XADM: The Recipient Update Service Writes a Non-Canonical Security Descriptor to the Group

If Exchange Server 5.5 is running on a Microsoft Windows NT Server 4.0-based computer, Exchange Server 5.5 does not replicate groups with membership hidden in Active Directory. The Exchange Server 5.5 version of the Exchange Server Administrator program also cannot display these objects.

This problem can occur because for groups with membership hidden in Active Directory, the Recipient Update Service writes a non-canonical security descriptor to the group.

When the Exchange 2000 Active Directory Connector (ADC) is used, the change is replicated to Exchange Server 5.5, but when the Exchange 5.5 security descriptor is created, an ACCESS_ALLOWED_OBJECT_ACE type Access Control Entry (ACE) is created, which is only supported on Microsoft Windows 2000 Server and later. This causes problems when displaying the object on Exchange Server 5.5 computers because the Exchange Server 5.5 version of the Exchange Server Administrator program cannot process this type of security descriptor. If Exchange Server 5.5 is running on a Windows NT Server 4.0-based computer, replication of any naming context halts with an object that contains this kind of ACE.

To resolve this problem, obtain the latest service pack for Microsoft Exchange 2000 Server. For additional information, click the following article number to view the article in the Microsoft Knowledge Base: The English version of this fix should have the following file attributes or later:

Component: ADC

Microsoft has confirmed that this is a problem in Microsoft Exchange 2000 Server. This problem was first corrected in Microsoft Exchange 2000 Server Service Pack 1.