Re: NT4DC /Exchange 5.5 to Exch2003

From: Steven Halsey [MSFT] (Stevhal_at_Online.Microsoft.com)
Date: 08/10/04


Date: Tue, 10 Aug 2004 09:57:10 -0700

It is referring to the Client Permissions. These are the permissions that
Exchange validates when a public folder is accessed.

The other set of permissions refers to the Windows permissions on the active
directory object. Exchange does not evaluate this permission when a client
attempts to access a public folder.

-- 
Steven Halsey
Stevhal@online.microsoft.com
Microsoft Exchange
Please do not send email directly to this alias.  This alias is for
newsgroup purposes only.
This posting is provided "AS IS" with no warranties, and confers no rights.
"rotech22" <anonymous@discussions.microsoft.com> wrote in message 
news:2ddc01c47e3e$fd08c8e0$a501280a@phx.gbl...
> Thanks for the great information Steven.  That helped a
> lot.  One last question regarding permissions on Public
> Folders:  In the properties of a Public Folder (using Exch
> Admin) there is a permissions tab that sets permissions
> using our Domain Users accounts; under the Properties
> General tab, there is a button for Client Permissions that
> sets the Owner, Author, etc using our GAL.
>
> Which permissions of the Public Folder is MS referring to
> when it talks about setting the permissions on the folder?
>
> Thanks again.  Roger
>
>
>>-----Original Message-----
>>The main thing for the native domain is the permissions in public folders.
>>If a distribution list was used in 5.5 to deny or allow access to a
>>public folder then that is what the problem is.  Basically, ADC will import
>>the Distribution List as a Universal Distribution Group into the Active
>>directory.   Exchange 2000/2003 can't use a distribution list as a
>>permission object, so it tries to convert the Universal Distribution Group
>>to Universal security group.   If the domain is native mode then it normally
>>succeeds and there are no issues.  If the domain is mixed then this upgrade
>>fails and an event gets logged to the event log.
>>
>>The default behavior is if an item is read in the Public Folder ACL that
>>can't be understood (like a distribution group), then it is ignored.  So if
>>you had a public folder "Managers", and only members of the DL "Managers"
>>could read the public folder and everyone else was denied read access.  If
>>the group managers was not upgraded, then the Managers DL gets ignored for
>>permission issues, and hence everyone is denied access to that folder.  The
>>Managers DL is not removed from the ACL so that at a later date the group
>>will be tried to upgrade again and could succeed, if say the domain was
>>since changed to native.  Does that explain it?
>>
>>So to work around this behavior, you could do 2 things:  Either leave the
>>permissions broken then hand add group members or just wait if your mixed
>>mode domain will be a short time.  Or Second, you could change the managers
>>group to a local security group,  this has implications to mail routing and
>>group Usage and you would likely forget to change it back to a Universal
>>security group at a later date so I wouldn't really recommend this path.
>>Perhaps a better way to do the second would be to create a Managers2 group
>>that was local security and copy the membership of Managers DL.
>>
>>Email to a Universal Distribution Group should always work regardless of the
>>mode of the domain.   It is just for the public folder reasons.
>>
>>Either have the Users container be your staging area or create your own
>>Organizational Unit in the domain.  Either way it won't make much
>>difference.  You can move the DLs, and the mailboxes around to different
>>Containers in the Domain at any time (so long as ADC Connection Account
>>still has permissions to the object in whatever container you move it to).
>>Just don't try and delete any of the containers that are created by ADC
>>until after you have removed ADC.
>>
>>
>>Hope this helps, let me know if you have any more questions.
>>
>>-- 
>>Steven Halsey
>>Stevhal@online.microsoft.com
>>Microsoft Exchange
>>
>>Please do not send email directly to this alias.  This alias is for
>>newsgroup purposes only.
>>
>>This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>>
>>
>>"rotech22" <anonymous@discussions.microsoft.com> wrote in message
>>news:19de01c47bf9$6a0d82c0$a401280a@phx.gbl...
>>> I have a similar situation - NT4 BDC with Exch5.5 and W2k
>>> server as AD DC.  I'm adding a new server with W2k3 and
>>> Exchange 2003 - all in the same Domain.  I have gone
>>> through all the deployment wizards to the point I'm
>>> running ADC Tools setting up the Connection Agreements.
>>>
>>> I get the warning about the Staging Area not being in
>>> native mode, and it says membership and security cannot be
>>> properly managed...
>>>
>>> What exactly does that mean????  Are you saying that's OK?
>>> Go ahead and use my W2k DC as the staging area?  What
>>> permissions/security will not be managed then - just
>>> Public Folders?  E-mail distribution groups will still
>>> function OK?
>>>
>>> Also, it suggests using the Users container as Staging
>>> Area.  Is that recommended, or is there a better way to
>>> set that up?
>>>
>>> Help, please.  I've been stuck for days trying to find the
>>> answers.  TIA
>>>
>>> Roger
>>> >-----Original Message-----
>>> >Exchange 2003 is supported in a mixed mode domain.  The only requirement is
>>> >that there must be Windows 2000/2003 domain controllers.  For a couple of
>>> >permissioning issues it is recommended that you have native mode domains.
>>> >So you could proceed with your 1 W2k3 and 1 NT4 BDC, and put Exchange 2003 in
>>> >following the path laid out in the Deployment Tools/Deployment Guide.  Then
>>> >once you had migrated your mailboxes etc from the 5.5 server you could just
>>> >decommission the NT4 BDC/Exchange server.
>>> >
>>> >Check out chapter 4 in the Deployment Guide:
>>> >http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/depguide.mspx
>>> >Deployment Tools:
>>> >http://www.microsoft.com/downloads/details.aspx?FamilyID=271E51FD-FE7D-42AD-B621-45F974ED34C0&displaylang=en
>>> >
>>> >The main issue you'll hit in a mixed mode Windows domain is:
>>> >http://support.microsoft.com/default.aspx?scid=kb;en-us;274046&Product=exch2003
>>> >You can hedge your way around this if you have a single Windows Domain by
>>> >changing/creating the groups as Local Security Groups.  Or living with the
>>> >public folder behavior being broken until you complete your migration.  If
>>> >your users are not heavy Public folder permissioning users then you could
>>> >probably get away with doing your migration and having the PF permissions
>>> >not working quite right.  What happens is when Exchange encounters a group
>>> >permission in the security of a Public Folder it gets ignored if the group
>>> >is not a security group.
>>> >
>>> >Hope that helps, let me know if you need anything else explained because the
>>> >details here are a little light.
>>> >
>>> >
>>> >-- 
>>> >Steven Halsey
>>> >Stevhal@online.microsoft.com
>>> >Microsoft Exchange
>>> >
>>> >Please do not send email directly to this alias.  This alias is for
>>> >newsgroup purposes only.
>>> >
>>> >This posting is provided "AS IS" with no warranties, and confers no rights.
>>> >
>>> >
>>> >
>>> >"John - TB" <JohnTB@discussions.microsoft.com> wrote in message
>>> >news:57133315-5A95-410D-B0BD-4D7E91631F1B@microsoft.com...
>>> >> I have a current server that is an NT4BDC running Exchange 5.5
>>> >> This server does not have enough hard drive free space in order to upgrade
>>> >> to 2000 to fulfill the DC requirements listed in.
>>> >> http://support.microsoft.com/default.aspx?kbid=822179
>>> >> And Same reason it will be stuck as a NT4BDC.
>>> >>
>>> >> Exchange Server 2003 is supported in the following Active Directory
>>> >> environments:
>>> >> A domain with only Windows 2000-based domain controllers
>>> >> A domain with only Windows Server 2003-based domain controllers
>>> >> A domain with Windows 2000 and Windows Server 2003-based domain controllers
>>> >>
>>> >> I will have one W2k3 DC and one NT4 BDC
>>> >>
>>> >> Do I have to use disk partitioning software in order to upgrade the 4.0
>>> >> server to W2k?
>>> >>
>>> >> Any other thoughts on paths with limited user interruptions?
>>> >>
>>> >> TIA,
>>> >> -john
>>> >>
>>> >> --------------------------------------------------------
>>> >>
>>> >> John Surprenant
>>> >> www.techbridge.org
>>> >>
>>> >> TechBridge - Technology for a Better Community
>>> >> Affiliate of the NPower Network (www.npower.org)
>>> >
>>> >
>>> >.
>>> >
>>
>>
>>.
>> 
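
The behaviour described in the quoted replies above (a public folder ACL entry for a group that is not a security group is skipped but left in place, so its members fall through to the folder's default rights) can be modelled as follows. This is an added example, not part of the thread and not Exchange's own code; the `Group` and `Entry` types, the `Default` entry, the user-then-group-then-default precedence and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    name: str
    security_enabled: bool   # False: distribution group, as imported by ADC
    members: frozenset

@dataclass(frozen=True)
class Entry:                 # one client-permission entry on a folder
    principal: str           # user name, group name, or "Default"
    can_read: bool

def usable(group, native_mode):
    # Assumption: converting a distribution group to a security group
    # succeeds in a native-mode domain and fails in a mixed-mode one.
    return group.security_enabled or native_mode

def can_read(user, acl, groups, native_mode):
    """Simplified model: user entry, then usable group entries, then Default."""
    default, via_group = False, []
    for e in acl:
        if e.principal == user:
            return e.can_read
        if e.principal == "Default":
            default = e.can_read
        elif e.principal in groups:
            g = groups[e.principal]
            # An unusable group entry is skipped but stays in the ACL.
            if user in g.members and usable(g, native_mode):
                via_group.append(e.can_read)
    return any(via_group) if via_group else default

def ignored_entries(folders, groups, native_mode):
    """Audit: (folder, group) pairs whose entry is currently being skipped."""
    return sorted((f, e.principal) for f, acl in folders.items() for e in acl
                  if e.principal in groups
                  and not usable(groups[e.principal], native_mode))

# Constructed sample data (not from the thread's environment).
GROUPS = {
    "Managers":  Group("Managers", False, frozenset({"alice"})),
    "Managers2": Group("Managers2", True, frozenset({"alice"})),
}
FOLDERS = {"Managers": [Entry("Default", False), Entry("Managers", True)]}
WORKAROUND = FOLDERS["Managers"] + [Entry("Managers2", True)]

if __name__ == "__main__":
    for native in (False, True):
        print(native, can_read("alice", FOLDERS["Managers"], GROUPS, native))
```

`ignored_entries` gives the list of folders to review before the migration, and `WORKAROUND` shows the separate security group with copied membership restoring access while the domain is still mixed mode.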
