An associated external account is an account from another domain (NT or Active Directory) that has been given permissions to fully access an Exchange 2000 mailbox. There are only a few instances when you would use an associated external account. One is when you're migrating from Windows NT 4.0 and Exchange 5.5 to Windows 2000 Active Directory (AD) and Exchange 2000; the other is when you're using a separate Windows 2000 domain as a resource domain (and forest) for Exchange 2000.
I’ll address the second scenario first. In this case, you probably have a Windows 2000 AD forest structure. For security purposes, domain-wide account policies, and identity, you partitioned it into multiple forests; I’ll call them A (accounts) and E (Exchange). This might be the case if the business units housed in those forests are competitors and can’t (or won’t) share administrative responsibilities, but the overall company must share the same centrally administered Exchange infrastructure in forest E. So, you need to allow users in forest A to use mailboxes in forest E.
First, you must make sure you've created the appropriate inter-forest trusts between A and E. You must create them manually, and they are non-transitive. Next, you must create one disabled user account in forest E for every account in forest A that needs to use a mailbox. You can do this with the Active Directory Migration Tool (ADMT), ClonePrincipal, or a third-party tool.
Once this is done, enable Advanced Features from the View menu in Active Directory Users and Computers (ADUnC), open the properties of the disabled user account, go to the Exchange Advanced tab, and click the Mailbox Rights button. This brings up a dialog box where you can add the account from the foreign forest/domain and choose to allow or deny Associated External Account. Note that you must also grant the external account Full Mailbox Access. Now the user can log on to their account domain, create a MAPI profile that points to the correct mailbox in Exchange 2000, and connect.
In the first scenario, migrating from Exchange 5.5 to Exchange 2000, you must be aware of two important items: the msExchMasterAccountSID and the SELF account. The msExchMasterAccountSID is an attribute of the mailbox-enabled, disabled user account that gets populated with the Security Identifier (SID) of the NT 4.0 account when you use the Active Directory Connector (ADC) to populate AD from the Exchange 5.5 directory. In some cases this doesn't happen correctly, and you must manually grant the SELF account the Associated External Account permission on the mailbox-enabled account. The SELF account has a well-known value that is then used for the msExchMasterAccountSID.
Once you've populated AD with disabled user accounts, you can use ADUnC to move the mailboxes from an Exchange 5.5 server to an Exchange 2000 server in the same Exchange Site. If, after the mailbox move, the user can't access the mailbox, check the mailbox rights to ensure that at least the SELF account is there. Better yet, using Windows tools such as LDIFDE, LDP, or ADSI Edit, check the properties of the account and ensure that the msExchMasterAccountSID has been populated appropriately. The NT 4.0 account should have been granted Send As in the user's security permissions, and Read, Associated External Account, and Full Mailbox Access in the mailbox rights.
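As an added example (not from the original article), the following Python script performs the msExchMasterAccountSID check described above against an LDIFDE export of the disabled, mailbox-enabled accounts: it decodes the binary SID, distinguishes a populated NT 4.0 account SID from the well-known SELF value (S-1-5-10), and flags accounts where the attribute is missing or the account was left enabled. The account names, domain and SIDs are constructed; a real LDIFDE export also carries changetype lines and folds long values onto continuation lines, which this minimal reader does not handle.

```python
# Added example (not from the original article); all names and SIDs below are constructed.
import base64, struct

SELF_SID = "S-1-5-10"   # well-known SID of the SELF principal
ACCOUNTDISABLE = 0x2    # userAccountControl bit set on a disabled account

def sid_to_bytes(sid):
    """Encode 'S-1-<authority>-<sub>...' into the binary layout AD stores."""
    rev, auth, *subs = (int(p) for p in sid.split("-")[1:])
    return struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def bytes_to_sid(raw):
    """Decode the binary SID back to its S-1-... string form."""
    subs = struct.unpack("<%dI" % raw[1], raw[8:8 + 4 * raw[1]])
    return "S-%d-%d" % (raw[0], int.from_bytes(raw[2:8], "big")) + "".join("-%d" % s for s in subs)

def parse_ldif(text):
    """Minimal LDIF reader: a blank line ends an entry, '::' marks a base64 value (no line unfolding)."""
    entries = []
    for block in text.strip().split("\n\n"):
        cur = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            cur[key.rstrip(":")] = base64.b64decode(val) if key.endswith(":") else val
        entries.append(cur)
    return entries

def audit(ldif_text):
    """Map sAMAccountName -> verdict for every account in the export."""
    results = {}
    for e in parse_ldif(ldif_text):
        name, raw = e["sAMAccountName"], e.get("msExchMasterAccountSID")
        if not int(e.get("userAccountControl", "0")) & ACCOUNTDISABLE:
            results[name] = "WARN: account is enabled; the placeholder account should be disabled"
        elif raw is None:
            results[name] = "FAIL: msExchMasterAccountSID missing; grant SELF Associated External Account or re-run ADC"
        elif bytes_to_sid(raw) == SELF_SID:
            results[name] = "OK: master account is SELF (manually assigned)"
        else:
            results[name] = "OK: master account is " + bytes_to_sid(raw)
    return results

def entry(name, uac, sid=None):
    # One constructed LDIFDE-style entry; LDIFDE writes binary attributes as base64 after '::'.
    lines = ["dn: CN=%s,CN=Users,DC=exforest,DC=example" % name, "sAMAccountName: " + name, "userAccountControl: %d" % uac]
    if sid:
        lines.append("msExchMasterAccountSID:: " + base64.b64encode(sid_to_bytes(sid)).decode())
    return "\n".join(lines)

# Constructed export: two correct accounts, one missing the SID, one left enabled (512 = no ACCOUNTDISABLE bit).
SAMPLE_LDIF = "\n\n".join([entry("aadams", 514, "S-1-5-21-1000-2000-3000-1105"), entry("bbrown", 514, SELF_SID),
                           entry("cchen", 514), entry("dduval", 512, "S-1-5-21-1000-2000-3000-1106")])
```

Run `audit(SAMPLE_LDIF)` against the constructed export, or feed it the text of a real `ldifde -f` dump filtered to the migrated accounts.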
- Nilesh Roy