Guido, are you saying that even if the member workstation is another domain
than the DG they can write to it?  


Interesting.  Have to try that...

-----Original Message-----
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Sunday, October 05, 2003 4:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2k ?


As a workaround it may be worth mentioning that it's no problem for a user
to edit a DL's (or any other group's) membership simply by using the
find-people feature of the workstation (simply query for the groupname and
if you have been granted write access to the member attribute of the group,
then you can easily modify the membership via this UI). 

This does require that the workstation is part of a domain of the same
forest, which contains the DLs.  The good thing: this works for DLs and pure
security groups alike (while Outlook can only handle DLs anyways).

/Guido


-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Samstag, 4. Oktober 2003 02:37
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2k ?

That is exactly the problem. The issue from MS is that Outlook uses NSAPI (I
think?) to do the DL management and it doesn't deal with referrals. So of
course my next response was, well O2K3 just came out so of course you fixed
this right? Ummm no, we don't consider it a bug... It is how it works.... 

If you want to get into some real fun, start working with hidden dl's and
trying to allow non-acc ops to modify them or using third party tools to
manage your group permissioning... At that point you aren't just fighting
Outlook, you are also fighting AD or at least the hokey way E2K sets the
perms up. 


  joe


 


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Friday, October 03, 2003 10:56 AM
To: [EMAIL PROTECTED]

In this case, MS says it isn't a bug because it would be extremely difficult
to fix.

I think the bug Joe is referring to is that Outlook can no longer manage
distribution lists under some circumstances. Here's the reason:

Outlook talks to GCs for all of its directory operations (including DL
membership). GCs (being DCs as well) have a full read/write copy of all the
objects IN THEIR OWN DOMAIN. When Outlook tells a GC to update membership
for a DL in the GC's domain, the GC happily obliges. Unfortunately, GCs have
a read-only copy[1] of objects from OTHER domains in the forest. So, if
Outlook is talking to a GC from a domain other than where the DL lives,
Outlook cannot modify the contents of the DL, since that GC has a read-only
copy of the DL.

Thus, if you want to manage DL membership from Outlook, you have to ensure
that Outlook talks only to GCs in the domain where the DL lives.

This bit us hard. Since we could not take our main NT domain native mode
right away (which meant no universal security groups), and we used Exchange
5.5 DLs to grant security to mailboxes, we had to tell ADC to put our DLs in
our empty-root domain (which was native). After migrating users to Exchange
2000, we found that users could no longer manage their DLs via Outlook.

I wrote a Perl-based CGI program to allow users to manage their DLs as a
workaround.

[1] Not quite absolutely true, but close enough for the purpose of this
discussion.
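
The rule described in the message above, as an added example that is not part of the original thread: given each DL's distinguished name and the GCs available per site, it reports the DL/site pairs where no GC can accept a membership write. The domain names, DL names, GC names and site names are constructed for illustration, and the code models only the simplified rule stated above (a GC is writable only for objects in its own domain).

```python
def split_rdns(dn):
    """Split a DN on commas, honouring backslash escapes (e.g. 'CN=Sales\\, East')."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def domain_of(dn):
    """Home domain of an object, derived from the DC= components of its DN."""
    labels = [r.strip()[3:] for r in split_rdns(dn)
              if r.strip().upper().startswith("DC=")]
    if not labels:
        raise ValueError("no DC= components in %r" % dn)
    return ".".join(labels).lower()

def writable_gcs(dl_dn, gcs):
    """GCs (name -> domain) that hold a writable copy of the DL:
    only those in the DL's own domain (simplified rule from the thread)."""
    home = domain_of(dl_dn)
    return sorted(n for n, dom in gcs.items() if dom.lower() == home)

def unmanageable(dls, gcs_by_site):
    """(DL, site) pairs where no GC in that site can accept the write."""
    return [(dl, site) for dl in dls
            for site, gcs in sorted(gcs_by_site.items())
            if not writable_gcs(dl, gcs)]

# Constructed sample data: empty root corp.example, child na.corp.example.
DLS = [r"CN=Sales\, East,OU=DLs,DC=corp,DC=example",
       "CN=Eng All,OU=Groups,DC=na,DC=corp,DC=example"]
GCS_BY_SITE = {"HQ": {"gc-root1": "corp.example", "gc-na1": "na.corp.example"},
               "Branch": {"gc-na2": "na.corp.example"}}

if __name__ == "__main__":
    for dl, site in unmanageable(DLS, GCS_BY_SITE):
        print("%s: no writable GC for %s" % (site, dl))
```

With the sample data, the DL homed in the empty root is flagged for the Branch site, which has GCs only from the child domain.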

-----Original Message-----
From: Malcolm Reitz [mailto:[EMAIL PROTECTED]
Sent: Friday, October 03, 2003 9:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2k ?


Joe,

Can you elaborate on this bug, or point me to some documentation?

Thanks,

Malcolm

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 03, 2003 6:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2k ?

I was thinking along the same lines only we don't have some critical
information to make the call... That being what does the replication pathing
look like and how big are these domains/how big will they be/how many
changes going through them. If the two domains are on opposite sides of a
very slow link this could be a bad solution. If they are all on the same LAN
I would probably make them all GC's.

One additional possible exception which is entirely Exchangecentric is if I
was using DL's and wanted people to be able to modify them via Outlook.
There is a nice bug[1] with the whole thing around how DL's are managed with
Outlook in E2K. If you do want to do this, you have to be very careful on
how you configure your GC's or the users will have to be hard set to a GC
for Outlook. Either way you have to be very smart about the placement of the
DL's (i.e. what their home domain is). 

  joe


[1] Well MS says it is an unintended feature, definitely not a bug. Those of us
who identify bugs on a regular basis easily recognize this little
multilegged bastard. I recognize a bug as either a negative change in
previous functionality or unintended consequences that MS didn't realize
before shipping. I.E. What was the intent? If the intent was for the
functionality to specifically not work in a certain circumstance and MS
specifically coded it that way on purpose with full understanding, that is
not a bug. 




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
Sent: Friday, October 03, 2003 4:11 AM
To: [EMAIL PROTECTED]

 
I would like to "attack" this problem from an AD point of view. Your domain
structure consists of an empty forest root domain with a child domain. This
structure allows you to make every DC in the child DC a GC without much
overhead. The information in the empty forest root should be relatively
static (I hope empty stays empty) and the objects originating from the child
domain added to the GCs are nothing more than "pointers". So, I don't see a
problem in making all DCs in the child domain GCs.

I hope this eases your decision making process...
Cheers!
John

-----Original Message-----
From: Chianese, David P. [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 1:01 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Exchange 2k ?


We are having a debate on whether or not to make all of our DC's gc's in our
new e2k environment.  I would like to hear feedback from current e2k
administrators.  It is my contention that we have sufficient DC resources to
NOT make all of our DC's gc's for exchange.  Is there any drawback to doing
this other than increased replication traffic?  

Simply, we are an empty root with 2 child domains.  The enterprise is moving
towards an all e2k environment from a plethora of disjoined messaging /
e-mail systems.


Regards,

David Chianese
IT - Server Services
Delaware Investments
Office - (215) 255-8570
Mobile - (267) 549-4777



List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/