Logging into Exchange with NT vs. AD accounts in mixed mode
I'm planning an NT 4.0/Exchange 5.5 to Windows Server 2003/Exchange 2003 upgrade. In a new, parallel Active Directory deployment, I will use the Active Directory Migration Tool to migrate/copy user accounts to Active Directory. Then, I will use it again to modify the access control lists (ACLs) of the Exchange 5.5 mailboxes, so that the new Active Directory accounts would become the new owners.
After I run that, can I still log in with the old NT accounts and access those mailboxes? Or can I only log in with the Active Directory account from that point on?
It depends on the permissions that are modified during the ACL update. If you leave the old NT account as the primary NT account of the Exchange 5.5 mailbox, then the new account should still have access to the resource via SIDHistory. But it would require you to keep the legacy domain online indefinitely, and have a functioning trust in place.
You should determine how long you want to keep the legacy domain online, then re-ACL the primary NT accounts to the new accounts. After that, you can have your users log into the Active Directory domain versus NT.
This was first published in November 2005