You cannot add a distribution group to permissions of a public folder in Exchange 2000

Article ID: 274046 - View products that this article applies to.
This article was previously published under Q274046

Symptoms

When you attempt to add a Distribution Group (DG) to the Permissions tab of a public folder, you may receive the following error messages:

From Exchange System Manager (dialog title "Exchange System Manager"):
    The operation failed.
    80004005

From Outlook:
    The Client Operation Failed.
You may also see one of the following events in the Exchange Server application event log:
Event Type: Error
Event Source: MSExchangeIS Public Store
Event Category: General
Event ID: 9556
Description:
Unable to set permission for DL /O=Org/OU=Site/cn=Recipients/cn=GroupName because it could not be converted to a security group. This most likely is because your system is in a Mixed domain.

Event Type: Error
Event Source: MSExchangeIS Public Store
Event Category: General
Event ID: 9552
Description:
While processing public folder replication, moving user, or copying folders on database "First Storage Group\Public Folder Store (ServerName), DL /O=Org/OU=Site/CN=Recipients/CN=GroupName could not be converted to a security group. Please grant or deny permissions to this DL on Folder (Public Folders)/TestFolders/TestFolder1 again. This most likely is because your system is in a Mixed mode domain.

Cause

You can only use Microsoft Windows 2000 Universal Security Groups (USGs) for client permissions. If you try to add a Universal Distribution Group (UDG) to a client permission, the Exchange information store converts the UDG to a USG.

Note This conversion occurs without any notification to the user who is adding the UDG.

Only a Native-mode Windows 2000 domain can make this conversion, because USGs are only available in Native mode. If a Mixed mode domain tries to make the conversion, you receive the error messages that are mentioned in the "Symptoms" section.

Additionally, a domain Recipient Update Service must exist for the Native-mode domain that contains the UDGs. If there is no domain Recipient Update Service, you receive the error messages that are mentioned in the "Symptoms" section.

Resolution

To use a Microsoft Exchange Server 5.5 Distribution List (DL) for client permissions, the DL must be a USG, and USGs can only exist in Native-mode domains.

There must be a Native-mode Windows 2000 domain in your forest that can hold the USGs. To accommodate this, you can either convert your existing domain to Native mode, or install another domain that you can use to manage the USGs, and that you can switch to a Native-mode domain. This allows the store process to correctly convert UDGs to USGs.

UDGs can only be converted to USGs if a domain Recipient Update Service exists for the domain that contains the UDGs. If you install an Exchange 2000 server or an Exchange 2003 server in the Native-mode domain, a Recipient Update Service for that domain is created automatically. Otherwise, you must manually create a domain Recipient Update Service for the domain.

Note Make sure to review the domain structure before you convert it to Native mode.

For more information about how to convert to Native mode, click the following article number to view the article in the Microsoft Knowledge Base:
186153 Modes supported by Windows 2000 domain controllers
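The two conditions the Cause and Resolution sections describe can be checked directly in Active Directory: the group's groupType attribute tells you whether it is already a Universal Security Group or a Universal Distribution Group that the store would have to convert, and the domain's nTMixedDomain attribute tells you whether that domain is in Native mode. The following PowerShell is an added example and is not part of this Knowledge Base article or any Microsoft tool; the attribute names and bit flags are the standard Active Directory ones, while the domain DN, the group name and the sample groupType values are constructed placeholders.

```powershell
# Added example (not from the KB article): decode a group's groupType bits and
# the domain's nTMixedDomain flag to see whether the store's UDG-to-USG
# conversion can succeed. Uses ADSI/System.DirectoryServices so it works on
# any domain-joined machine without the ActiveDirectory module.

function Get-GroupTypeInfo {
    param([Parameter(Mandatory = $true)][int64]$GroupType)

    # AD stores groupType as a signed 32-bit integer; the "security enabled"
    # flag (0x80000000) is the sign bit, so a USG shows up as a negative number.
    $bits = [uint32]($GroupType -band 0xFFFFFFFF)

    $scope = 'Unknown'
    if     ($bits -band 0x2) { $scope = 'Global' }
    elseif ($bits -band 0x4) { $scope = 'DomainLocal' }
    elseif ($bits -band 0x8) { $scope = 'Universal' }

    $securityEnabled = (($bits -band 0x80000000) -ne 0)

    New-Object PSObject -Property @{
        GroupType           = $GroupType
        Scope               = $scope
        SecurityEnabled     = $securityEnabled
        # The store can use a USG directly; a universal *distribution* group
        # has to be converted first, which requires a Native-mode domain.
        UsableAsPFPrincipal = ($securityEnabled -and $scope -eq 'Universal')
        NeedsConversion     = ((-not $securityEnabled) -and $scope -eq 'Universal')
    }
}

function Get-DomainModeInfo {
    # Reads nTMixedDomain from the domain naming context head:
    # 1 = Mixed mode (USGs cannot exist), 0 = Native mode.
    param([Parameter(Mandatory = $true)][string]$DomainDn)   # e.g. 'DC=corp,DC=example,DC=com' (placeholder)
    $domain = [ADSI]"LDAP://$DomainDn"
    $mixed  = [int]$domain.Properties['nTMixedDomain'].Value
    New-Object PSObject -Property @{
        DomainDn   = $DomainDn
        NativeMode = ($mixed -eq 0)
    }
}

function Get-GroupTypeFromAd {
    # Looks up one group by common name in the current domain and decodes it.
    param([Parameter(Mandatory = $true)][string]$GroupName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=group)(cn=$GroupName))"
    [void]$searcher.PropertiesToLoad.Add('groupType')
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Group '$GroupName' not found" }
    Get-GroupTypeInfo -GroupType ([int64]$result.Properties['grouptype'][0])
}

# Offline demonstration with constructed groupType values:
#   8           = universal distribution group (what the ADC creates from an Exchange Server DL)
#   -2147483640 = 0x80000008 = universal security group (what the store needs)
Get-GroupTypeInfo -GroupType 8
Get-GroupTypeInfo -GroupType -2147483640

# Live use on a domain-joined machine (names are placeholders):
#   Get-GroupTypeFromAd -GroupName 'GroupName'
#   Get-DomainModeInfo -DomainDn 'DC=corp,DC=example,DC=com'
```

If Get-GroupTypeInfo reports NeedsConversion for the group and Get-DomainModeInfo reports NativeMode = $false for the domain that holds it, you are in exactly the situation the Cause section describes and can expect event 9556 or 9552; moving the group to a Native-mode domain (or converting the domain) is the fix rather than editing the ACL again.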

More information

The Active Directory Connector replicates all Exchange Server DLs to the Active Directory as UDGs. You can create these UDGs in either a Mixed- or Native-mode Active Directory domain. However, if you are using the equivalent Exchange Server DL object for controlling access to public folders in Exchange Server, the Exchange store process will try to convert the UDG to a USG. This behavior occurs because DGs are not security principals. If the UDG exists in a Mixed-mode Active Directory domain, the USG conversion process does not succeed because USGs can only exist in Native-mode domains. The result is that the public folder in Exchange 2000 or Exchange 2003 has an ambiguous Access Control List (ACL), and because of this, only the folder owner can access its content, and other Exchange 2000 users are not even able to see the public folder in the client hierarchy. When a UDG-to-USG conversion does not succeed, a 9552 event ID is generated in the Exchange 2000 or Exchange 2003 application event log.

To avoid these difficulties, you can create the ADC Recipient Connection Agreement in such a way that the DL objects in the Exchange Server directory replicate to a Native-mode Active Directory domain. It is not important whether this Native-mode domain exists purely for group management or the domain is where your users reside. You only have to have a Native-mode domain somewhere in the forest. For companies that do not have any Native-mode domains, a new domain must be created just to hold these groups, unless you can convert an existing Mixed-mode domain to Native mode.

Note By default, universal security groups are used to grant permission to a public folder or to a mailbox folder in Microsoft Exchange Server 2003 and in Microsoft Exchange 2000 Server. The default settings in Microsoft Exchange do not let you use universal distribution groups to grant permissions to a public folder or to a mailbox folder. When a user tries to grant universal distribution group permission to a public folder or to a mailbox folder by using Microsoft Outlook, the Microsoft Exchange Information Store service automatically converts the universal distribution group to a universal security group. To grant access to the public folder resource or to the mailbox resource in a multi-domain environment, the Microsoft Exchange Information Store service must communicate with domain controllers from every one of the domains that may host the universal distribution list.

In this scenario, network communications must be available between Exchange and the domain controller from the domain where the distribution list resides on the ports that are listed in the following table:

Port   Transport   Resource
389    TCP         LDAP
3268   TCP         Global catalog
88     TCP         Kerberos
If this network communication is not available, error event IDs 9551 and 9552 are logged on the Exchange computer. This situation may cause the Store.exe process to stop responding (hang). Additionally, Event ID 623 may be logged on the Exchange computer.

Generally, error event IDs 9551 and 9552 alone may indicate a lack of permissions during the distribution list conversion process. However, if both these events are logged together with event ID 623, and if the Store.exe process stops responding (hangs), you may be experiencing a communications problem between Exchange and a domain controller.
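The two checks that follow from this section, a TCP reachability test for the three ports in the table and the 9551/9552/623 event heuristic, can be scripted. The PowerShell below is an added example and is not part of this Knowledge Base article or any Microsoft tool; the domain controller name and the sample events are constructed placeholders, and the 15-minute "logged together" window is an assumption (the article does not define how close the events must be).

```powershell
# Added example (not from the KB article). Tests the ports the article lists
# against a domain controller and classifies 9551/9552/623 events using the
# article's heuristic. Server names and sample events are constructed.

$RequiredPorts = @(
    @{ Port = 389;  Resource = 'LDAP' },
    @{ Port = 3268; Resource = 'Global catalog' },
    @{ Port = 88;   Resource = 'Kerberos' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # timed out
        $client.EndConnect($ar)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-DcPorts {
    # One result object per port from the article's table.
    param([Parameter(Mandatory = $true)][string]$DomainController)
    foreach ($entry in $RequiredPorts) {
        New-Object PSObject -Property @{
            DomainController = $DomainController
            Port             = $entry.Port
            Resource         = $entry.Resource
            Reachable        = (Test-TcpPort -ComputerName $DomainController -Port $entry.Port)
        }
    }
}

function Get-ConversionDiagnosis {
    # Article heuristic: 9551/9552 alone -> likely a permissions problem during
    # DL conversion; 9551 and 9552 together with 623 (here: within
    # $WindowMinutes of each other, an assumed window) -> suspect a
    # communications problem between Exchange and a domain controller.
    param(
        [Parameter(Mandatory = $true)][object[]]$Events,   # objects with EventID and TimeGenerated, as Get-EventLog returns
        [int]$WindowMinutes = 15
    )
    $relevant = @($Events | Where-Object { @(9551, 9552, 623) -contains $_.EventID })
    if ($relevant.Count -eq 0) { return 'No conversion-related events found' }

    $ids    = @($relevant | ForEach-Object { $_.EventID } | Sort-Object -Unique)
    $sorted = @($relevant | Sort-Object TimeGenerated)
    $minutesApart = ($sorted[-1].TimeGenerated - $sorted[0].TimeGenerated).TotalMinutes

    if (($ids -contains 9551) -and ($ids -contains 9552) -and ($ids -contains 623) -and ($minutesApart -le $WindowMinutes)) {
        return 'Events 9551, 9552 and 623 logged together: check TCP 389/3268/88 to the DC that holds the DL and whether Store.exe is hung'
    }
    if (($ids -contains 9551) -or ($ids -contains 9552)) {
        return 'Events 9551/9552 without 623: likely a permissions problem during DL-to-USG conversion'
    }
    return 'Only event 623 seen: not by itself a DL conversion symptom'
}

# Constructed sample events (not real log output) shaped like Get-EventLog objects
$sampleEvents = @(
    (New-Object PSObject -Property @{ EventID = 9551; TimeGenerated = [datetime]'2013-09-03T10:00:00' }),
    (New-Object PSObject -Property @{ EventID = 9552; TimeGenerated = [datetime]'2013-09-03T10:00:05' }),
    (New-Object PSObject -Property @{ EventID = 623;  TimeGenerated = [datetime]'2013-09-03T10:02:30' })
)
Get-ConversionDiagnosis -Events $sampleEvents

# Live use (server name is a placeholder):
#   Test-DcPorts -DomainController 'dc01.corp.example.com' | Format-Table Port, Resource, Reachable
#   Get-ConversionDiagnosis -Events (Get-EventLog -LogName Application -After (Get-Date).AddHours(-1))
```

Run Test-DcPorts from the Exchange computer itself, since the article's point is the path between the store and the domain controller that hosts the distribution list; a port that is reachable from an administrator's workstation but not from the Exchange server still produces the 9551/9552/623 pattern.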

Properties

Article ID: 274046 - Last Review: September 3, 2013 - Revision: 7.0
Applies to
  • Microsoft Exchange 2000 Server Standard Edition
  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition
  • Microsoft Windows Small Business Server 2003 Premium Edition
  • Microsoft Windows Small Business Server 2003 Standard Edition
Keywords: kbprb KB274046
