You cannot successfully decommission a Windows NT domain after you install Exchange 2000 Server or Exchange Server 2003 in an existing Exchange 5.5 site


Symptoms

Assume a situation where you install Microsoft Exchange 2000 Server or Microsoft Exchange Server 2003 in an existing Microsoft Exchange Server version 5.5 site. The service account for this site resides in a trusted Microsoft Windows NT domain. In this situation, you may experience one or more of the following symptoms:
  • You cannot decommission the Windows NT domain. This behavior occurs even if all the following conditions are true:
    • You successfully moved all mailboxes.
    • You successfully moved all public folders.
    • You successfully moved all system folders from Exchange Server 5.5 to Exchange 2000 Server or to Exchange Server 2003.
  • The mail flow between Exchange 2000 Server, Exchange Server 2003, and other Microsoft Exchange sites may stop when one of the following conditions is true:
    • You shut down the primary domain controller from your trusted Windows NT domain.
    • You remove the trust relationship between Active Directory directory services and the Windows NT domain.
  • You may receive the following error message in the Exchange Administration program when you click the Permissions tab of any Exchange configuration object:

    The trust relationship between the primary domain and the trusted domain failed.
    Microsoft Windows NT ID: 0xc00206fc

Cause

These symptoms occur because an Active Directory domain controller cannot resolve the Security Identifier (SID) of a Microsoft Exchange service account that is from a trusted Windows NT domain. If you perform an action that requires Microsoft Exchange to resolve the SID information for the Exchange service account, one of the following actions occurs:
  • A domain controller from the Windows NT domain resolves the request directly.
  • An Active Directory domain controller examines the domain part of the SID of the service account. Then, the Active Directory domain controller forwards the request to the appropriate domain for resolution.
For example, the following are sample SIDs for an Active Directory domain, for a trusted Windows NT domain, and for an Exchange service account that is from the trusted Windows NT domain:
  • Active Directory domain:
    0105000000000005150000003096AD17C238F289D82F7262
  • Trusted Windows NT domain:
    0105000000000005150000005972F721BA0D7A3D4E0E286D
  • SID of an Exchange service account:
    0105000000000005150000005972F721BA0D7A3D4E0E286DF401000
  • Domain part of the SID of the service account:
    [0105000000000005150000005972F721BA0D7A3D4E0E286D]
In these examples, the domain part of the SID of the Exchange service account matches the SID of the trusted Windows NT domain. Because the SID value is foreign to the Active Directory forest, this request must be forwarded to a Windows NT domain controller to be resolved.
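The SID comparison described above, as an added example (not code from the Microsoft article): it decodes the two domain SIDs quoted above from the hex form the article prints, shows that the service account's domain part matches the trusted Windows NT domain, and then goes one step further to model which SIDs recorded in Exchange security descriptors remain unresolvable once the trust is removed, which is the dependency behind the list of accounts in the "More information" section that must be moved with sIDHistory. The service-account and administrator account SIDs and the sIDHistory contents are constructed for illustration.

```python
"""Decode the binary SIDs this article prints as hex and check which SIDs in
Exchange security descriptors an Active Directory forest could still resolve
once the Windows NT trust is gone.  Added example, not Microsoft's code: the two
domain SIDs are the article's; account SIDs and sIDHistory contents are constructed."""
import struct

def sid_from_hex(hex_sid: str) -> str:
    """Binary SID (revision, sub-authority count, 48-bit big-endian identifier
    authority, little-endian 32-bit sub-authorities) -> "S-1-5-21-..." string.
    The article prints domain SIDs as the account SID with the RID cut off, so the
    count byte still says 5 while only 4 sub-authorities follow; go by the length."""
    raw = bytes.fromhex(hex_sid)
    revision, count = raw[0], min(raw[1], (len(raw) - 8) // 4)
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)

def domain_part(sid: str) -> str:
    """Drop the RID: S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]

def unresolvable(recorded_sids, forest_domains, sid_history):
    """SIDs no AD domain controller can resolve without the NT trust: the domain
    part is foreign to the forest and no migrated account carries the SID in
    its sIDHistory attribute."""
    return sorted(s for s in recorded_sids
                  if domain_part(s) not in forest_domains and s not in sid_history)

# The two domain SIDs quoted in the article, hex exactly as printed there.
AD_DOMAIN = sid_from_hex("0105000000000005150000003096AD17C238F289D82F7262")
NT_DOMAIN = sid_from_hex("0105000000000005150000005972F721BA0D7A3D4E0E286D")

# Constructed: the NT domain SID with RID 500 appended (F4 01 00 00 little-endian,
# the RID the article's truncated service-account example starts with), plus an
# NT admin who created configuration objects (owner in NT-Security-Descriptor).
SERVICE_ACCOUNT = sid_from_hex("0105000000000005150000005972F721BA0D7A3D4E0E286DF4010000")
NT_ADMIN = NT_DOMAIN + "-1105"
AD_ADMIN = AD_DOMAIN + "-1204"
RECORDED = {SERVICE_ACCOUNT, NT_ADMIN, AD_ADMIN}

def check_after_migration():
    """Before migration both NT accounts break when the trust goes; migrating
    only the service account with sIDHistory still leaves NT_ADMIN unresolvable."""
    before = unresolvable(RECORDED, {AD_DOMAIN}, set())
    after = unresolvable(RECORDED, {AD_DOMAIN}, {SERVICE_ACCOUNT})
    return before, after
```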

Exchange Server 5.5 services run under the security context of a domain account that is typically referred to as the Exchange service account. The Exchange service account can be from a Windows NT domain or from an Active Directory domain. The SID from the Exchange service account is a unique value in the domain. The SID is recorded in the NT-Security-Descriptor attribute on all Exchange configuration objects.

If the SID of the Exchange service account is from a Windows NT domain, the SID will exist in the Security Accounts Manager (SAM) database. The SID value can be resolved only by the primary domain controller or by a backup domain controller from the Windows NT domain. Alternatively, if the SID of the Exchange service account is from an Active Directory domain, the SID is stored in Active Directory. In this situation, the SID can be resolved only by the Active Directory domain controllers.

Workaround

You cannot change the Exchange service account from a Windows NT domain account to an Active Directory domain account in any site that is running an instance of the Microsoft Exchange Site Replication Service (a mixed site). This is not supported in Exchange.

If you change the Exchange service account, mail flow will be interrupted. This interruption occurs because the message transfer agent (MTA) uses this account to authenticate with Exchange servers in other sites.

Customers who choose to migrate user accounts from a trusted Windows NT domain to an Active Directory domain must preserve the SID values from the source domain so that access to trusted resources continues uninterrupted. The Active Directory Migration Tool (ADMT) from Microsoft provides this functionality through the sIDHistory option.

The sIDHistory attribute is a multi-valued attribute of security principals in the Active Directory. The sIDHistory attribute may contain up to 850 values.

To provide backward compatibility with domain controllers that are running earlier versions of Microsoft Windows, the sIDHistory attribute is available only in domains that operate at the Microsoft Windows 2000 native or Microsoft Windows Server 2003 functional level.

For more information about how to use the Active Directory Migration Tool (ADMT), click the following article number to view the article in the Microsoft Knowledge Base:
326480 How to use Active Directory Migration Tool version 2 to move from Windows 2000 to Windows Server 2003
If you migrate an Exchange service account from a Windows NT domain to Active Directory with the sIDHistory attribute, the SID value will exist in the following locations:
  • In the sIDHistory attribute of the Exchange service account in Active Directory.
  • In the Windows NT SAM database.
Any request that you make to resolve the SID information for the Exchange service account will be resolved by one of the following methods:
  • A domain controller from the trusted Windows NT domain
  • A domain controller from Active Directory
After you correctly migrate the Exchange service account to Active Directory with the sIDHistory attribute, you can remove the trust relationship with the Windows NT domain for further testing. Do not remove any sIDHistory values from migrated Microsoft Windows accounts that are associated with Exchange objects until the Exchange organization is operating in native mode. Otherwise, you will experience the symptoms that are mentioned in the "Symptoms" section.

The workaround that is described in this article works for many enterprise customers. However, we do not officially support the migration of Exchange service accounts. You should extensively test the Exchange environment for any residual dependencies on the Windows NT domain for a period of up to 60 days after you complete the following tasks:
  • You migrate the Exchange service account to Active Directory with the sIDHistory attribute.
  • You remove the trust relationship.
Additionally, we strongly suggest that you perform the following actions if you choose to migrate Exchange service accounts:
  • You make a full, verified backup of the SAM database.
  • You test recovery in a lab before you decommission the last domain controller from the Windows NT domain.

More information

When you deploy Exchange 2000 Server or Exchange Server 2003 in an existing Exchange 5.5 site, the Setup program will prompt you for the domain account and password information for the Exchange 5.5 service account. This information is recorded in the properties of the Administrative Group in Active Directory in the following attributes:
  • msExchLegacyAccount: <Service account name>
  • msExchLegacyDomain: <Windows domain name>
  • msExchEncryptedPassword: <Service account password>
In mixed sites, the Exchange 2000 or Exchange 2003 servers use the Exchange 5.5 service account information for authentication when you send and receive e-mail messages with other Exchange 5.5 servers in other sites. Additionally, the Exchange 5.5 service account is used extensively for security purposes by both the Microsoft Exchange Directory and the Site Replication Service (SRS).

When you migrate the Exchange service account from the Windows NT domain to Active Directory with the sIDHistory attribute, you enable domain controllers from your Active Directory forest to resolve the SID of the service account without having to forward the query to the Windows NT primary domain controller.

The following is a list of the other accounts that you must move with the sIDHistory attribute from the Windows NT domain to Active Directory:
  • Any Windows NT domain accounts that appear on the Permissions tab in any configuration or recipient object.
  • Any Windows NT domain accounts that have been delegated mailbox access for any Exchange 2000 or Exchange 2003 mailbox.
  • Any Windows NT domain accounts that were used to create configuration or recipient objects.
When an object is created in the Exchange Directory, the SID of the account that is used to create the object is recorded in the object's NT-Security-Descriptor attribute as the owner of the security descriptor for that object. Although this does not give the account exclusive rights to the object, this SID must be resolvable against an Active Directory domain controller for the Windows NT domain to be decommissioned successfully.

If any one of these Exchange accounts is not migrated to Active Directory with the sIDHistory attribute, you may experience the symptoms that are mentioned in the "Symptoms" section.

Keywords: KB899496, kbprb, kbtshoot, kbactivedirectory, kbmigration

Article Info
Article ID : 899496
Revision : 4
Created on : 10/25/2007
Published on : 10/25/2007
Exists online : False
Views : 315