Microsoft Exchange 2000 Server Administrator's Companion


The Active Directory Cleanup Wizard (Adclean.exe) is designed to merge duplicate accounts into one account when you migrate multiple directories or merge them with Active Directory. If you are migrating user accounts from more than one source, it is possible that you will encounter duplicate user accounts. This duplication can occur, for example, when you are merging multiple domains into Active Directory or when you are importing multiple user lists into Exchange 2000 Server. It can also occur if you need to install Exchange 2000 Server before you are able to upgrade your PDCs to Windows 2000. During the upgrade process, duplicate accounts will be created in Active Directory.

The Active Directory Cleanup Wizard will search Active Directory for duplicate Windows NT accounts that reference the same user. After finding the duplicates, it will offer suggestions for eliminating the duplicate accounts. Once you have made your selections, the wizard will merge the multiple accounts into one account, along with their attributes and properties.

The wizard looks for an active account and a disabled account that reference the same user. It also looks for an active account and a contact that reference the same user. When looking for active and disabled accounts, the wizard searches for the same security identifier (SID) on more than one object, checking the attributes msExchMasterAccountSid, objectSid, and sIDHistory. If it finds a match, the objects are merged.

How are two or more objects created with the same SID in Active Directory? Let's assume that you have created an Active Directory Connector (ADC) connection agreement between your Windows NT 4 domain and Active Directory. On the Advanced tab of the connection agreement's property sheet, under When Replicating A Mailbox Whose Primary Windows Account Does Not Exist In The Domain, you have selected Create A Disabled Windows User Account. This means that when the ADC synchronizes a mailbox in Exchange Server 5.5 whose primary Windows NT account does not exist in the domain, a disabled user account is created for it in Active Directory.

Even though the account is disabled, Active Directory gives it a new SID of its own (its objectSid). The ADC also records the SID of the mailbox's original Windows NT 4 account on the new object, in the msExchMasterAccountSid attribute and in the mailbox security descriptor (msExchMailboxSecurityDescriptor), so the old SID is now present in Active Directory on an object that is not the account it belongs to. When the Windows NT 4 account itself is later upgraded or migrated into Active Directory, its SID arrives a second time, as the objectSid or the sIDHistory of another object. The same SID now appears on two objects, and it is necessary to merge them.

When matching an active user object and a contact object, the wizard compares the attributes cn and displayName. In addition, it compares the attributes mailNickname (Alias) and sAMAccountName (Login ID) for possible duplications. If there is a duplication in either pairing, you will be given the option to merge the objects. These types of duplications occur most often when you have an X.400 Connector to a foreign e-mail system and contacts have been created for its users.

With the Active Directory Cleanup Wizard, you can do the following:

- Identify duplicate objects to be merged
- Review and modify merge operations
- Export and import lists of accounts
- Use command-line options to run the wizard

Let's look at each of these options more closely.

Identify Duplicate Objects to Be Merged

You can instruct the wizard to search Active Directory for duplicate accounts. You can do this at one of three levels. First, you can have the wizard search the entire forest for duplicate accounts. Second, you can specify the containers and subcontainers that you want the wizard to search; Figure 14-15 shows an example of this type of search. Third, you can select the accounts to merge yourself, as described below.

Figure 14-15. Searching containers and subcontainers for duplicate accounts.

The container that you select will show up under Container. The check box to search all subcontainers is selected by default. If you do not want the wizard to search the subcontainers, you'll need to clear this box before starting your search.

If you know which accounts you want to merge in Active Directory, you can select them manually instead of having the wizard search Active Directory for them. If you plan to do this, the target object must already exist, because you'll be merging a source object with the target object. After the merge is complete, the source object will no longer exist. Figure 14-16 demonstrates this technique.

If the source account is disabled and the target account is active, the two accounts must belong to the same forest, and their domains must be in native mode. The reason is that the wizard preserves the source account's SID by adding it to the target account's sIDHistory, and a mixed-mode domain does not support sIDHistory. If the domains are not in native mode, when you attempt to select the second account for the merge, regardless of whether it is the source or the target, you'll receive the error message shown in Figure 14-17.

Figure 14-16. Selecting merge accounts.

Figure 14-17. Error message: Source SID will be lost.

After you have chosen the two accounts to merge into one, you will be given the choice to either merge the accounts immediately or have them exported to a .CSV file from which you can import and merge them at a later date. Once the merge is complete, the log entries of the merge will be shown on the last screen of the wizard and will also be recorded in the Adclean.log file in your Exchsrvr\bin directory. Figure 14-18 shows what the log file looks like.

Figure 14-18. Adclean.log file report.

Another way to identify duplicate users is to create a list, using the wizard's export/import function. You can modify this list and then import it back into Active Directory.

A couple of restrictions apply to manual account merges. First, the target object must be an active user. If you select an inactive user as your target object, you will be reminded of this restriction and will be forced to choose an active user. An active user is one whose account is enabled.

Second, you cannot merge two users who are both mail enabled, because their mailboxes cannot be merged in Exchange 2000 Server. At most one of the two objects may be mail enabled; if the target is mail enabled, the source must not be. And third, if both accounts are active, they must belong to the same domain. You cannot merge two active objects that are not in the same domain.

Review and Modify Merge Operations

Once you've identified the duplicate accounts, you should review and, if necessary, modify merge operations that the wizard is ready to perform. Perform this task before you begin merging accounts in Active Directory. Once the merge process is complete, you cannot undo the operation. Here are some guidelines to keep in mind:

Export and Import Lists of Accounts

You can export duplicate accounts to a .CSV file for review and modification before performing the merge process. You might want to do this if you suspect that your Active Directory contains a large number of duplicate accounts. Exporting to a .CSV file is handy in the following circumstances:

After you have exported the information to a .CSV file, you can make your adjustments and then use the file as a source for the merge process.

Use Command-Line Options to Run the Wizard

If you would rather start the merge from the command line than from the graphical interface, use Table 14-1 to help you.

Table 14-1. Command-line options for the Adclean command

/?
  Displays the available command-line options.
  Example: Adclean /?

/S
  Searches for duplicate accounts and saves them as a list of merge operations in a .CSV file in your working directory. Used on its own, /S searches your entire forest for duplicate accounts; the time this takes depends on the size of Active Directory and the number of duplicate accounts in it. To restrict the search to particular containers, see the /C option.
  Example: Adclean /S

/C
  Used with the /S option to specify the containers that you want to search for duplicate accounts. The result of this search is a Merge.csv file, saved in your working directory, that lists the merge operations found when searching the containers designated in the Container.csv file you have created.
  Example: Adclean /S /C:D:\Exchsrvr\Bin\<ContainerFileName.csv>
  where D:\Exchsrvr\Bin\<ContainerFileName.csv> is the location of the .CSV file that lists the directory containers you want to search. Before you can use the /C option, you must create this file yourself in an application that can save plain text (such as Notepad). The file must have the word "Containers" on its first line and must then list the path of one container per line. In the previous example, the text in the <ContainerFileName.csv> file might be as follows:

  Containers
  server1.east.airlines.international.com/Users

/M
  Performs the merge operations listed in the .CSV file in the working directory. A merge with only the /M option specified merges only the duplicate accounts listed in the .CSV file in the directory in which Adclean.exe is installed.
  Example: Adclean /M

/O
  Used with the /M option to merge duplicate accounts based on a .CSV file that you specify.
  Example: Adclean /M /O:D:\Exchsrvr\Bin\<MergeFileName.csv>
  where D:\Exchsrvr\Bin\<MergeFileName.csv> is the location of a file that contains the list of merge operations you want to perform.
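The two duplicate rules described earlier (the same SID found across objectSid, sIDHistory, and msExchMasterAccountSid; an active user and a contact matching on cn, displayName, or mailNickname/sAMAccountName) and the Containers file that the /C option reads can be exercised before you run Adclean at all. The following PowerShell script is an added example written for this page; it is not part of the book, of Adclean, or of Exchange 2000 Server. It queries the current domain through System.DirectoryServices, reports the objects that are candidates under either rule, and writes a Containers.csv (the file name and location are this script's choice, not a product default) naming the containers that hold them, in the domain/OU form shown in the table, so that a subsequent Adclean /S /C: run can be limited to those containers. The exact attribute pairing used for the user-versus-contact comparison, and the decision to ignore well-known SIDs such as SELF, are this script's assumptions and are marked as such in the code.

```powershell
# Added example, not from the book, Adclean, or Exchange 2000 Server.
# Applies the wizard's two duplicate rules against the current domain and
# writes a Containers.csv for "Adclean /S /C:" scoped to the containers that
# hold the candidates. Assumptions: run on a forest-joined machine as a user
# with read access to the domain; the file name/location below is our choice.

$containersFile = Join-Path $PWD "Containers.csv"   # assumed, not a product default

$rootDse  = [ADSI]"LDAP://RootDSE"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
$searcher.PageSize   = 1000                       # paged results for large directories
$searcher.Filter     = "(objectCategory=person)"  # users (enabled or disabled) and contacts
[void]$searcher.PropertiesToLoad.AddRange([string[]]@(
    "distinguishedName", "canonicalName", "objectClass", "userAccountControl",
    "cn", "displayName", "mailNickname", "sAMAccountName",
    "objectSid", "sIDHistory", "msExchMasterAccountSid"))

# First value of an attribute, or $null when the object does not carry it.
function Get-First($props, $name) {
    if ($props.Contains($name) -and $props[$name].Count -gt 0) { [string]$props[$name][0] } else { $null }
}

$sidOwners     = @{}   # "S-1-5-21-..." -> objects carrying that SID and the attribute it sits in
$users         = @()   # enabled user accounts (rule 2 compares only these against contacts)
$contacts      = @()
$dupContainers = @{}

foreach ($r in $searcher.FindAll()) {
    $p  = $r.Properties
    $dn = [string]$p["distinguishedname"][0]
    # Parent container in canonical form (domain.dns.name/OU), the form Containers.csv uses;
    # fall back to the parent DN if the constructed canonicalName was not returned.
    $canon = Get-First $p "canonicalname"
    $container = if ($canon) { $canon.Substring(0, $canon.LastIndexOf("/")) } else { $dn.Substring($dn.IndexOf(",") + 1) }

    # Rule 1: collect every SID the wizard compares, whichever attribute it sits in.
    foreach ($attr in "objectsid", "sidhistory", "msexchmasteraccountsid") {
        if (-not $p.Contains($attr)) { continue }
        foreach ($raw in $p[$attr]) {   # values arrive as byte[]
            $sid = (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
            # Assumption: well-known SIDs such as SELF (S-1-5-10) may legitimately appear on
            # many objects as msExchMasterAccountSid; only domain SIDs identify an account.
            if ($sid -notlike "S-1-5-21-*") { continue }
            if (-not $sidOwners.ContainsKey($sid)) { $sidOwners[$sid] = @() }
            $sidOwners[$sid] += [pscustomobject]@{ DN = $dn; Attr = $attr; Container = $container }
        }
    }

    # Rule 2 inputs: contacts, and users whose ACCOUNTDISABLE bit (0x2) is clear.
    $rec = [pscustomobject]@{
        DN = $dn; Container = $container
        CN = Get-First $p "cn"; DisplayName = Get-First $p "displayname"
        Alias = Get-First $p "mailnickname"; Login = Get-First $p "samaccountname"
    }
    $uac = Get-First $p "useraccountcontrol"
    if (@($p["objectclass"]) -contains "contact")            { $contacts += $rec }
    elseif ($null -ne $uac -and ([int]$uac -band 2) -eq 0)  { $users += $rec }
}

# Rule 1 report: a SID counts as duplicated only when it sits on two or more distinct objects.
foreach ($kv in $sidOwners.GetEnumerator()) {
    $distinct = @($kv.Value | Select-Object -ExpandProperty DN -Unique)
    if ($distinct.Count -lt 2) { continue }
    Write-Output ("Rule 1: SID {0} is on {1} objects" -f $kv.Key, $distinct.Count)
    foreach ($o in $kv.Value) {
        Write-Output ("    {0} [{1}]" -f $o.DN, $o.Attr)
        $dupContainers[$o.Container] = $true
    }
}

# Rule 2: index enabled users by cn, displayName, and alias/login, then look each contact up.
# Assumed pairing: cn<->cn, displayName<->displayName, contact mailNickname<->user mailNickname
# or sAMAccountName. PowerShell hashtable keys are case-insensitive, as these AD names are.
$userIndex = @{}
foreach ($u in $users) {
    foreach ($key in "cn:$($u.CN)", "dn:$($u.DisplayName)", "alias:$($u.Alias)", "alias:$($u.Login)") {
        if ($key -match ':$') { continue }    # attribute not set on this user
        if (-not $userIndex.ContainsKey($key)) { $userIndex[$key] = @() }
        $userIndex[$key] += $u
    }
}
foreach ($c in $contacts) {
    foreach ($key in "cn:$($c.CN)", "dn:$($c.DisplayName)", "alias:$($c.Alias)") {
        if ($key -match ':$' -or -not $userIndex.ContainsKey($key)) { continue }
        foreach ($u in $userIndex[$key]) {
            Write-Output ("Rule 2: contact {0} matches user {1} on {2}" -f $c.DN, $u.DN, $key.Split(":")[0])
            $dupContainers[$c.Container] = $true
            $dupContainers[$u.Container] = $true
        }
    }
}

# Containers.csv: the word "Containers" on the first line, then one container path per line.
if ($dupContainers.Count -gt 0) {
    Set-Content -Path $containersFile -Encoding ASCII -Value (@("Containers") + @($dupContainers.Keys | Sort-Object))
    Write-Output "Wrote $containersFile; next: Adclean /S /C:$containersFile"
} else {
    Write-Output "No duplicate candidates found."
}
```

Run it from the directory you intend to use as Adclean's working directory, review the Rule 1 and Rule 2 lines against the restrictions on manual merges (the target must be an enabled user, at most one object may be mail enabled, two active accounts must share a domain), and only then run Adclean /S /C: with the generated file. The script reads the directory only; it changes nothing.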

Other Considerations

You should be aware of a couple of other considerations when using the Active Directory Cleanup Wizard. First, if the source object is mail enabled and the target object is not, the mail-enabled attributes will be transferred to the target object. Second, the SID and the SID history of the source user account are transferred to the SID history of the target user account; the SID of the target user account is retained as the object's primary SID. And finally, attributes are transferred in the following manner:
