Cross-site moves: The importance of proper ADC Connection Agreements

re: Cross-site moves: The importance of proper ADC Connection Agreements

Tony Du — Wed, 25 May 2005 02:26:19 GMT

Evan,

I have read your posts regarding cross site move by using E2K3 SP1.

We are in mixed-mode Exchange 5.5 to Exchange 2003 migration which includes site consolidation (cross site mailbox move). We find an issue related to mailbox delegated permission.

For example, MailboxA and MailboxB were both in same Exchange 5.5 site (source). And mailboxB has delegated access to mailbox folders of mailboxA. Then mailboxB was cross site moved to Exchange 2003 via ESM (E2K3 SP1).

Logon mailboxA we could still see mailboxB on folder permission list which pointed to "Stub" hidden object of mailboxB left in source site. When this "Stub" object got deleted, name of mailboxB on permission entry list changed to its original DN name. We do wait (overnight) for more than 12hrs for ADC and DIRsync settled down.

Basically issue is that cross site moved mailbox lost its delegated access to some resources mailboxes still in source site.

I have not tested the situation of mailboxA cross moved as well.

As you indicated your post I can clearly see proxy address of X500:ADCDeleteWhenUnlinked dropped from "stub" hidden object and all DL membeship replicated and retain without problem for mailboxB.

I wonder if the cross site move tool covers situation of retaining mailbox delegate permissions. In my understanding those ACLs on are IS on DS of Exch55. ADC may not be able to handle. If not, we may have RCA issue here.

Hopefully you may cross similar situation and had good advices.

Mnay thanks,
Tony Du
tony.du@gsjbw.com

re: Cross-site moves: The importance of proper ADC Connection Agreements

evand — Wed, 25 May 2005 03:33:49 GMT

Tony -

Cross-site mixed-mode mailbox moves definitely do take mailbox delegation into account.

Exchange 2003 Sp1 servers are smart enough to take into account the idea that a mailbox might have been moved across 5.5 site boundaries, and that an X500 address on this moved mailbox might also be a suitable replacement as a directory-identifier for the "obj-dist-name" (ie - LegDN) attribute.

So, the short answer to your question is: Always move the manager (ie - the person who has the permissions defined in their mailbox) either before or at the same time as the delegate (the person who has been grated permissions in the manager's mailbox). And once this move is complete, be sure that the mailbox stays on an E2k3 Sp1 server.

This will ensure that the permissions are always evaluated by an E2k3 Sp1 server. Once the delegate has also been moved, the permissions will still properly resolve, and you'll never have a "broken" state.

Even if you've already moved the delegate, all hope is not lost. Simply move the manager to an E2k3 SP1 server, and the delegate permissions should resolve themselves at that point.

Hope it helps!
Evan

Weekend reading

subject: exchange — Fri, 27 May 2005 10:33:22 GMT

re: Cross-site moves: The importance of proper ADC Connection Agreements

philmara — Fri, 27 May 2005 12:14:42 GMT

I used cross site moved twice and it works fine.
I think the wizards are the best practice, even if you need to check after (CA for example).
The major problem is replication or network link, so same troobleshoot as a normal move mailbox.

Last point, THANKS EVAN, your blogs helps me a lot especially because I tried it when the service pack was launched on a 20,000 international mbx structure.

Philippe