ADC Role Confusion

A customer of mine hosts mailboxes for several smaller departments, acting somewhat like an application service provider for email. They have an Active Directory domain, which they control, but have delegated control of user and computer objects back to their departmental customers through OUs. The Active Directory Connector (ADC) has been installed and is operating, but they've recently come across a problem where new mailboxes aren't being matched to user accounts. Here's the scenario.

  1. OU Administrator "Ollie" creates a new user in his OU.
  2. Exchange Admin "Elizabeth" creates the mailbox for that user in Exchange 5.5, with Ollie's user as the Primary NT account.
  3. The Active Directory Connector then matches and syncs the two objects, based on the SID of that Primary NT account.

Sometimes, however, the mailbox gets created first. Here's what happens:

  1. Elizabeth creates the mailbox.
  2. The ADC finds no matching user in AD and creates a mailbox-enabled, disabled user for it.
  3. Ollie creates the new user in his OU.
  4. Elizabeth sets Ollie's new user as the mailbox's Primary NT account in Exchange 5.5 and deletes the disabled user from AD.
  5. No match is found when the ADC runs.

In this particular scenario the mailbox doesn't go away, because the ADC has been configured NOT to replicate deletions. So the problem isn't necessarily discovered right away (not until ADC Tools are run again). Basically what has happened is that the mailbox in 5.5 is linked to a user in AD that no longer exists. Since the ADC is prohibited from replicating the deletion back to 5.5, it throws an error instead. To fix this, we need to follow the steps outlined in Microsoft KB 256862 at https://support.microsoft.com/?id=256862

The proper way to ensure this doesn't happen again is to create the user first in Active Directory (but do not mail-enable the account), then create the mailbox in Exchange 5.5 and assign that user as the Primary NT account at mailbox creation time. The ADC will then match the two objects on the SID and mail-enable the AD user, which ensures proper replication. If we weren't dealing with a federation, we could just create the mailbox in ADU&C at the time we create the user account, but that is not allowed in federations.

Lesson to be learned: if you still haven't married your AD and Exchange personnel, and are working in the interim ADC period between 5.5 and the first 2003 server, you will need to harden your processes so that multiple people can work in a coordinated fashion to accomplish what the software assumes is all being done by one individual.