Discussion:
LegacyExchangeDN is wrong for a user
mmac
2004-05-16 18:00:23 UTC
The attribute "LegacyExchangeDN" is wrong for a user. It is shown as
"Ztest". I'm not sure how it got that way and it doesn't seem to affect him,
but I would like to clean that up.
Can I just go into ADSIedit and put his mailbox name in there, or is
there another method I should use?
We were ex5.5/ex2k and now we are ex2k only; the old 5.5 machine has
finally been removed, if that matters.
tia
Dave Howe [MSFT]
2004-05-17 11:44:04 UTC
This can happen in Exchange 5.5 when you have a Windows user who is
specified in Primary Windows NT Account on more than one mailbox (John
Doe and Ztest). When the ADC replicates to Active Directory, if the
mailbox data for Ztest replicates first, the ADC will match to John
Doe's Active Directory account. Why? Because the ADC searches and
links on objectSID as one of its object matching rules (Primary
Windows NT Account (SID of John Doe) == objectSID (SID of John Doe)).

Next, John Doe's mailbox will replicate to Active Directory. Since we
will fail searching for any matches (based on objectSID, NTDSContact,
NTDSNoMatch, and SIDhistory), we will create a disabled AD account
with mail attributes linking back to John Doe's mailbox.

This happens all the time with resource mailboxes.

296260 XGEN: How to Configure a Two-Way Recipient Connection Agreement
http://support.microsoft.com/?id=296260

274173 XADM: Documentation for the NTDSNoMatch Utility
http://support.microsoft.com/?id=274173

This may not be the case with you, so to verify, you may want to take
an LDP dump of the AD account following these steps:

1) Install the Windows 2000 Support Tools on any Windows 2000 server.
The setup.exe file can be found within the support folder on the
Windows 2000 CD.
2) Click Start > Programs > Windows 2000 Support Tools > Tools >
Active Directory Administration Tool
3) After LDP is loaded, click Connection > Connect and enter the name
of one of your domain controllers and port 389. Leave the
Connectionless checkbox empty. Click OK.
4) Next, click Connection > Bind, then enter the credentials for
either a domain admin or enterprise admin account, leave the domain
box checkmarked, then click OK.
5) Click View > Tree and leave the Base DN empty. Click OK.
6) You should now see the Active Directory container hierarchy in the
left window pane. Drill down to the Users container (or
Organizational Unit) that holds the account that you wish to dump.
7) Locate the user object, highlight it, then click Connection > New.
This will clear the contents of the right window pane.
8) Double-click on the account you wish to dump.
9) Click Connection > Save As and enter a file name for your dump
file.

Now, open this file and search for an attribute called
msExchADCGlobalNames. There should be four values listed for it,
provided you have a two-way Recipient CA in place. Look at the EX5
value, which should show you the Recipient that this AD account is
linked to in format /o=Organization/ou=Site/cn=Recipients/cn=User. If
the EX5 value shows Ztest, then you have a cross-linked account.

Please let me know. The cleanup of this is a little tricky if not
done correctly, so I'd rather wait to see if you have a cross-linked
account before explaining it here.

Thanks!

---

Dave Howe
Microsoft PSS

This posting is provided "AS IS" with no warranties, and confers no rights.
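An added example, not from the thread and not Microsoft tooling, that does the check from steps 6 through 9 above over a saved LDP dump in Python: parse the attribute lines, pull the EX5 value out of msExchADCGlobalNames, compare its last cn= component with the alias the account should own, and compare two dumps by whenCreated and logonCount the way the later cleanup post suggests for spotting the ADC-created duplicate. The dump text, the '<n>> attribute: value;' line layout, the sAMAccountName jdoe, the domain example.local and the PLACEHOLDER global-name values are all constructed; a real LDP dump may differ in layout, so adjust the two regexes to what your file actually shows.

```python
"""Check a saved LDP dump for an ADC cross-link (added example, constructed input)."""
import re
from typing import Dict, List, Optional

# Assumed dump layout: one '>> Dn:' line, then '<n>> attribute: value; value;' lines.
ATTR_LINE = re.compile(r"^\s*\d+>\s*([A-Za-z0-9-]+):\s*(.*?)\s*$")
DN_LINE = re.compile(r"^\s*>>\s*Dn:\s*(.*?)\s*$")

# Constructed sample: the cross-linked John Doe account. Only the EX5:/o= value of
# msExchADCGlobalNames follows the format the thread describes; the other three
# values are placeholders standing in for the remaining ADC global names.
SAMPLE_JOHN = """\
>> Dn: CN=John Doe,CN=Users,DC=example,DC=local
    1> cn: John Doe;
    1> sAMAccountName: jdoe;
    1> legacyExchangeDN: /o=Example/ou=Site1/cn=Recipients/cn=ztest;
    4> msExchADCGlobalNames: EX5:/o=Example/ou=Site1/cn=Recipients/cn=ztest; EX5:PLACEHOLDER-1; NT5:PLACEHOLDER-2; NT5:PLACEHOLDER-3;
    1> whenCreated: 20020110093000.0Z;
    1> logonCount: 412;
"""

# Constructed sample: the disabled duplicate the ADC created for John Doe's own mailbox.
SAMPLE_DUPLICATE = """\
>> Dn: CN=John Doe2,CN=Users,DC=example,DC=local
    1> cn: John Doe2;
    1> sAMAccountName: jdoe2;
    1> legacyExchangeDN: /o=Example/ou=Site1/cn=Recipients/cn=jdoe;
    4> msExchADCGlobalNames: EX5:/o=Example/ou=Site1/cn=Recipients/cn=jdoe; EX5:PLACEHOLDER-4; NT5:PLACEHOLDER-5; NT5:PLACEHOLDER-6;
    1> whenCreated: 20040520144816.0Z;
    1> logonCount: 0;
    1> userAccountControl: 514;
"""


def parse_ldp_dump(text: str) -> Dict[str, List[str]]:
    """Return {attribute: [values]} for a single-object dump; the DN is stored under '_dn'."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        dn = DN_LINE.match(line)
        if dn:
            attrs["_dn"] = [dn.group(1)]
            continue
        m = ATTR_LINE.match(line)
        if not m:
            continue  # 'Getting 1 entries:' and similar header lines
        name, raw = m.group(1), m.group(2)
        values = [v.strip() for v in raw.split(";") if v.strip()]
        attrs.setdefault(name, []).extend(values)
    return attrs


def has_two_way_link(attrs: Dict[str, List[str]]) -> bool:
    """A two-way Recipient CA stamps four msExchADCGlobalNames values."""
    return len(attrs.get("msExchADCGlobalNames", [])) == 4


def ex5_recipient_dn(attrs: Dict[str, List[str]]) -> Optional[str]:
    """The /o=Org/ou=Site/cn=Recipients/cn=User value behind the EX5 link, or None."""
    for v in attrs.get("msExchADCGlobalNames", []):
        if v.upper().startswith("EX5:/O="):
            return v[len("EX5:"):]
    return None


def recipient_cn(legacy_dn: str) -> str:
    """Last cn= component of an Exchange 5.5 style DN."""
    m = re.search(r"/cn=([^/]+)$", legacy_dn, re.IGNORECASE)
    return m.group(1) if m else ""


def is_cross_linked(attrs: Dict[str, List[str]], expected_alias: str) -> bool:
    """True when the EX5 link points at a recipient other than this account's own mailbox."""
    dn = ex5_recipient_dn(attrs)
    if dn is None:
        return False  # nothing stamped, so nothing to compare
    return recipient_cn(dn).lower() != expected_alias.lower()


def check_account(text: str, expected_alias: str) -> Dict[str, object]:
    """One-call summary for a dump: DN, link state, EX5 recipient, cross-link verdict."""
    attrs = parse_ldp_dump(text)
    return {
        "dn": attrs.get("_dn", [""])[0],
        "two_way_link": has_two_way_link(attrs),
        "ex5_recipient": ex5_recipient_dn(attrs),
        "cross_linked": is_cross_linked(attrs, expected_alias),
    }


def likely_duplicate(dump_a: Dict[str, List[str]], dump_b: Dict[str, List[str]]) -> str:
    """DN of the account that looks like the ADC-created duplicate: the one created
    later, breaking ties in favour of the one that has never been logged into."""
    def key(a: Dict[str, List[str]]):
        created = a.get("whenCreated", ["0"])[0][:14]  # YYYYMMDDhhmmss of generalized time
        logons = int(a.get("logonCount", ["0"])[0])
        return (created, -logons)
    return max((dump_a, dump_b), key=key)["_dn"][0]


if __name__ == "__main__":
    print(check_account(SAMPLE_JOHN, "jdoe"))
    print("duplicate:", likely_duplicate(parse_ldp_dump(SAMPLE_JOHN), parse_ldp_dump(SAMPLE_DUPLICATE)))
```

Pass the alias the user's own mailbox should have, not the mailNickname from the dump: on a cross-linked account the ADC has already stamped the mail attributes from the wrong mailbox, so the dump's own alias is exactly the value you cannot trust.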
mmac
2004-05-17 14:53:28 UTC
Thank you for the detail! I will do this tonight and report back.
mmac
2004-05-18 04:30:18 UTC
You are right on target, the EX5 value is Ztest (geez, you folks are smart!).
What now?

As a side question, can you give me an example of why someone would want to
deal with this nightmare by having more than one mailbox?
I have several that I use, but they are all different accounts that I just
have rights to, and I have several addresses in my properties tab. All that
suits me fine; why could I possibly want more than one?
Dave Howe [MSFT]
2004-05-20 14:48:16 UTC
Sorry about the delay in getting back to you. I'm glad you were able
to better isolate how this happened within your environment.

The cleanup for a crosslinked account is relatively easy for a single
user, but in some instances where you have dozens or hundreds of
these, it can be one of your worst nightmares. And, if the cleanup is
not done correctly, you may end up with mail loss.

IMPORTANT - An Exchange 5.5 object that has been replicated to Active
Directory via a two-way Recipient CA will have a total of 4
msExchADCGlobalNames/ADC-Global-Names values stamped on it. These
values establish a link between the AD user account and the Exchange
5.5 mailbox, and any changes on either side will replicate to the
other.

This is how PSS would advise you to clean up a cross-linked account
should you call in on a support incident for this issue:

1) Perform an Exchange 5.5 backup or use ExMerge to access the two
crosslinked mailboxes and export the contents to PST files. Consider
this "ulcer insurance" ... ;)

2) The next thing you need to do is set the replication Schedule for
the Recipient CA that replicated this information into Active
Directory to NEVER. If you can't figure out which one you need to
temporarily disable, simply stop all instances of the Microsoft Active
Directory Connector service.

3) Next, find the two accounts that are cross-linked in Active
Directory Users and Computers from the Exchange server or from any
server that has the Exchange System Manager installed. Once you
locate them, right click on them, choose Exchange tasks, and choose
Remove Exchange Attributes.

WARNING - If you have not disabled the Recipient CA responsible for
replicating these objects, the Exchange 5.5 mailbox will effectively
be deleted after the next ADC replication cycle. Why? Because when
you Remove Exchange Attributes, you are basically breaking the "link"
between the AD object and the Exchange 5.5 mailbox. We do NOT want
this to replicate back to the Exchange 5.5 side right away and delete
the mailbox.

4) Open the Exchange 5.5 admin program in raw mode and connect to the
Exchange 5.5 server specified under the Connections tab of the
responsible Recipient CA. You can do this by typing admin.exe /r from
the Exchsrvr\BIN folder. Once the Admin program is loaded, locate the
two mailboxes that have been crosslinked, select one of the accounts
and click File > Raw Properties. This will load up an interface that
shows the individual attributes of the mailbox object. Scroll up and
you should see ADC-Global-Names, which should be populated with 4
values. Remove these values for each affected account.

This effectively breaks the link between the AD account and the
Exchange 5.5 mailboxes.

5) Now, on the Resource Mailbox (which I'm assuming is Ztest), open the
properties (not Raw Properties), click on the Custom Attributes tab,
and populate Custom Attribute 10 with the value NTDSNoMatch. What
this will do is prevent Ztest from ever linking to the wrong account
once we enable ADC replication again. Click Apply/OK.

6) If you notice a duplicate account was created in AD, you may want
to go ahead and remove the duplicate. You can check that by using the
LDP dump taken earlier and look at the When Created date which should
read YearMonthDay format... 040520. The one created recently will
most likely be the duplicate AD account. You can also look at the
logons value to see if the AD account has ever been logged into
before.

7) Verify that you have completed Steps 1 - 7 successfully, then start
up the ADC service again or set the Recipient CA replication Schedule
back to Always.

- Ztest should create a new disabled account and link to it.
- Your user should link to correct AD account based on
(objectSID==Primary Windows NT Account).

... if all goes well. :)

Let me see... articles... here's a few:

256862 XADM: How to Correct Mismatched Accounts After Active Directory
http://support.microsoft.com/?id=256862

316886 HOW TO: Migrate from Exchange Server 5.5 to Exchange 2000
Server
http://support.microsoft.com/?id=316886

274173 XADM: Documentation for the NTDSNoMatch Utility
http://support.microsoft.com/?id=274173

Please let me know how this turns out. If you need additional
assistance with this, just ping me by email (***@microsoft.com).

Have a good day!

---

Dave Howe
Microsoft PSS

This posting is provided "AS IS" with no warranties, and confers no rights.
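To make the ordering argument concrete, here is a toy Python model of the matching rule described earlier in the thread (Primary Windows NT Account SID == objectSID, with an account that already carries a mailbox link not reused) and of the NTDSNoMatch override from step 5 above. It is an added example, not the ADC's code: the org name, SIDs and aliases are constructed, the name given to a newly created disabled account is an assumption, and every other ADC matching rule (NTDSContact, SIDhistory and the rest) is left out.

```python
"""Toy model of ADC mailbox-to-account matching order and the NTDSNoMatch override."""
from dataclasses import dataclass
from typing import List, Optional

ORG = "/o=Example/ou=Site1/cn=Recipients"  # constructed org/site


@dataclass
class Mailbox:
    alias: str                  # Exchange 5.5 alias, becomes the last cn= of the legacyExchangeDN
    primary_nt_sid: str         # SID in the mailbox's Primary Windows NT Account
    custom_attribute_10: str = ""  # "NTDSNoMatch" tells the ADC never to match this mailbox


@dataclass
class ADAccount:
    sam: str
    object_sid: str
    enabled: bool = True
    legacy_exchange_dn: Optional[str] = None  # None until the ADC links a mailbox to it


def replicate(mailboxes: List[Mailbox], accounts: List[ADAccount]) -> List[ADAccount]:
    """Replicate mailboxes in list order, mutating and returning `accounts`."""
    for mb in mailboxes:
        target = None
        if mb.custom_attribute_10.lower() != "ntdsnomatch":
            # Match on objectSID; an account that already owns a mailbox link is not reused.
            target = next((a for a in accounts
                           if a.object_sid == mb.primary_nt_sid and a.legacy_exchange_dn is None),
                          None)
        if target is None:
            # No match: the ADC creates a disabled account for the mailbox (name and SID constructed).
            target = ADAccount(sam=mb.alias, object_sid=f"S-1-5-21-NEW-{mb.alias}", enabled=False)
            accounts.append(target)
        target.legacy_exchange_dn = f"{ORG}/cn={mb.alias}"
    return accounts


def cross_linked(accounts: List[ADAccount]) -> List[str]:
    """SAM names of accounts whose legacyExchangeDN names a mailbox alias other than their own."""
    return [a.sam for a in accounts
            if a.legacy_exchange_dn and a.legacy_exchange_dn.rsplit("cn=", 1)[1] != a.sam]


def scenario(ztest_first: bool, ntdsnomatch: bool) -> List[ADAccount]:
    """One user (jdoe) who is Primary Windows NT Account on both his own mailbox and ztest."""
    john = ADAccount(sam="jdoe", object_sid="S-1-5-21-EXAMPLE-1001")  # constructed SID
    jdoe_mb = Mailbox("jdoe", john.object_sid)
    ztest_mb = Mailbox("ztest", john.object_sid, "NTDSNoMatch" if ntdsnomatch else "")
    order = [ztest_mb, jdoe_mb] if ztest_first else [jdoe_mb, ztest_mb]
    return replicate(order, [john])


if __name__ == "__main__":
    for first, fix in ((True, False), (False, False), (True, True)):
        accts = scenario(first, fix)
        print(f"ztest_first={first} ntdsnomatch={fix}: cross-linked={cross_linked(accts)}",
              [(a.sam, a.enabled, a.legacy_exchange_dn) for a in accts])
```

The three runs show the whole story: with Ztest replicating first, John's account ends up holding Ztest's legacyExchangeDN and a disabled duplicate is created for his own mailbox; with his own mailbox first the link is right and Ztest gets the disabled account; and with NTDSNoMatch on Ztest the order no longer matters.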
mmac
2004-05-20 19:05:28 UTC
Thanks, I will try this Monday night, but there are two large holes in the
solution:
Ex5.5 is shut down and removed.
There is no longer an ADC.
Does that make this easier or harder?
Dave Howe [MSFT]
2004-05-20 20:52:57 UTC
Doh. I didn't realize that.

Well, if this is the ONLY server in your environment, no big deal.
Just choose Remove Exchange Attributes on the two accounts as
mentioned previously. Then using Exchange System Manager, navigate
down to the Mailbox Store > Mailboxes, right click on Mailboxes, and
choose Run Cleanup Agent. Next, right click on the mailbox (which
should now have a Red X), and choose Reconnect. Navigate to the
correct AD account and voila, it should be fixed (note: you may get
an error about replication, just ignore it). Do the same for the
other mailbox.

---

Dave Howe
Microsoft PSS

This posting is provided "AS IS" with no warranties, and confers no rights.
mmac
2004-05-20 23:04:35 UTC
Well, that DOES make it easier! :)
Thanks. Will do that instead.
mmac
2004-05-20 23:06:02 UTC
Well, that DOES make it easier!
Thanks.