Permissions and 'mixed mode' don't mix, part 2


Brien M. Posey, Contributor
06.29.2004


Yesterday, I talked about some of the problems you may face if you are administering an environment with different versions of Exchange. As I mentioned, Exchange 2000 and Exchange 2003 both use AD. Although Exchange 5.5 is not AD-aware, Exchange 2000 and 2003 are backward compatible with it through something called mixed mode.

One problem you may run into relates to public folder permissions. One possible solution, in addition to careful planning, is to run a DS/IS Consistency Adjustment.

Before I explain how to run a DS/IS Consistency Adjustment, I want to pass along some words of caution. First, you need to verify that all sites within your Exchange organization are accessible before running the check. If a site is not accessible at the time that the check is run, you could end up disconnecting the site or causing other major problems.

Second, don't try to run a DS/IS consistency check without manually confirming the existence of corresponding AD accounts first. The DS/IS consistency check will delete references to users who do not have AD accounts.

How to run a DS/IS consistency check
First, open the Exchange Administrator program and select the server containing the public folders that you intend to replicate. Next, select the Properties command from the File menu to reveal the server's Properties sheet. Now, select the Properties sheet's Advanced tab and click Consistency Adjuster to open the dialog box.

When the DS/IS Consistency Adjuster opens, select the Remove Unknown User Accounts from the Public Folder Permissions checkbox and select the All Inconsistencies radio button. It is very important that all other checkboxes are deselected before running the consistency adjustment.

Once the consistency adjustment is complete, it is safe to start migrating public folders to the new server. Even so, there are some other issues that you must watch out for.

Remember that the original cause of the problem that I just described was a mismatch between the public folder's permissions and the AD membership. The DS/IS consistency check will guarantee that the Exchange 5.5 organization and the AD match by deleting anything in Exchange 5.5 that doesn't have a corresponding AD entry. Just because everything matches at the time of migration, though, doesn't mean that things will always match.

For example, suppose that you had a user with a mailbox residing on an Exchange 5.5 server, and access to a public folder that is also on that same server. Even if you deleted the user's mailbox, the user's ACL entries for the public folder remain. All of a sudden there are public folder permissions for which no account exists!

In an Exchange 2000 mixed-mode environment, all users would lose access to the public folder in question (except for the folder's owner). However, this issue was addressed in Exchange 2000 Service Pack 1 and in Exchange Server 2003. Service Pack 1 for Exchange 2000 allowed Exchange to tell the difference between an initial public folder migration and a subsequent permission update. If a mismatch occurs and is related to an update rather than to an initial deployment, the mismatch is simply ignored.

As you can see, some of the permission problems associated with mixed-mode environments can be solved by simply applying service packs or by upgrading to Exchange Server 2003.
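One way to do the pre-check described above (confirming that every public folder ACL entry has a corresponding AD account before running the adjuster), as an added example that is not part of the original tip. The two inline exports, their column layout, and all folder and account names are constructed for illustration; they are not a format produced by any Exchange tool.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports; the column layout is an assumption for this example.
ACL_EXPORT = r"""folder,account,role
Sales,CORP\asmith,Owner
Sales,CORP\bjones,Author
Sales,corp\CLee,Reviewer
HR,CORP\dkim,Owner
HR,CORP\bjones,Editor
Archive,CORP\bjones,Owner
"""
AD_ACCOUNTS = r"""CORP\ASmith
CORP\clee
CORP\dkim
"""

def normalize(account):
    """Windows account names compare case-insensitively; trim stray spaces."""
    return account.strip().lower()

def load_ad_accounts(text):
    return {normalize(line) for line in text.splitlines() if line.strip()}

def audit_acls(acl_csv, ad_text):
    """Return {folder: {"orphans": [...], "remaining": [...]}} for every folder
    that has at least one ACL entry without a matching AD account."""
    known = load_ad_accounts(ad_text)
    folders = defaultdict(lambda: {"orphans": [], "remaining": []})
    for row in csv.DictReader(io.StringIO(acl_csv)):
        entry = (row["account"].strip(), row["role"].strip())
        bucket = "remaining" if normalize(row["account"]) in known else "orphans"
        folders[row["folder"].strip()][bucket].append(entry)
    return {f: v for f, v in folders.items() if v["orphans"]}

def report(findings):
    lines = []
    for folder, v in sorted(findings.items()):
        for account, role in v["orphans"]:
            lines.append(f"{folder}: {account} ({role}) has no AD account")
        if not v["remaining"]:
            lines.append(f"{folder}: no ACL entry would survive the adjustment")
    return lines

if __name__ == "__main__":
    print("\n".join(report(audit_acls(ACL_EXPORT, AD_ACCOUNTS))))
```

Folders flagged with no surviving entry deserve a manual review before the adjustment, since every permission on them would be removed.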

However, there is one other issue that you need to be aware of. Exchange Server 2000 and 2003 provide a mechanism that allows you to view and/or alter public folder permissions through the Exchange System Manager (at the ptagNTSD level). If you alter the permissions at this level in a mixed-mode environment, then MAPI-based tools such as Outlook can no longer be used to control the folder's permissions. If you try, you will receive an error stating that there is an invalid Windows Handle.

Again, the solution is to avoid the problem in the first place. As long as you use only MAPI-based tools to modify folder permissions, you should never encounter this issue.

To read part one, click here.


Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.
