Exchange / Active Directory Problems (admin group incorrect for certain users)
We have an additional domain within our AD forest which also has an Exchange server in its own admin group.

It appears that a number of user accounts in this domain are displaying the wrong admin group when checking "Exchange advanced" and "admin group" on AD accounts. The problem first came to light when a number of Blackberry users reported problems. The mailboxes have never moved and are still visible in the correct Exchange admin group. However, AD continues to specify the default admin group, which is used for the forest domain Exchange server.

I've created a new test user account with mailbox on that server and the correct admin group is displayed. I don't want to have to start creating user accounts for the 200+ users. It doesn't affect all users on this domain / Exchange server. Very strange!

I've been trying to find out exactly how this has happened and how I can make sure that the user account specifies the correct admin group.

Any help would be greatly appreciated.

Many Thanks
February 16th, 2011 9:51am

On Wed, 16 Feb 2011 14:40:34 +0000, Hozzie wrote:

>We have an additional domain within our AD forest which also has an Exchange server in its own admin group.
>
>It appears that a number of user accounts in this domain are displaying the wrong admin group when checking "Exchange advanced" and "admin group" on AD accounts. The problem first came to light when a number of Blackberry users reported problems. The mailboxes have never moved and are still visible in the correct Exchange admin group. However, AD continues to specify the default admin group, which is used for the forest domain Exchange server.
>
>I've created a new test user account with mailbox on that server and the correct admin group is displayed. I don't want to have to start creating user accounts for the 200+ users. It doesn't affect all users on this domain / Exchange server. Very strange!
>
>I've been trying to find out exactly how this has happened and how I can make sure that the user account specifies the correct admin group.
>
>Any help would be greatly appreciated.

You're referring to the legacyExchangeDN property value assigned to a user? The names in that property stopped being significant in Exchange 2000 (well, at least in terms of "which directory owns the writable copy of the mailbox").

---
Rich Matheisen
MCSE+I, Exchange MVP
February 16th, 2011 10:10pm

Hi Rich,

Yes, I think that's the value. It's causing problems with our Blackberry users. The BES server thinks that the mailbox is in that admin group even though it's definitely visible in another admin group. The problem only came to light because of the Blackberry problems.

The only fix I've got at the moment is to exmerge the mailbox to *.pst, delete the existing mailbox, then create a new mailbox and import the *.pst using exmerge.

Is it possible to edit this value in adsiedit for the users having the problems?
February 17th, 2011 6:51am

I found the legacyExchangeDN field in adsiedit and managed to change the admin group to the correct one. Removed / added problem users from Blackberry Enterprise Manager and all appears to be working.
February 17th, 2011 12:27pm

On Thu, 17 Feb 2011 17:17:56 +0000, Hozzie wrote:

>I found the legacyExchangeDN field in adsiedit and managed to change the admin group to the correct one.
>
>Removed / added problem users from Blackberry Enterprise Manager and all appears to be working.

Well, that's a Blackberry problem, then. The legacyExchangeDN *used* to be significant but it no longer is. It's still used by Exchange though, so when you changed the value you ensured that any e-mail previously sent by that mailbox will now return an NDR when anyone inside your organization replies to the message -- unless you place the original legacyExchangeDN value into a custom X500 address for the user.

By changing the LDN you probably also broke any mailbox folder permissions, access to calendar items, and other things.

Let's just say that changing the LDN is not something to be undertaken lightly (if at all).

---
Rich Matheisen
MCSE+I, Exchange MVP
February 17th, 2011 4:47pm
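
The custom X500 address mentioned in the reply above, together with a read-only check for the admin group mismatch this thread describes, as an added example that is not part of the original thread. The function names, `ExampleOrg`, the server and admin group names and the sample accounts are all constructed; the commented `Get-ADUser` line assumes the ActiveDirectory module is available.

```powershell
# Added example: read-only helpers. Every name and value in $users is constructed.

function Get-LdnAdminGroup([string]$LegacyExchangeDN) {
    # legacyExchangeDN form: /o=<org>/ou=<admin group>/cn=Recipients/cn=<alias>
    if ($LegacyExchangeDN -match '^/o=[^/]+/ou=([^/]+)/') { return $Matches[1] }
    return $null
}

function Get-StoreAdminGroup([string]$HomeMDB) {
    # homeMDB is the mailbox store DN; the admin group is the RDN that sits
    # directly under CN=Administrative Groups. Escaped commas are not handled.
    if ($HomeMDB -match ',CN=([^,]+),CN=Administrative Groups,') { return $Matches[1] }
    return $null
}

function Get-MissingX500([string]$OldLegacyExchangeDN, [string[]]$ProxyAddresses) {
    # Returns the X500 address that carries the original LDN, or $null when
    # proxyAddresses already has it (-contains ignores case).
    $wanted = "X500:$OldLegacyExchangeDN"
    if ($ProxyAddresses -contains $wanted) { return $null }
    return $wanted
}

$cfg = 'CN=Administrative Groups,CN=ExampleOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com'
$users = @(
    [pscustomobject]@{ SamAccountName = 'user1'
        legacyExchangeDN = '/o=ExampleOrg/ou=First Administrative Group/cn=Recipients/cn=user1'
        homeMDB = "CN=Mailbox Store (EX2),CN=First Storage Group,CN=InformationStore,CN=EX2,CN=Servers,CN=Child AG,$cfg" }
    [pscustomobject]@{ SamAccountName = 'user2'
        legacyExchangeDN = '/o=ExampleOrg/ou=Child AG/cn=Recipients/cn=user2'
        homeMDB = "CN=Mailbox Store (EX2),CN=First Storage Group,CN=InformationStore,CN=EX2,CN=Servers,CN=Child AG,$cfg" }
)
# Live input instead of the sample (assumes the ActiveDirectory module):
# $users = Get-ADUser -LDAPFilter '(homeMDB=*)' -Properties legacyExchangeDN, homeMDB

# List accounts whose LDN names a different admin group than the mailbox store does.
$users | ForEach-Object {
    $ldn = Get-LdnAdminGroup $_.legacyExchangeDN
    $store = Get-StoreAdminGroup $_.homeMDB
    if ($ldn -and $store -and $ldn -ne $store) {
        [pscustomobject]@{ User = $_.SamAccountName; LdnAdminGroup = $ldn; StoreAdminGroup = $store }
    }
}

# For an account whose LDN was already edited, pass the value it had before the edit.
Get-MissingX500 '/o=ExampleOrg/ou=First Administrative Group/cn=Recipients/cn=user1' @('SMTP:user1@example.com')
```

Nothing here writes to the directory; the returned X500 string is what would be added to the user's proxyAddresses.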

I'll get a proper test of the accounts I've modified.

Fortunately, it's only around 6 Blackberry users. I've not changed any of the other users that appear to have the incorrect admin group.

So with Exchange 2003 the LDN has no significance? The other forums I've read elsewhere online must relate to older versions.

Everything else is working properly on the Blackberry server, so it must be a permissions issue between the 2 domains? All besadmin permissions are correct and nothing has changed. As soon as I changed the LDN, the Blackberry Server was able to access the mailbox as that's the admin group it referenced against. The Exchange server that has users with issues also has Blackberry users with no problems. These are ones listed against the correct admin group.

Thanks for your advice.
February 17th, 2011 5:37pm

On Thu, 17 Feb 2011 22:21:44 +0000, Hozzie wrote:

>I'll get a proper test of the accounts I've modified.
>
>Fortunately, it's only around 6 Blackberry users. I've not changed any of the other users that appear to have the incorrect admin group.
>
>So with Exchange 2003 the LDN has no significance?

Only to uniquely identify the mailbox.

>The other forums I've read elsewhere online must relate to older versions.

Before Exchange 2000 each administrative group had its own set of users. You couldn't move a user from one administrative group to another. Once you got rid of the old Exchange servers and switched the organization to native mode operation that restriction disappeared. So moving a user from one mailbox server in AG1 to another one in AG2 was possible -- but the LDN value never changed. If Blackberry has a problem with that then shame on them.

>Everything else is working properly on the Blackberry server,

... and on the Exchange servers.

>so it must be a permissions issue between the 2 domains?

If that were true then changing the LDN wouldn't fix the problem. In fact, changing the LDN should have broken the user in BES since it's the LDN that's used to ID the user.

>All besadmin permissions are correct and nothing has changed. As soon as I changed the LDN, the Blackberry Server was able to access the mailbox as that's the admin group it referenced against. The Exchange server that has users with issues also has Blackberry users with no problems. These are ones listed against the correct admin group.

You might find better information about how BES used the legacyExchangeDN value in their support site or forums.

---
Rich Matheisen
MCSE+I, Exchange MVP
February 17th, 2011 11:51pm

I do find a similar case that has been fixed by modifying the "LegacyExchangeDN" entry.

Please run ExBPA against the Exchange server for a health and permission check.

James Luo
TechNet Subscriber Support in forum
February 18th, 2011 12:51am

On Fri, 18 Feb 2011 05:43:07 +0000, James-Luo wrote:

>I do find a similar case that has been fixed by modifying the "LegacyExchangeDN" entry

And I'm pretty sure you'll find cases that were caused by changing the legacyExchangeDN as well. ;-)

---
Rich Matheisen
MCSE+I, Exchange MVP
February 18th, 2011 3:01pm
