Re: NT4DC /Exchange 5.5 to Exch2003
From: Steven Halsey [MSFT] (Stevhal_at_Online.Microsoft.com)
Date: 08/07/04
Date: Sat, 7 Aug 2004 09:31:09 -0700
The main thing for the native domain is the permissions in public folders.
If a distribution list was used in 5.5 to deny or allow access to a
public folder then that is what the problem is. Basically, ADC will import
the Distribution List as a Universal Distribution Group into the Active
Directory. Exchange 2000/2003 can't use a distribution list as a
permission object, so it tries to convert the Universal Distribution Group
to Universal security group. If the domain is native mode then it normally
succeeds and there are no issues. If the domain is mixed then this upgrade
fails and an event gets logged to the event log.

The default behavior is if an item is read in the Public Folder ACL that
can't be understood (like a distribution group), then it is ignored. So if
you had a public folder "Managers", and only members of the DL "Managers"
could read the public folder and everyone else was denied read access. If
the group managers was not upgraded, then the Managers DL gets ignored for
permission issues, and hence everyone is denied access to that folder. The
Managers DL is not removed from the ACL so that at a later date the group
will be tried to upgrade again and could succeed, if say the domain was
since changed to native. Does that explain it?

So to work around this behavior, you could do 2 things: Either leave the
permissions broken then hand add group members or just wait if your mixed
mode domain will be a short time. Or second, you could change the managers
group to a local security group, this has implications to mail routing and
group usage and you would likely forget to change it back to a Universal
security group at a later date so I wouldn't really recommend this path.
Perhaps a better way to do the second would be to create a Managers2 group
that was local security and copy the membership of Managers DL.

Email to a Universal Distribution Group should always work regardless of the
mode of the domain. It is just for the public folder reasons.

Either have the Users container be your staging area or create your own
Organizational Unit in the domain. Either way it won't make much
difference. You can move the DLs, and the mailboxes around to different
Containers in the Domain at any time (so long as ADC Connection Account
still has permissions to the object in whatever container you move it to).
Just don't try and delete any of the containers that are created by ADC
until after you have removed ADC.

Hope this helps, let me know if you have any more questions.

--
Steven Halsey
Stevhal@online.microsoft.com
Microsoft Exchange

Please do not send email directly to this alias. This alias is for
newsgroup purposes only.

This posting is provided "AS IS" with no warranties, and confers no rights.

"rotech22" <anonymous@discussions.microsoft.com> wrote in message
news:19de01c47bf9$6a0d82c0$a401280a@phx.gbl...
> I have a similar situation - NT4 BDC with Exch5.5 and W2k
> server as AD DC. I'm adding a new server with W2k3 and
> Exchange 2003 - all in the same Domain. I have gone
> through all the deployment wizards to the point I'm
> running ADC Tools setting up the Connection Agreements.
>
> I get the warning about the Staging Area not being in
> native mode, and it says membership and security cannot be
> properly managed...
>
> What exactly does that mean???? Are you saying that's OK?
> Go ahead and use my W2k DC as the staging area? What
> permissions/security will not be managed then - just
> Public Folders? E-mail distribution groups will still
> function OK?
>
> Also, it suggests using the Users container as Staging
> Area. Is that recommended, or is there a better way to
> set that up?
>
> Help, please. I've been stuck for days trying to find the
> answers. TIA
>
> Roger
>
> >-----Original Message-----
> >Exchange 2003 is supported in a mixed mode domain. The only requirement is
> >that there must be Windows 2000/2003 domain controllers. For a couple of
> >permissioning issues it is recommended that you have native mode domains.
> >So you could proceed with your 1 W2k3 and 1 NT4 BDC, and put Exchange 2003 in
> >following the path laid out in the Deployment Tools/Deployment Guide. Then
> >once you had migrated your mailboxes etc from the 5.5 server you could just
> >decommission the NT4 BDC/Exchange server.
> >
> >Check out chapter 4 in the Deployment Guide:
> >http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/depguide.mspx
> >Deployment Tools:
> >http://www.microsoft.com/downloads/details.aspx?FamilyID=271E51FD-FE7D-42AD-B621-45F974ED34C0&displaylang=en
> >
> >The main issue you'll hit in a mixed mode Windows domain is:
> >http://support.microsoft.com/default.aspx?scid=kb;en-us;274046&Product=exch2003
> >You can hedge your way around this if you have a single Windows Domain by
> >changing/creating the groups as Local Security Groups. Or living with the
> >public folder behavior being broken until you complete your migration. If
> >your users are not heavy Public folder permissioning users then you could
> >probably get away with doing your migration and having the PF permissions
> >not working quite right. What happens is when Exchange encounters a group
> >permission in the security of a Public Folder it gets ignored if the group
> >is not a security group.
> >
> >Hope that helps, let me know if you need anything else explained because the
> >details here are a little light.
> >
> >--
> >Steven Halsey
> >Stevhal@online.microsoft.com
> >Microsoft Exchange
> >
> >Please do not send email directly to this alias. This alias is for
> >newsgroup purposes only.
> >
> >This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >"John - TB" <JohnTB@discussions.microsoft.com> wrote in message
> >news:57133315-5A95-410D-B0BD-4D7E91631F1B@microsoft.com...
> >> I have a current server that is an NT4BDC running Exchange 5.5
> >> This server does not have enough hard drive free space in order to upgrade
> >> to 2000 to fulfill the DC requirements listed in.
> >> http://support.microsoft.com/default.aspx?kbid=822179
> >> And Same reason it will be stuck as a NT4BDC.
> >>
> >> Exchange Server 2003 is supported in the following Active Directory
> >> environments:
> >> A domain with only Windows 2000-based domain controllers
> >> A domain with only Windows Server 2003-based domain controllers
> >> A domain with Windows 2000 and Windows Server 2003-based domain
> >> controllers
> >>
> >> I will have one W2k3 DC and one NT4 BDC
> >>
> >> Do I have to use disk partitioning software in order to upgrade the 4.0
> >> server to W2k?
> >>
> >> Any other thoughts on paths with limited user interruptions?
> >>
> >> TIA,
> >> -john
> >>
> >> --------------------------------------------------------
> >>
> >> John Surprenant
> >> www.techbridge.org
> >>
> >> TechBridge - Technology for a Better Community
> >> Affiliate of the NPower Network (www.npower.org)
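
Added example, not part of the original thread or of any Microsoft tool: a Python sketch that audits public-folder ACL entries for the condition described in the reply above, where a group that is not security-enabled is ignored during permission evaluation. It assumes you have exported each group's Active Directory `groupType` value and each folder's ACL entries yourself; the group names, folder names and rights below are constructed sample data, and the function names are hypothetical.

```python
# Added example: flag public-folder ACL entries that reference non-security groups.
# groupType bit flags as stored in the Active Directory groupType attribute.
GLOBAL, DOMAIN_LOCAL, UNIVERSAL = 0x2, 0x4, 0x8
SECURITY_ENABLED = 0x80000000

def describe_group(group_type):
    """Return (scope, is_security) for a groupType value.
    LDAP exports print the attribute as a signed 32-bit integer, so mask first."""
    bits = group_type & 0xFFFFFFFF
    if bits & UNIVERSAL:
        scope = "universal"
    elif bits & DOMAIN_LOCAL:
        scope = "domain local"
    elif bits & GLOBAL:
        scope = "global"
    else:
        scope = "unknown"
    return scope, bool(bits & SECURITY_ENABLED)

def audit_folder_acls(groups, folder_acls, native_mode):
    """List ACL entries whose group is a distribution group.
    Per the reply: native mode normally converts the group; mixed mode leaves
    the entry in the ACL but ignores it."""
    status = ("conversion to security group expected" if native_mode
              else "ignored until the group is upgraded")
    findings = []
    for folder, entries in folder_acls.items():
        for name, rights in entries:
            if name not in groups:      # user or Default entry, not a group
                continue
            scope, is_security = describe_group(groups[name])
            if not is_security:
                findings.append((folder, name, rights, scope, status))
    return findings

# Constructed sample data (not taken from the thread).
GROUPS = {
    "Managers": 8,               # universal distribution group, as imported by ADC
    "Managers2": -2147483644,    # domain local security group (the suggested copy)
    "Sales": -2147483646,        # global security group
}
FOLDER_ACLS = {
    "Managers": [("Managers", "Reviewer"), ("Default", "None")],
    "Sales Reports": [("Sales", "Author"), ("Managers", "Reviewer")],
    "Archive": [("Managers2", "Reviewer")],
}

if __name__ == "__main__":
    for row in audit_folder_acls(GROUPS, FOLDER_ACLS, native_mode=False):
        print("%s: %s (%s, %s distribution group) -> %s" % row)
```

Folders flagged in mixed mode are the ones where members of the listed group lose the access the entry was meant to grant, which is where hand-added members or a separate security group would be needed.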