How does DMA translate security for Microsoft Exchange 5.5 mailboxes and what are the requirements? (NETIQKB2139)

  • 7702139
  • 02-Feb-2007
  • 21-Jan-2008

From the Domain Migration Administrator console, use the Translate Security for Exchange Mailboxes wizard. This operation can be performed at either the global or project level.

Install Microsoft Exchange Administrator on the same computer as Domain Migration Administrator (DMA). Next, verify that LDAP is enabled on the Exchange 5.5 server. DMA uses the credentials of the account you are logged on with to query the Exchange server for the port it is communicating through, so this account should have Permissions Admin rights. The credentials you provide to DMA in the Exchange mailbox translation wizard must also have Permissions Admin rights in Exchange so that security translation can occur.

Please be aware that Windows NT Challenge/Response must be an enabled authentication method for the LDAP protocol on your Exchange Site/Server. Domain Migration Administrator cannot provide your credentials to Exchange through any type of SSL authentication method alone. To check your settings, go to the Site container/Protocols/LDAP/Authentication tab.

When you translate security on an Exchange mailbox you have three options: Replace, Add, or Remove. If you choose 'Replace', DMA removes the old source NT account SIDs (ACEs) from the mailbox ACL and adds the new target account SIDs (ACEs). If you choose 'Add', DMA adds the new target account SIDs (ACEs) to the mailbox ACL, but the old source NT account SIDs remain in the ACL and still have access to the mailbox. If you choose 'Remove', DMA removes the old source NT account SIDs (ACEs) from the mailbox ACL. Therefore, choosing 'Replace' results in target account access only, choosing 'Add' results in both source and target account access, and choosing 'Remove' results in target account access only.

'Add' is usually used in conjunction with 'Remove', and NetIQ recommends this as a best practice to ensure that permissions have been translated as desired. 'Add' allows for the flexibility of reinstating the source account should something in the migration go awry. Once you have verified that the migrated accounts can access the mailboxes, use 'Remove' to finalize the state of the ACLs. 'Replace' is a much more permanent option that is difficult to roll back. The 'Add' and 'Remove' options also allow for a staged migration over time where both source and target accounts might need access at the same time.
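The following Python model of the three translation modes is an added example, not DMA's or NetIQ's code; it applies a source-to-target SID map to a mailbox ACL and shows that running 'Add' and then 'Remove' leaves the ACL in the same state as 'Replace', while ACEs for accounts that were never migrated are left untouched. All SIDs and rights names are constructed placeholders.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    REPLACE = "Replace"   # drop source ACEs, add target ACEs
    ADD = "Add"           # keep source ACEs, add target ACEs
    REMOVE = "Remove"     # drop source ACEs, add nothing


@dataclass(frozen=True)
class Ace:
    sid: str      # account SID (placeholder values below)
    rights: str   # right held on the mailbox (placeholder label)


# Constructed sample: two migrated NT accounts plus one account that
# is not part of the migration and must keep its access unchanged.
SID_MAP = {
    "S-1-5-21-SOURCE-1001": "S-1-5-21-TARGET-2001",
    "S-1-5-21-SOURCE-1002": "S-1-5-21-TARGET-2002",
}
MAILBOX_ACL = [
    Ace("S-1-5-21-SOURCE-1001", "Mailbox Owner"),
    Ace("S-1-5-21-SOURCE-1002", "Send As"),
    Ace("S-1-5-21-SOURCE-9999", "Mailbox Owner"),  # not in SID_MAP
]


def translate_mailbox_acl(acl, sid_map, mode):
    """Return the ACL after one translation pass in the given mode.

    Target SIDs are never keys of sid_map, so a later Remove pass keeps
    the target ACEs that an earlier Add pass introduced.
    """
    result = []
    for ace in acl:
        target_sid = sid_map.get(ace.sid)
        if target_sid is None:
            result.append(ace)              # unmigrated account: keep
            continue
        if mode is Mode.ADD:
            result.append(ace)              # source keeps its access
        if mode in (Mode.REPLACE, Mode.ADD):
            result.append(Ace(target_sid, ace.rights))
        # Mode.REMOVE: source ACE dropped, nothing added
    return list(dict.fromkeys(result))      # dedupe, keep order


def sids(acl):
    """SIDs that currently hold any access on the mailbox."""
    return {ace.sid for ace in acl}
```

Comparing `translate_mailbox_acl(MAILBOX_ACL, SID_MAP, Mode.REPLACE)` with an Add pass followed by a Remove pass gives identical ACLs, which is the equivalence the staged approach relies on.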

Please note that this information can also be obtained from Chapter 2 of the DMA 7.1 User Guide under the heading 'Maintaining Exchange Access Permissions'.

Additional Information

Formerly known as NETIQKB2139