You can assign access permissions of chat rooms by adding group chat users into specific security groups of Active Directory. However, Microsoft Office Communications Server 2007 R2 Group Chat Server does not obtain the correct group membership sometimes. When this issue occurs, you may experience the following scenario:
You have added a group chat user into a specific security group of Active Directory that has access permissions to a chat room. However, the user cannot access content of the chat room.
You have removed a group chat user from the specific security group of Active Directory. However, the user still can access content of the chat.
The following error message is logged in the Channel Server log:
ChannelService.exe Error: 0 : CRITICAL |<Data Time>| 19:Active D|ActiveDirectoryWatch.CheckForChanges | Failed to update database with AD changes: Difference of two datetime columns caused overflow at runtime.
A Group Chat Server syncs the Active Directory service changes into a Group Chat back-end database. The Group Chat Server maintains the last Active Directory sync time for every domain controller (DC) to determine the last time that the Group Chat Server synced with a particular domain controller. If a Group Chat Server finds that the time difference between the current time and last Active Directory sync time is more than 24 days, the Group Chat Server cannot sync the Active Directory changes from that domain controller.
To resolve this issue, apply the following update:
977338 Update package for Office Communications Server 2007 R2 Group Chat Server: January 2010