Sometimes writing out a summary helps. It looks like the problem was
that my permission assignment for the Exch2000Mailbox to the
ExchsyncSecurityFolder didn't take effect for some reason. When I went
in using Outlook 2000 as that user, I couldn't see the public folder. I
changed the Default right to Owner and the InterOrg Sync tool started
working. I'll need to tighten the rights back down, but at least I can
see where the problem is. Thanks for your help.

Russell Ragar, MCSE+I, CCNA, CNE
Senior Network Engineer
PowerTV, Inc.

-----Original Message-----
From: Ragar, Russell
Sent: Wednesday, July 10, 2002 3:23 PM
To: Exchange Discussions
Subject: Permission Problems with Interorg Replication between Exchange 5.5 and Exchange 2000

I believe I am having permission problems setting up the Interorg
Replication utility.
I am attempting to set up bidirectional Interorg Replication of the
Free/Busy Folders between an Exchange 5.5 (SP4) Org running on an NT 4.0
domain and an Exchange 2000 (SP2) Org running on a
single-domain/tree/forest AD domain. AD domain trusts the NT 4.0
domain, but not the reverse. The Interorg Replication service is
running on a Win2K member server of the AD domain using the Exchange
service account from the NT 4.0 domain. Using the domain trust, I've
granted that account full send as/receive as rights for the public
folder container and the mailbox container. Logged in as the Exchange
5.5 service account on the InterOrg Replication server, I am able to use
Outlook 2000 to access the Exchange 5.5 mailbox and the Exchange 2000
mailbox (using two different profiles). I've granted the Exchange 2000
mailbox owner rights to the Schedule+ Free Busy public folder.
Both Interorg Replication logs show:
Start Time : Wednesday, July 10, 2002 14:54:45
ERROR: Unable to initialize MAPI interface.
ERROR: Current relication session skipped.
@@STATS 0 0 0 0 0 0 0 0
Stop Time : Wednesday, July 10, 2002 14:54:53
The event log of the InterOrg Replication server shows:
------------------------------------------------------------------------------
Source: Exchsync
Category: None
Event ID: 116
Mailbox user [Exchange 2K mailbox] does not have enough security to
replicate to server [Exhange 2K server] on session 'Exchange 2K to
Exchange 5.5'.
------------------------------------------------------------------------------
Source: Exchsync
Category: None
Event ID: 115
Mailbox user [Exchange 2K mailbox] does not have enough security to
replicate to server [Exhange 2K server] on session 'Exchange 5.5 to
Exchange 2K'.
------------------------------------------------------------------------------
The security event log of the Exchange 2K Server shows:
------------------------------------------------------------------------------
Source: Security
Category: Object Access
Event ID: 565
User: NT4\NT4ServiceAccount
Object Open:
Object Server: Microsoft Exchange
Object Type: Microsoft Exchange Logon
Object Name: /o=PowerTV/ou=First Administrative
Group/cn=Recipients/cn=exch2Kmailbox
New Handle ID: -
Operation ID: {0,2147434465}
Process ID: 1784
Primary User Name: Exch2KSrv$
Primary Domain: WIN2K
Primary Logon ID: (0x0,0x3E7)
Client User Name: Services
Client Domain: NT4
Client Logon ID: (0x0,0x7FFAB0F6)
Accesses Unknown specific access (bit 8)
Privileges -
Properties:
DELETE
ACCESS_SYS_SEC
MAX_ALLOWED
Unknown specific access (bit 5)
Unknown specific access (bit 7)
Unknown specific access (bit 8)
Unknown specific access (bit 11)
Unknown specific access (bit 14)
Unknown specific access (bit 15)
%{ab721a54-1e2f-11d0-9819-00aa0040529b}
------------------------------------------------------------------------------
It looks like a permission is missing when accessing the Exchange 2K
mailbox using the NT 4.0 account, but I can do so using Outlook 2000
manually so I'm not certain what the missing permission could be. Any
ideas?
FYI, I tried overriding the service account authentication for the Exch2K
mailbox using the account and domain settings in the Interorg tool, but
I get the same result and it also shows that the service account from
the trusted domain is the account that is failing to get the access
(i.e. the override doesn't work).
Russell Ragar, MCSE+I, CNE, CCNA
Senior Network Engineer
PowerTV, Inc.
_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
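
As an added example (not part of the original thread, and not code from the Interorg tool): a Python parser for an Event ID 565 record like the one quoted above, reporting which account actually opened the mailbox object, whether the logon crossed a domain boundary, and whether it differs from the account the administrator configured. The sample text is constructed from that record, and the `configured_account` parameter and its value are hypothetical.

```python
import re

# Constructed sample: the Event ID 565 record quoted in the message above,
# abridged, with the wrapped Object Name joined back onto one line.
SAMPLE_EVENT = r"""
Source: Security
Event ID: 565
User: NT4\NT4ServiceAccount
Object Type: Microsoft Exchange Logon
Object Name: /o=PowerTV/ou=First Administrative Group/cn=Recipients/cn=exch2Kmailbox
Primary User Name: Exch2KSrv$
Primary Domain: WIN2K
Client User Name: Services
Client Domain: NT4
Accesses Unknown specific access (bit 8)
Properties:
DELETE
ACCESS_SYS_SEC
MAX_ALLOWED
"""

FIELD = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")

def parse_event(text):
    """Split an event description into 'Name: value' fields and bare lines."""
    fields, bare = {}, []
    for line in (l.strip() for l in text.splitlines()):
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
        elif line:
            bare.append(line)
    return fields, bare

def summarize_logon(text, configured_account=None):
    """Report which account opened which mailbox object, and from where.

    configured_account is a hypothetical parameter: the DOMAIN\\user the
    administrator expected the tool to present for this mailbox.
    """
    fields, bare = parse_event(text)
    if (fields.get("Event ID"), fields.get("Object Type")) != ("565", "Microsoft Exchange Logon"):
        return None  # not an Exchange logon audit record
    account = fields["User"]
    return {
        "account": account,
        "mailbox": fields["Object Name"].rsplit("/cn=", 1)[-1],
        # True when the client logon came from a different domain than the server's
        "cross_domain": fields["Client Domain"] != fields["Primary Domain"],
        "override_ignored": bool(configured_account)
        and account.lower() != configured_account.lower(),
        "accesses": [b[len("Accesses "):] for b in bare if b.startswith("Accesses ")],
    }
```

Run over exported Security log text, a record with `override_ignored` set shows the same condition described in the message: the trusted-domain service account, not the configured one, is what reached the mailbox.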