This article was previously published under Q277902
This article has been archived. It is offered "as is" and will no longer be updated.
If Exchange Server 5.5 is running on a Microsoft Windows NT Server 4.0-based computer, Exchange Server 5.5 does not replicate groups with membership hidden in Active Directory. The Exchange Server 5.5 version of the Exchange Server Administrator program also cannot display these objects.
This problem can occur because for groups with membership hidden in Active Directory, the Recipient Update Service writes a non-canonical security descriptor to the group.
When the Exchange 2000 Active Directory Connector (ADC) is used, the change is replicated to Exchange Server 5.5, but when the Exchange 5.5 security descriptor is created, an ACCESS_ALLOWED_OBJECT_ACE type Access Control Entry (ACE) is created, which is only supported on Microsoft Windows 2000 Server and later. This causes problems when displaying the object on Exchange Server 5.5 computers because the Exchange Server 5.5 version of the Exchange Server Administrator program cannot process this type of security descriptor. If Exchange Server 5.5 is running on a Windows NT Server 4.0-based computer, replication of any naming context halts with an object that contains this kind of ACE.
To resolve this problem, obtain the latest service pack for Microsoft Exchange 2000 Server. For additional information, click the following article number to view the article in theMicrosoft Knowledge Base:
301378 XGEN: How to Obtain the Latest Exchange 2000 Server Service Pack
The English version of this fix should have the following file attributes or later:
Microsoft has confirmed that this is a problem in Microsoft Exchange 2000 Server. This problem was first corrected in Microsoft Exchange 2000 Server Service Pack 1.