From creating Exchange Server mailboxes and modifying SMTP addresses to bulk-importing data and configuring user permissions, this collection of frequently asked questions will teach you how to manage and manipulate Active Directory for easier Exchange Server deployment and administration.
|Frequently Asked Questions:
EXCHANGE SERVER AND ACTIVE DIRECTORY
|Exchange Server and Active Directory Administration Issues|
|Exchange Server and Active Directory Deployment Issues|
From a Windows XP Professional PC, how do I get the Exchange tabs in Active Directory Users and Computers for account administration? I know there is something from the Exchange Server CD I need to install on the PC, but what? Are there other dependencies?
This is a commonly asked question. You need to install the Exchange management tools on your workstation from your Exchange Server CD. Then you need to launch MMC using the Active Directory Users and Computers (ADUC) shortcut in Start -> Programs -> Microsoft Exchange. Once in ADUC, you should click Tools -> View Advanced in order to display all the tabs when administering mailboxes.
I have an Active Directory with Microsoft Exchange mail servers. I need to search Active Directory to find out who currently has the altrecipient field filled out. Is there a way to do this without writing a script?
Since Exchange 2000 and Exchange 2003 rely on Active Directory, technically what you're asking is how to query Active Directory for the altrecipient field. The best non-script method that comes to my mind is to use the CSVDE tool. Have a look at Microsoft's article entitled "Import or export directory objects using CSVDE" for more information on how to use CSVDE.
I need to set up an alternate recipient address for a user to forward copies of e-mails to a BlackBerry. In Exchange 5.5, you can set up a custom recipient that can then be used as an alternate recipient. How can I do this in Exchange 2000/2003?
You can add this by going to File -> Manage object view -> AD custom. Choose Active Directory user, and then New. The Attribute Directory name is altRecipient, and in Display title you can put something like Forwarding Address.
I want to add an e-mail address to an existing group. But Active Directory Users and Computers (ADUC) says that the address is already in use. I have searched ADUC for users' e-mail addresses, and no user has the address. But, I can't search groups for an e-mail address. How can I find this elusive address?
Here is a very easy way to do this:
This will give you the object -- of any type (user, group, contact, public folders, etc.) -- that has that e-mail address.
I am looking for a way to prevent Outlook 2000/2003 users from having access to the Permissions tab in the mailbox folders. I want to prevent users from assigning permissions to other users to have access to their mailboxes. I want to control this through Active Directory Users and Computers.
I think you might be able to do this is with a Group Policy Object. Using the Office templates you can remove tabs from Outlook and other Office applications. See Microsoft's Office 2003 Service Pack 2 Administrative Template (ADM), OPAs, and Explain Text Update page for more information.
If not, you may be able to lock down the permissions using the information in the Microsoft Knowledge base article, How to set Exchange Server 2003 and Exchange 2000 Server mailbox rights on a mailbox that exists in the information store.
I cannot create e-mail inboxes in Exchange from Active Directory Users and Computers anymore. When I create a new user with the wizard, everything finishes, but there are no e-mail addresses on the user properties e-mail tab, no entry in the Global Address Book and the Exchange System Manager doesn't show a new mailbox.
I can move the unseen mailbox from one server to another, and it magically appears. I can then move it back, but there are still issues. The mailbox doesn't appear in the address book, or have an e-mail address in the user properties, and the user cannot attach to the server with Outlook 2003.
I think this started shortly after I added a second Exchange server. NetDiag and DCDiag show no problems, and the Exchange Best Practices Analyzer doesn't show any hints either.
It sounds to me as though the Recipient Update Service (RUS) is not working properly for mailboxes you create on the problematic server. The RUS is responsible for stamping the SMTP proxy addresses on new object, along with other Exchange objects. It's also responsible for stamping the showInAddressBook attribute, which is required to get the mailbox to appear in the Global Address List (GAL) and permit logon via MAPI (i.e., Outlook). Without knowing more about your issues, I can't take you much further than this, but I'd have a good look at the RUS in troubleshooting your issue.
I need a simple way to copy about 13,000 contacts to a public folder. I'm a network administrator for an insurance company. We have contact information for about 11,000 independent agents and 2,000 various other contacts.
We just implemented a 'fax from desktop' solution. The cool thing about it is that, if you have a contact and a number in the 'Business Fax' field, all you have to do is find that contact, send a message and it goes out as a fax.
The problem is that I have to update this list about once a week because information changes that often. Basically, I import an Excel spreadsheet into a contact list in a personal folder on my computer and then copy to the Exchange Server 2003 public folder. This takes forever and a day even when breaking it up into 2,000 piece increments. It also eats about 60-70% of CPU during the copying procedure.
Is there any easier/simpler way of doing this?
First of all, check whether the public folder that you're importing to is replicated to (or located on) a server that is close to you. Secondly, you'll want to check the raw processing power on the Exchange server hosting that public folder. It's quite likely that boosting server performance will speed up your imports, if that's an option. Finally, you may want to consider creating an address list in Active Directory containing the contacts, instead of placing the contacts in a public folder.
You'll need to learn how to use a tool called LDIFDE for export and import to Active Directory. This is described in Microsoft's Step-by-Step guide to bulk import and export to Active Directory.
If this meets all your requirements, then this will speed up the process dramatically. Since LDIFDE import files are a bit unwieldy to manipulate, you will want to search your favorite Internet search engine for "convert ldif to csv free" to locate some of the free tools available to facilitate making your weekly changes using Excel. Obviously, test this in a lab first to ensure this meets your performance needs.
Is there any way to view the disabled mailboxes (closed mailboxes) under Active Directory (AD) users and computers? Also, can the Exchange administrator receive an e-mail notification for the disabled (closed) mailboxes?
We should first review how this works. Each typical user of an Exchange environment has an account that they use to log onto the network with (i.e., an account in Active Directory) and a mailbox within Exchange that is associated with that account. There are different ways to decommission a mailbox once a user has left the organization. I'll discuss two of these in answering your question.
Option 1: Hard delete after x days –- in this approach, when a user leaves an organization, their account is typically disabled, blocking them from logging onto the network. The mailbox continues to be associated with this account, and can be logged onto using alternate credentials if someone else needs access to the mailbox. A mailbox with a disabled account will no longer receive messages. Typically in this scenario, the mailbox and associated account are completely deleted after x days. In many cases, decommissioned accounts are moved to a dedicated Organizational Unit (OU) reserved for this purpose.
Option 2: Re-assigning SMTP Address -– in this approach, the departed user's account is disabled, as above, but their SMTP address is removed from their original mailbox and moved to another object such as a "catch-all" mailbox designated for all terminated employees, a manager's mailbox or similar.
So now to answer your questions. Viewing a list of all disabled mailboxes really depends on how you've decommissioned them. If you simply want a list of all accounts that have been disabled, these are visible within Active Directory Users and Computers as users with a red x through them. If you're using Option 1 and have moved decommissioned accounts to a dedicated OU, then this is even simpler. Just point Active Directory Users and Computers at the OU and you'll have your list. If you're using Option 2, then you could use View | Show Columns within Active Directory Users and Computers to add the "E-Mail Address" column. Sorting by users without an e-mail address will allow you to identify those who have been terminated.
Finally, you asked about an administrator receiving e-mails for the disabled mailboxes. I'm assuming you're asking whether administrators can receive messages designated for the terminated users, in which case Option 2 provides a solution.
Let's assume Exchange 2000 and Active Directory are ready. I want to make a domain and a user on the domain like this: firstname.lastname@example.org. Where can I put the domain name 'abc.com' on the Exchange server? In the e-mail address of the recipient's mail property? How do I make the Exchange server support a second domain?
These are great questions. I'll deal with them individually.
First of all, I believe you're asking how to set up the SMTP address of your e-mail accounts to be @abc.com.
There are multiple parts to this question. Setting the SMTP domain to be @abc.com is pretty simple. Essentially, you need to launch Exchange System Manager, navigate to Recipient Policies -> Default Policy -> Properties -> E-mail Addresses and set SMTP Address to @abc.com. All new mailboxes created henceforth will have an e-mail address in the format email@example.com.
If you have to change the SMTP addresses of mailboxes that you have already created (i.e., if you have a lot of existing mailboxes already created), you'll have to resort to either changing them manually through Active Directory Users and Computers, or using the Ldifde tool to export all mailboxes, modify the SMTP address and re-import into Active Directory. (See Microsoft Knowledge Base article 313823.)
Secondly, supporting a second SMTP domain is as simple as setting some sort of unique identifier on all accounts that will sport the --> --> --> --> .com SMTP address and then specifying a second recipient policy based on this criteria. Depending on the business drivers behind your particular requirements, you may decide to put all @123.com users in a given Organizational Unit (OU) in Active Directory, or you may wish to include specific text in one attribute on all these accounts -- for example, Custom Attribute = "123 Company" or similar. Then you'll want to create the recipient policy for @123.com. You'll need to specify an LDAP query for the second recipient policy that only returns the mailboxes that you've created. Once again, you'll need to the Recipient Policies node, then select the new Recipient Policy that you've created for 123 Company, navigate to Properties -> E-mail Addresses, and set the SMTP Address to @123.com.
One final reminder: Any SMTP domains that you set up are only as good as the DNS MX records that you have defined with your Internet Service Provider and Internet Domain Registrar. Obviously, you need a proper MX record set up for both @abc.com and @123.com pointing to your SMTP gateway if your Exchange server is going to actually receive any Internet traffic destined for these domains!
In Active Directory Users and Computers (ADUC), I copied a disabled user account (User A) to a new employee (User B) who was a replacement. User A had an Exchange 5.5 mailbox that wasn't migrated to Exchange 2003. I was not aware of that until after I set up the account.
Now User B has no associated mailbox. I right-click the user and go to Exchange Tasks, looking for "Create Mailbox," but all I get is "Remove Exchange Attributes." How do I create a mailbox for User B?
You should be able to simply right-click the mailbox and select "Remove Exchange Attributes." Once this is done, right-clicking should permit you to use "Create Mailbox" to create a new mailbox for User B.
Can you force Microsoft Outlook client options in an Exchange Server environment? For example, we are a hospital and want to add a specific signature line but do not want to allow employees to change stationery and fonts. How can we do this?
There are a number of Microsoft Outlook options that you can enforce using Active Directory Group Policy. To set this up, first download the Office Resource Kit. Locate the ADM files in the Resource Kit folder and copy them into %windir%\inf. The template that will be of the most interest to you is Outlk11.adm.
Once you've done this, create a Group Policy Object (GPO). Call it Outlook Configuration, or anything with a convenient name. Edit your GPO and select the Administrative Templates under User Configuration. Right-click Administrative Templates, select the Add/Remove Templates option, and then browse to the Outlok11.adm file. After you've done this, you will have a new node under User Configuration -> Administrative Templates -> Microsoft Office Outlook 2003 with lots of goodies that you can configure and enforce for your users, including specification of stationary and fonts.
Unfortunately, adding standard signatures cannot be accomplished through Group Policy. For that, you could create an Event Sink and add a disclaimer to simulate a signature, or you could use third-party software.
When our Active Directory was created, they didn't put in the telephone numbers. Is there any way to add the telephone numbers for 500 people without having to go into Active Directory and put in the numbers one by one? Human Resources sends out a telephone directory in Excel; can I use that to my benefit?
You should have a look at LDIFDE. See Microsoft Knowledge Base Article 237677: Using LDIFDE to import and export directory objects to Active Directory for instructions on how to make these changes. You'll need to be creative in Excel (or Access) in order to match up the source data from Human Resources with Active Directory data using some unique primary key.
My Exchange 2003 server is also a domain controller because it was the first domain controller in Active Directory. With other domain controller's now installed, we want to demote Exchange from being a domain controller to just a member server.
We have already moved the catalog server function to a different domain controller. Referencing a document in Microsoft Knowledge Base, we think we just have to move Flexible Single Master of Operations (FSMO) roles and run DCPROMO.
Yes, you need to move the FSMO roles to another domain controller and then DCPROMO the machine to demote it from being a domain controller to simply a member server. You should have no problems.
How do you transfer the infrastructure master role from one domain server to another?
I am migrating from Exchange 5.5 to Exchange 2000 within the same domain. I have installed Windows 2000 and Exchange 2000 on a new box. Do I have to establish a trust between NT4 and Exchange 2000? How do I move the mailboxes from Exchange 5.5 to Exchange 2000?
Microsoft publishes many great overview articles on migrations, more specifically, about the question you are asking. Since this is a general question, I would like to point you to this particular TechNet overview article from Microsoft: How to migrate from Exchange 5.5 to Exchange 2003 using the Active Directory Migration Tool.
I'm planning an NT 4.0/Exchange 5.5 to Windows Server 2003/Exchange 2003 upgrade. In a new, parallel Active Directory deployment, I will use the Active Directory Migration Tool to migrate/copy user accounts to Active Directory. Then, I will use it again to modify the access control lists (ACLs) of the Exchange 5.5 mailboxes, so that the new Active Directory accounts would become the new owners.
After I run that, can I still log in with the old NT accounts and access those mailboxes? Or can I only log in with the Active Directory account from that point on?
It depends on the permissions that are modified during the ACL update. If you leave the old NT account as the primary NT account of the Exchange 5.5 mailbox, then the new account should still have access to the resource via SIDHistory. But it would require you to keep the legacy domain online indefinitely, and have a functioning trust in place.
You should determine how long you want to keep the legacy domain online, then re-ACL the primary NT accounts to the new accounts. After that, you can have your users log into the Active Directory domain versus NT.
A unit of the Army National Guard, which is now a temporary Active Directory forest with Exchange 5.5, will be migrating to an Active Directory forest of the U.S. Army. We are required to maintain Exchange 5.5. We have 150 users and a priv.edb of 5 GB. Once migration is complete, we will become an organizational unit.
Can we migrate Exchange 5.5 intact, or should we install Exchange 5.5 on the new forest and use Exmerge to move the mail? Some people think we can install Exchange 5.5 before the migration, and some think we should install after we are members of the Army forest.
What would you do?
As long as the Exchange 5.5 servers are built on machines that are just member servers, and not servicing a backup domain controller role in the old NT domain, I would simply add the machines into the new AD domain. Then, change the Exchange 5.5 service accounts and reassign all of the mailboxes in Exchange 5.5 with a a new Active Directory primary NT account.
This way the original Exchange 5.5 servers will exist as member servers in the new Active Directory domain; the service account for Exchange is an Active Directory object; and, lastly, the accounts used to log into the mailbox are the new Active Directory accounts.
This article might be helpful as well: How to change the service account password.
We recently acquired a company and are in the process of testing our network setup. Our forest master and Exchange are on Domain A. Domain B is trying to access e-mail in Domain A. So there is a user account on Domain B and a user account with an Exchange mail store on Domain A. Right now, they are set up as a tree in our forest. I want to see if it is possible to synchronize Domain A's Active Directory with Domain B's Active Directory, so we don't have to change passwords in two domains. How do we accomplish this?
If Domain A trusts Domain B, you should just be able to give all the Domain B accounts rights to access the Domain A mailboxes. That way, you don't need to worry about the passwords for Domain A accounts. In other words, the only accounts you'd need to manage for the time being are Domain B accounts. To set this up:
Essentially, you're asking how to simplify management of your users' identities across multiple accounts and passwords. Various solutions exist focused on identity management. Microsoft has a solution called Microsoft Identity Integration Server (MIIS) that permits exactly what you're asking, namely synchronization of passwords across multiple domains as you described.
More importantly, in your case, I believe you can use a free scaled down version of MIIS called the Identity Integration Feature Pack 1a for Microsoft Windows Server Active Directory, which can synchronize passwords across Active Directory, ADAM and Exchange Server environments. You'll also want to install the update.
If you want a more sophisticated solution that will do all this plus assist once you start migrating users from Domain B into Domain A, I suggest looking at third-party migration solutions.