Configure Exchange to ignore zombie ACEs and ACLs


Brien M. Posey
03.01.2005

Microsoft designed Exchange Server 2003 so it can co-exist with Exchange 5.5 if necessary. Unfortunately, the complexity of co-existence and the vast differences between the two versions can create problems with access control entries (ACE) and access control lists (ACL).

When an Exchange 2003 server is introduced into an Exchange 5.5 organization, the format of all the Exchange 5.5 ACLs and ACEs is modified in order to make co-existence possible. However, problems can occur if you fail to replicate the entire Exchange 5.5 directory to Active Directory or if you attempt a Directory Service/Information Store consistency adjustment against the Exchange 5.5 organization.

Most of the time, these issues manifest themselves in the form of performance problems or the inability to view public folders homed on a different server than your mailbox. You can usually get past these problems just by cleaning up any inconsistencies that might exist between the Exchange 5.5 directory and Active Directory.

Occasionally, though, you may encounter a more serious ACE and ACL-related problem. I have seen situations in which organizations will either decommission an Exchange 5.5 server or upgrade the server to Exchange 2003 while inconsistencies still exist. This causes an interesting problem, because you can't go back to the Exchange 5.5 server and fix the inconsistencies, since the server no longer exists (at least not in its previous form).

When a situation like this occurs, there are two different ways you can fix the problem. The easiest solution is to convert your Exchange organization to native mode (this is different than converting your Windows domain to native mode). When you convert your Exchange organization to native mode, Exchange will automatically ignore any zombie ACEs and ACLs. The problem is that you can't switch to native mode if you still have any Exchange 5.5 servers in your organization. Furthermore, once you switch to native mode, there is no going back, so you will never be able to join another Exchange 5.5 server to your organization.

The other solution is to create a registry key on your Exchange servers that will make Exchange ignore zombie ACLs and ACEs.

Important: Modifying the registry can be dangerous. An incorrect registry modification can destroy Windows and/or your applications. Perform a full system backup before continuing.

If you ever need Exchange to not ignore zombies for some reason, you can either set the registry key's value to 0x0 or you can delete it completely.

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com.

MEMBER FEEDBACK TO THIS EXCHANGE SERVER TIP

Is this also applicable for Exchange 2000?
—Jason H.

******************************************

I'm inclined to think that the procedure will work with Exchange 2000, but I'm not absolutely positive.
—Brien M. Posey, tip author

All Rights Reserved, Copyright 2004 - 2009, TechTarget