Allow user from trusted domain to access mailbox

  • Question

  • Recently our company merged with another company, so now we have 2 forests in the organization, forest A and forest B. I have created a domain trust between domain A and domain B. Domain A is running on Win 2000 in mixed mode while domain B is on Win 2008 in native mode. I have a request from a user in domain B to access a mailbox in domain A. Is it possible for me to grant the permission to a user from domain B? I have read that you can create a domain local group in domain A and add the user from domain B to the domain local group. After that you can assign permission to the domain local group to access the mailbox. I just want to know whether it is workable or whether I need to change my AD to 2003 native mode in order for it to work. Any advice appreciated.
    Friday, June 17, 2011 7:07 AM

Answers

  • While your procedure definitely will work, you'll have to get rid of your NT4 BDCs and raise the domain level. In a Windows 2000 domain that is operating in mixed mode, if a domain user logs in who is a member of a Domain Local Security Group, the token that is generated for the logged on user will not have Domain Local Security Group in TOKEN_GROUPS.

    You might get away with raising the functional level to Windows 2000 native mode (very long ago for my part), but there are at least two additional benefits in your scenario if you raise the forest level to 2003:

    * You can establish a forest trust
    * Only changes in Universal Group memberships are replicated

    Domain Local Groups Cannot Be Used in Mixed-Mode Domain
    http://support.microsoft.com/kb/296369

    Domain Local Group scope in Windows 2000 domain operation modes
    http://support.microsoft.com/kb/259392


    MCTS: Messaging | MCSE: S+M
    • Marked as answer by Affendi M H Monday, June 20, 2011 2:58 AM
    Saturday, June 18, 2011 4:28 AM
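As an added example (not from the thread, the KB articles or any Microsoft tool), the procedure and the caveat above in PowerShell over ADSI/LDAP: read domain A's operating mode first, and only in native mode create the Domain Local group and add the domain B user by SID. It assumes it runs from a machine that can reach domain A's DCs with rights to create groups; the domain name, OU, group name and SID are constructed placeholders.

```powershell
# Added example, not from the thread: inspect domain A's operating mode over LDAP
# before relying on a Domain Local group for cross-domain mailbox access, then
# create the group and add the domain B user by SID. All names and the SID are
# constructed placeholders.
$DomainA   = "domaina.example"                    # placeholder FQDN of domain A
$GroupOU   = "OU=Groups,DC=domaina,DC=example"    # placeholder container for the group
$GroupName = "MBX-Finance-Shared-Access"          # placeholder group name
$UserBSid  = "S-1-5-21-111-222-333-1001"          # placeholder SID of the domain B user

# Domain mode lives on the domain naming context: ntMixedDomain is 1 in mixed mode
# and 0 in native mode; msDS-Behavior-Version (absent on a pre-2003 schema) is
# 0 = Windows 2000, 2 = Windows Server 2003, 3 = Windows Server 2008.
$domainRoot = [ADSI]"LDAP://$DomainA"
$mixed = [int]$domainRoot.Properties["ntMixedDomain"].Value
$level = $domainRoot.Properties["msDS-Behavior-Version"].Value
if ($mixed -eq 1) {
    # KB 296369: Domain Local groups are left out of TOKEN_GROUPS in mixed mode,
    # so a mailbox ACE for the group would never match. Stop instead of creating
    # a group that cannot work.
    throw "$DomainA is in mixed mode (msDS-Behavior-Version=$level); raise the domain level first."
}

# Native mode: create a security-enabled Domain Local group in domain A.
# groupType 0x80000004 = ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED,
# written as the signed 32-bit value the attribute expects.
$container = [ADSI]"LDAP://$GroupOU"
$group = $container.Create("group", "CN=$GroupName")
$group.Put("sAMAccountName", $GroupName)
$group.Put("groupType", [int]-2147483644)
$group.SetInfo()

# Adding a member from the trusted forest by SID makes domain A's DC create the
# foreignSecurityPrincipal object for the user and link it to the group.
$group.Add("LDAP://<SID=$UserBSid>")

# Verification: after the domain B user logs on again, 'whoami /groups' in their
# session should list DOMAINA\$GroupName (the group is in the token); only then
# grant that group rights on the mailbox through the Exchange tools.
```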

All replies

  • What is the Exchange version?
    Mumin CICEK | www.cozumpark.com | Please click Vote As Helpful if it is helpful for you and Propose as Answer!!!
    Friday, June 17, 2011 9:00 PM
  • I am still running on Exchange 2003. Thanks for the info Jon. I'll do a bit more reading from the articles you provided so I can explain it to my boss better. Thanks for the explanation.
    Monday, June 20, 2011 2:58 AM