When I try to add a new Exchange 2000 Server machine to my organization, the Setup program returns an error that says permissions on the Deleted Items container haven't been replicated. How can I find out what the problem is?

This error message is rather bizarre, considering what its real cause is. If you use Replmon (one of the Support Tools on the Windows 2000 CD-ROM) to check replication between your Global Catalogs (GCs), you'll probably find that your replication is working fine. The reason is that this particular error message has nothing to do with replication but does involve permissions. Specifically, you'll see this message when you try to use an account that doesn't have Exchange Full Administrator privileges to install Exchange 2000.

To fix this problem, either use an account that has adequate privileges or delegate Exchange Full Administrator access to the account you're trying to use. The latter solution is better because you should control Exchange administrative privileges with a suitable security group. Here's the easiest method.

  1. Use the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in to create a new security group. Name the security group ExAdmins or another meaningful name that will remind you what the group is for.
  2. On the Members tab of the group's Properties dialog box, add the accounts on which you want to grant access to people with Exchange Full Administrator privileges.
  3. Log on with an account that currently has Exchange Full Administrator privileges, then open Exchange System Manager (ESM).
  4. Right-click your Exchange organization, then select the Delegate Control command from the context menu to launch the Delegation Wizard.
  5. The second page of the Exchange Administration Delegation Wizard displays a table showing which users and groups have which levels of delegated access. Click Add to select the group you created in Step 1. When prompted, specify that you want this group to have Exchange Full Administrator access.

This approach gives you better control over who has Exchange access. As long as you do a good job of adding and removing users from that group, you never have to worry that you've accidentally granted excessive access to someone.