CAUSE
This problem occurs because the Exchange 2000 ADC does not accurately detect group membership changes when the changes to the group occur on a domain controller that is part of Windows Server 2003 Active Directory in forest functional level 1 or in forest functional level 2.
For additional information about forest functional levels, click the following article number to view the article in the Microsoft Knowledge Base:
322692
HOW TO: Raise Domain and Forest Functional Levels in Windows Server 2003
Windows Server 2003 Active Directory has a new feature that is named Linked Value Replication. This feature permits individual values of a multivalued attribute to be replicated separately. In Microsoft Windows 2000, when a change is made to a member of a group or when a new group member is added, the whole group membership value has to be replicated. When Linked Value Replication is enabled in Windows Server 2003, and you add a new member to the group, only the new member entry is replicated. The whole group membership is not replicated. An update sequence number for an object is updated when a linked attribute (such as group membership) changes, but the metadata for these particular attributes does not change. Exchange Server searches for metadata changes to particular attributes to decide whether the ADC must update an object. This metadata does not change when the forest functional level is set to enable Linked Value Replication; therefore, the ADC does not replicate the object.
When Linked Value Replication is enabled in an Active Directory forest, group membership changes do not replicate between a Windows Server 2003 Active Directory server (in forest functional level 1 or in forest functional level 2) and a Microsoft Exchange Server 5.5 computer when that group membership change originates in Active Directory.
For example, assume that you have a universal distribution group in Active Directory that is named UDG1. UDG1 is linked through the ADC to a distribution list in Exchange 5.5. This distribution group is also named UDG1. UDG1 has two members: David Daniels and Shu Ito. When David Daniels is deleted from the group membership in Active Directory, the ADC does not detect that an update occurred to the member attribute of the group. As a result, the change to the group (the removal of David Daniels) does not replicate from Active Directory to Exchange 5.5. David Daniels can continue to access resources that are available to the group in Exchange 5.5 and can continue to receive e-mail messages that are sent to the group from users in Exchange 5.5. At this point, the problem is that the group membership of UDG1 in Active Directory does not accurately reflect the group membership of UDG1 in Exchange 5.5. Additionally, David Daniels can be re-added to the group in Active Directory even though he was deleted in the previous step. This behavior may occur when a new user, Begoņa Hurtado, is added to UDG1 in Exchange 5.5. The ADC detects the group membership change in Exchange 5.5 and replicates the whole group membership back to Active Directory. As a result, David Daniels is added to the membership again, and the final group membership state of UDG1 in Active Directory includes three members: David Daniels, Shu Ito, and Begoņa Hurtado.