Exchange 2010 Pre-Deployment Analyzer - Permissions inheritance block on Organizational unit: Servers

I'm helping out with a place where it's actually an Exchange 2007 and Exchange 2010 mixed environment. I'm working to migrate the resources from Exchange 2007 to 2010 (still looking into the best way for that actually, any recommended scripts or freeware?)

However, I wanted to run the "Pre-deployment Analyzer" from Microsoft to see if there were still any issues it could find, even though 2010 is already deployed.

It came back with one issue in the report:


Permissions inheritance block on Organizational unit: Servers
Domain: Cafenet
Access control list (ACL) inheritance is blocked for the Organizational unit: Servers object in domain 'cafenet.edu' (OU=Servers,DC=cafenet,DC=com). This may cause mail flow problems, recipient update service failures and other service outages. Use the Active Directory Users and Computers program to re-enable inheritance on this object.

Is that something I should be worried about?
Asked by: garryshape

mac carter Commented:
It's all about permissions.
If the inheritance is blocked, then the permissions that Exchange sets for correct operation, with Exchange being able to read and update objects, will not work correctly.

It is very vague because it is impossible to be specific because the permissions could be very different. It can depend on the account being used, restrictions in place elsewhere etc.

Exchange is very heavily integrated with AD, therefore incorrect permissions can cause havoc.
http://social.technet.microsoft.com/Forums/en-US/exchangesvrdeploylegacy/thread/d9165877-bbe3-4de9-84f3-c0a3b7dbb886#a5a7e170-c4a5-45e6-9aa4-de9e17b6cca7

Also, please check the thread below to see whether "CN=Administrative Group" has inheritable permissions or not:
https://social.technet.microsoft.com/Forums/exchange/en-US/e370e352-dae1-45b5-8094-25d2cdc41a21/active-directory-operation-failed-on-domainlocal-this-error-is-not-retriable-exchange-2010?forum=exchange2010

Check out this informative blog post on Exchange Pre-Deployment Analyzer Notes: http://geekswithblogs.net/BWCA/archive/2010/07/16/exchange-2010-deployment-notes-ndash-exchange-pre-deployment-analyzer-notes.aspx

Hope it helps you!
Simon Butler (Sembee), Consultant, Commented:
Why do you need scripts or software to do a migration?
Unless there is something you haven't said (like it is cross forest) just move the content about. Everything with Exchange lives in the domain, Exchange is just the application and storage place. Therefore Exchange migrations are very easy to do once the server build is complete.

To answer the question - permission inheritance should not be blocked - so enable it again.
This is a common problem with user accounts as well - if you find accounts don't work correctly, features not working, unable to move the mailbox, then check permission inheritance.

Simon.
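
An added example, not written by anyone in this thread: one way to list the OUs and user accounts whose ACL inheritance is blocked, and to re-enable it, using the ActiveDirectory module. The search base `DC=example,DC=com` is a placeholder and the two function names are hypothetical.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module,
# which also provides the AD: drive used by Get-Acl / Set-Acl below.
Import-Module ActiveDirectory

$SearchBase = 'DC=example,DC=com'   # placeholder: use your own domain DN

function Get-InheritanceBlockedObject {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        # OUs plus user accounts, the two object types discussed above
        [string] $LDAPFilter = '(|(objectClass=organizationalUnit)(&(objectCategory=person)(objectClass=user)))'
    )
    Get-ADObject -SearchBase $SearchBase -LDAPFilter $LDAPFilter -Properties adminCount |
        ForEach-Object {
            $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
            if ($acl.AreAccessRulesProtected) {      # True = inheritance is blocked
                [pscustomobject]@{
                    DistinguishedName = $_.DistinguishedName
                    ObjectClass       = $_.ObjectClass
                    # adminCount = 1: the ACL is managed by AdminSDHolder/SDProp,
                    # which turns inheritance off again after a manual change.
                    AdminCount        = $_.adminCount
                }
            }
        }
}

function Enable-AclInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)] [string] $DistinguishedName)
    process {
        $path = "AD:\$DistinguishedName"
        $acl  = Get-Acl -Path $path
        # isProtected = $false re-enables inheritance; the second argument is
        # ignored in that case. Explicit ACEs on the object stay in place.
        $acl.SetAccessRuleProtection($false, $true)
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Re-enable ACL inheritance')) {
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# 1. Report every object with inheritance blocked.
$blocked = Get-InheritanceBlockedObject -SearchBase $SearchBase
$blocked | Format-Table -AutoSize

# 2. Dry run on objects not managed by AdminSDHolder; drop -WhatIf to apply.
$blocked | Where-Object { $_.AdminCount -ne 1 } | Enable-AclInheritance -WhatIf
```

Review the report before applying: an OU may have had inheritance blocked deliberately, and re-enabling it exposes the OU's contents to whatever is delegated at the parent.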
garryshape (Author) Commented:
@Simon Butler (Sembee)
Ok that is interesting, I'm not sure.
So theoretically, I should just be able to select a dozen or so mailboxes from the Exchange 2010 management console that live on the Exchange 2007 mailbox servers, and then right-click and Move them all, to carry out their migration?
Or is PowerShell recommended instead of the GUI? Like just a move-request?
Simon Butler (Sembee), Consultant, Commented:
Going from Exchange 2007 to 2010 will kick the users out of their mailbox while you move.
Otherwise, you can select as many as you like. Exchange will only move a few at a time, then move on to the next. I have selected 40 or 50 in the past - if they are all going to the same database.

Is there a CAS array configured on the Exchange 2010 server? If not, create one now, before you move any mailboxes. It is something that takes two minutes at this stage, but could save you from a lot of work later on if you are (or might be) deploying additional servers later on.

The GUI runs PowerShell commands in the background, so there is no difference.

Simon.