Re: Global Address List in Exchange 2003


From: Baris Eris [MS] (barise_at_online.microsoft.com)
Date: 06/22/04


Date: Tue, 22 Jun 2004 14:27:04 -0700

Correct, changing the membership setting of the workstation to domain
mode will automatically take care of everything. It will apply any
applicable policies too. From that point forward, users would have to log on
to their domain accounts.

Desktop settings on the workgroup-mode account will have to be migrated; there
are several options for that.

Baris.

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
<anonymous@discussions.microsoft.com> wrote in message 
news:1f44001c457f9$93c067f0$a301280a@phx.gbl...
> Baris:
>
> To put a user in the domain, do we only need to change
> them from "workgroup" to "domain" and enter our Domain
> name?  Or, do we need to configure any additional
> settings under TCP/IP, such as dns suffix, etc?
>
> Thank you
>>-----Original Message-----
>>Hi Ana,
>>
>>1. Due to the new authentication mechanism (i.e. transition into Kerberos from
>>NTLM) and other security measures, we really need you to authenticate to the
>>domain explicitly. The previous workaround you have been leveraging was not
>>a best practice and never recommended. I recommend that you make those
>>client workstations members of the domain and implement various group policy
>>based restrictions to manage them in line with your organization's security
>>policies.
>>
>>The same recommendation holds true for managing passwords. You know, passwords
>>are vulnerable to brute-force attacks; meaning, given enough time, all
>>passwords can be cracked. Therefore having a password expiration policy is
>>highly recommended.
>>
>>2. This is essentially the same question. Workstations must be members of one
>>of the domains that the AD domain hosting Exchange 2003 trusts (i.e. domains
>>in the same forest).
>>
>>Baris.
>>
>>-- 
>>This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>>"Ana" <bean@discussions.microsoft.com> wrote in message
>>news:1dfb101c45471$ae360530$a001280a@phx.gbl...
>>> Baris, thanks again for your help.  First, let me
>>> apologize for the multiple postings in different
>>> newsgroups. However, I have not been able to get an answer
>>> to the following question, and I am hoping you can help
>>> me.  This is a fairly critical issue in our environment
>>> and will affect our migration.
>>>
>>> We have a test lab environment with Windows 2003 Domain
>>> Controllers, Exchange 2003 running on Windows 2003,
>>> Exchange 5.5 on Windows NT server, a Windows XP
>>> workstation with Outlook XP, and a Windows 2000
>>> workstation with Outlook 2000.
>>>
>>> Our production environment has Exchange 5.5 on Windows NT
>>> and a mix of Windows XP\2000 clients.  Some clients log
>>> into the domain, and some are in a workgroup.  In either
>>> case, the clients can access Exchange 5.5 through Outlook
>>> and they are not prompted for credentials.  Their Windows
>>> logon password matches their Exchange 5.5 userid and
>>> password.
>>>
>>> Once we migrate to Active Directory and Exchange 2003,
>>> there will be a period when a large number of people will
>>> not be in the domain and will still be in a workgroup.  In
>>> our test environment, the clients that do not log into the
>>> domain are prompted for credentials every time they open
>>> Outlook to access their Exchange 2003 mailbox.  They are
>>> prompted for their userid, password, and domain each and
>>> every time they open Outlook.
>>>
>>> Question #1
>>> We don't understand why this worked fine with Exchange 5.5
>>> and not Exchange 2003.  That is, why some users could
>>> be in a workgroup with an NT domain and Exchange 5.5 on
>>> the PDC, and those users could access their Exchange 5.5
>>> mailboxes and not have to provide credentials? (same as
>>> users who logged into the domain)
>>>
>>> Question #2
>>> Is there a workaround so people who do not log into the
>>> Active Directory domain can access their Exchange 2003
>>> mailbox without having to enter credentials each time they
>>> open Outlook?
>>>
>>>>-----Original Message-----
>>>>1. You need to create a new GAL, find a common AD attribute among those
>>>>groups of users (office location, city, country etc) and construct the new
>>>>filter based on those attributes. Once you have verified the new view from the
>>>>preview option in the GAL properties, go ahead and put a DENY access control
>>>>entry on the default GAL for the same group. You will have to create a new
>>>>security group and include those users (who need to see the new GAL) and
>>>>then DENY them access to the default GAL.
>>>>
>>>>2. You need to create two SMTP addresses in a single recipient policy. Try and
>>>>see if it helps. Again, the LDAP filter of the policy is critically important --
>>>>make sure not to apply an incorrect policy to all users. There is the risk of
>>>>overriding existing primary addresses.
>>>>
>>>>HTH,
>>>>
>>>>Baris.
>>>>
>>>>-- 
>>>>This posting is provided "AS IS" with no warranties, and confers no rights.
>>>>
>>>><anonymous@discussions.microsoft.com> wrote in message
>>>>news:1cde301c45308$3e908940$a401280a@phx.gbl...
>>>>> Thank you for the help.  I finally got it to work by going
>>>>> into Outlook, and removing the Microsoft Exchange service
>>>>> and then re-adding it back in.  Then, the client pointed
>>>>> to the correct GC and I could see the GAL.
>>>>>
>>>>> I have two more questions, I hope you can help with:
>>>>>
>>>>> Question #1:
>>>>>
>>>>> I see custom recipients listed in my GAL that I don't want
>>>>> to be visible in the GAL.  They will be organized in a
>>>>> separate address view.  How can I modify the GAL filter?
>>>>>
>>>>> Question #2:
>>>>>
>>>>> This is unrelated to the GAL.  When I create a new user, I
>>>>> would like for the user to have two email addresses
>>>>> created automatically.  One of the two is currently
>>>>> automatically generated.  Is there a way to modify a
>>>>> service or feature in Exchange to stamp these new users
>>>>> with the second email address automatically?
>>>>>
>>>>> Thanks again.
>>>>>>-----Original Message-----
>>>>>>Yes it should be pointing at the GC.
>>>>>>
>>>>>>I stress that you try this with OWA to eliminate general server-side issues.
>>>>>>Also try creating a brand new mailbox on e2kX server and try to access it
>>>>>>via a brand new MAPI profile. See if that works.
>>>>>>
>>>>>>I'm expecting others in the newsgroup to jump in here, I can't see how to
>>>>>>fix (though with above steps you should be able to isolate the root of the
>>>>>>problem) this.
>>>>>>
>>>>>>For your Outlook clients, apply latest service packs (SP3 for both 2k and
>>>>>>2k2) just to be sure.
>>>>>>
>>>>>>Baris.
>>>>>>
>>>>>>-- 
>>>>>>This posting is provided "AS IS" with no warranties, and confers no rights.
>>>>>>
>>>>>><anonymous@discussions.microsoft.com> wrote in message
>>>>>>news:1c44f01c4524c$ecc06380$a101280a@phx.gbl...
>>>>>>> We are using only Outlook 2000 and Outlook 2002.  I have
>>>>>>> not had a chance yet to try OWA.
>>>>>>>
>>>>>>> However, I did go into the Outlook client and used
>>>>>>> KB317209 on "How to Identify your Global Catalog Server
>>>>>>> using Outlook 2000 and Outlook 2002".  When I followed
>>>>>>> those instructions, it showed that the "Microsoft Exchange
>>>>>>> Address Book Provider" was set to the old Windows NT
>>>>>>> server with Exchange 5.5.  Should this be pointing to the
>>>>>>> Global Catalog server in our Active Directory?  If so, is
>>>>>>> that the issue?
>>>>>>>>-----Original Message-----
>>>>>>>>Ok try these now:
>>>>>>>>
>>>>>>>>1. Logon to Outlook Web Access and see if you can access GAL there
>>>>>>>>2. Which Outlook version? If less than 2000, Outlook will use Exchange
>>>>>>>>DSProxy to retrieve the GAL. I strongly recommend that you use/try a recent
>>>>>>>>version of Outlook. At least for one client, you can load Outlook 2003 and
>>>>>>>>use ctrl-rightclick on the little Outlook icon on the taskbar. Then, you can
>>>>>>>>select "Connection Status..." menu option, which will give you the list of
>>>>>>>>all servers being attempted for connection. See if "directory" role owner
>>>>>>>>server is accessible there.
>>>>>>>>3. Create a new MAPI profile and attempt to reproduce the problem.
>>>>>>>>
>>>>>>>>Baris.
>>>>>>>>
>>>>>>>>-- 
>>>>>>>>This posting is provided "AS IS" with no warranties, and confers no rights.
>>>>>>>>
>>>>>>>><anonymous@discussions.microsoft.com> wrote in message
>>>>>>>>news:1bdd101c4521a$772112a0$a601280a@phx.gbl...
>>>>>>>>>I went into ESM on the Exchange 2003 server,
>>>>>>>>> then "Recipients", then "All Global Address Lists"
>>>>>>>>> and "Default Global Address List".  Under the general tab,
>>>>>>>>> I clicked "Preview" and it showed me a complete list of
>>>>>>>>> the users in Active Directory.  I then went to the
>>>>>>>>> Security tab, and checked permissions.  I should note
>>>>>>>>> that we have a very basic install and we have not changed
>>>>>>>>> any permissions.  We basically have accepted all defaults
>>>>>>>>> during this test deployment.
>>>>>>>>>
>>>>>>>>> Under the security tab, I see the following listed: "Name
>>>>>>>>> of our Exchange server", Anonymous Logon, Authenticated
>>>>>>>>> Users, Domain Admins, Enterprise Admins, Everyone,
>>>>>>>>> Exchange Domain Servers, Exchange Services, MS-Exchange
>>>>>>>>> Administrator, System.  Am I in the correct place?
>>>>>>>>>
>>>>>>>>> Also, I tested access to the GAL with a user who was a
>>>>>>>>> Member of Domain Admins and with a user who was a "Domain
>>>>>>>>> User".  In both cases, I could not see a GAL once I turned
>>>>>>>>> off Exchange 5.5.  In their Outlook clients, all I could
>>>>>>>>> see was an option for "Offline Address Book" (which was
>>>>>>>>> not populated).
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>>>-----Original Message-----
>>>>>>>>>>Agreed that this is most likely a permissions issue. Ana, see if you have
>>>>>>>>>>different behavior with different levels of users. For example, try with a
>>>>>>>>>>regular, non-admin user and with a user who is a member of the domain admins
>>>>>>>>>>group. See if the situation changes.
>>>>>>>>>>
>>>>>>>>>>The user, as an individual, must be able to read the GAL filter off of Exchange
>>>>>>>>>>configuration -- for that, as Chris pointed out, GAL configuration entry
>>>>>>>>>>permission settings must allow users appropriate rights. It may not be very
>>>>>>>>>>easy for you to calculate the resulting permission settings, especially if
>>>>>>>>>>there are deny rights placed at group level. Remember, the most restrictive
>>>>>>>>>>permission will be enforced. I.e. if the user is a member of group1 and group2,
>>>>>>>>>>and if you allowed group1 but denied group2, access will be denied.
>>>>>>>>>>
>>>>>>>>>>Let us know how it goes,
>>>>>>>>>>
>>>>>>>>>>Baris.
>>>>>>>>>>
>>>>>>>>>>-- 
>>>>>>>>>>This posting is provided "AS IS" with no warranties, and confers no rights.
>>>>>>>>>>
>>>>>>>>>>"Chris Scharff [MVP]" <puevf_fpuness@znvy-erfbheprf.pbz> wrote in message
>>>>>>>>>>news:iqspc0dbfqlgsndegvbic7nrd023lniplm@4ax.com...
>>>>>>>>>>> Check the permissions on the Global Address List in the ESM.
>>>>>>>>>>>
>>>>>>>>>>> In the last exciting episode, <anonymous@discussions.microsoft.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>>>No, the 5.5 server in our lab is not the GC.  The GC is on
>>>>>>>>>>>>a Windows 2003 domain controller in our lab.  The 5.5
>>>>>>>>>>>>server runs on Windows NT.
>>>>>>>>>>>>>-----Original Message-----
>>>>>>>>>>>>>Is the 5.5 server in your lab also the GC? As Baris mentioned the
>>>>>>>>>>>>>Exchange 2003 server doesn't really have a GAL, it has an LDAP filter
>>>>>>>>>>>>>defined which is executed against a GC. That filter returns results
>>>>>>>>>>>>>which are rendered to the clients as the GAL. If the users can't see
>>>>>>>>>>>>>the GAL I'm guessing the query fails because the GC is no longer
>>>>>>>>>>>>>available.
>>>>>>>>>>>>>
>>>>>>>>>>>>>In the last exciting episode, <anonymous@discussions.microsoft.com>
>>>>>>>>>>>>>wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>>Yes, our Outlook Users are working online.  We do not use
>>>>>>>>>>>>>>Outlook 2003 cached mode.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>Yes, we followed the Exchange deployment tools exactly as
>>>>>>>>>>>>>>outlined.  Yes, we implemented the ADC.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>I am not quite sure if I understand what you are trying
>>>>>>>>>>>>>>to describe about the GAL and offline address book??
>>>>>>>>>>>>>>>-----Original Message-----
>>>>>>>>>>>>>>>Ana, "GAL" is not something that's created and hosted. It's just an LDAP
>>>>>>>>>>>>>>>filter, which clients will read and perform query against the AD with. OAB
>>>>>>>>>>>>>>>(offline address book) is the one that gets created.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>So in your case, clarify whether your Outlook users are working online or
>>>>>>>>>>>>>>>not (for example, Outlook 2003 cached mode behavior would be different).
>>>>>>>>>>>>>>>Clarify this first.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>How did you implement the ADC? Did you use ADCTools? Did you follow Exchange
>>>>>>>>>>>>>>>Deployment Tools (exdeploy.chm on E2k3 CD)?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>Look for the docs at www.microsoft.com/exchange/library
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>Baris.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>-- 
>>>>>>>>>>>>>>>This posting is provided "AS IS" with no warranties, and confers no rights.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>"Ana" <bean@news.postalias> wrote in message
>>>>>>>>>>>>>>>news:1b68501c44ff1$1f2a8750$a101280a@phx.gbl...
>>>>>>>>>>>>>>>> In our lab environment, we are testing joining an Exchange
>>>>>>>>>>>>>>>> 2003 server to an existing Exchange 5.5 site.  I've tested
>>>>>>>>>>>>>>>> shutting down the Exchange 5.5 server and have noticed
>>>>>>>>>>>>>>>> that users with mailboxes on the Exchange 2003 server no
>>>>>>>>>>>>>>>> longer have access to a Global Address List or any address
>>>>>>>>>>>>>>>> book views.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> How does the GAL get created on Exchange 2003 once the
>>>>>>>>>>>>>>>> last 5.5 exchange server is removed from the environment?
>> 
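
The thread describes the GAL as an LDAP filter run against the directory, with a DENY entry on the default GAL steering one group to a narrower list. The sketch below models that; it is an added example, not code from the thread or from Exchange. The directory entries, the group name "Branch GAL Users", both filters and the "any DENY wins" rule as stated in the thread are simplifying assumptions.

```python
# Added illustration: simplified model of a GAL as "LDAP filter + ACL".
# All entries, group names and filters below are constructed sample data.
DIRECTORY = [
    {"cn": "Ana", "mailNickname": "ana", "objectClass": "user", "l": "Phoenix"},
    {"cn": "Bob", "mailNickname": "bob", "objectClass": "user", "l": "Seattle"},
    {"cn": "Vendor", "mailNickname": "vendor", "objectClass": "contact", "l": "Seattle"},
    {"cn": "svc-backup", "objectClass": "user", "l": "Phoenix"},  # not mail-enabled
]
# ACL entries are (trustee group, allow?) pairs; False means a DENY entry.
ADDRESS_LISTS = {
    "Default GAL": {"filter": "(mailNickname=*)",
                    "acl": [("Authenticated Users", True), ("Branch GAL Users", False)]},
    "Branch GAL": {"filter": "(&(mailNickname=*)(objectClass=user)(l=Phoenix))",
                   "acl": [("Branch GAL Users", True)]},
}

def parse(f, i=0):
    """Parse a filter subset: (&...), (|...), (!...), (attr=value), (attr=*)."""
    i += 1                                   # skip "("
    if f[i] in "&|!":
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1             # skip ")"
    end = f.index(")", i)
    attr, _, val = f[i:end].partition("=")
    return ("=", attr.lower(), val), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one directory entry."""
    if node[0] == "=":
        have = {k.lower(): v for k, v in entry.items()}.get(node[1])
        return have is not None and (node[2] == "*" or have.lower() == node[2].lower())
    results = [matches(kid, entry) for kid in node[1]]
    return all(results) if node[0] == "&" else any(results) if node[0] == "|" else not results[0]

def can_read(acl, groups):
    """Any matching DENY beats every ALLOW; no matching entry means no access."""
    hits = [allow for trustee, allow in acl if trustee in groups]
    return bool(hits) and all(hits)

def visible_lists(groups):
    """Return {address list name: [cn, ...]} for the lists this user may read."""
    out = {}
    for name, al in ADDRESS_LISTS.items():
        if can_read(al["acl"], groups):
            tree, _ = parse(al["filter"])
            out[name] = [e["cn"] for e in DIRECTORY if matches(tree, e)]
    return out
```

A user in both groups loses the default GAL to the DENY entry and sees only the filtered list, which also leaves out the contact (custom recipient) entry.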

