Ureader.com  
Microsoft software help and Community
   home   |   control panel login   |   archive   |  
 
Exchange
2000.active.directory
2000.admin
2000.announcements
2000.app.conversion
2000.applications
2000.clients
2000.clustering
2000.connectivity
2000.development
2000.documentation
2000.general
2000.information.store
2000.interop
2000.kms
2000.misc
2000.protocols
2000.realtime.collabo.
2000.setup
2000.transport
2000.win2000
admin
application.conversion
applications
clients
clustering
connectivity
design
development
misc
mobility
setup
tools
  
 
date: Tue, 1 Jul 2008 03:28:01 -0700,    group: microsoft.public.exchange.setup        back       


Setup /PrepareLegacyPermissions permitts wrong group in multi doma    
Following environment:
root-domain: fsmo-roles, one DC 64bit for Exchange Setup
company-domain: user objects, uninstalled ADC E2k3 Server
server.company-subdomain: computer objects, E2k3 Server Cluster
special.company-subdomain: computer objects
production.compnay-subdomain: computer objects

sites: office (2 GC, 1 DC of each domain except production), production (1 
GC of company domain, 2GC, 1DC of production) separated by a firewall

After Setup /PL for all domains (except production) we got the strange right 
for the domain object in the compnay domain (all other are okay). The 
Exchange Enterprise Servers (EES), which is domain local was added with the 
special access for Exchange Information not form the company domain but from 
the server.company subdomain. So all users were missing rights for the 
company EES (i.e.: read and write alias). After going to advanced and 
changing the Group fom servers.company\EES to company\EES i got the read 
alias right, but there are compared to the other subdomains and the root 
domain many rights missing. In the ExchangeSetup.Log it is shown this wrong 
EES was selected so that I presume that there is an error in the Powershell 
script for the pl option (tested sp1 and rtm version).
Anyone who experienced the same?
Anyone knowing how to set the "Special Access for Exchange Information" 
rights with dsacls?

thanks
date: Tue, 1 Jul 2008 03:28:01 -0700   author:   ClemensBe

RE: Setup /PrepareLegacyPermissions permitts wrong group in multi doma    
additional info:
for the company domain we get MSExchangeAL 8317, 8168, 8022, 8270
for all other domains everthing okay, RUS is running (checked with 
user-objects)
date: Tue, 1 Jul 2008 03:36:01 -0700   author:   -clem

Problem solved: DSACLS to give rights on Exchange Information    
To solve the Problem I executed manually what setup /bl is doing for each 
domain (could verify that for the other domains):

dsacls "dc=company,dc=local" /I:T /G "company\Exchange Enterprise 
Servers":WP;"Exchange Information" 

dsacls "cn=AdminSDHolder,cn=system,dc=company,dc=local" /I:T /G 
"company\Exchange Enterprise Servers":RPWP;"Exchange Information"

dsacls "cn=ExOrg,cn=Microsoft 
Exchange,cn=Services,cn=Configuration,dc=root,dc=local" /I:T /G 
"company\Exchange Domain Servers":WP;"Exchange Information"

Obviously you have to replace company by your Domain and exorg by your 
Exchange Organisation Name Values!

For further information see: 
http://technet.microsoft.com/en-us/library/bb288907.aspx, ExchangeSetup.log 
and the rights.ldf file in setup\data.
Look there for 1F298A89-DE98-47b8-B5CD-572AD53D267E = "Exchange Information"
date: Tue, 1 Jul 2008 05:25:02 -0700   author:   -clem

Google
 
Web ureader.com


    COPYRIGHT 2007, YARDI TECHNOLOGY LIMITED, ALL RIGHT RESERVE  |   contact us