Title: Understanding Public Folders in Exchange 2000 Part I Jude Egbejimba Program Manager Exchange Microso
1 Understanding Public Folders in Exchange 2000, Part I
Jude Egbejimba, Program Manager, Exchange, Microsoft Corporation
2 Required Knowledge
- This presentation assumes a knowledge of the following technologies:
  - Microsoft Exchange Server 5.5
  - Microsoft Windows 2000 Server
  - Microsoft Exchange 2000 Server
3 Agenda for Part I
- Public folder overview
- Public folder replication
- Windows 2000 groups
- Permissions
- Active Directory Connector
- Public folder referral
- Outlook Web Access (OWA)
4 Agenda for Part II
- The WebCast for Part II will take place on March 20, 2001. Mark your calendars.
- Part II will focus on troubleshooting public folder issues. We will learn some tips to help prevent, or diagnose and resolve, public folder problems.
5 What We Will Not Discuss in Part I or Part II
- Inter-organizational scenarios
- Coexistence with foreign messaging platforms
- Application development with public folders
6 Acronyms Used
- PF: public folder
- ACL: access control list
- UDG: universal distribution group
- USG: universal security group
- DL: distribution list
- IPM: interpersonal message
7 Acronyms Used (2)
- ESM: Exchange System Manager
- ADC: Active Directory Connector
- CA: Connection Agreement
- E2K: Microsoft Exchange 2000
- Ex55: Microsoft Exchange 5.5
- Win2K: Microsoft Windows 2000
8 Public Folder Overview: IPM and Non-IPM Subtree
- IPM_Subtree
  - Public folders
- Non IPM_Subtree
  - System folders
  - Free/Busy folder
  - Events registry
  - MAPI forms
  - Offline address lists
9 Top-level Hierarchy (TLH)
- A TLH is the root of a public folder tree
- E2K can have one MAPI and unlimited application TLHs
- A server can have multiple public folder stores
- On a server, there can be only one public store per hierarchy
- There can only be one public store for each TLH per cluster
- There can only be one MAPI TLH in the organization
10 Client Access to Public Folders
11 Mail-enabled Public Folders
- A mail-enabled folder is a PF that has a directory entry, so that it can be looked up in the address book and sent e-mail
- In Ex55, all PFs were mail-enabled (hidden by default)
12 Public Folder Replication
- Replication is the transmittal of data stored in PFs between stores in the same TLH through a mail-based replication engine
- MAPI folders can replicate between Exchange 5.5 and Exchange 2000
- Application TLH public folders replicate only between Exchange 2000 stores
- Types of replication messages: hierarchy, content, backfill, and status
- All updates (create, delete, and modify) are assigned change numbers (CNs)
13 PF Hierarchy Replication
- The hierarchy is the content of a special folder, 1-1
- This folder 1-1 is replicated to all the stores in the same TLH through hierarchy replication messages
- A hierarchy replication message is generated whenever the hierarchy is modified
- Hierarchy replication events occur every 5 minutes by default
14 PF Hierarchy Replication (2)
15 PF Content Replication
- PF contents replicate between individual replicas of folders
- A content replication message is generated whenever the contents of a folder are modified
- Content replication events occur every 15 minutes by default
16 PF Content Replication (2)
17 Backfill Replication
- Backfilling allows stores that have missed replication updates to become synchronized
- A backfill request message is used to request a backfill of missing CN sets
- A backfill response message is used to respond to a backfill request message, and contains the requested data
18 Backfill Replication (2)
19 Status Replication
- There are two categories: status messages and status requests
- A status message is sent by one store to another, to allow the receiving store to determine if it is synchronized with the sender
- A status request is sent by one store to another, to trigger the replication of missing updates
- Status requests are less common in E2K
20 DLs and Windows 2000 Groups: Review
- Exchange 5.5
  - Distribution lists
  - Membership from any site
  - Usable in any site
  - Two functions
    - Mail distribution
    - Public folder access
- Exchange 2000
  - Distribution lists no longer exist
  - We use Windows 2000 groups
21 Windows 2000 Groups: Types
- Distribution groups
  - Used only for e-mail distribution lists
  - Cannot be used in access control lists (ACLs)
- Security groups
  - Used in access control lists
  - Can be mail-enabled and used for both e-mail distribution and ACLs
22 Windows 2000 Groups: Scope
- Domain local
  - Membership from anywhere, local scope of use
- Domain global
  - Membership from local domain, global scope of use
- Universal
  - Membership from anywhere, global scope of use
23 UDGs vs. USGs
- Universal distribution groups (UDG)
  - ADC will, by default, replicate Exchange 5.5 DLs as UDGs
  - Cannot be used to ACL Public Folders
  - Can be converted to security group in a native mode domain
- Universal mail-enabled security groups (USG)
  - Can only be created in native mode Windows 2000 domains
  - Can contain membership from mixed mode domains
24 Converting UDGs to USGs
- The Exchange 2000 store will convert distribution groups to security groups at these points:
  - PF upgrade from 5.5 to 2000
  - PF replication from 5.5 to 2000
  - Assignment of rights on a 2000 PF through Outlook or ESM
  - Client access, if the UDG has not been successfully converted
- Conversion from UDG to USG only works in a native mode domain
- Only UDGs that are used in ACLs are converted
25 Permissions: Exchange 5.5 ACLs
26 Exchange 5.5 ACLs
- ACLs on folders are stored in an ACLID table
- ACLID table points to an ACL Member table, which holds the DNs of objects ACLd on the folder
- There is no ACL property on the folder itself
- To replicate permissions, these properties are used:
  - ptagACLData
  - ptagExtendedACLData
27 Exchange 2000 ACLs (2)
- ACLs are now a property of folders
  - ptagNTSD
  - ptagAdminNTSD
- Access to a folder is no longer based on DNs; it is based on the Windows NT Security ID of the user
- Tip: When viewing client ACLs in ESM
  - MAPI folders display MAPI permissions
  - Non-MAPI folders always show NTSD permissions
- Tip: To view NTSD permissions on a MAPI folder, press CTRL and click permissions
28 MAPI Permissions
29 NTSD Permissions
30 ACL Replication Between 5.5 and E2K
- From Exchange 5.5 to Exchange 2000
  - Replication Engine on E2K drops ptagNTSD and ptagAdminNTSD
  - E2K converts the ptagACLData to NT SIDs
  - If the conversion fails, only Owners will be promoted to ptagNTSD
- Why would ACL upgrade fail?
  - Unknown object in 5.5 PF permissions that is not represented in AD
  - Object is in AD but has no msExchMailboxSecurityDescriptor or msExchMasterAccountSID attributes
  - UDGs not converted to USG
31 ACL Replication Between 5.5 and E2K (2)
- Ramifications of a failed ACL upgrade
  - Only Owners can see the public folder
  - Other users cannot see the folders and sub-folders in the hierarchy
  - Owners cannot modify ACLs on the PFs
- Event IDs logged include
  - 9551 - Error while upgrading ACL for a DN
  - 9548 - Disabled user does not have master account SID
  - 9556 - Failed UDG to USG conversion
- Replication from Exchange 2000 to Exchange 5.5
  - ptagACLData and ptagExtendedACLData are calculated, because Exchange 5.5 does not understand ptagNTSD
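The failure causes on slide 30 and the outcome on slide 31 can be turned into a pre-migration check over a folder's permissions list. The Python below is an added example, not part of the original presentation or of Exchange. It is a simplified model: the `AdObject` class, the sample DNs and roles are constructed, and it assumes that any single unconvertible entry fails the whole ACL and that an Owner who cannot be converted is not promoted.

```python
from dataclasses import dataclass

@dataclass
class AdObject:
    kind: str                   # "user", "USG" or "UDG"
    has_sid_attr: bool = True   # msExchMailboxSecurityDescriptor or msExchMasterAccountSID present
    native_mode: bool = True    # the object's domain is in native mode

def conversion_failure(dn, directory):
    """Return None if the DN can be mapped to a SID, else the reason from slide 30."""
    obj = directory.get(dn)
    if obj is None:
        return "not represented in AD"
    if obj.kind == "UDG" and not obj.native_mode:
        return "UDG not converted to USG"   # conversion only works in native mode
    if obj.kind == "user" and not obj.has_sid_attr:
        return "no msExchMailboxSecurityDescriptor or msExchMasterAccountSID"
    return None

def upgrade_acl(acl, directory):
    """acl: list of (dn, role). Returns (resulting_acl, failures)."""
    failures = {}
    for dn, _role in acl:
        reason = conversion_failure(dn, directory)
        if reason:
            failures[dn] = reason
    if not failures:
        return list(acl), failures
    # Modelled outcome of a failed upgrade: only Owners are promoted to ptagNTSD.
    owners = [(dn, role) for dn, role in acl if role == "Owner" and dn not in failures]
    return owners, failures

# Constructed sample data (DNs, names and roles are made up for illustration).
DIRECTORY = {
    "/o=Example/ou=HQ/cn=alice": AdObject("user"),
    "/o=Example/ou=HQ/cn=bob": AdObject("user", has_sid_attr=False),
    "/o=Example/ou=HQ/cn=sales-dl": AdObject("UDG", native_mode=False),
    "/o=Example/ou=HQ/cn=eng-dl": AdObject("UDG"),
}
FOLDER_ACL = [
    ("/o=Example/ou=HQ/cn=alice", "Owner"),
    ("/o=Example/ou=HQ/cn=bob", "Author"),
    ("/o=Example/ou=HQ/cn=sales-dl", "Reviewer"),
    ("/o=Example/ou=HQ/cn=eng-dl", "Editor"),
    ("/o=Example/ou=HQ/cn=zombie", "Editor"),
]

if __name__ == "__main__":
    result, failures = upgrade_acl(FOLDER_ACL, DIRECTORY)
    print("resulting ACL:", result)
    for dn, reason in failures.items():
        print("fix before migration:", dn, "->", reason)
```

In the sample, three entries block the upgrade, so everyone except the Owner loses access even though `eng-dl` on its own would have converted cleanly.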
32 Active Directory Connector: Review
- There are three types of connection agreements
  - Configuration CA
  - User CA
  - Public folder CA
- Configuration CA replicates Site/Admin Group Configuration objects
- User CA replicates mailboxes, custom recipients, and distribution lists
- Public folder CA replicates PF directory objects to the Microsoft Exchange System Objects container
33 Active Directory Connector
34 Active Directory Connector: Tips
- Configure User CA and PF CA to replicate between Windows 2000 DC/GC and an SRS, where possible
- Configure User CA to replicate Ex5.5 DLs to native mode Windows 2000 domain
- Create a PF CA to all the sites in your org
- Run DS/IS to remove zombie users from PF permissions list before any CA is created
35 Public Folder Referral
- Ex55 PF affinity has been replaced by E2K PF referral
- In E2K the store uses routing to calculate the cost of a server (in Ex55 we used the costs in the affinity table)
- PF referrals are transitive
- A connector can be set to allow/disallow PF referrals (default is to allow)
36 Public Folder Referral: Choosing the Public Store
- Client attempts to view the contents of a folder
- Store.exe retrieves the replica list of the folder
- If replica is on the same server, the client will access it directly
- If replica is on other servers in the same RG, the client is referred to one of those servers
- If replica is only on a server in another RG, the client is referred to the server with the cheapest cost
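The selection order on slide 36, combined with the transitive, per-connector referral rules on slide 35, can be modelled as a cheapest-path search. The Python below is an added example, not part of the original presentation or of Exchange. It is a simplified model: the server names, RG names, costs and one-way connectors are constructed, "same server" is taken to mean the server the client is connected to, and the tie-break among same-RG servers (alphabetical) is an assumption.

```python
import heapq

def route_costs(source_rg, connectors):
    """Cheapest cost from source_rg to each reachable RG (Dijkstra).
    connectors: list of (from_rg, to_rg, cost, allow_pf_referrals)."""
    graph = {}
    for src, dst, cost, allow_referrals in connectors:
        if allow_referrals:      # a connector that disallows PF referrals is skipped
            graph.setdefault(src, []).append((dst, cost))
    best = {source_rg: 0}
    heap = [(0, source_rg)]
    while heap:
        cost, rg = heapq.heappop(heap)
        if cost > best[rg]:
            continue             # stale heap entry
        for nxt, step in graph.get(rg, []):
            if cost + step < best.get(nxt, float("inf")):
                best[nxt] = cost + step   # referrals are transitive: costs add up per hop
                heapq.heappush(heap, (cost + step, nxt))
    return best

def choose_replica(home_server, replicas, server_rg, connectors):
    """Return (server, how) following the order on slide 36."""
    if home_server in replicas:
        return home_server, "direct"
    home_rg = server_rg[home_server]
    local = sorted(s for s in replicas if server_rg[s] == home_rg)
    if local:
        return local[0], "referral-same-rg"
    costs = route_costs(home_rg, connectors)
    reachable = sorted((costs[server_rg[s]], s) for s in replicas if server_rg[s] in costs)
    if not reachable:
        return None, "no-referral"   # every path crosses a connector that disallows referrals
    return reachable[0][1], "referral-remote-rg"

# Constructed sample topology (names and costs are made up for illustration).
SERVER_RG = {"srvA1": "RG-A", "srvA2": "RG-A", "srvB1": "RG-B", "srvC1": "RG-C"}
CONNECTORS = [
    ("RG-A", "RG-B", 10, True),
    ("RG-B", "RG-C", 10, True),
    ("RG-A", "RG-C", 5, False),      # cheapest link, but PF referrals are disallowed
]

if __name__ == "__main__":
    print(choose_replica("srvA1", {"srvC1"}, SERVER_RG, CONNECTORS))
    print(route_costs("RG-A", CONNECTORS))
```

The direct RG-A to RG-C connector is the cheapest but disallows referrals, so the client still reaches `srvC1`, at cost 20 through RG-B.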
37 Outlook Web Access
- To view public folders from OWA, you need a virtual directory for the TLH
- MAPI TLH virtual directory, public, is automatically created by setup
  - http://<servername>/public/
- A replica of the folder must exist on an E2K server
38 Further Reading
- Exchange 2000 public folder replication: http://www.exinternals.com/Quickdocs/PFRepl.pdf
  The URL above goes to a site outside of the Microsoft domain.