Question : SID History/re-ACL'ing when moving to new AD forest


I recently asked a question about moving objects from a Windows 2003 AD forest to a new 2008 R2 Forest.


We are currently a multi-domain forest with Windows 2003 FL/DL with Exchange 2003. We're looking into implementing Windows 2008 DCs, and one option is to just create an entirely separate, new forest based on Windows 2008 R2 DCs and Exchange 2010.

We'll implement two-way trusts between the two forests. Forest1 is the 2003 forest and Forest2 will be the 2008 one.

This is very much in the initial phase so I was hoping for some feedback from the experts here :)

I was advised that if AD objects (e.g. user accounts) were moved to Forest2, then they could still keep access to resources in Forest1 (e.g. fileshare) via either SID History (i.e. keeping the SID of the AD account when it is moved) or re-ACL'ing the resource so that the SID of the AD account in the Forest2 is added to the access list.

However - how does this work with Exchange mailbox permissions? Let's say I have Manager1 and PA1 mailboxes in Forest1. PA1 has access to Manager1 mailbox.

I then move Manager1 to the new forest (Forest2). I assume PA1 would still have access to Manager1's mailbox if we kept the SID of PA1's associated AD account?

Conversely, what if we moved Manager1 to the new forest but PA1 remained in Forest1? Would this not make a difference, since the ACL is on the Manager1 mailbox and PA1's SID is still the same because it has not been moved? Or are ACLs lost when moving objects between forests?

Finally, when we talk about SIDs in Exchange terms, are these the SIDs of the primary AD account or the SID of the Exchange mailbox?

Thanks for any help!
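The two options the question describes, keeping the old SID via sIDHistory and re-ACL'ing the resource with the new SID, can be combined: read the sIDHistory of the migrated accounts in Forest2 to build an old-SID to new-SID map, then add an equivalent ACE for the new SID next to every explicit ACE on the Forest1 share that still names an old SID. The following is an added example, not code from the original post. It assumes the RSAT ActiveDirectory module, PowerShell 3 or later, a two-way trust, and that the migration tool populated sIDHistory; the DC name `dc1.forest2.example` and the share path `\\fs1.forest1.example\Share` are hypothetical.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory,
# PowerShell 3+, a two-way forest trust and sIDHistory on the migrated accounts.
Import-Module ActiveDirectory

# Build a map: old (Forest1) SID -> new (Forest2) SID from sIDHistory.
# The Forest2 DC name is hypothetical.
$sidMap = @{}
Get-ADUser -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory -Server 'dc1.forest2.example' |
    ForEach-Object {
        foreach ($old in $_.sIDHistory) {
            $sidMap[$old.Value] = $_.SID.Value
        }
    }

function Update-AclForMigratedSids {
    # Adds, for each explicit ACE that names an old SID, a matching ACE for the
    # new SID. The old ACE is deliberately kept so access does not break while
    # sIDHistory is still in use; remove it in a later cleanup pass.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$SidMap,
        [switch]$WhatIf
    )
    $acl = Get-Acl -Path $Path
    $changed = $false
    # Ask for explicit ACEs only, with identities as raw SIDs: this avoids
    # SID-to-name translation, which throws on SIDs the server cannot resolve.
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $oldSid = $ace.IdentityReference.Value
        if (-not $SidMap.ContainsKey($oldSid)) { continue }
        $newSid = New-Object System.Security.Principal.SecurityIdentifier($SidMap[$oldSid])
        $newAce = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $newSid, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $acl.AddAccessRule($newAce)
        $changed = $true
        Write-Verbose ("{0}: added {1} alongside {2}" -f $Path, $newSid.Value, $oldSid)
    }
    if ($changed -and -not $WhatIf) { Set-Acl -Path $Path -AclObject $acl }
    return $changed
}

# Re-ACL the share root and everything beneath it (hypothetical path).
# Use -WhatIf first to see which objects would change without touching them.
$root = '\\fs1.forest1.example\Share'
@(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse) |
    ForEach-Object { Update-AclForMigratedSids -Path $_.FullName -SidMap $sidMap -Verbose }
```

Only explicit ACEs are rewritten; inherited ones are regenerated from the parent once the parent is fixed, which is why the walk starts at the share root. Run it with `-WhatIf` and `-Verbose` first and review the output before writing anything back.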

Answer : SID History/re-ACL'ing when moving to new AD forest

> And what would be the advantage of taking across the legacyExchangeDN as an X500 address? Not sure what you mean here either!

If you don't you'll find the following to be a problem:

1. Calendar entries created prior to the migration will no longer be "owned" by the mailbox owner
2. Replies to (internal) messages received prior to the migration will bounce
3. Outlook's Auto-Complete feature will auto-complete with addresses that are only valid on the old mail system

> So I guess it would be permissions on a mailbox.....not sure of the difference though?

It's more of a problem when it comes to using the permissions. Mailbox rights, those defined on the mailbox itself, should be fine. But it will be extremely difficult to use the other at all, as a connection to New-Exchange-Org will not give you access to resources on Old-Exchange-Org.

> Why would SendAs/ReceiveAs make a difference?

On reflection they probably won't make a whole lot of difference :)
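The three problems the answer lists (old calendar ownership, bounced replies to pre-migration mail, stale Auto-Complete entries) all stem from Outlook and Exchange addressing the old mailbox by its legacyExchangeDN. Stamping that value, plus any X500 addresses the old mailbox had already accumulated, onto the new mailbox as X500 proxy addresses lets the new organization resolve them. The following is an added example, not code from the original answer. It assumes the Exchange 2010 Management Shell in Forest2, the RSAT ActiveDirectory module, read access to Forest1's AD over the trust, the `@{Add=...}` multivalued-parameter syntax of Set-Mailbox, and hypothetical names `manager1` and `dc1.forest1.example`.

```powershell
# Added example, not from the original answer. Run in the Exchange 2010
# Management Shell in Forest2 with RSAT ActiveDirectory loaded.
Import-Module ActiveDirectory

function Copy-LegacyExchangeDnAsX500 {
    # Collects the source mailbox's legacyExchangeDN and any existing X500
    # proxy addresses, and adds them as X500 secondary addresses on the target.
    param(
        [Parameter(Mandatory)][string]$SourceSamAccountName,
        [Parameter(Mandatory)][string]$SourceDomainController,   # a Forest1 DC
        [Parameter(Mandatory)][string]$TargetMailbox              # Forest2 mailbox identity
    )
    $src = Get-ADUser -Identity $SourceSamAccountName -Server $SourceDomainController `
                      -Properties legacyExchangeDN, proxyAddresses

    # The current DN plus any X500 addresses from earlier migrations; old
    # messages and calendar items may reference any of them.
    $wanted = @("X500:" + $src.legacyExchangeDN) +
              @($src.proxyAddresses | Where-Object { $_ -like 'X500:*' })

    # Skip values the target already has so the call is safe to re-run.
    $existing = (Get-Mailbox -Identity $TargetMailbox).EmailAddresses |
                ForEach-Object { $_.ProxyAddressString }
    $toAdd = $wanted | Where-Object { $existing -notcontains $_ } | Select-Object -Unique

    if ($toAdd) {
        # @{Add=...} appends secondaries and leaves the primary SMTP address alone.
        Set-Mailbox -Identity $TargetMailbox -EmailAddresses @{Add = $toAdd}
    }
    return $toAdd
}

# Hypothetical names: source account manager1 in Forest1, mailbox manager1 in Forest2.
Copy-LegacyExchangeDnAsX500 -SourceSamAccountName 'manager1' `
                            -SourceDomainController 'dc1.forest1.example' `
                            -TargetMailbox 'manager1'

# Verify: list the X500 entries now on the Forest2 mailbox.
(Get-Mailbox -Identity 'manager1').EmailAddresses |
    Where-Object { $_.PrefixString -eq 'X500' } |
    ForEach-Object { $_.ProxyAddressString }
```

If the target mailbox has an e-mail address policy applied, the added X500 entries survive policy updates because the policy only manages SMTP addresses; check the result with the verification step above after the first policy run.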
