Coexisting with Previous Versions

Understanding Group Management and Security

In previous versions of Exchange, distribution lists were used to send e-mail to people and to set permissions on public folders. Distribution lists allowed membership from any Exchange site and could be nested. This functionality is similar to the functionality of Windows 2000 universal groups. Exchange 2000 uses Windows 2000 universal security groups and Access Control Lists (ACLs) to provide a flexible model for permission management.

Group Management Domain

To preserve this functionality in your Windows 2000 and Exchange 2000 deployment, you need to create a group management domain. A group management domain is a Windows 2000 domain that has been switched to native mode and is the target of an ADC connection agreement that is extracting distribution list data from an Exchange 5.5 site.

Note   If your strategy for populating Active Directory includes creating a transition domain, you can use the same domain as a group management domain.

While objects that reside in mixed-mode domains can be members of a universal security group, you must create or convert universal security groups from a Windows 2000 server in a native-mode domain. To port the functionality of existing Exchange distribution lists so that it operates seamlessly within the Windows 2000 permissions model, establish a group management domain in which you can create and convert Exchange 4.x and 5.x distribution lists. You can use any domain controlled by Windows 2000 Server that has been switched to native mode as a group management domain.

Your topology dictates whether you will want more than one group management domain. As you plan your Connection Agreements, define at least one Connection Agreement for distribution list replication that specifies a native-mode domain as the Windows 2000 destination target. If you have multiple domains managing distribution lists, you need to run Connection Agreements to each of these domains. To keep distribution lists and their functionality working seamlessly across both systems, you must create ADC Connection Agreements before you upgrade to Exchange 2000.

If your organization does not use distribution lists nested within ACLs on public folders, or if your organization does not need to control access to public folders with the Windows 2000 or Exchange 2000 equivalent of distribution lists (universal security groups), you do not need a native-mode Windows 2000 domain.

If you do not want to use universal security groups, or if you do not want to switch your domains controlled by Windows 2000 Server to native mode, you can use domain local or global groups to control access to public folders. This method requires ongoing maintenance and administration as your organization changes. For more information, see the Exchange online documentation.

For more information on Windows 2000 groups, see the Windows 2000 documentation.

Advantages and Disadvantages When Using Windows 2000 Groups with Exchange

Use the information in the following tables to understand the advantages and disadvantages of using groups of various scopes and types with Exchange.

Types of Windows 2000 Groups

Group type: Security

  Advantages:
  - Can be mail-enabled by assigning a Simple Mail Transfer Protocol (SMTP) address so the group can act as a distribution list equivalent.
  - Can be used for assigning permissions to public folders in Exchange 2000.
  - Useful if you also want to assign network permissions to the members of the group.
  - Lowers the number of groups in Active Directory and the messaging system, as well as the maintenance they require.

  Disadvantages:
  - Accidentally placing users in the group can give those users unauthorized access to network resources.

Group type: Distribution

  Advantages:
  - Can be used for bulk mailing.
  - The group's only purpose is to send messages to its members.
  - Can be used for universal groups, even in a mixed-mode domain.

  Disadvantages:
  - Cannot be assigned permissions on network resources.
  - Cannot be assigned permissions on public folders.

Scopes of Windows 2000 Groups

Group scope: Domain local

  Advantages:
  - Membership is not published to the global catalog server, so changes do not require global catalog replication.
  - Microsoft Outlook clients can view full user membership if they are located in the domain in which the group exists.

  Disadvantages:
  - Cannot be assigned permissions on network resources and public folders in other domains.
  - Outlook users in other domains cannot view the full membership.
  - Group membership must be retrieved on demand if expansion takes place in a remote domain.

Group scope: Global

  Advantages:
  - Membership is not published to the global catalog server, so changes do not require global catalog replication.
  - Outlook clients can view full user membership if they are located in the domain in which the group exists.
  - Can be assigned permissions on network resources and public folders in the same domain.

  Disadvantages:
  - Can contain recipient objects only from the same domain, and can be assigned permissions only on public folders in the same domain as the server running Exchange.
  - Outlook users in other domains cannot view the full membership.
  - Group membership must be retrieved on demand if expansion takes place in a remote domain.

Group scope: Universal

  Advantages:
  - Membership can consist of any object in the forest.
  - Outlook users in any domain can view full membership.
  - Membership never has to be retrieved from remote domain controllers.
  - Can be used in mixed-mode domains when the type is set to Distribution.

  Disadvantages:
  - Membership modifications incur replication to the global catalog servers.
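As an added example that is not part of this documentation, the following Python helper decodes the Active Directory groupType attribute (the flag values are the standard ones: 0x2 global, 0x4 domain local, 0x8 universal, 0x80000000 security-enabled) and applies the rules from the two tables above to a constructed sample of exported groups, flagging universal security groups that sit in a mixed-mode domain and groups that cannot carry public-folder permissions.

```python
# Added example, not from the original documentation: decode the Active Directory
# groupType bitmask and apply this page's rules about which groups can carry
# Exchange 2000 public-folder permissions and which need a native-mode domain.
GROUP_GLOBAL = 0x00000002        # global scope
GROUP_DOMAIN_LOCAL = 0x00000004  # domain local scope
GROUP_UNIVERSAL = 0x00000008     # universal scope
GROUP_SECURITY = 0x80000000      # security-enabled; if absent, a distribution group


def decode_group_type(value):
    """Return (scope, type) for a groupType value as exported from AD.

    LDAP exports the attribute as a signed 32-bit integer, so security
    groups show up negative (-2147483640 is a universal security group).
    """
    bits = value & 0xFFFFFFFF
    if bits & GROUP_UNIVERSAL:
        scope = "universal"
    elif bits & GROUP_GLOBAL:
        scope = "global"
    elif bits & GROUP_DOMAIN_LOCAL:
        scope = "domain local"
    else:
        raise ValueError("unrecognised scope in groupType %#x" % bits)
    kind = "security" if bits & GROUP_SECURITY else "distribution"
    return scope, kind


def check_group(value, domain_native_mode):
    """Apply the rules from the two tables; return the findings for one group."""
    scope, kind = decode_group_type(value)
    findings = []
    if kind == "distribution":
        findings.append("distribution group: cannot be placed on public-folder ACLs")
    if scope == "universal" and kind == "security" and not domain_native_mode:
        findings.append("universal security group needs a native-mode domain")
    if scope != "universal":
        findings.append(scope + " group: permissions and full membership view "
                        "are limited to its own domain")
    return findings


# Constructed sample export: (group name, groupType, domain is in native mode).
SAMPLE_GROUPS = [
    ("PF-Finance-Readers", -2147483640, True),   # universal security, native
    ("PF-Legacy-DL", -2147483640, False),        # universal security, mixed
    ("All-Staff", 8, True),                      # universal distribution
    ("HelpDesk", -2147483646, True),             # global security
]
for name, value, native in SAMPLE_GROUPS:
    print(name, decode_group_type(value), check_group(value, native))
```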

Related Topics

Understanding Coexistence Between Previous Versions of Exchange