Difficulties Occur When Administering Exchange Users That Are Located in a Different Child Domain (270226)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server

This article was previously published under Q270226

SYMPTOMS

In a Microsoft Windows 2000-based forest with at least two child domains that run in Mixed mode, if Microsoft Exchange Server version 5.5 is installed in one of the child domains and user accounts are located in the other child domain, Exchange administrators cannot use the Primary Windows NT account to create the association between the mailbox and the user account.


The following error message is displayed when you attempt to create an account in the other Accounts child domain:
No mapping between account names and security IDs was done
Microsoft Windows NT
ID no: 0xc0020534

Also, if you attempt to associate the mailbox with an existing account located in the Accounts child domain, the List Names From drop-down box does not display an option for the Accounts domain; only the parent domain and the domain where Exchange Server exists are displayed.

CAUSE

This behavior can occur because the Microsoft Exchange Administrator program does not take advantage of the Kerberos transitive trust that exists between the two child domains (by means of the parent). Instead, the program expects to see a down-level explicit or shortcut one-way or two-way trust between the child domains.

RESOLUTION

To work around this behavior, you must perform the following steps to create an explicit or shortcut trust between Exchange 5.5 domains and the Accounts domain:

  1. In the Active Directory Domains and Trusts snap-in, right-click on the child domain where your Exchange 5.5 mailboxes are installed, and then click Properties.
  2. In the Properties dialog box of the child domain, click the Trust tab to reveal the existing trust relationships. There should be an entry representing the Kerberos transitive trust between the child domain and its parent domain. It should be displayed as the following entry:
    Domains trusted by this domain    Relationship    Transitive
    parentdomain.com                  parent          yes

    Domains that trust this domain    Relationship    Transitive
    parentdomain.com                  parent          yes

  3. In the Domains trusted by this domain box, click Add to select the domain that can be trusted by this domain (in this situation, you select the child domain that is hosting the user accounts). You may be required to enter a trust relationship password.
  4. When the password is entered, click OK to process the first part of the one-way trust relationship. The Domains trusted by this domain box now displays the following entry:
    Domains trusted by this domain     Relationship    Transitive
    parentdomain.com                   parent          yes
    accountsdomain.parentdomain.com    shortcut        yes

  5. Click OK to accept the changes.
  6. In the Active Directory Domains and Trusts snap-in, right-click on the child domain hosting the user accounts, and then click Properties.
  7. In the Properties dialog box of the child domain, click the Trust tab to display the existing trust relationships.
  8. In the Domains that trust this domain box, click Add to add the name of the trusting domain (in this situation, you select the child domain where Exchange Server is installed). You may be required to enter a trust relationship password to complete the one-way trust relationship.
  9. When the password is entered, click OK to complete the second and final part of the one-way trust relationship. The Domains that trust this domain box now displays the following entry:
    Domains that trust this domain     Relationship    Transitive
    parentdomain.com                   parent          yes
    exchangedomain.parentdomain.com    shortcut        yes
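
The following sketch is an added example, not part of the original article or any Microsoft tool. It models the CAUSE and RESOLUTION sections as a trust graph, assuming a down-level client sees only direct trusts; the function names are hypothetical and the domain names are the article's placeholders.

```python
from collections import deque

# Constructed sample forest, using the placeholder names from the article.
# Each entry maps a trusting domain to the set of domains it directly trusts.
PARENT = "parentdomain.com"
EXCH = "exchangedomain.parentdomain.com"
ACCT = "accountsdomain.parentdomain.com"

def forest_trusts():
    """Default two-way parent/child trusts only (state before the workaround)."""
    return {PARENT: {EXCH, ACCT}, EXCH: {PARENT}, ACCT: {PARENT}}

def direct_view(trusts, domain):
    """Assumed model of a down-level client: only explicit, direct trusts count."""
    return {domain} | trusts.get(domain, set())

def transitive_view(trusts, domain):
    """Kerberos-style view: follow trust links transitively (breadth-first)."""
    seen, queue = {domain}, deque([domain])
    while queue:
        for nxt in trusts.get(queue.popleft(), set()) - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen

def add_one_way_trust(trusts, trusting, trusted):
    """Return a copy with one extra one-way trust: `trusting` trusts `trusted`."""
    updated = {d: set(t) for d, t in trusts.items()}
    updated.setdefault(trusting, set()).add(trusted)
    return updated

def audit_gap(trusts, domain):
    """Domains reachable transitively but invisible to a direct-trust-only client."""
    return transitive_view(trusts, domain) - direct_view(trusts, domain)

if __name__ == "__main__":
    before = forest_trusts()
    after = add_one_way_trust(before, EXCH, ACCT)  # steps 3 to 9 of the workaround
    print("missing before:", sorted(audit_gap(before, EXCH)))
    print("missing after: ", sorted(audit_gap(after, EXCH)))
```

Because the added trust is one-way, the Accounts domain's direct view is unchanged: it does not gain trust in the Exchange domain.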

STATUS

Microsoft has confirmed this to be a problem with Exchange 5.5 when it runs in a Windows 2000 Mixed mode environment.

Modification Type: Minor
Last Reviewed: 2/6/2004
Keywords: kbdomain kbenv kbnetwork kbprb KB270226