So I've found some fun things while upgrading from Exchange 2000 to an Exchange 2003 cluster. First is unable to categorize does not mean Journaling. Lots of "Messages Awaiting Directory Lookup", querying all the servers that the servers were using to figure out why they were complaining about it, only finding entries about Journaling and how to fix/disable it. Turns out it's not that it sees the msExchMessageJournalRecipient with bad data, but just it isn't able to access the object to read that attribute. The fix is to enable inherited permissions on the server object in ESM. I suspect the cause of the problem was adding another Exchange domain necessitated additional ACEs for the Exchange groups in the new domain. But the question of why it was broken in the first place is up in the air.
The second piece is I think why. I found after "fixing" the above that the admins couldn't get into any mailboxes. This is default behavior (it sets a Deny ACL on the mailboxes), but apparently was fixed at some point by breaking inheritance and removing the Deny. Proper fix if the server admins should be mailbox admins as well is to add an ACL to the Server object allowing full control for the admin (non-inherited Allow overrides an inherited Deny in DACLs). It'd also likely be possible to fix at the Organization or Administrative group level, but that requires work to make the Security tab visible, and is more likely to break if future versions change those permissions (or add additional ACEs in delegation and one has to figure out how to fix again). Probably better to just do it per server or store.
Third is that Exchange follows MX records for intra-domain routing. This was discovered when changing this to get names set up for externally established DNS names. This is the most pressing argument I've seen for split DNS (if mail should go through a central hub), which is unfortunate since there's not a clean workaround. That is other than a front end server architecture (everything seems to push that way in the end). It'd be nice if they just made an OWA URL that would be used for server referrals.
Thats it for now. Between those problems and replacing a failed drive in another machine, I'm calling it a day.
Copyright ©2000-2008 Jeremy Mooney (jeremy-at-qux-dot-net)
