of the mixed site that contains the SRS that has assumed the naming context ownership role for the pure administrative group, and then click OK.
11. Click Add again, click the name of the pure administrative group, and then click OK.
    
    You should now see two entries that are similar to the following in the Exchange recipient containers box:
    ou=MixedSiteName,o=ExchangeOrganizationName
    ou=PureAdministrativeGroupName,o=ExchangeOrganizationName
12. Under Default destination, click Modify.
13. Locate and then click the organizational unit in Active Directory that will be used to create new disabled user objects if the ADC cannot locate the Active Directory user account of the mailbox owner, and then click OK.
    
    Note This behavior is frequently encountered in mixed or pure Exchange Server 5.5 sites. However, it rarely occurs in pure administrative groups where mailboxes exist only on Exchange 2000 or Exchange 2003 computers.
14. Click the From Windows tab.
15. Under Windows Organizational Units, click Add.
16. Locate and then click the organizational unit that contains the recipients from your pure Exchange 2000 administrative group or pure Exchange 2003 administrative group, and then click OK.
    
    Note If your recipients are dispersed among several organizational units, you can add each organizational unit individually, or you can add the parent container. If you add the parent container, the ADC replicates all recipient objects in each child subcontainer to the target directory. For additional information about how the ADC replicates containers, click the following article number to view the article in the Microsoft Knowledge Base:
    253826 How the Active Directory Connector replicates subcontainers
17. Under Default destination, click Modify.
18. Click the name of the mixed site that contains the SRS that has assumed the naming context owner role for the pure administrative group, and then click OK.
19. Click to select the Create objects in location specified by Exchange 5.5 DN check box.
20. Click OK.
21. You are now finished configuring the recipient Connection Agreement. To force replication, right-click the two-way agreement, and then click Replicate Now.
    
    The recipient objects for the pure administrative group replicates into the SRS that is specified on the Connections tab of the recipient Connection Agreement. However, instead of objects being created in the Recipients container of the mixed site, a new Recipients container is created for the pure administrative group. By default, pure administrative groups are not created with a legacy Recipients container object. The ADC then uses the legacyExchangeDN value of each recipient object from the pure administrative group to create a placeholder object in the new Recipients container in the directory of the SRS that has assumed the naming context ownership role for the pure administrative group. The default legacyExchangeDN value for mailboxes created on Exchange 2000 or Exchange 2003 computers uses the following format:
    cn=UserName,cn=Recipients,ou=PureAdministrativeGroup,o=ExchangeOrganizationName
22. To initiate intra-site directory replication, follow these steps on the Exchange Server 5.5 computer in the mixed site where the SRS that has assumed the naming context ownership role for the pure administrative group resides.
    
    Note Alternatively, you may choose to wait up to 15 minutes for intra-site directory replication to automatically occur between the SRS and your Exchange Server 5.5 computer.
    1. Start the Exchange Administrator program. To do this, click Start, point to All Programs, point to Microsoft Exchange, and then click Microsoft Exchange Administrator.
    2. Expand the mixed-site name, expand Configuration, expand Servers, and then click the Exchange Server 5.5 computer name.
    3. In the right pane, click Directory Service.
    4. On the File menu, click Properties.
    5. On the General tab, click Update Now.
    6. Make sure that Update only new and modified items is selected, and then click OK.
       
       This will initiate intra-site directory replication.
    7. Click OK to exit the Directory Service Properties dialog box.

After Exchange Server 5.5 directory replication occurs, the Exchange 2000 or Exchange 2003 recipient objects from the pure administrative group will appear in the Global Address List for your Exchange Server 5.5 users.

You cannot use the Exchange Administrator program to view Exchange recipient objects if you are connected to the Exchange 2000 or Exchange 2003 computer that is running the SRS. This is by design. To view recipient objects within an SRS, you can use any LDAP browser, such as the Active Directory Administration Tool (Ldp.exe). This tool is included with the Windows Support Tools package that is located on the Windows 2000 Server CD or the Windows Server 2003 CD.

To view Exchange recipient objects within the SRS database, follow these steps:

1. Install the Windows Support Tools from the Windows 2000 Server CD or the Windows Server 2003 CD. To do this, follow these steps:
   • On a Windows 2000 Server-based computer, double-click the Setup.exe file in the Support\Tools folder on the Windows 2000 Server CD.
   • On a Windows Server 2003-based computer, double-click the Suptools.msi file in the Support\Tools folder on the Windows Server 2003 Server CD.
2. Start the Active Directory Administration Tool. To do this, click Start, click Run, type ldp.exe, and then click OK.
3. On the Connection menu, click Connect.
4. In the Server box, type the name of the Exchange 2000 or Exchange 2003 computer that is running the SRS that has assumed naming context ownership role for your pure administrative group.
5. In the Port box, type the LDAP port that is used by the SRS. Typically, this is port 379.
   
   Note Do not click to select the Connectionless check box.
6. Click OK.
   
   The Active Directory Administration Tool makes an LDAP connection to the SRS. You will see the connection response from the SRS in the right pane of the Active Directory Administration Tool. The response should be similar to the following:

      ld = ldap_open("SRSServer", 379);
      Established connection to SRSServer.
      Retrieving base DSA information...

   Note In this example, "SRSServer" is the name of the SRS server.
   
   If you cannot connect to the SRS by using the Active Directory Administration Tool, verify that you typed the correct server name and port number in the Connection dialog box. If you still cannot connect to the SRS, verify on the SRS server that the Microsoft Exchange Site Replication Service state shows a status of Started in the Services snap-in.
   
   Note To start the Services snap-in, click Start, click Run, type services.msc, and then click OK.
7. On the Connection menu, click Bind.
8. In the User box, type the name of the Exchange service account from the mixed site where the SRS resides. For example, if the Exchange service account is named ExchServiceAcct, type exchserviceacct.
9. Type the password for the Exchange service account in the Password box.
10. Click to select the check box next to Domain, and then type the domain name in the Domain box. You can specify the domain name in network basic input/output system (NetBIOS) format or in fully qualified domain name (FQDN) format. For example, for a sample domain such as Contoso.com, you can type contoso, or you can type contoso.com.
11. Click OK.
    
    The connection dialog will be similar to the following:

    res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
    	{NtAuthIdentity: User='exchserviceacct'; Pwd= <unavailable>; domain = 'contoso'.}
    Authenticated as dn:'exchserviceacct'.

12. On the View menu, click Tree.
13. Leave the BaseDN box empty. Click OK.
    
    The root of your Exchange organization appears in the left pane in the format o=ExchangeOrganizationName.
14. Expand the Exchange organization object.
    
    You should now see all your Exchange sites and administrative groups.
15. Double-click the pure administrative group where your Exchange 2000 or Exchange 2003 recipients reside.
    
    Note The pure administrative group appears in the left pane in the format ou=PureAdministrativeGroupName,o=ExchangeOrganizationName.
16. Under the pure administrative group object, the Recipients container that was created by the ADC appears in the format cn=Recipients,ou=PureAdministrativeGroupName,o=ExchangeOrganizationName. Double-click the new Recipients container.
    
    A list of the Exchange 2000 or Exchange 2003 recipients from the pure administrative group appears. If you do not see the expected recipient objects, verify that the recipient Connection Agreement for your pure administrative group is configured with the appropriate LDAP search scope. Additionally, verify that the Exchange service account that is specified in the recipient Connection Agreement has sufficient permissions to write to the SRS directory in the mixed site where the SRS that has assumed the naming context ownership role for the pure administrative group resides.

For additional information about Connection Agreements, click the following article numbers to view the articles in the Microsoft Knowledge Base: For more information about the Active Directory Connector, see the Understanding and Deploying Exchange 2000 Active Directory Connector book. To download the book, visit the following Microsoft Web site: