
In "Get Inside Active Directory Connector Synchronization," February 2006, InstantDoc ID 48589, I outline some of the mechanisms the Active Directory Connector (ADC) uses to synchronize hidden objects, distribution lists (DLs) with hidden membership, and connection agreement (CA) authentication and credential handling. Once you understand the ADC's internal operation and how it processes objects during synchronization, you can fine-tune the ADC to improve synchronization in your environment.

Determining Which Objects to Synchronize
The ADC uses update sequence numbers (USNs) to control synchronization between the Exchange Server 5.5 Directory Service (DS) and Active Directory (AD), much as Exchange 5.5 uses USNs to control intrasite and intersite replication. Each CA uses the values of two attributes, msExchServer1HighestUSN and msExchServer2HighestUSN, to control synchronization from AD to the DS and from the DS to AD, respectively. Both attributes are properties of the CA object itself.

To see how these attributes work, consider DS-to-AD synchronization, which uses msExchServer2HighestUSN. A new CA starts with msExchServer2HighestUSN set to 0. During the initial DS-to-AD synchronization, the ADC sets the attribute to the highest USN it encountered and synchronized on any object in the source DS. During each subsequent cycle, the ADC reads the CA's msExchServer2HighestUSN value (set during the previous cycle), then searches the DS for objects whose USN-Changed attribute is higher than that value; in other words, it selects every object that has changed since the previous synchronization. After synchronizing those objects, the ADC writes the highest USN-Changed value it encountered back to the CA's msExchServer2HighestUSN attribute, and that value becomes the high-water mark for the next cycle.

To prevent the ADC from synchronizing back to AD objects that it previously synchronized from AD into the DS, the ADC also looks at each changed object's Replication-Signature and Object-Version attributes. Each CA has a signature that the ADC defines when the CA is configured. As the ADC synchronizes AD objects into the DS, it writes the CA's signature into the new DS object's Replication-Signature attribute. The ADC also sets or modifies the DS object's Object-Version attribute, which is 1 when an object is first created and is incremented by 1 on each modification, and copies that value into the Replicated-Object-Version attribute as part of the same write. Therefore, an object's Object-Version and Replicated-Object-Version values are identical immediately after AD-to-DS replication. When an object's Replication-Signature matches the CA's signature and its Object-Version is less than or equal to its Replicated-Object-Version, the ADC excludes the object from DS-to-AD synchronization. Any later modification of the object in the DS increments Object-Version past Replicated-Object-Version, so the ADC picks that change up on the next DS-to-AD cycle.
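The selection rule above, as an added example that is not part of the original article or of the ADC's own code: a small Python model of a CA and a handful of constructed DS objects (the names, the CA-1 and CA-2 signatures and the USN values are made up) showing which objects a DS-to-AD cycle picks, how the high-water mark advances even past excluded echoes, and why an object the ADC has just written into the DS is not bounced straight back to AD.

```python
"""Simulation of how a connection agreement (CA) selects Exchange 5.5 DS objects
for DS-to-AD synchronization.  Added example, not ADC code: the object model and
the sample objects are constructed to illustrate the rules described in the text."""

from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class DSObject:
    """The DS attributes the ADC reads when deciding whether to synchronize an object."""
    dn: str
    usn_changed: int                      # USN-Changed, bumped by every write in the DS
    object_version: int                   # Object-Version: 1 at creation, +1 per modification
    replicated_object_version: int = 0    # Replicated-Object-Version, copied by the ADC
    replication_signature: bytes = b""    # Replication-Signature, stamped by the writing CA


@dataclass
class ConnectionAgreement:
    signature: bytes                      # fixed when the CA is configured
    ms_exch_server2_highest_usn: int = 0  # DS-to-AD high-water mark; 0 for a new CA


def echoed_from_this_ca(obj: DSObject, ca: ConnectionAgreement) -> bool:
    """True when the object's current state is what this CA itself wrote into the DS.
    Sending it back to AD would only bounce the same change between the directories."""
    return (obj.replication_signature == ca.signature
            and obj.object_version <= obj.replicated_object_version)


def ad_to_ds_write(obj: DSObject, ca: ConnectionAgreement, new_usn: int) -> None:
    """Model of the ADC writing an AD change into an existing DS object."""
    obj.object_version += 1
    obj.replicated_object_version = obj.object_version   # versions match right after the write
    obj.replication_signature = ca.signature
    obj.usn_changed = new_usn                             # the DS assigns a fresh USN


def run_ds_to_ad_cycle(ds: List[DSObject], ca: ConnectionAgreement) -> List[str]:
    """One DS-to-AD cycle: return the DNs to synchronize and advance the high-water mark."""
    changed = [o for o in ds if o.usn_changed > ca.ms_exch_server2_highest_usn]
    if not changed:
        return []
    # The mark moves past every changed object, including the ones excluded below;
    # otherwise the same echoes would be re-examined on every cycle.
    ca.ms_exch_server2_highest_usn = max(o.usn_changed for o in changed)
    return [o.dn for o in changed if not echoed_from_this_ca(o, ca)]


def demo() -> Tuple[List[str], List[str], List[str], List[str], List[int]]:
    ca = ConnectionAgreement(signature=b"CA-1")
    ds = [
        # created directly in the Exchange 5.5 DS, never touched by any CA
        DSObject("cn=alice", usn_changed=10, object_version=1),
        # last written by this CA: Object-Version == Replicated-Object-Version
        DSObject("cn=bob", usn_changed=15, object_version=2,
                 replicated_object_version=2, replication_signature=b"CA-1"),
        # written by this CA, then modified in the DS: Object-Version moved on
        DSObject("cn=carol", usn_changed=20, object_version=3,
                 replicated_object_version=2, replication_signature=b"CA-1"),
        # written by a different CA; its signature does not match ours
        DSObject("cn=dave", usn_changed=25, object_version=1,
                 replicated_object_version=1, replication_signature=b"CA-2"),
    ]
    marks: List[int] = []
    first = run_ds_to_ad_cycle(ds, ca)          # alice, carol and dave; bob is an echo
    marks.append(ca.ms_exch_server2_highest_usn)
    second = run_ds_to_ad_cycle(ds, ca)         # nothing has changed since
    marks.append(ca.ms_exch_server2_highest_usn)
    ds[0].usn_changed, ds[0].object_version = 30, 2   # alice modified in the DS
    third = run_ds_to_ad_cycle(ds, ca)          # alice again
    marks.append(ca.ms_exch_server2_highest_usn)
    ad_to_ds_write(ds[0], ca, new_usn=35)       # ADC writes an AD change into alice
    fourth = run_ds_to_ad_cycle(ds, ca)         # that write is not echoed back to AD
    marks.append(ca.ms_exch_server2_highest_usn)
    return first, second, third, fourth, marks


if __name__ == "__main__":
    print(demo())
```

The model keeps the check deliberately narrow: only the combination of a matching signature and a non-advanced Object-Version suppresses an object. An object written by another CA, or modified in the DS after this CA wrote it, still flows back to AD.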

AD-to-DS synchronization works the same way, except that it uses msExchServer1HighestUSN rather than msExchServer2HighestUSN, because AD also tracks changes by USN for its own intrasite and intersite replication. It is slightly more complicated than DS-to-AD synchronization because AD replicates at the attribute level rather than the object level. Therefore, in addition to USN values, the ADC compares the sum of each AD object's per-attribute version numbers during AD-to-DS synchronization.

ADC Block Searching
During an initial synchronization between AD and the DS, the ADC might select many thousands of objects, depending on the number of objects defined in the source directories. For example, in a large AD implementation with 100,000 defined objects, all 100,000 objects must be synchronized during the initial synchronization or a complete resynchronization. Without some form of checkpointing, an external factor such as a network-link failure or a remote-system power failure would force synchronization to restart from the beginning.

To avoid unnecessary resynchronization, the ADC processes objects in USN windows of 10,000. It first searches the source directory (AD, in this example) for the highest USN-Changed value present. The first pass then processes only objects whose USN-Changed value lies between the current msExchServer1HighestUSN value and msExchServer1HighestUSN+10000 (or the highest USN-Changed value found, if that is lower). After the changed objects in that range have been processed and committed to the DS, the ADC increments msExchServer1HighestUSN by 10,000. If the new value is still less than the highest USN-Changed value found, the ADC processes the next window of AD objects. The procedure continues until all eligible objects have been processed and the highest USN-Changed value has been written to msExchServer1HighestUSN. If a failure occurs during synchronization, only the current window has to be reprocessed. Note that every write to the directory consumes a USN, not just writes to objects the CA cares about, so a window of 10,000 USNs usually contains far fewer than 10,000 objects.

Committing ADC Changes to AD
The ADC caches a significant amount of information to improve performance. For example, it caches msExchServer1HighestUSN and msExchServer2HighestUSN and writes them to AD only occasionally: the updates made after each synchronization cycle or search block (described in the previous section) apply only to the memory-resident copies.

In general, the cached msExchServer1HighestUSN and msExchServer2HighestUSN values are written to AD every 24 hours. For new CAs, the updates are committed to AD every 30 minutes. (A new CA is one that is executing its first synchronization cycle, which typically takes a long time, depending on factors such as network bandwidth and DS and AD system performance.) The more frequent commits account for the large amount of data that typically synchronizes soon after a CA is first configured: if the ADC server fails, the cached marks since the last write are lost and the CA resumes from the values stored in AD, so the resynchronization work that results is limited to at most 30 minutes' worth for a new CA. The ADC writes the values to AD immediately when the ADC service is stopped, at the end of a CA's first synchronization cycle, and when a CA moves from one ADC server to another.
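To make the block searching of the previous section and the commit caching described above concrete, here is an added simulation written for this page in Python; it is not ADC code, and the source directory, the ten-minute block time and the failure points are constructed. It shows that a link failure costs only the current 10,000-USN window, whereas an ADC server crash costs everything since the last commit of the high-water mark to AD, which is why the 30-minute interval for new CAs matters.

```python
"""Simulation of ADC block searching and high-water-mark caching.  Added example,
not ADC code: the source directory, timings and failure injection are constructed
to show how much work is redone after a link failure versus an ADC server crash."""

from typing import Dict, Iterable, List, Optional

BLOCK_SIZE = 10_000                # width of one USN-Changed search window (from the text)
NEW_CA_COMMIT = 30 * 60            # new CA: cached marks written to AD every 30 minutes
ESTABLISHED_CA_COMMIT = 24 * 3600  # established CA: every 24 hours


def search_block(usn_changed: Iterable[int], low: int, high: int) -> List[int]:
    """One LDAP search for objects with low < USN-Changed <= high.  USNs are sparse
    (every directory write consumes one), so a window holds at most, and usually far
    fewer than, BLOCK_SIZE objects."""
    return sorted(u for u in usn_changed if low < u <= high)


class Clock:
    def __init__(self) -> None:
        self.now = 0.0  # seconds since the CA object was last read from AD


class CAState:
    """One direction's high-water mark: the cached copy and the copy stored in AD."""

    def __init__(self, commit_interval: float) -> None:
        self.in_memory_hwm = 0       # cached msExchServer1HighestUSN (memory-resident)
        self.committed_hwm = 0       # value actually written to the CA object in AD
        self.commit_interval = commit_interval
        self.last_commit_time = 0.0

    def maybe_commit(self, now: float, force: bool = False) -> bool:
        """Write the cached mark to AD when the interval has elapsed (or when forced:
        service stop, end of first cycle, CA moved to another ADC server)."""
        if force or now - self.last_commit_time >= self.commit_interval:
            self.committed_hwm = self.in_memory_hwm
            self.last_commit_time = now
            return True
        return False

    def restart_after_crash(self) -> None:
        """The ADC service comes back and re-reads the CA object: the cached mark is gone."""
        self.in_memory_hwm = self.committed_hwm


def run_sync(source: List[int], ca: CAState, clock: Clock, block_seconds: float,
             link_failure_on_block: Optional[int] = None,
             crash_on_block: Optional[int] = None) -> int:
    """Drive one AD-to-DS cycle in USN windows and return the number of objects
    searched, including any that had to be reprocessed after a failure."""
    searched = 0
    highest = max(source)         # the highest USN-Changed found in the source directory
    block_no = 0
    while ca.in_memory_hwm < highest:
        block_no += 1
        low = ca.in_memory_hwm
        high = min(low + BLOCK_SIZE, highest)
        objs = search_block(source, low, high)
        searched += len(objs)
        clock.now += block_seconds          # time spent writing this window into the DS
        if block_no == link_failure_on_block:
            link_failure_on_block = None    # the link comes back; the retry succeeds
            continue                        # cached mark untouched: only this window is redone
        if block_no == crash_on_block:
            crash_on_block = None
            ca.restart_after_crash()        # resume from whatever AD holds
            continue
        ca.in_memory_hwm = high             # window committed to the DS
        ca.maybe_commit(clock.now)
    ca.maybe_commit(clock.now, force=True)  # end of cycle: always written through
    return searched


def scenarios() -> Dict[str, int]:
    """Run the same constructed source through four failure scenarios."""
    # 1,200 objects with USN-Changed values spread 37 apart (a stand-in for a busy
    # directory where most USNs belong to writes the CA never sees), so the cycle
    # needs five windows; each window takes 10 minutes to write into the DS.
    source = [1 + 37 * i for i in range(1200)]
    results: Dict[str, int] = {}

    ca = CAState(NEW_CA_COMMIT)
    results["clean"] = run_sync(source, ca, Clock(), 600)
    results["final_hwm"] = ca.committed_hwm

    # The link to the DS drops while window 3 is being written, then comes back.
    results["link_failure"] = run_sync(source, CAState(NEW_CA_COMMIT), Clock(), 600,
                                       link_failure_on_block=3)

    # The ADC server crashes during window 4.  New CA: marks were committed at 30 min.
    results["crash_new_ca"] = run_sync(source, CAState(NEW_CA_COMMIT), Clock(), 600,
                                       crash_on_block=4)

    # Same crash with the 24-hour interval: nothing had been committed yet.
    results["crash_established_ca"] = run_sync(source, CAState(ESTABLISHED_CA_COMMIT),
                                               Clock(), 600, crash_on_block=4)
    return results


if __name__ == "__main__":
    print(scenarios())
```

In the clean run all 1,200 objects are searched once. A link failure re-searches one window (270 extra objects). A crash on a new CA also costs one window because the mark had been committed at the 30-minute point, whereas the same crash on a 24-hour commit interval throws away all four windows already written (1,082 extra objects).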

A CA's vector attributes are also important to AD synchronization. The msExchServer2HighestUSNVector attribute isn't used, but the ADC populates and uses the msExchServer1HighestUSNVector attribute. This attribute is multivalued and relevant only on Windows Server 2003 or Windows 2000 Server systems. It holds the highest committed USN for each domain controller (DC) the CA has contacted during its lifetime; USNs are local to each DC, so a high-water mark taken from one DC says nothing about another. For example, if you configure a CA to synchronize from a DC named CTZDC01, then modify the configuration so that synchronization occurs from a DC named CTZDC02, you'll see two values for the msExchServer1HighestUSNVector attribute: one for the highest committed USN on CTZDC01 and the other for the highest committed USN on CTZDC02. The ADC stores this information so that no objects are missed when a CA is pointed at a different DC or rehomed to another ADC server.

ADC Scheduling and Polling Intervals
The ADC uses a polling-based mechanism to request changes from the DS and AD. Each request for changes and any subsequent replication activity represent a synchronization cycle. In a two-way CA, the ADC by default checks for changes in the DS first, then in AD; you can edit the CA's properties to change this order. As Figure 1 shows, you can configure replication to occur never, always, or at selected times. The ADC's Schedule tab resembles the Exchange 5.5 directory replication connector (DRC) Schedule tab. However, selecting Always for ADC replication configures the ADC to attempt synchronization every 5 minutes, whereas selecting Always for DRC replication configures replication to occur every 15 minutes.

When you configure replication to occur at selected times, you can specify 1-hour or 15-minute increments. The ADC begins polling at each time you select on the schedule grid. However, a cycle doesn't necessarily last for 1 hour or for 15 minutes; cycles run until they finish. If synchronization finishes in less than the specified time (i.e., 1 hour or 15 minutes), the ADC waits until the next selected time on the schedule to start another synchronization cycle.

You can fine-tune synchronization behavior. When the ADC is processing a large number of object modifications, a synchronization cycle might last many hours. You can set the default number of seconds to wait between synchronization cycles to force interruptions to such a cycle. Edit the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSADC\Parameters registry subkey. Add an entry with the name Synch Sleep Delay, type REG_DWORD, and set the entry's data value to the number of seconds to wait between cycles.

With only Synch Sleep Delay set, the ADC synchronizes for the defined number of seconds, pauses for the same number of seconds, then resumes. To let the ADC synchronize for longer between pauses, also add a Max Continuous Sync entry of type REG_DWORD to the same HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSADC\Parameters subkey and set its value to the number of seconds synchronization should run without interruption; Synch Sleep Delay then governs only the length of the pause.

The ADC uses LDAP to access the DS and AD. In addition, as the ADC determines whether to synchronize objects, it executes an LDAP search based on the container and organizational unit (OU) information you specified on the CA. LDAP operations are costly in terms of resource overhead, and they impose a significant load on the CPU of the systems on which searches are executed. Executing frequent LDAP searches reduces performance on the Exchange 5.5 servers and AD servers that host CA endpoints.

If you want synchronization to occur frequently, you need dedicated systems to host CA endpoints. For example, you might employ a dedicated (i.e., hosting no mailboxes) Exchange 5.5 server in every site in which CAs terminate. You can use an existing server, such as a site bridgehead or connector server. You also need a dedicated AD server. Although you need multiple dedicated Exchange 5.5 servers, you need to use only one dedicated AD server; AD information is readable and writeable anywhere in the forest, whereas the DS containers are read-only outside their home site.

CA scheduling is important. Configure CA synchronization to occur after you move or update objects in AD and the DS. For example, if you migrate users from Exchange 5.5 to Exchange Server 2003 overnight, use the Selected times synchronization option to run the CA immediately afterward. For typical user account migration, select Always on the synchronization schedule.

Ordinarily, a full replication occurs only the first time the ADC activates a CA. Selecting the Replicate the entire directory the next time the agreement is run check box forces the ADC to check all directory objects for consistency and replace objects if it detects discrepancies between the directories. Consistent objects aren't replicated. Regularly running complete replications causes no adverse effects, other than the extra time, bandwidth, and LDAP load on the CA endpoints that a full comparison consumes.

To force a full replication from the DS to AD, set msExchServer2HighestUSN to 0; to force a full replication from AD to the DS, set msExchServer1HighestUSN to 0. Setting msExchDoFullReplication to TRUE forces a full replication in both directions. All three are attributes of the CA object, so you can set them with ADSI Edit.

LDAP Paged Results
You can specify the size of a page that the ADC expects to receive as the result of an LDAP search. Set the Windows Server entries per page value for AD and Exchange Server entries per page value for the DS to reflect the desired page size. These settings are part of the CA's properties. You need to configure both settings on a two-way CA; only the appropriate setting is available for a one-way CA.

Paging groups together objects that are being synchronized, to improve performance. Large page sizes have more entries per page and therefore result in fewer requests to AD and the DS. However, large pages require more memory.

The default page-size setting for the ADC is 20 entries per page. AD and the DS must be able to return at least as many entries per page as the ADC requests. With the ADC's default of 20 entries per page, AD and the DS can be configured to return pages with more than 20 entries; configuring either to return fewer than 20 entries results in replication errors.

The Exchange 5.5 LDAP service's default configuration is to return 100 entries per page. To modify this setting, change the Maximum number of search results returned value on the LDAP Properties dialog box's Search tab, as Figure 2 shows.

By default, Win2K AD servers return 1000 entries in an LDAP page; Windows 2003 AD servers return 1500 entries. You can use the Ntdsutil utility to modify the AD LDAP page size. Run the utility and enter the commands that Listing 1 shows. (For more information about Ntdsutil, see the Windows IT Pro article "Using Ntdsutil to Defrag AD," June 2003, InstantDoc ID 38945.) This script updates the lDAPAdminLimits attribute on AD's default query policy. You can use ADSI Edit to see the lDAPAdminLimits attribute's value (under Configuration Naming Context/Services/WindowsNT/Directory Service/Query-Policies), as Figure 3 shows.

In most cases, the default LDAP page settings are sufficient and you don't need to modify them. If you decide to make changes, consult Microsoft Product Support Services (PSS) or other experts. Without modifying the source directory systems, you can configure the ADC to process 100 entries from the Exchange 5.5 LDAP service and 1000 entries from AD to gain a small performance improvement. But even this change is valuable only if you expect significant data volumes during synchronization.

Fine-Tune at Will
The ADC provides solid functionality to help Exchange 5.5 environments work seamlessly with Exchange 2003 environments. The ADC's default configuration is adequate for most situations, but you can fine-tune the ADC to improve synchronization in your environment.

Kieran McCorry (kieran.mccorry@hp.com), based in Ireland, is a principal consultant in HP's Advanced Technology Group and a Microsoft Exchange MVP. His most recent book is Microsoft Exchange Server 2003 Deployment and Migration (Digital Press).