
Topic: Generating Active Directory Accounts from an Exchange Database

  
  1. #1
    Real name: 1234

    Retired administrator
    Join date
    Jul 2009
    Location
    5678
    Posts
    5,634
    Thanks received
    2513
    Thanks given
    272

    Generating Active Directory Accounts from an Exchange Database

    Code:
    http://www.msexchange.org/articles_tutorials/exchange-server-2007/high-availability-recovery/generating-active-directory-accounts-exchange-database-part1.html

    PART-1


    Introduction

    What can you do with a single mailbox database? In a disaster scenario where we have lost our single Domain Controller and we do not have any backup, an Exchange Server mailbox database can be useful to save some time during the rebuild process. The mailboxes have some information about the associated user account and we can use this information to create new users and connect them to the mailboxes.
    However, in this kind of disaster it will not save the administrator from joining all workstations/servers to the new domain, recreating the permissions, and so on.
    This article can also be useful when we want to create a lab environment using Virtual Server or any other virtualization software and we don’t want to restore the production DC’s system state in the lab.
    Scenario…

    We are going to use the same scenario for both articles; the difference between them is the process involved in generating the Active Directory user accounts from a mailbox database.
    Our scenario will be a company with a single Active Directory and one Exchange Server (Figure 01). In this first article this will be an Exchange Server 2007 and in the second it will be an Exchange Server 2003. The only Active Directory server has crashed and we do not have any Active Directory or a System State backup available.

    Figure 01: We have a single domain controller without backup and a disaster occurs
    To generate the Active Directory users’ accounts the mailbox database must be in a clean shutdown state, as shown in Figure 02.

    Figure 02: Running eseutil /mh <database> against the database to validate the state of this database
    We can summarize the steps needed to build this new environment as follows:

    1. Create the Active Directory Domain.
    2. Create the Exchange Server infrastructure.
    3. Mount the old database.
    4. Create a list of disconnected mailboxes on an LDF file.
    5. Use this newly created LDF file to create Active Directory accounts.
    6. Match the new users created with the disconnected mailboxes.

    Creating the environment from scratch

    We have to create the environment even though the crash was only in the Active Directory server. This is because all Exchange Server information stored in the Active Directory does not exist any more. We have to do these steps:

    1. Build a new server and install Active Directory.
    2. Create the backup agenda for this server because we don’t want to do this entire job again.
    3. Set up a new server for Exchange Server 2007 and install it (preparing Forest and Active Directory). You can use the following article to help in this process: Installing Exchange 2007 (Part 1).

    Mounting the old database and looking at the disconnected mailboxes

    Now that we have a brand new environment with Active Directory and Exchange Server installed from scratch, let’s mount the database from the old environment to bring up the users’ data. To accomplish this task:

    1. Open the Exchange Management Console.
    2. Expand Server Configuration.
    3. Click on Mailbox, and in the Result Pane, click on the current server.
    4. Click on the database called Mailbox Database, and then click on Properties in the Toolbox Actions.
    5. Remember the Database path for the next step, and check the option This database can be overwritten by a restore. Click OK. (Figure 03)


    Figure 03: The default mailbox database will be overwritten by the production database from the old environment
    Now, let’s go to the path where the current database is located and we will remove the current database file (mailbox database.edb). Then, we will copy our old database on to the same path and we will rename it “Mailbox database.edb”. After that we can go back to the Exchange Management Console, click on the dismounted database and click on Mount Database in Toolbox Actions.
    Listing the disconnected mailboxes and generating the Active Directory Users

    We have just brought the old database into the new Exchange Server and all the users’ data are in this mounted database. Let’s look at the disconnected mailboxes, but right before that we should force a scan in the Active Directory for the disconnected mailboxes. We can do that using the cmdlet Clean-MailboxDatabase -Identity <database>, as shown in Figure 04.

    Figure 04: Listing the Mailbox databases and running the clean-mailboxdatabase cmdlet
    To see the disconnected mailboxes, we can open the Exchange Management Console, expand Recipient Configuration, and then click on Disconnected Mailbox item, as shown in Figure 05.

    Figure 05: All disconnected mailboxes
    The next step is to use a script that will gather the information from the disconnected mailboxes and create an LDF file that will be used to create the Active Directory user accounts. This script can be found in the Exchange Server 2007 help file or at this address. Let us copy the content of that script and save the file as CreateLdifFromDisconnectedMailboxes.ps1 under the Scripts folder, as shown in Figure 06.

    Figure 06: Saving the script to be used through Exchange Management Shell
    Using that script we are able to create an LDF file from the disconnected mailbox information. The only parameter that we have to specify in the script is which OU (Organizational Unit) will be used to create the new users (Figure 07). The script syntax is shown below:
    .\CreateLdifFromDisconnectedMailboxes.ps1 -ContainerDN "<LDAP path of the OU that will receive the new accounts>"

    Figure 07: Running the script to create an LDF file; the output file can be found at c:\ldifout.ldf
    The result will be an LDF file that contains information on how to create the users. This information came from the disconnected mailboxes (Figure 08).

    Figure 08: LDF file content that will be used by ldifde tool
    Time to create the users using the current LDF file! To do that we will use ldifde tool (Figure 09) with the following syntax:
    ldifde -i -f <full-path-of-the-LDF-file>

    Figure 09: Creating the Active Directory users
    We can go to Active Directory Users and Computers and validate that we have got new users in the OU that we designated in the script CreateLdifFromDisconnectedMailboxes.ps1 (Figure 10).

    Figure 10: The newly created users
    Our next step will be matching and joining the recently created users with the disconnected mailboxes (Figure 11). We will accomplish this task using the following cmdlet:
    Get-MailboxStatistics | where { $_.DisconnectDate -ne $null } | Connect-Mailbox -Database "<database-name>"
    We can accept each mailbox connection answering Y or we can type in A to say Yes to all connections.

    Figure 11: Connecting the new users with the disconnected mailboxes
    Now, all disconnected mailboxes are connected with the new users. We can see all mailboxes in the Exchange Management Console, as shown in Figure 12.

    Figure 12: The new users
    Okay, now we have a brand new environment with new accounts generated from the disconnected mailboxes. The next job on the list would be joining all workstations to the new domain, setting up permissions on file servers, and so on.
    Conclusion

    In this first article we saw how to create new Active Directory users from an Exchange Server 2007 database. This article may come in handy when we do not have any Active Directory backup or DC’s System State and any other Domain Controller. The process described in this article will save some time when creating the new users and connecting them to the old content.






  2. #2
    Code:
    http://www.msexchange.org/articles_tutorials/exchange-server-2003/high-availability-recovery/generating-active-directory-accounts-part2.html
    PART-2

    Unfortunately in Exchange Server 2000/2003 we do not have Windows PowerShell in the picture to export and match users and disconnected mailboxes, however we are able to do the same tasks using a tool called the Mailbox Reconnect tool (mbconn.exe). We can download this tool from the Microsoft FTP site.
    This tool will create in its first instance a list of all disconnected mailboxes to an LDF file, then we will create the users using ldifde and we will run the tool again to match and join the new accounts with the disconnected mailboxes.
    The scenario and prerequisites are the same as the first article.
    Creating the new infrastructure.

    We do not have a System State of the DCs, so we need to create a brand new environment from scratch, following these general steps:

    1. Install Windows Server on a server and update it.
    2. Create the Forest and Domain using dcpromo.
    3. Prepare Forest and Domain for Exchange Server 2003.
    4. Install Exchange Server 2000/2003 using the same Organization Name.
    5. Apply at least all service packs that the old environment had installed.

    Mounting the old database in the brand new environment

    First of all, let’s mount the old database in the new environment. Follow these steps:

    1. Open the Exchange System Manager.
    2. Expand Administrative Groups.
    3. Expand Servers.
    4. Expand <Storage Group>.
    5. Right-Click on the database and click on Properties.
    6. Check the option This database can be overwritten by a restore and note the Exchange database and Exchange streaming database files (Figure 01).


    Figure 1: The current database path and configuring it to be overwritten

    7. Right-click on the database and then click on Dismount.
    8. Now let’s go to the path that we noted in step 6.
    9. Remove the original priv1.edb and priv1.stm files and paste the database files from the old environment. If necessary, rename the new files to match with priv1.edb and priv1.stm.
      Note: Due to the architecture of Exchange Server 2007 we need only the .EDB file, for Exchange 2000/2003 we need both the .EDB and .STM files.
    10. Right-click on the database, and click on Mount.

    To see the disconnected mailboxes in the database, we should run a cleanup task, as follows:

    1. Expand the Mailbox Store database.
    2. Right-click on Mailboxes, and then click on Run cleanup agent.
    3. Click on Mailboxes and see a figure similar to Figure 02 with a list of all mailboxes; they will appear as disconnected.


    Figure 2: The mailboxes from the old Exchange Server
    Now, we can use the Mailbox Connector Tool (mbconn.exe). To run the tool just double click on the mbconn.exe and follow these steps:

    1. On the first screen that comes up, click on Next.
    2. Exchange Server. We have to fill in the Exchange Server name and Domain Controller name, and then click on Next.
    3. Select Databases. All the mounted databases will be listed, click on our recently restored database, and click on Finish, as shown in Figure 03.


    Figure 3: Selecting the current database(s), on which the tool will be looking for disconnected mailboxes
    We will be able to see all disconnected mailboxes in the Mailbox Reconnect tool, as shown in Figure 04.

    Figure 4: All disconnected mailboxes in the Mailbox Reconnect tool
    Let us export the disconnected users to an LDF file. To do that click on Actions and then click on Export Users, as shown in Figure 05.

    Figure 5: Exporting the disconnected users to an LDF file
    We have to define the Container where the exported users will be created in the Active Directory and we have to also configure the destination file (c:\import.ldf), as shown in Figure 06. After that click on Generate.

    Figure 6: Configuring container and filename to be used in the export process
    Before importing the LDF file into the Active Directory, we must change the Default Domain Policy Group Policy to accept blank passwords (Figure 07). To do that we can follow these steps:

    1. Open Active Directory Users and Computers.
    2. Right Click on domain name and click on Properties.
    3. Click on the Group Policy tab, and then click on Default Domain Policy and the Edit button.
    4. Expand Windows Settings, Security Settings, Account Policies.
    5. Click on Password Policy.
    6. We have to change these values:
      - Password must meet complexity requirements: must be Disabled.
      - Minimum password length: must be 0 (zero).


    Figure 7: Modifying the Default Domain Policy to accept blank passwords

    7. Go to the command prompt in a DC and run gpupdate /force to apply the changes that we have made in the Domain Policy.
    8. Check the Event Logs to validate if the policy was applied successfully.

    Okay, we have made some progress in the new environment, such as: mounted the old database in the brand new environment, listed and exported all disconnected mailboxes to an LDF file and we also changed the Default Domain Policy to accept blank passwords.
    Now we have to create the user from the LDF file, however we have to clean up that file first. We must remove entries (users) that we already have and the old Exchange accounts need to be removed, such as System Mailbox, SMTP, etc. The Import.ldf file can be seen in Figure 08.
    Note:
    To remove a user/entry from the LDF file we have to remove the set of attributes as shown in Figure 08. For example we have to remove the lines dn, changetype, useraccountcontrol, msExchUserAccountControl, displayName, ObjectClass and SamAccountName for each user that we remove.

    Figure 8: The file created by Mailbox Connector Tool
    After cleaning up the file we are able to create the users using the LDF file as source (Figure 09). We can go to the Command Prompt and run ldifde using the syntax below:
    ldifde -i -f <file.ldf>

    Figure 9: Creating the users to match with the disconnected mailboxes with the ldifde tool
    Just to make sure, we can go to Active Directory Users and Computers and see if all users were created as expected, as shown in Figure 10.

    Figure 10: Users created from the exported list of disconnected mailboxes
    Let us go back to the Mailbox Reconnect tool to match the new users with the disconnected mailboxes. Click on View and Preview All. At this point all disconnected mailboxes should match with the users that we have just created (Figure 11). We should validate if the association makes sense using the second column called User as well.

    Figure 11: Matching the newly created accounts with the disconnected mailboxes
    To reconnect the mailboxes with the newly created accounts, click on Actions and then Apply, as shown in Figure 12. A message box will come up, click on Yes.

    Figure 12: Reconnecting the disconnected mailboxes with the new Active Directory Accounts
    Now, all users from the other domain can log on to the domain using their username and access the same Exchange information that they had before the Domain Controller failure.
    Conclusion

    In this article we have seen how to generate accounts using an Exchange 2000/2003 Mailbox database and the Mailbox Reconnect tool.
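
The LDF clean-up step from Part 2 (removing System Mailbox, SMTP and similar entries before running ldifde), as an added example that is not part of the original article or post: it drops each matching entry's whole attribute set and, because the domain policy was changed to accept blank passwords, also lists the remaining accounts whose userAccountControl value would create them enabled or with no password required. The name patterns, the `review` and `parse_records` helpers and the sample records are assumptions constructed for illustration.

```python
import re

UAC_ACCOUNTDISABLE = 0x0002   # userAccountControl bit: account is disabled
UAC_PASSWD_NOTREQD = 0x0020   # userAccountControl bit: password not required
SYSTEM = re.compile(r"^(SystemMailbox|SMTP)", re.I)  # assumed patterns to drop

def parse_records(text):
    """Yield (raw_block, attrs) per LDIF record; attrs keys are lower-cased."""
    for block in re.split(r"\n\s*\n", text.replace("\r\n", "\n").strip()):
        attrs = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                key, value = line.split(":", 1)
                attrs.setdefault(key.strip().lower(), value.strip())
        yield block, attrs

def review(text):
    """Return (cleaned LDIF, dropped names, findings) for an exported LDF."""
    kept, dropped, findings = [], [], []
    for block, attrs in parse_records(text):
        name = attrs.get("samaccountname") or attrs.get("displayname", "")
        if SYSTEM.match(name):
            dropped.append(name)      # remove the entry's whole attribute set
            continue
        # An absent attribute is treated as "disabled": nothing to flag.
        uac = int(attrs.get("useraccountcontrol", UAC_ACCOUNTDISABLE))
        if not uac & UAC_ACCOUNTDISABLE:
            findings.append((name, "created enabled"))
        if uac & UAC_PASSWD_NOTREQD:
            findings.append((name, "password not required"))
        kept.append(block)
    return "\n\n".join(kept) + "\n", dropped, findings

# Constructed sample in the shape of the exported file; not real tool output.
SAMPLE = """\
dn: CN=Alice Example,OU=Recovered,DC=lab,DC=example
changetype: add
userAccountControl: 544
sAMAccountName: aexample

dn: CN=SystemMailbox{0000},OU=Recovered,DC=lab,DC=example
changetype: add
userAccountControl: 514
sAMAccountName: SystemMailbox{0000}

dn: CN=Bob Example,OU=Recovered,DC=lab,DC=example
changetype: add
userAccountControl: 514
sAMAccountName: bexample
"""
```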




