How to Verify EdgeSync Results for a Recipient
Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3
This topic explains how to use the Ldp.exe support tool to verify the EdgeSync synchronization results for a specific recipient. Ldp.exe is a Microsoft Windows Support Tools utility that you can use to perform Lightweight Directory Access Protocol (LDAP) searches of an LDAP directory, such as viewing directory data in the Active Directory Application Mode (ADAM) directory service. You can use Ldp.exe to retrieve information about a recipient from ADAM when an Edge Transport server is subscribed to an Active Directory site. A subscribed Edge Transport server receives information about recipients through the EdgeSync synchronization process. The Microsoft Exchange EdgeSync service runs on Hub Transport servers and replicates data from the Active Directory directory service to ADAM. The recipient data that is replicated includes the attributes that are used by the recipient lookup and safelist aggregation anti-spam features.
Important
Ldp.exe is intended to be used by experienced administrators to gain low-level access to a directory service. This tool should not be used to modify the data that is stored in ADAM.
Note
Microsoft Exchange Server 2007 Service Pack 1 (SP1) supports deployment of server roles on a Windows Server 2008 computer. If the Edge Transport server is installed on Windows Server 2008, ADAM is replaced by Active Directory Lightweight Directory Services (AD LDS). Windows Server 2008 includes several features that have been enhanced or renamed. For information about the feature changes between Windows Server 2003 and Windows Server 2008, see Terminology Changes.
Before You Begin
Use this procedure to verify that the correct attribute values for a specific recipient have been synchronized to ADAM. Inconsistencies between the attribute values that are stored in Active Directory and the attribute values that are stored in ADAM may be caused by Active Directory replication latency. To make sure that the ADAM instance on the Edge Transport server is current before you perform this procedure, do the following:
- Use the Active Directory Replication Monitor tool to view the replication status of the domain controllers and global catalog servers that are located in the subscribed Active Directory site. If you have been granted the correct permissions, you can synchronize the directory partitions to bring the local directory servers up to date. For more information about the Active Directory Replication Monitor, see the Microsoft Windows Server 2003 Help.
- Use the Test-EdgeSynchronization cmdlet in the Exchange Management Shell on a Hub Transport server in the subscribed site to determine whether the subscribed Edge Transport servers have a current synchronization status. You can use the Start-EdgeSynchronization cmdlet to start immediate synchronization and bring ADAM up to date.
Note
If you have installed Exchange 2007 SP1 on the Hub Transport server role, you can use the Test-EdgeSynchronization cmdlet with the VerifyRecipient parameter to verify the EdgeSync synchronization status for a single recipient. You specify the recipient by its proxy address. The results that are returned when you run the Test-EdgeSynchronization cmdlet indicate whether the recipient is synchronized.
Several steps are required to view the recipient data in ADAM for the following reasons:
- Only a subset of recipient data is replicated from Active Directory to ADAM.
- Some of the attributes are stored in hashed form. This includes e-mail addresses.
To verify the EdgeSync synchronization results for a recipient, follow these steps:
Determine the user name of the recipient for which you want to verify EdgeSync synchronization results.
Determine the GUID that is associated with the recipient in Active Directory. This GUID is represented as the recipient's common name (CN) in ADAM.
Determine the Active Directory value of the attributes that you want to verify for that recipient.
Use Ldp.exe on the Edge Transport server to retrieve information about that recipient from ADAM.
Use the Windows Calculator to translate the retrieved decimal attribute values to hexadecimal and determine the significant byte.
Compare the Active Directory attribute values and the ADAM attribute values, and verify that they match.
To perform the following procedures for a Microsoft Exchange Server 2007 organization, the account you use must be delegated the Exchange Recipient Administrator role.
To perform the following procedures on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.
For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.
Procedure
To use the Exchange Management Shell to determine Active Directory recipient attribute values
Open the Exchange Management Shell on a domain-joined computer that has the Exchange 2007 administrative tools installed.
Type the following command to determine the Active Directory GUID for a recipient that has the user name Susan:
Get-User -Identity Susan | ft Name, GUID
Type the following command to determine the value of all spam confidence level (SCL) attributes configured for a recipient that has the user name Susan:
Get-Mailbox -Identity Susan | ft SCL*
Note
This code provides an example of how to retrieve anti-spam attribute values for a recipient. You can use the Get-Mailbox cmdlet to view whatever attributes you want to verify.
To use Ldp.exe to determine ADAM recipient attribute values
Start Ldp.exe on the Edge Transport server. By default, this tool is located at <System drive>\WINDOWS\ADAM\ldp.exe.
Click Connection on the menu bar, and then click Connect…
In the Connect dialog box, type the name of the Edge Transport server in the Server field. In the Port field, type the ADAM LDAP port. By default, this port number is 50389. Do not select the Connectionless or SSL check boxes. Click OK.
Click Connection on the menu bar, and then click Bind.
If you are logged on as a local administrator, in the Bind dialog box, select Bind as currently logged on user. To enter administrator credentials, select Bind with credentials, and then enter a user name and password. Click OK.
Click View on the menu bar, and then click Tree.
In the Tree View dialog box, clear any entry in the BaseDN field. Click OK. You are now connected to the root of the ADAM directory.
Click Browse on the menu bar, and then click Search.
In the Search dialog box, use the drop-down box for the BaseDN field to select OU=MsExchangeGateway.
In the Filter field, enter search criteria that will find the recipient whose CN is equal to the GUID that you obtained from Active Directory. For example, if the GUID starts with 21664853, enter (cn=21664853*). Notice that you do not have to type the complete GUID. You can type the first several characters and then use the * wildcard character to search for all GUIDs that start with those characters.
Select Subtree as the Scope. Click Run. The search results appear in the right pane of Ldp.exe.
You can change the list of attributes that are included in the search results. To do this, click Browse on the menu bar, and then click Search. Enter the BaseDN, Filter, and Scope options as instructed in the previous steps. Click Options.
In the Attributes field, enter a list of attributes to display. Separate each attribute by using a semicolon. For example, to list the SCL delete threshold and the SCL reject threshold, enter the following text:
MsExchMessageHygieneSCLDeleteThreshold;MsExchMessageHygieneSCLRejectThreshold
Click OK, and then click Run in the Search dialog box. The search results appear in the right pane of Ldp.exe. Attributes that have a null value do not appear.
To use the Windows Calculator to translate Ldp.exe search results
The attribute values that Ldp.exe returns from an ADAM search appear in decimal. To verify that a value matches the attribute value in Active Directory, translate the decimal value to hexadecimal, and then isolate the significant byte. For example, the value returned for the SCL delete threshold may appear as follows:
msExchMessageHygieneSCLDeleteThreshold:-2147483643
To translate this value, click Start, select Programs, select Accessories, and then click Calculator.
Click View on the menu bar, and then click Scientific.
Enter the decimal value, and then select Hex. The number 2147483643 now appears as 7FFFFFFB.
Click And, click F, and then click =. The number 7FFFFFFB now appears as 5.
Verify that the resulting attribute value that is stored in ADAM matches the value assigned to that attribute for this recipient in Active Directory.
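The translation and comparison steps above can also be scripted. The following is an added example, not part of the original topic: it parses attribute lines as copied from the Ldp.exe results pane, reads each value as a signed 32-bit integer exactly as Ldp.exe prints it, applies the same And F mask, and compares the result with the thresholds read from Active Directory. The function name ConvertFrom-LdpSclLine, the second sample line, and the Active Directory values are constructed for illustration; Windows PowerShell 2.0 or later is assumed.

```powershell
# Added example (not from the original topic): decode SCL threshold values
# copied from the Ldp.exe results pane and compare them with Active Directory.
function ConvertFrom-LdpSclLine {          # hypothetical helper name
    param([string]$Line)

    # Ldp.exe shows "attribute:value"; allow spaces and a trailing semicolon.
    if ($Line -notmatch '^\s*(?<name>\w+)\s*:\s*(?<value>-?\d+)\s*;?\s*$') {
        throw "Not an attribute:value line: '$Line'"
    }
    $name = $Matches['name']
    $raw  = [int32]$Matches['value']       # parse as a signed 32-bit integer

    New-Object PSObject -Property @{
        Attribute = $name
        Decimal   = $raw
        Hex       = '{0:X8}' -f $raw        # 32-bit two's-complement hex
        Threshold = $raw -band 0xF          # the "And F" step: low four bits
    }
}

# Constructed sample: the first line is the value shown in this topic,
# the second is made up so that the comparison reports a mismatch.
$ldpLines = @(
    'msExchMessageHygieneSCLDeleteThreshold:-2147483643',
    'msExchMessageHygieneSCLRejectThreshold:-2147483641'
)

# Constructed sample: thresholds as read with Get-Mailbox | ft SCL*.
$adValues = @{
    msExchMessageHygieneSCLDeleteThreshold = 5
    msExchMessageHygieneSCLRejectThreshold = 6
}

foreach ($line in $ldpLines) {
    $d      = ConvertFrom-LdpSclLine $line
    $want   = $adValues[$d.Attribute]
    $status = if ($d.Threshold -eq $want) { 'match' } else { 'MISMATCH' }
    '{0}: ADAM={1} (0x{2}) AD={3} {4}' -f $d.Attribute, $d.Threshold, $d.Hex, $want, $status
}
```

A MISMATCH line after Start-EdgeSynchronization has completed points to a recipient whose anti-spam settings on the Edge Transport server differ from those in Active Directory.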
Exchange 2007 SP1 Procedure
This section contains the Exchange 2007 SP1-specific Exchange Management Shell procedure. To run the Test-EdgeSynchronization cmdlet, you must log on to a computer that has the Hub Transport server role installed and that is located in the Active Directory site to which the Edge Transport server is subscribed. The account you use must be delegated the following:
- Exchange Organization Administrator role
For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.
To use the Exchange Management Shell to verify the synchronization status of a single recipient in Exchange 2007 SP1
Run the following command:
Test-EdgeSynchronization -VerifyRecipient kate@contoso.com