Understanding Public Folders in Exchange 2000 Part I Jude Egbejimba Program Manager Exchange Microso - PowerPoint PPT Presentation

1
Understanding Public Folders in Exchange 2000, Part I
Jude Egbejimba, Program Manager, Exchange
Microsoft Corporation
2
Required Knowledge
  • This presentation assumes a knowledge of the
    following technologies:
  • Microsoft Exchange Server 5.5
  • Microsoft Windows 2000 Server
  • Microsoft Exchange 2000 Server

3
Agenda for Part I
  • Public folder overview
  • Public folder replication
  • Windows 2000 groups
  • Permissions
  • Active Directory Connector
  • Public folder referral
  • Outlook Web Access (OWA)

4
Agenda for Part II
  • The WebCast for Part II will take place on March
    20, 2001. Mark your calendars.
  • Part II will focus on troubleshooting public
    folder issues. We will learn some tips to help
    prevent, or diagnose and resolve public folder
    problems.

5
What We Will Not Discuss in Part I or Part II
  • Inter-organizational scenarios
  • Coexistence with foreign messaging platforms
  • Application development with public folders

6
Acronyms Used
  • PF: public folder
  • ACL: access control list
  • UDG: universal distribution group
  • USG: universal security group
  • DL: distribution list
  • IPM: interpersonal message

7
Acronyms Used (2)
  • ESM: Exchange System Manager
  • ADC: Active Directory Connector
  • CA: Connection Agreement
  • E2K: Microsoft Exchange 2000
  • Ex55: Microsoft Exchange 5.5
  • Win2K: Microsoft Windows 2000

8
Public Folder Overview: IPM and Non-IPM Subtree
  • IPM_Subtree
    • Public folders
  • Non IPM_Subtree
    • System folders
    • Free/Busy folder
    • Events registry
    • MAPI forms
    • Offline address lists

9
Top-level Hierarchy (TLH)
  • A TLH is the root of a public folder tree
  • E2K can have one MAPI and unlimited application
    TLHs
  • A server can have multiple public folder stores
  • On a server, there can be only one public store
    per hierarchy
  • There can only be one public store for each TLH
    per cluster
  • There can only be one MAPI TLH in the organization

10
Client Access to Public Folders
11
Mail-enabled Public Folders
  • A mail-enabled folder is a PF that has a
    directory entry, so that it can be looked up in
    the address book and sent in e-mail
  • In Ex55, all PFs were mail-enabled (hidden by
    default)

12
Public Folder Replication
  • Replication is the transmittal of data stored in
    PFs between stores in the same TLH through a
    mail-based replication engine
  • MAPI folders can replicate between Exchange 5.5
    and Exchange 2000
  • Application TLH public folders replicate only
    between Exchange 2000 stores
  • Types of replication messages: hierarchy,
    content, backfill, and status
  • All updates (create, delete, and modify) are
    assigned change numbers (CNs)

13
PF Hierarchy Replication
  • The hierarchy is the content of a special folder,
    1-1
  • This folder 1-1 is replicated to all the stores
    in the same TLH through hierarchy replication
    messages
  • A hierarchy replication message is generated
    whenever the hierarchy is modified
  • Hierarchy replication events occur every 5
    minutes by default

14
PF Hierarchy Replication (2)
15
PF Content Replication
  • PF contents replicate between individual replicas
    of folders
  • A content replication message is generated
    whenever the contents of a folder are modified
  • Content replication events occur every 15 minutes
    by default

16
PF Content Replication (2)
17
Backfill Replication
  • Backfilling allows stores that have missed
    replication updates to become synchronized
  • A backfill request message is used to request a
    backfill of missing CN sets
  • A backfill response message is used to respond to
    a backfill request message, and contains the
    requested data

18
Backfill Replication (2)
19
Status Replication
  • There are two categories: status messages and
    status requests
  • A status message is sent by one store to another,
    to allow the receiving store to determine if it
    is synchronized with the sender
  • A status request is sent by one store to another,
    to trigger the replication of missing updates
  • Status requests are less common in E2K

20
DLs and Windows 2000 Groups: Review
  • Exchange 5.5
    • Distribution lists
      • Membership from any site
      • Usable in any site
      • Two functions
        • Mail distribution
        • Public folder access
  • Exchange 2000
    • Distribution lists no longer exist
    • We use Windows 2000 groups

21
Windows 2000 Groups: Types
  • Distribution groups
    • Used only for e-mail distribution lists
    • Cannot be used in access control lists (ACLs)
  • Security groups
    • Used in access control lists
    • Can be mail-enabled and used for both e-mail
      distribution and ACLs

22
Windows 2000 Groups: Scope
  • Domain local
    • Membership from anywhere, local scope of use
  • Domain global
    • Membership from local domain, global scope of use
  • Universal
    • Membership from anywhere, global scope of use

23
UDGs vs. USGs
  • Universal distribution groups (UDG)
    • ADC will, by default, replicate Exchange 5.5 DLs
      as UDGs
    • Cannot be used to ACL Public Folders
    • Can be converted to security group in a native
      mode domain
  • Universal mail-enabled security groups (USG)
    • Can only be created in native mode Windows 2000
      domains
    • Can contain membership from mixed mode domains

24
Converting UDGs to USGs
  • The Exchange 2000 store will convert distribution
    groups to security groups at these points:
    • PF upgrade from 5.5 to 2000
    • PF replication from 5.5 to 2000
    • Assignment of rights on a 2000 PF through Outlook
      or ESM
    • Client access, if the UDG has not been
      successfully converted
  • Conversion from UDG to USG only works in a native
    mode domain
  • Only UDGs that are used in ACLs are converted

25
Permissions: Exchange 5.5 ACLs
26
Exchange 5.5 ACLs
  • ACLs on folders are stored in an ACLID table
  • ACLID table points to an ACL Member table, which
    holds the DNs of objects ACLd on the folder
  • There is no ACL property on the folder itself
  • To replicate permissions, these properties are
    used:
    • ptagACLData
    • ptagExtendedACLData

27
Exchange 2000 ACLs (2)
  • ACLs are now a property of folders
    • ptagNTSD
    • ptagAdminNTSD
  • Access to a folder is no longer based on DNs; it
    is based on the Windows NT Security ID of the
    user
  • Tip: When viewing client ACLs in ESM
    • MAPI folders display MAPI permissions
    • Non-MAPI folders always show NTSD permissions
  • Tip: To view NTSD permissions on a MAPI folder,
    press CTRL and click permissions

28
MAPI Permissions
29
NTSD Permissions
30
ACL Replication Between 5.5 and E2K
  • From Exchange 5.5 to Exchange 2000
    • Replication Engine on E2K drops ptagNTSD and
      ptagAdminNTSD
    • E2K converts the ptagACLData to NT SIDs
    • If the conversion fails, only Owners will be
      promoted to ptagNTSD
  • Why would ACL upgrade fail?
    • Unknown object in 5.5 PF permissions that is not
      represented in AD
    • Object is in AD but has no
      msExchMailboxSecurityDescriptor or
      msExchMasterAccountSID attributes
    • UDGs not converted to USG

31
ACL Replication Between 5.5 and E2K (2)
  • Ramifications of a failed ACL upgrade
    • Only Owners can see the public folder
    • Other users cannot see the folders and
      sub-folders in the hierarchy
    • Owners cannot modify ACLs on the PFs
  • Event IDs logged include
    • 9551 - Error while upgrading ACL for a DN
    • 9548 - Disabled user does not have master account
      SID
    • 9556 - Failed UDG to USG conversion
  • Replication from Exchange 2000 to Exchange 5.5
    • ptagACLData and ptagExtendedACLData are
      calculated, because Exchange 5.5 does not
      understand ptagNTSD
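
A pre-migration check built from the failure causes and event IDs on the two slides above. This is an added example, not Exchange code or part of the original presentation. The AdObject record, the sample DNs and roles, the rule that one failing entry fails the whole folder, and the split between 9551 and 9548 for users missing both attributes are assumptions.

```python
from dataclasses import dataclass, field

# Event IDs exactly as listed on the slide above.
ACL_UPGRADE_ERROR, NO_MASTER_SID, UDG_CONVERSION_FAILED = 9551, 9548, 9556
SID_ATTRS = {"msExchMailboxSecurityDescriptor", "msExchMasterAccountSID"}

@dataclass
class AdObject:                      # hypothetical stand-in for an AD export row
    kind: str                        # "user", "UDG" or "USG"
    enabled: bool = True
    attrs: set = field(default_factory=set)
    native_mode_domain: bool = True

def expected_event(dn, directory):
    """Return the event ID this ACL entry is expected to log, or None if it converts."""
    obj = directory.get(dn)
    if obj is None:                  # unknown object, not represented in AD
        return ACL_UPGRADE_ERROR
    if obj.kind == "UDG":            # UDG to USG only works in a native mode domain
        return None if obj.native_mode_domain else UDG_CONVERSION_FAILED
    if obj.kind == "user" and not (obj.attrs & SID_ATTRS):
        # Assumption: a disabled account maps to 9548, any other user to 9551.
        return ACL_UPGRADE_ERROR if obj.enabled else NO_MASTER_SID
    return None

def precheck_folder(acl, directory):
    """acl: list of (dn, role). Returns (entries kept after upgrade, {dn: event})."""
    events = {dn: ev for dn, _ in acl if (ev := expected_event(dn, directory))}
    if not events:
        return list(acl), events
    # Failed upgrade: only Owners are promoted to ptagNTSD.
    return [(dn, role) for dn, role in acl if role == "Owner"], events

# Constructed sample data (DNs, roles and attributes are illustrative only).
DIRECTORY = {
    "cn=alice": AdObject("user", attrs={"msExchMailboxSecurityDescriptor"}),
    "cn=svc-old": AdObject("user", enabled=False),
    "cn=sales-dl": AdObject("UDG", native_mode_domain=False),
    "cn=finance": AdObject("USG"),
}
FOLDER_ACL = [("cn=alice", "Owner"), ("cn=svc-old", "Author"),
              ("cn=sales-dl", "Reviewer"), ("cn=zombie", "Editor"),
              ("cn=finance", "Author")]

if __name__ == "__main__":
    kept, events = precheck_folder(FOLDER_ACL, DIRECTORY)
    print("kept after upgrade:", kept)
    print("expected events:", events)
```

Running it against the constructed ACL shows the access impact the slide describes: three unresolved entries are enough to leave only the Owner on the folder.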

32
Active Directory Connector: Review
  • There are three types of connection agreements
    • Configuration CA
    • User CA
    • Public folder CA
  • Configuration CA replicates Site/Admin Group
    Configuration objects
  • User CA replicates mailboxes, custom recipients,
    and distribution lists
  • Public folder CA replicates PF directory objects
    to the Microsoft Exchange System Objects container

33
Active Directory Connector
34
Active Directory Connector: Tips
  • Configure User CA and PF CA to replicate between
    Windows 2000 DC/GC and an SRS, where possible
  • Configure User CA to replicate Ex5.5 DLs to
    native mode Windows 2000 domain
  • Create a PF CA to all the sites in your org
  • Run DS/IS to remove zombie users from PF
    permissions list before any CA is created

35
Public Folder Referral
  • Ex55 PF affinity has been replaced by E2K PF
    referral
  • In E2K the store uses routing to calculate the
    cost of a server (in Ex55 we used the costs in
    the affinity table)
  • PF referrals are transitive
  • A connector can be set to allow/disallow PF
    referrals (default is to allow)

36
Public Folder Referral: Choosing the Public Store
  • Client attempts to view the contents of a folder
  • Store.exe retrieves the replica list of the
    folder
  • If a replica is on the same server, the client
    will access it directly
  • If replicas are on other servers in the same RG,
    the client is referred to one of those servers
  • If replicas are only on servers in another RG,
    the client is referred to the server with the
    cheapest cost
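
The selection steps above, combined with the transitive referrals and per-connector allow/disallow setting from the previous slide, as an added example that is not Exchange code or part of the original presentation. Server and RG names, the connector tuple layout, additive costs across hops, and the alphabetical pick among same-RG servers are assumptions.

```python
import heapq

def rg_costs(source_rg, connectors):
    """Cheapest cost from source_rg to each reachable RG (Dijkstra).

    connectors: (from_rg, to_rg, cost, allow_pf_referrals) tuples. Connectors
    that disallow PF referrals are skipped; multi-hop paths model transitivity.
    """
    best = {source_rg: 0}
    queue = [(0, source_rg)]
    while queue:
        dist, rg = heapq.heappop(queue)
        if dist > best[rg]:
            continue                  # stale queue entry
        for src, dst, cost, allow in connectors:
            if src == rg and allow and dist + cost < best.get(dst, float("inf")):
                best[dst] = dist + cost
                heapq.heappush(queue, (dist + cost, dst))
    return best

def choose_public_store(local_server, replicas, server_rg, connectors):
    """Return the server the client should use, or None if no replica is reachable."""
    if local_server in replicas:      # replica on the same server: direct access
        return local_server
    local_rg = server_rg[local_server]
    same_rg = sorted(s for s in replicas if server_rg[s] == local_rg)
    if same_rg:                       # "one of those servers"; choice is an assumption
        return same_rg[0]
    costs = rg_costs(local_rg, connectors)
    reachable = [(costs[server_rg[s]], s) for s in replicas if server_rg[s] in costs]
    return min(reachable)[1] if reachable else None

# Constructed sample topology (all names and costs are illustrative).
SERVER_RG = {"EX1": "RG-A", "EX2": "RG-A", "EX3": "RG-B", "EX4": "RG-C"}
CONNECTORS = [
    ("RG-A", "RG-B", 10, True),
    ("RG-B", "RG-C", 10, True),
    ("RG-A", "RG-C", 50, False),      # direct link, but PF referrals disallowed
]

if __name__ == "__main__":
    print(choose_public_store("EX1", {"EX4"}, SERVER_RG, CONNECTORS))
```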

37
Outlook Web Access
  • To view public folders from OWA, you need a
    virtual directory for the TLH
  • The MAPI TLH virtual directory, public, is
    automatically created by setup
    • http://<servername>/public/
  • A replica of the folder must exist on an E2K
    server

38
Further Reading
  • Exchange 2000 public folder replication
    http://www.exinternals.com/Quickdocs/PFRepl.pdf

The URL above goes to a site outside of the
Microsoft domain.