This article explains how to install and use the NTDSNoMatch utility. It also describes the algorithm used by NTDSNoMatch.
NOTE: The NTDSNoMatch utility is also known as NTDSAtrb. NTDSAtrb is on the Exchange 2000 SP1 CD and on the SP2 CD in the Server\Support\Utils\I386 folder.
When you use the Active Directory Connector (ADC) to synchronize a Microsoft Exchange Server 5.5 organization with Active Directory, and you have multiple mailboxes with the same primary Microsoft Windows NT account, you can control how the ADC matches the mailboxes to Active Directory user accounts.
In Microsoft Exchange 2000 Server, unlike Exchange Server 5.5, a mailbox is an attribute of an object in Active Directory, not an object itself. Therefore, each user object in Active Directory can only be matched to one mailbox. For every mailbox that exists in the information store, a matching object must exist in Active Directory. This difference allows you to retain the permissions set directly on the mailbox object, such as delegate and additional mailbox owner permissions.
By default, the ADC creates disabled users in Active Directory if it cannot match a mailbox to a user. Additionally, a custom attribute can be set on the mailbox to force the ADC to create a new object instead of matching it to an existing user. To do this, set Custom Attribute 10
. When you set this attribute on resource-type mailboxes, ADC is able to match a mailbox that does not have the NTDSNoMatch
option set to the correct user account.
The NTDSNoMatch utility can be used to help perform this task. It checks for mailboxes with a duplicate primary Windows NT account, and determines if the mailbox is the primary mailbox or a resource mailbox. Then, it creates a comma-separated value (.csv) file that you can import into the Exchange 5.5 directory. This file automatically sets Custom Attribute 10
for the resource mailboxes.
NTDSNoMatch can be installed on any Windows 2000 computer. It does not need to be installed on the Exchange 5.5 server. To install NTDSNoMatch, copy the following files list below locally and then run Setup executable:
The default install location of NTDSNoMatch is c:\Program Files\NTDSNTDSAtrib. You can specify the install location during setup.
Before running NTDSNoMatch, check to make sure you meet the followingprerequisites:
- NTDSNoMatch must be run from a Windows 2000-based computer. The program will not run from Windows 9x or Windows NT 4.0.
- Ensure the account you are using has permissions to read the Exchange 5.5 directory.
Usage: ntdsatrb servername
is the name of an Exchange 5.5 server in your organization.
Use the following syntax if the Exchange server is using a port different than 389:
: If the Windows 2000-based computer that you are running NTDSNoMatch on, is not in the same domain as the Exchange 5.5 server, you can use the RUNAS command to launch a NTDSNoMatch with the proper credentials. Here is an example assuming that the account you want to use is EXCHDOMAIN\Administrator to connect to a server named EXCHSERVER.
- From a command prompt, navigate to the directory that containsNtdsatrb.exe
- type the following: runas /user:EXCHDOMAIN\Administrator "ntdsatrb EXCHSERVER"
- Enter the password when prompted and press ENTER
- You should see Attempting to start ""ntdsatrb EXCHSERVER" as user "EXCHDOMAIN\Administrator"...
: If Windows Installer dialog box opens, you can safely click Cancel
to continue operation.
CSV files generated
The output of NTDSNoMatch is a series of CSV files. A CSV file is created per site, which can be directly imported into Exchange 5.5 Administrator. Each CSV file is named based on the site name, i.e. Sitename.csv. In addition, a general NTDSNoMatch.CSV file is created for custom configurations. This file cannot be directly imported into Exchange 5.5, and requires manual editing. All CSV files will have an entry for every mailbox that has a duplicate Primary NT account. The mailboxes that were determined to be resource mailboxes will have Custom Attribute 10 set to "NTDSNoMatch". All CSV files are saved to the same directory as the NTDSNoMatch utility.NOTE
: It is strongly recommended that you examine the CSV files carefully before importing into Exchange 5.5 to ensure the correct mailboxes are listed. The CSV files can be modified as necessary before importing.
Following completion of the directory import into the Exchange 5.5 server and the initial replication cycle of the Active Directory Connector the Primary Windows NT Account in Exchange 5.5 Administrator Program will be changed to reflect ActiveDirectoryDomain\AliasName.
This is because when you set NTDSNoMatch on a mailbox, the ADC sets the "Associated External Account" right on SELF, which references back to the disabled user created by the ADC. When the ADC replicates from Windows back to Exchange, this updates the Primary Windows NT Account in 5.5 to point to the disabled AD user. This is by design.
In addition, in Active Directory the Original Windows NT4 account that had been associated with this Exchange 5.5 mailbox will be added as an account with permissions to the newly created Disabled User Account.
Description of the algorithm used by NTDSNoMatch
NTDSNoMatch does a simple check to determine whether to stamp NTDSNoMatch into Custom Attribute 10
on a mailbox.
If the alias of the mailbox matches the Security Accounts Manager (SAM) account name, then the mailbox is considered to be the primary mailbox, and NTDSNoMatch is not stamped. If the alias does not match the SAM account name, then NTDSNoMatch is stamped on the mailbox.
For example, if you have three mailboxes, a primary mailbox and two resource mailboxes, and all three mailboxes have a primary Windows NT account of Exchdomain\MailboxOwner, the following table tells you if NTDSNoMatch is stamped on the mailbox:
|Mailbox Alias||SAM account name||Will NTDSNoMatch be stamped?|
Some Organizations do not have a standardized naming convention and the Mailbox Alias Name is not the same as the SAM Account Name. For example, some companies have a policy of having the Employee ID Number as the SAM Account name.
In such cases, there may be three (or more) mailboxes, say MBX1, MBX2 and MBX3, which are all associated with the same SAM Account Name of, say, 0123456. MBX1 is the "real" mailbox and MBX2 and MBX3 are the resource mailboxes. When the NTDSAtrb program executes, it will stamp the NTDSNoMatch attribute for all three mailboxes. The Administrator must then check this file and determine which of these accounts really must have NTDSNoMatch stamped.Note
When there are hidden objects in the Exchange Server 5.5 Directory, the NTDSNoMatch utility does not identify these hidden objects and does not put them in an output file. To work around this issue, clear the Hide from address book
check box for each hidden object in the Exchange Server 5.5 Directory before you run the NTDSNoMatch utility:
- In Exchange Administrator, click the Recipients container.
- On the View menu, click Hidden Recipients.
- Click an object, click Properties on the File menu, click the Advanced tab, and then click to clear the Hide from address book check box.
- Repeat step 3 for each hidden object.
If the ADC has already replicated and created disabled accounts in Active Directory, then the NTDSNoMatch utility can still be used to determine which mailboxes have duplicate primary Windows NT accounts, but you need to do additional cleanup work to ensure all mailboxes are matched properly.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
How to correct mismatched accounts after Active Directory Connector replication in Exchange 2000 Server