Article ID: 274173
This article was previously published under Q274173
This article has been archived. It is offered "as is" and will no longer be updated.
This article explains how to install and use the NTDSNoMatch utility. It also describes the algorithm used by NTDSNoMatch.
NOTE: The NTDSNoMatch utility is also known as NTDSAtrb. NTDSAtrb is on the Exchange 2000 SP1 CD and on the SP2 CD in the Server\Support\Utils\I386 folder.
When you use the Active Directory Connector (ADC) to synchronize a Microsoft Exchange Server 5.5 organization with Active Directory, and you have multiple mailboxes with the same primary Microsoft Windows NT account, you can control how the ADC matches the mailboxes to Active Directory user accounts.
In Microsoft Exchange 2000 Server, unlike Exchange Server 5.5, a mailbox is an attribute of an object in Active Directory, not an object itself. Therefore, each user object in Active Directory can only be matched to one mailbox. For every mailbox that exists in the information store, a matching object must exist in Active Directory. This difference allows you to retain the permissions set directly on the mailbox object, such as delegate and additional mailbox owner permissions.
By default, the ADC creates disabled users in Active Directory if it cannot match a mailbox to a user. Additionally, a custom attribute can be set on the mailbox to force the ADC to create a new object instead of matching it to an existing user. To do this, set Custom Attribute 10 to NTDSNoMatch. When you set this attribute on resource-type mailboxes, ADC is able to match a mailbox that does not have the NTDSNoMatch option set to the correct user account.
The NTDSNoMatch utility can be used to help perform this task. It checks for mailboxes with a duplicate primary Windows NT account, and determines if the mailbox is the primary mailbox or a resource mailbox. Then, it creates a comma-separated value (.csv) file that you can import into the Exchange 5.5 directory. This file automatically sets Custom Attribute 10 to NTDSNoMatch for the resource mailboxes.
Installing NTDSNoMatch
NTDSNoMatch can be installed on any Windows 2000 computer. It does not need to be installed on the Exchange 5.5 server. To install NTDSNoMatch, copy the files listed below to the local computer and then run the Setup executable:
Using NTDSNoMatch
Before running NTDSNoMatch, check to make sure you meet the following prerequisites:
Use the following syntax if the Exchange server is using a port different than 389:
ntdsatrb servername:port#
NOTE: If the Windows 2000-based computer on which you are running NTDSNoMatch is not in the same domain as the Exchange 5.5 server, you can use the RUNAS command to launch NTDSNoMatch with the proper credentials. Here is an example assuming that the account you want to use is EXCHDOMAIN\Administrator to connect to a server named EXCHSERVER.
CSV files generated
The output of NTDSNoMatch is a series of CSV files. A CSV file is created per site, which can be directly imported into Exchange 5.5 Administrator. Each CSV file is named based on the site name, i.e. Sitename.csv. In addition, a general NTDSNoMatch.CSV file is created for custom configurations. This file cannot be directly imported into Exchange 5.5, and requires manual editing. All CSV files will have an entry for every mailbox that has a duplicate Primary NT account. The mailboxes that were determined to be resource mailboxes will have Custom Attribute 10 set to "NTDSNoMatch". All CSV files are saved to the same directory as the NTDSNoMatch utility.
NOTE: It is strongly recommended that you examine the CSV files carefully before importing into Exchange 5.5 to ensure the correct mailboxes are listed. The CSV files can be modified as necessary before importing.
After the directory import into the Exchange 5.5 server and the initial replication cycle of the Active Directory Connector have completed, the Primary Windows NT Account shown in the Exchange 5.5 Administrator program will be changed to reflect ActiveDirectoryDomain\AliasName.
This is because when you set NTDSNoMatch on a mailbox, the ADC sets the "Associated External Account" right on SELF, which references back to the disabled user created by the ADC. When the ADC replicates from Windows back to Exchange, this updates the Primary Windows NT Account in 5.5 to point to the disabled AD user. This is by design.
In addition, in Active Directory the Original Windows NT4 account that had been associated with this Exchange 5.5 mailbox will be added as an account with permissions to the newly created Disabled User Account.
Description of the algorithm used by NTDSNoMatch
NTDSNoMatch does a simple check to determine whether to stamp NTDSNoMatch into Custom Attribute 10 on a mailbox.
If the alias of the mailbox matches the Security Accounts Manager (SAM) account name, then the mailbox is considered to be the primary mailbox, and NTDSNoMatch is not stamped. If the alias does not match the SAM account name, then NTDSNoMatch is stamped on the mailbox.
For example, if you have three mailboxes, a primary mailbox and two resource mailboxes, and all three mailboxes have a primary Windows NT account of Exchdomain\MailboxOwner, the following table tells you if NTDSNoMatch is stamped on the mailbox:
Some organizations do not have a standardized naming convention, and the mailbox alias name is not the same as the SAM account name. For example, some companies have a policy of using the employee ID number as the SAM account name.
In such cases, there may be three (or more) mailboxes, say MBX1, MBX2 and MBX3, which are all associated with the same SAM Account Name of, say, 0123456. MBX1 is the "real" mailbox and MBX2 and MBX3 are the resource mailboxes. When the NTDSAtrb program executes, it will stamp the NTDSNoMatch attribute for all three mailboxes. The Administrator must then check this file and determine which of these accounts really must have NTDSNoMatch stamped.
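The check described above, together with the review case where no alias matches the SAM account name, can be sketched as follows. This is an added example, not the utility's own code: the sample mailboxes, the function names, and the case-insensitive comparison are assumptions made for illustration.

```python
from collections import defaultdict

NO_MATCH = "NTDSNoMatch"

# Constructed sample data: (mailbox alias, primary Windows NT account).
SAMPLE_MAILBOXES = [
    ("MailboxOwner", r"Exchdomain\MailboxOwner"),
    ("ConfRoom1", r"Exchdomain\MailboxOwner"),
    ("ConfRoom2", r"Exchdomain\MailboxOwner"),
    ("MBX1", r"Exchdomain\0123456"),
    ("MBX2", r"Exchdomain\0123456"),
    ("MBX3", r"Exchdomain\0123456"),
    ("Solo", r"Exchdomain\Solo"),
]


def sam_name(nt_account):
    """Return the SAM account name part of DOMAIN\\name."""
    return nt_account.rsplit("\\", 1)[-1]


def classify(mailboxes):
    """Apply the alias-versus-SAM check to mailboxes sharing a primary account.

    Returns (rows, review). rows holds one (alias, account, attr10) tuple per
    mailbox in a duplicate group; review lists the accounts for which every
    mailbox was stamped, so an administrator has to pick the real primary.
    """
    groups = defaultdict(list)
    for alias, account in mailboxes:
        # Assumption: account and alias comparisons ignore case.
        groups[account.lower()].append((alias, account))

    rows, review = [], []
    for members in groups.values():
        if len(members) < 2:
            continue  # unique primary account: not reported at all
        primaries = 0
        for alias, account in members:
            is_primary = alias.lower() == sam_name(account).lower()
            primaries += is_primary
            rows.append((alias, account, "" if is_primary else NO_MATCH))
        if primaries == 0:
            review.append(members[0][1])  # e.g. employee-ID SAM names
    return rows, review
```

Accounts returned in `review` are the ones to check by hand in the CSV files before import, since the alias check could not identify a primary mailbox for them.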
NOTE: When there are hidden objects in the Exchange Server 5.5 Directory, the NTDSNoMatch utility does not identify these hidden objects and does not put them in an output file. To work around this issue, clear the Hide from address book check box for each hidden object in the Exchange Server 5.5 Directory before you run the NTDSNoMatch utility:
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/256862/) How to correct mismatched accounts after Active Directory Connector replication in Exchange 2000 Server