Interesting.

I can't think of anything that a FSMO role move would have changed that would have caused that behavior. However, my love of Exchange is not unknown on this list nor is it, in my opinion, unfounded. There are many things in Exchange that aren't quite logical. :o)

So anyway, did anything ELSE change and are you sure and how do you know?

I would assume that you set up the mailbox so that the DC2 machine account had full mailbox access? If not, how was it accessing the mailbox? Any errors in the event log? What do you see in a network trace?

joe
-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, April 02, 2004 7:07 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Move FSMO Roles Affect Permissions?

Windows 2000 Native Mode, flat (single) domain, single site.

DC1 and DC2 are both Windows 2000 servers w/sp3 plus all current hotfixes. Until last Sunday (3/28), DC1 held all FSMO roles. Both DC1 and DC2 are GCs.

DC2 runs a service, under localsystem, that logs into an Exchange mailbox, which is explicitly set to allow "Domain Admins" to have "Full Mailbox Access". Everything works fine.

Two Wednesdays ago (3/24), a Windows 2003 DC (DC3) was introduced into the mix. It was allowed to be there for five days to ensure no problems happened.

Last Sunday (3/28), all FSMO roles were moved to DC3.

This Wednesday (3/31) the service running on DC2 suddenly reports that it can't log into the Exchange mailbox anymore. After a restart it reports the same thing. After a reboot it reports the same thing.

It took changing the service account to a domain admin account for the service to start operating again.

Two questions:

1) Just WTF? :-)

2) Should I have expected that transferring FSMO roles would affect how permissions of localsystem on a DC were applied?

3) Why the 3 day delay?

(yeah yeah, I know that was three, not two, but the first one was really specious.)

Thanks,
Michael
