Microsoft KB Archive/296051

= XADM: Public Folders Lose ACEs After Exchange 2000 Is Introduced to an Existing Exchange Server 5.5 Organization =

Article ID: 296051

Article Last Modified on 2/27/2007

-

APPLIES TO


 * Microsoft Exchange 2000 Server Standard Edition
 * Microsoft Exchange 2000 Enterprise Server

-



This article was previously published under Q296051



SYMPTOMS
When an Exchange 2000 server joins an existing Microsoft Exchange Server 5.5 organization, the public folder Access Control Lists (ACLs) may lose some Access Control Entries (ACEs).

An event ID 9551 message that is similar to the following may also be logged in Event Viewer:

Event Type: Warning

Event Source: MSExchangeIS Public Store

Event Category: General

Event ID: 9551

Date: 2001-03-29

Time: 08:31:33

User: N/A

Computer: Exchange Server

Description:

An error occurred while upgrading the ACL on folder [Public Folders]/PF located on database &quot;First Storage Group\Public Folder Store (Exchange Server)&quot;.

The Information Store was unable to convert the security for /O=Org/OU=Site/CN=RECIPIENTS/CN=DL into a Windows 2000 Security Identifier. It is possible that this is caused by latency in the Active Directory Service, if so, wait until the user record is replicated to the Active Directory and attempt to access the folder (it will be upgraded in place). If the specified object does NOT get replicated to the Active Directory, use the Microsoft Exchange System Manager or the Exchange Client to update the ACL on the folder manually. The access rights in the ACE for this DN were 0x41b.



CAUSE
This issue occurs because all of the recipients in Exchange Server 5.5 must be represented in Active Directory before an Exchange 2000 server can join the site. You can make sure that the Exchange Server 5.5 recipients are represented in Active Directory by using the Active Directory Connector (ADC). If the Exchange Server 5.5 recipients are not represented in Active Directory before an Exchange 2000 server joins the site, the issue that is described in the &quot;Symptoms&quot; section of this article may occur.



WORKAROUND
To work around this issue, make sure that all of the Exchange Server 5.5 recipients are represented in Active Directory before you start a migration.

You may also be able to work around this issue by restoring a backup of one of the Exchange Server 5.5 public folder information stores on a spare server, exporting the permissions with PfAdmin, and then importing the permissions again by using PFAdmin. For additional information about this procedure, click the article number below to view the article in the Microsoft Knowledge Base:

199319 XADM: Extracting Public Folder Permissions Using PFADMIN



STATUS
This behavior is by design.



MORE INFORMATION
The problem occurs if a change on the Exchange 2000 side requires replication to Exchange Server 5.5, and not all users are represented in Active Directory. The Exchange 2000 server is identified as more recent than the others. The Exchange 2000 server sends a status message for its entire hierarchy; 24 hours later, other servers request the Exchange 2000 server's hierarchy. This causes Exchange 2000 to replace the data in ptagACLData, (the earlier-version Exchange Server 5.5 ACL) with the data in ptagNTSD that contains the Exchange 2000 ACL. The ptagNTSD only contains accounts in Active Directory that are security principals.

Because of this, the ptagACLData that contains the earlier-version permissions for Exchange Server 5.5 removes all ACEs that are not represented in Active Directory. The ptagACLData is then replicated with the rest of the hierarchy to Exchange Server 5.5, and the ACEs are removed in the Exchange Server 5.5 ACL as well.

Keywords: kbprb KB296051

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.