If you do any migration or coexistence work from Exchange 5.5 to Exchange 2000/2003, you may have noticed two somewhat mysterious checkboxes at the bottom of the From Windows tab when configuring a recipient connection agreement in the Active Directory Connector (ADC) console.
For security reasons the ADC does not (by default) replicate any object from AD that carries a deny ACE (access control entry), simply because Exchange 5.5 cannot understand deny ACEs: the deny would be dropped on the 5.5 side rather than enforced there. In certain scenarios this keeps objects from replicating to the Exchange directory at all. Checking "Replicate secured Active Directory objects to the Exchange Directory" permits objects created in AD with a Deny permission to be replicated to the Exchange 5.5 directory, so if you turn it on, remember that whatever the Deny was protecting is visible through the 5.5 directory.
See KB 827619, "A Connection Agreement does not replicate data from Exchange 2000 Server".
If you enable "Create objects in location specified by Exchange 5.5 DN", the ADC first looks at the legacyExchangeDN attribute of the Active Directory object to decide where in the 5.5 directory to create that object. If that fails, the ADC falls back to creating the object in the default destination specified on the From Windows tab of the connection agreement, which is what it does anyway when the option is off. Why is this useful? If you have a huge, complex OU hierarchy that you DON'T want mirrored into your 5.5 directory, you can set this option to have all of the replicating objects created in the Recipients container of the 5.5 directory instead of in a container tree that copies your OUs.
For details, see KB 313218, "XADM: Active Directory Connector Replicates Organizational Unit".
Oh yeah, what is a legacyExchangeDN? It's the Exchange 5.5-style distinguished name of the Exchange 5.5 object that the Active Directory object is matched to. It has the form /o=ORG/ou=SITE/cn=CONTAINER/cn=RELATIVE_DN, so a mailbox in the Recipients container of site Site1 in organization Contoso would carry something like /o=Contoso/ou=Site1/cn=Recipients/cn=jsmith.
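The two options above are easy to reason about once you see them as a decision: a deny ACE on the AD object blocks replication unless "Replicate secured Active Directory objects" is checked, and the legacyExchangeDN decides the 5.5 container only when "Create objects in location specified by Exchange 5.5 DN" is checked. The Python below is an added example, not ADC code and not from the original post. It scans the DACL of an object's security descriptor (in SDDL form, which is what you get from `Get-Acl` or `dsacls` style tooling) for deny ACEs, splits a legacyExchangeDN into container and RDN, and combines the two the way the page describes. The SDDL strings, the organization and site names, the SID and the `replication_target` helper are all constructed for illustration; that the ADC falls back to the default container when the legacyExchangeDN is absent or malformed is taken from the description above, not verified against the ADC itself.

```python
"""Added example: model the two From Windows checkboxes of an ADC connection
agreement. Not ADC code. SDDL samples, names and SID below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# SDDL ACE types that deny access: plain, object-specific, and callback deny.
DENY_ACE_TYPES = {"D", "OD", "XD"}


@dataclass
class Ace:
    ace_type: str
    flags: str
    rights: str
    trustee: str

    @property
    def is_deny(self) -> bool:
        return self.ace_type in DENY_ACE_TYPES

    @property
    def inherited(self) -> bool:
        # ACE flags are two-letter tokens (CI, OI, NP, IO, ID, ...); ID = inherited.
        tokens = {self.flags[i:i + 2] for i in range(0, len(self.flags), 2)}
        return "ID" in tokens


def parse_dacl(sddl: str) -> List[Ace]:
    """Return the ACEs in the D: (DACL) segment of an SDDL string."""
    m = re.search(r"D:([A-Z]*(?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:  # conditional ACEs etc.; not expected on ADC-era objects
            continue
        aces.append(Ace(fields[0], fields[1], fields[2], fields[5]))
    return aces


def deny_aces(sddl: str) -> List[Ace]:
    """The ACEs that keep an object from replicating unless the secured-objects option is on."""
    return [a for a in parse_dacl(sddl) if a.is_deny]


def split_legacy_dn(legacy_dn: str) -> Optional[Tuple[str, str]]:
    """'/o=ORG/ou=SITE/cn=CONTAINER/cn=RDN' -> (container, rdn); None if malformed."""
    parts = legacy_dn.split("/")
    if len(parts) < 5 or parts[0] != "":
        return None
    if not (parts[1].lower().startswith("o=") and parts[2].lower().startswith("ou=")):
        return None
    if not all(p.lower().startswith("cn=") for p in parts[3:]):
        return None
    return "/".join(parts[:-1]), parts[-1]


def replication_target(sddl: str, legacy_dn: Optional[str], default_container: str,
                       replicate_secured: bool = False,
                       create_at_legacy_dn: bool = False) -> Optional[str]:
    """Container in the 5.5 directory the object would be created in, or None
    when the ADC skips it. Fallback to the default container on a missing or
    malformed legacyExchangeDN is an assumption taken from the text."""
    if deny_aces(sddl) and not replicate_secured:
        return None
    if create_at_legacy_dn and legacy_dn:
        parsed = split_legacy_dn(legacy_dn)
        if parsed:
            return parsed[0]
    return default_container


# Constructed sample data (hypothetical org/site, SID and rights strings).
DEFAULT_CONTAINER = "/o=Contoso/ou=Site1/cn=Recipients"
LEGACY_DN = "/o=Contoso/ou=Site1/cn=Recipients/cn=Sales/cn=jsmith"
SDDL_ALLOW_ONLY = ("O:DAG:DUD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
                   "(A;CIID;LC;;;AU)S:AI(AU;SA;WDWO;;;WD)")
SDDL_WITH_DENY = ("O:DAG:DUD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
                  "(D;;WP;;;S-1-5-21-1004336348-1177238915-682003330-1110)"
                  "(A;CIID;LC;;;AU)S:AI(AU;SA;WDWO;;;WD)")


if __name__ == "__main__":
    for name, sddl in (("allow-only", SDDL_ALLOW_ONLY), ("with-deny", SDDL_WITH_DENY)):
        denies = deny_aces(sddl)
        print(name, "deny ACEs:", [(a.trustee, a.rights, a.inherited) for a in denies])
        for secured in (False, True):
            for by_dn in (False, True):
                print("  secured=%s by_legacy_dn=%s ->" % (secured, by_dn),
                      replication_target(sddl, LEGACY_DN, DEFAULT_CONTAINER, secured, by_dn))
```

Run it against real objects by feeding `parse_dacl` the SDDL of each mail-enabled user or contact in the OUs covered by the connection agreement; anything `deny_aces` reports will be silently missing from the 5.5 directory until you either remove the Deny or check the secured-objects box.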