The Environment
I have been recently involved in a business consolidation project
where two businesses joined forces and formed a new entity. Inevitably, it had
a strong migration component. My client stipulated that assuming the new identity in the early stages is critical and it has to be reflected in communications. Therefore e-mail was the first component to be migrated. The plan was to let users log on and access resources such as file, print, application etc. as normal, with their LEGACY\oldlogon account, while sending/receiving e-mail should happen under their NEW\newlogon identity.
To achieve this first milestone, the new AD forest has been
created and Exchange 2013 CU8 has been installed and configured.
The timeline was unclear as to when will users start to log
on with their NEW\newlogon accounts, and in relation to that, whether users
will start logging on to the new forest *before* or *after* other resources
will have been migrated.
For this reason user accounts have been migrated along with
the SIDHistory attribute in a “disabled” state, and their mailboxes moved cross-forest
as Linked Mailboxes. Effectively an Account/Resource forest topology has been built.
For more on Account/Resource forests see https://technet.microsoft.com/en-us/library/aa998031(v=exchg.150).aspx.
The Issue
All worked well, except delegation. Delegation was flaky at
best, users regularly losing access, and admins unsuccessfully trying to
re-establish permissions. While initially Get-MailboxPermission displayed the
correct LEGACY\oldlogon accounts, they’ve been replaced, automagically, with
NEW\newlogon as time passed. Inconsistency was the only constant.I searched the Internet far and wide, asked on professional forums, however my efforts yielded no useful results.
I ended up opening a case with Microsoft.
The Workaround
For each SID in the shared mailbox’s ACL
Exchange tries to find its corresponding AD account, and it searches its own forest first. It finds the SID of the LEGACY\oldlogon
account in the SIDHistory attribute of the migrated NEW\newaccount, and it says
“BINGO! This is the account!” Therefore it stops searching and does NOT follow
the chain of trusted forests to identify the real owner of the SID. Therefore
it incorrectly assigns permissions to NEW\newlogon in the resource forest instead
of LEGACY\oldlogon in the account forest.
If the SID on the shared mailbox’s ACL isn’t found in the
Exchange server’s home forest, then, and only then, Exchange will move on to find
the account in one of the trusted forests.
To date the only way to get delegated access to work again
is to clear the sIDHistory attribute of the NEW\newlogon account. There are a
number of ways to clear the SIDHistory. My preferred tool is Ashley McGlone’s
PowerShell module.
WARNING: Do NOT clear the SIDHistory unless the effects are fully understood AND if the effects will not affect the business in a negative way! Otherwise consider a career change.
While clearing the SIDHistory solves the immediate issue, it
introduces new challenges later on when the merger/migration is refocused onto accounts and
resources. Further steps must be carefully planned and coordinated, user
accounts potentially re-migrated to re-populate the sIDHistory attribute, otherwise
users risk to lose access (and the admin his/her job).WARNING: Do NOT clear the SIDHistory unless the effects are fully understood AND if the effects will not affect the business in a negative way! Otherwise consider a career change.
In my opinion the logic by which Exchange finds delegated accounts is flawed, and therefore I see the removal of SIDHistory not as a “fix” but rather as a quick and dirty “workaround”, lacking strategic view of the bigger picture. Hope Microsoft will fix it one day.
Happy migration!