
Tuesday, May 15, 2012

Exchange Recovery Database with Backup Exec 2010 R2

Below are the steps to restore an Exchange 2010 database to a recovery database using Backup Exec 2010 R2.

1. Create two folders on the Exchange mailbox server.

• Database –> E:\Recovery\Database

• Transaction Logs –> E:\Recovery\Logs


2. Make sure you are restoring a full backup and not a differential; otherwise only the logs will be restored. Create the recovery database:
New-MailboxDatabase -Recovery -Name RDB -Server DCEXMAILP01 -EdbFilePath "E:\Recovery\RDB\RDB.EDB" -LogFolderPath "E:\Recovery\RDB"


3. Mount the database so that a blank .edb file exists, then dismount it and delete all files except the .edb in E:\Recovery\Database. (Ensure that in the database properties the check box "This database can be overwritten by a restore" is checked; it should already be checked.)

4. Run the restore from Backup Exec. Once the restore is complete, the DB will automatically be mounted. Verify the mailboxes it contains:

Get-MailboxStatistics -Database RDB

5. Restore the mailbox from the recovery database into the live mailbox:

Restore-Mailbox -Identity User1 -RecoveryDatabase RDB

Or restore to a PST:

New-MailboxExportRequest -Mailbox User1 -FilePath "\\dcexmailp01\PST Dumps\User1.pst"

Get-MailboxExportRequest (shows the status of the export)
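The same recovery-database workflow as one Exchange 2010 Management Shell script, added here as an example and not part of the original post; the server name, paths and mailbox name are assumed values taken from the commands above, and the Backup Exec restore itself still happens between steps 3 and 4.

```powershell
# Added example (not from the original post): recovery database workflow for Exchange 2010.
# Assumed values from the post: server DCEXMAILP01, RDB under E:\Recovery\RDB, mailbox User1.
$server  = 'DCEXMAILP01'
$rdbName = 'RDB'
$edbPath = 'E:\Recovery\RDB\RDB.EDB'
$logPath = 'E:\Recovery\RDB'

# 1. Create the recovery database, or reuse it if it already exists.
$rdb = Get-MailboxDatabase -Identity $rdbName -ErrorAction SilentlyContinue
if (-not $rdb) {
    $rdb = New-MailboxDatabase -Recovery -Name $rdbName -Server $server `
           -EdbFilePath $edbPath -LogFolderPath $logPath
}

# 2. "This database can be overwritten by a restore" (AllowFileRestore) must be set,
#    otherwise Backup Exec cannot lay the restored .edb over the blank one.
Set-MailboxDatabase -Identity $rdbName -AllowFileRestore $true

# 3. Mount once so a blank .edb is created, then dismount and remove everything but the .edb.
Mount-Database -Identity $rdbName
Dismount-Database -Identity $rdbName -Confirm:$false
Get-ChildItem -Path $logPath |
    Where-Object { -not $_.PSIsContainer -and $_.Extension -ne '.edb' } |
    Remove-Item

# ---- run the Backup Exec restore of a FULL backup into the recovery database here ----

# 4. After the restore, make sure the RDB is mounted and the wanted mailbox is inside it.
if (-not (Get-MailboxDatabase -Identity $rdbName -Status).Mounted) {
    Mount-Database -Identity $rdbName
}
$found = Get-MailboxStatistics -Database $rdbName | Where-Object { $_.DisplayName -eq 'User1' }
if (-not $found) { throw "User1 not found in $rdbName; check that a full backup was restored" }

# 5. Restore into a subfolder of the live mailbox so nothing current is overwritten.
Restore-Mailbox -Identity 'User1' -RecoveryDatabase $rdbName -RecoveryMailbox 'User1' `
    -TargetFolder 'Recovered' -Confirm:$false

# 6. Optionally export to PST. FilePath must be a UNC path the Exchange Trusted Subsystem
#    can write to, and the admin needs the "Mailbox Import Export" role assigned.
$req = New-MailboxExportRequest -Mailbox 'User1' -FilePath '\\dcexmailp01\PST Dumps\User1.pst'
do {
    Start-Sleep -Seconds 30
    $stat = Get-MailboxExportRequestStatistics -Identity $req.Identity
} while (@('Completed', 'CompletedWithWarning', 'Failed') -notcontains $stat.Status)
$stat | Select-Object Status, PercentComplete, FilePath
```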


James Chong
MCITP | EA | EMA; MCSE M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Friday, May 04, 2012

Web.config Configuration An Extension of Name "SecurityServiceBehavior" already appears in Extension Collection

The following error on a web app can have multiple causes, but the root issue is that your web.config is being loaded twice. The error does not indicate that you have duplicate tags in the web.config, nor that there is a problem with this specific tag. How does the web.config get loaded twice? One cause is something in your code: when you reach your web app, it performs some other function or logging that loads your web.config again. Another cause, in my specific case, was incorrect IIS settings on the web app, for example:

The root of the website test.com has an application declared with the home directory:

• d:\inetpub\wwwroot\test\virdirectory instead of just d:\inetpub\wwwroot\test

Then there is a virtual directory off the root of test.com called virdirectory with a home directory of:

• d:\inetpub\wwwroot\test.com\virtualdirectory

This causes the web.config to be loaded twice.
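A check for the two conditions described above, added here as an example that is not part of the original post: a virtual directory whose folder sits inside (or is) the parent application's folder, and a child URL whose folder carries a copy of the parent's web.config, which IIS then inherits once and loads again. The site name and the sample records are assumed or constructed; live collection assumes the IIS 7 WebAdministration module.

```powershell
# Added example (not from the original post). Requires the WebAdministration module for the
# live path; the constructed sample at the bottom runs without IIS.
Import-Module WebAdministration -ErrorAction SilentlyContinue

function Get-ConfigHash {
    # SHA-256 of the web.config in a folder, or $null when the folder has none.
    param([string] $Folder)
    $file = Join-Path $Folder 'web.config'
    if (-not (Test-Path -LiteralPath $file)) { return $null }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([System.IO.File]::ReadAllBytes($file))
    return ([BitConverter]::ToString($hash) -replace '-', '')
}

function Get-SiteNodes {
    # One record per URL node of a site: root, applications and virtual directories.
    # Assumes Get-Website/Get-WebApplication/Get-WebVirtualDirectory expose Path/PhysicalPath.
    param([string] $SiteName)
    $nodes = @()
    $nodes += New-Object PSObject -Property @{ UrlPath = '/'; Physical = (Get-Website -Name $SiteName).PhysicalPath }
    foreach ($a in Get-WebApplication -Site $SiteName) {
        $nodes += New-Object PSObject -Property @{ UrlPath = $a.Path; Physical = $a.PhysicalPath }
    }
    foreach ($v in Get-WebVirtualDirectory -Site $SiteName) {
        $nodes += New-Object PSObject -Property @{ UrlPath = $v.Path; Physical = $v.PhysicalPath }
    }
    foreach ($n in $nodes) {
        $dir = [Environment]::ExpandEnvironmentVariables($n.Physical)
        Add-Member -InputObject $n -MemberType NoteProperty -Name ConfigHash -Value (Get-ConfigHash $dir)
    }
    return ($nodes | Sort-Object UrlPath -Unique)   # dedupe root in case it is listed twice
}

function Find-DoubleLoadedConfig {
    # $Nodes: objects with UrlPath ('/', '/virdirectory'), Physical and ConfigHash.
    param([Parameter(Mandatory=$true)] [object[]] $Nodes)
    $findings = @()
    foreach ($parent in $Nodes) {
        foreach ($child in $Nodes) {
            if ($parent.UrlPath -eq $child.UrlPath) { continue }
            $prefix = if ($parent.UrlPath -eq '/') { '/' } else { $parent.UrlPath + '/' }
            if (-not $child.UrlPath.StartsWith($prefix)) { continue }   # not a URL descendant
            $pDir = $parent.Physical.TrimEnd('\') + '\'
            $cDir = $child.Physical.TrimEnd('\') + '\'
            # (a) the child's folder is the parent's folder or lives underneath it
            if ($cDir.StartsWith($pDir, [StringComparison]::OrdinalIgnoreCase)) {
                $findings += "$($child.UrlPath): folder $cDir is inside $($parent.UrlPath) folder $pDir"
            }
            # (b) identical web.config at both levels: inherited from the parent, then loaded again
            if ($parent.ConfigHash -and ($parent.ConfigHash -eq $child.ConfigHash)) {
                $findings += "$($child.UrlPath): web.config is identical to $($parent.UrlPath)'s; its <extensions> will be registered twice"
            }
        }
    }
    return $findings
}

# Constructed sample mirroring the post: root app pointed at the vdir's folder, and the
# vdir's folder holding a copy of the same web.config (same hash).
$sample = @(
    (New-Object PSObject -Property @{ UrlPath = '/';             Physical = 'd:\inetpub\wwwroot\test\virdirectory';         ConfigHash = 'AB12' }),
    (New-Object PSObject -Property @{ UrlPath = '/virdirectory'; Physical = 'd:\inetpub\wwwroot\test.com\virtualdirectory'; ConfigHash = 'AB12' })
)
Find-DoubleLoadedConfig -Nodes $sample
# Live check: Find-DoubleLoadedConfig -Nodes (Get-SiteNodes -SiteName 'test.com')
```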

James Chong
MCITP | EA |EMA; MCSE |M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Monday, April 30, 2012

Exchange 2003 Migration to Exchange 2010 Coexistence OWA ActiveSync Real Life Tips

When migrating from Exchange 2003 to 2010, it may be imperative to set up coexistence during the migration to ensure a smooth transition while both your Exchange 2003 and Exchange 2010 environments are running. This is the ideal approach if you have many users or servers and cannot perform a one-day or weekend cutover of all your mailboxes to the Exchange 2010 server. Here are some tips I have encountered while setting up coexistence:

1. If you are using mail.contoso.com as the DNS name for your Exchange 2003 Outlook MAPI, OWA, and ActiveSync clients, then perform the following.

In external DNS update the record mail.contoso.com to the IP of the Exchange 2010 server. Create another record, legacy.contoso.com, and point it to the IP of the Exchange 2003 server. In internal DNS create legacy.contoso.com with the IP of the Exchange 2003 server. Do not change the internal DNS record for mail.contoso.com; leave it as is, because your Exchange 2003 Outlook users are still using mail.contoso.com. If you change the internal record, your Outlook 2003 users will stop working, since they will be pointing at the Exchange 2010 server and it cannot proxy RPC back to 2003. Before making DNS changes, set the TTL on these records to something like 5 minutes 24 hours in advance; this ensures that when you change the records you are not waiting an hour or more for the DNS cache to time out, which would hamper your testing and troubleshooting.

2. On the Exchange 2010 CAS, set the Exchange 2003 URL (the legacy external URL) on the OWA virtual directory:

Set-OwaVirtualDirectory -Identity "exchange2010cas01\owa (Default Web Site)" -Exchange2003Url https://legacy.contoso.com/exchange

3. Set the same legacy URL on the ActiveSync virtual directory:

Set-ActiveSyncVirtualDirectory -Identity "exchange2010cas01\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalUrl https://legacy.contoso.com/Microsoft-Server-ActiveSync

Supposedly you do not need to set the legacy URL on the ActiveSync virtual directory for 2003-2010 coexistence, because Exchange 2010 will proxy directly to the 2003 ActiveSync. I found this did not work; it required setting the ActiveSync virtual directory and letting it redirect. At this point you should be able to open a browser from outside the network and perform the following.


A. Go to mail.contoso.com from outside the network and access a mailbox for a 2010 user and a 2003 user

B. Go to legacy.contoso.com  from outside the network and access a 2003 user

C. On your activesync phone you should be able to access your 2003 user without changing any settings on your phone and still set to mail.contoso.com (some troubleshooting steps below if you can't)

D. On your activesync phone you can also set the mail server to legacy.contoso.com and access your 2003 server.


You also need to ensure the following are set. On your Exchange 2003 front end, make sure you enable Integrated authentication for the ActiveSync directory as well as Basic. Also DISABLE "Require SSL" on the ActiveSync vdir. You also need to DISABLE "Require SSL" on the Exchange virtual directory on your 2003 FE. I set this directly in IIS rather than ESM and did not run into DS2MB re-writing it.

In addition, if you are doing HTTP to HTTPS redirection on your Exchange 2003 OWA, you need to turn this off, whether you implemented it with the HTTP custom error file or some other method.

If you experience ActiveSync slowness, it is because you did not disable "Require SSL" on the Exchange vdir on your 2003 server. I also did not need to disable RPC over HTTP or forms-based authentication on the 2003 server to have it work.

Another tip: do not set up the HTTP to HTTPS redirect on your 2010 server just yet. If you are using mail.contoso.com for everything (Outlook, ActiveSync, OWA) and you are in this split-brain DNS setup, it can break services. When a 2010 user logs into OWA using just http://mail.contoso.com/, the request goes to the 2010 CAS, which redirects to https://mail.contoso.com/; but the CAS uses internal DNS, where mail.contoso.com resolves to your Exchange 2003 server, on which your 2010 user does not reside. This produces a redirect loop in the browser.

This is just one of the limitations of coexistence if you use a single namespace, mail.contoso.com, for all your services. Another limitation is that internal 2010 users, after they are migrated, will not be able to use OWA or ActiveSync on the internal Wi-Fi, because they will be pointed to mail.contoso.com, which of course points to 2003 internally. You can of course go with alternate solutions such as a new namespace for your 2010 users, but that would mean re-homing their devices and Outlook Anywhere after they are migrated, so it is not seamless.

Once complete, you want to enable Outlook Anywhere on your Exchange 2010 CAS for both NTLM and Basic authentication, since you may have Outlook Anywhere clients already set to either NTLM or Basic. I ended up having to set all three; setting only -DefaultAuthenticationMethod for NTLM and Basic did not work.

Set-OutlookAnywhere -Identity "Server01\Rpc (Default Web Site)" -DefaultAuthenticationMethod ntlm, basic

Set-OutlookAnywhere -Identity "Server01\Rpc (Default Web Site)" -IISAuthenticationMethod ntlm, basic

Set-OutlookAnywhere -Identity "Server01\Rpc (Default Web Site)" -ClientAuthenticationMethod ntlm, basic


James Chong
MCITP | EA |EMA
Security+, Project+, ITIL
msexchangetips.blogspot.com

Monday, November 14, 2011

Backup Exec attempted to back up an Exchange database according to the job settings. The database was not found in the Database Availability Group DAG

When attempting to back up an Exchange 2010 DAG you receive the following error:

V-79-57344-896 - Backup Exec attempted to back up an Exchange database according to the job settings. The database was not found in the Database Availability Group (DAG), however. Update the selection list and run the job again.

You have verified that the Backup Exec agent service is running under the LSA account and that the account is in the Exchange org admin group. In this instance the issue was caused by renaming the database display name, for example from “MDB01 Tier1” to “MDB01 Tier 1 500GB”.


James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Thursday, October 27, 2011

Calendar sharing is not available with the following entries because of permission settings on your network

When attempting to share a calendar with another internal user using Outlook 2010 you receive the error:

Calendar sharing is not available with the following entries because of permission settings on your network

After deleting the nickname cache and choosing the name from the GAL you still receive this error. In this instance it was resolved using:

Set-Mailbox user1 -ApplyMandatoryProperties


James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Friday, September 02, 2011

UAG Exchange 2010 OWA Error_Code=51 has resulted in too many redirects

Summary: After rebooting the UAG servers, you receive the following error in your browser when attempting to access owa.company.com:

https://outlook.company.com/internalsite/internalerror.asp?site_name=trunk1&secure=1&error_code=51 has resulted in too many redirects.

Root cause: In this instance, every time the UAG is rebooted (in our case, monthly Windows patching) one UAG box failed to start the internal site in IIS. If you start the site or run "activate" in the UAG console, OWA will work.

What is happening is that UAG accepts the Outlook Anywhere request and does an internal redirect to its own “internal site”. This is normal, as the InternalSite, listening on port 6001, is UAG’s administrative engine (it handles login, authentication, errors, etc.).

Root fix: There is an error event that comes up after we patch UAG2 that does not occur on UAG1, even though they are configured and patched exactly the same.

Event ID 107
Report Server Windows Service (ISARS) cannot connect to the report server database.

Two services were stopped on UAG2. It appears that one service is starting before the other: “SQL Server Reporting Services (ISARS)” starts before “SQL Server (ISARS)”.

Set the dependency in the registry so that:

“SQL Server Reporting Services (ISARS)” depends on service “SQL Server (ISARS)”
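One way to set that dependency without hand-editing the registry, added here as an example that is not part of the original post: resolve the real service names from the display names quoted above (the names vary per SQL instance, so they are not hard-coded) and let sc.exe write DependOnService under HKLM\SYSTEM\CurrentControlSet\Services. Run from an elevated shell on the UAG box.

```powershell
# Added example (not from the original post). Display names are the ones quoted in the post;
# the underlying service names are looked up rather than assumed.
$dependentDisplay = 'SQL Server Reporting Services (ISARS)'
$requiredDisplay  = 'SQL Server (ISARS)'

$dependent = Get-Service -DisplayName $dependentDisplay -ErrorAction Stop
$required  = Get-Service -DisplayName $requiredDisplay  -ErrorAction Stop

# Keep any dependencies the service already has and add the SQL engine to them.
$existing = @($dependent.ServicesDependedOn | ForEach-Object { $_.Name })
$deps     = @(($existing + $required.Name) | Select-Object -Unique)

# sc.exe needs the space after "depend=" and separates multiple services with "/".
& sc.exe config $dependent.Name depend= ($deps -join '/')
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

# Verify by re-reading the dependency list; the SQL engine must now be in it.
$check = Get-Service -Name $dependent.Name
if (@($check.ServicesDependedOn | ForEach-Object { $_.Name }) -notcontains $required.Name) {
    throw "Dependency on $($required.Name) was not recorded"
}
$check.ServicesDependedOn | Select-Object Name, DisplayName, Status
```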


James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Wednesday, July 20, 2011

Exchange 2010: Bulk Provision and Move Mailbox Import-csv

users.txt is a CSV with a header column named users; $Remote and $Local hold the credential objects (from Get-Credential) for the remote and local forests.

Import-CSV "C:\ADMT\users.txt" | foreach {.\Prepare-MoveRequest.Ps1 -Identity $_.users -RemoteForestDomainController "dcfcdc03.ipcfcdom.inphonic.com" -RemoteForestCredential $Remote -LocalForestDomainController "eqdcp01.corp.dom" -LocalForestCredential $Local -TargetMailUserOU "OU=FromILM,OU=GALSync,DC=corp,DC=dom" -UseLocalObject -OverwriteLocalObject}

Import-CSV "C:\ADMT\users.txt" | foreach {New-MoveRequest -Identity $_.users -RemoteLegacy -TargetDatabase "mdb06 tier3" -BadItemLimit 100 -AcceptLargeDataLoss -RemoteGlobalCatalog "dcfcdc03.ipcfcdom.inphonic.com" -RemoteCredential $Remote -TargetDeliveryDomain "corp.dom" -SuspendWhenReadyToComplete}


James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Thursday, June 09, 2011

Roadsync Sync Error: (-1002)

When attempting to sync with the corporate Exchange 2010 server, RoadSync is unsuccessful and produces Sync Error: (-1002).

Sony Ericsson Xperia X8, model E15A, firmware 2.1 update 1, build 2.1.1.A.0.6.

Resolution: Use the UPN as the login name, e.g. jsmith@domain.com. You can find the UPN on the Account tab in Active Directory Users and Computers.

username: jsmith@domain.com
server: mail.company.com (did not need to specify https in the URL)
company: domain (did not need the FQDN)


James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Thursday, March 10, 2011

Bulk Modify Targetaddress Attribute

Although there are multiple methods to bulk modify AD attributes, the sample below shows how to use the command-line version of ADModify (admodcmd) to update the targetAddress attribute:

C:\Admin\Tools\ADModify_2.1>admodcmd -dn OU=FromILM,OU=Galsync,DC=Corp,DC=dom -f targetaddress=*@domain.local -custom targetaddress "%'mailNickName'%@domain.local"

In this example ADModify will get all contacts in the specified OU with a targetaddress of @domain.local and replace it with alias@domain.local (mailNickName is the alias).


James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Friday, February 18, 2011

Exchange 2010 Outlook OAB 0x8004010f Not Found

When downloading the OAB from Outlook you receive error 0x8004010f, "not found". Although there are many issues that can cause this error, as covered in the article below, ensure that the database has been configured to use the OAB.

Outlook clients receive error 0x8004010f when downloading the Offline Address Book
http://msexchangeteam.com/archive/2007/04/19/437902.aspx

Open the EMC, Organization Configuration, Mailbox, Database Management tab.

Right-click each database, choose Properties, then the Client Settings tab. Under Offline Address Book, browse and select your \Default Offline Address Book.


James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Microsoft Exchange RPC Client Access Service Fails to Start

When starting the Microsoft Exchange RPC Client Access service you receive the following error:

The Microsoft Exchange RPC Client Access Service on the local computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.

Verify whether you have statically configured the RPC port, and that the value is a valid port entered in decimal and not hex:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeRpc\ParametersSystem

Value: TCP/IP Port



James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2010 Public Folder Cannot expand the folder. Microsoft Exchange is not available

When launching Outlook, you receive a login prompt. Mail flow continues to work whether you log in or not. However, when you expand the public folders, you receive the following error after entering your credentials:

Cannot expand the folder. Microsoft Exchange is not available. Either there are network problems or the Exchange server is down for maintenance. (/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=Servername

From OWA public folder access works.

Ensure that the Microsoft Exchange RPC Client Access Service is running on your mailbox server.


James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Monday, February 07, 2011

Migrating BES 5.0 to new Forest Using Transporter Suite

Coming soon.

The critical property 'LegacyExchangeDN' is missing in the MailUser object

When performing a New-MoveRequest you receive the following error:

The critical property 'LegacyExchangeDN' is missing in the MailUser object 'migrateme3'.
    + CategoryInfo          : InvalidArgument: (corp.dom/GALSync/FromILM/migrateme3:MailboxOrMailUserIdParameter) [New-MoveRequest], RecipientTaskException
    + FullyQualifiedErrorId : 9DC9C0BA,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest

The issue is that you used ADMT to migrate the user first and then ran Prepare-MoveRequest. Although Prepare-MoveRequest reports success, it did not properly convert the object into a mail-enabled user: the script failed to stamp the legacyExchangeDN as well as the targetAddress. If you manually add the legacyExchangeDN you then run into the error below:

Cannot find a recipient that has mailbox GUID 'f41a2905-8ea2-4ff3-a56f-4ed8739a2622'.
    + CategoryInfo          : NotSpecified: (0:Int32) [New-MoveRequest], RemotePermanentException
    + FullyQualifiedErrorId : B5053E67,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest

I am still investigating this, as Prepare-MoveRequest is supposedly supported after Exchange 2010 SP1 with the -OverwriteLocalObject parameter. The workaround I have in the meantime, if you want to use ADMT first:

1. Use ADMT to migrate all user accounts.
2. Run Prepare-MoveRequest on all accounts (legacyExchangeDN or targetAddress is still missing).
3. Use a script to add a targetAddress of mailnickname@company.com on all migrated accounts. I use ADModify, but you can use PowerShell, etc.
4. Run Update-Recipient on all migrated accounts. This will stamp the legacyExchangeDN.
5. New-MoveRequest succeeds.



James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Monday, January 31, 2011

Exchange 2010 Mailbox Move An error occurred while updating a user object after the move operation. --> The value 'HTTP§1§1§§§§§§' is already present

When performing a cross-forest mailbox move using New-MoveRequest, the move fails at the completing stage when viewed in the EMC. When you open the move request for the user, the Details tab shows the following error:

Error details: An error occurred while updating a user object after the move operation. --> The value 'HTTP§1§1§§§§§§' is already present in the collection.

Resolution: Delete the protocolSettings values using ADSI Edit for both the source and the target user.

1. Open adsiedit.msc from the Run command on the source DC.
2. Locate your user in the domain partition.
3. Locate the attribute protocolSettings and delete all values.
4. Repeat the steps for the target user in the target domain.
5. Resume the failed mailbox move.


James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Wednesday, January 26, 2011

ActiveX component can't create object: 'ADMT.Migration'

When attempting to set exclusions or add exclusions on ADMT you receive the following error:

C:\Admin\scripts\ADMTExclusion.vbs(1, 1) Microsoft VBScript runtime error: ActiveX component can't create object: 'ADMT.Migration'


Resolution:

Run the command from the C:\Windows\SysWOW64> directory.

C:\Windows\SysWOW64>cscript c:\admin\scripts\admtexclusion.vbs
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.


James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2010 New Forest Migration Provisioning Distribution Lists

Exchange 2007 and Exchange 2010 have the ability to provision mailbox-enabled users. What about Exchange distribution lists? Previous options were to use a third-party migration suite, PowerShell, or even LDIFDE. As you may have noticed, ADMT 3.2 by default does not provision or create Exchange distribution lists. If you use ADMT 3.2 to migrate a distribution list, it will get migrated to the target forest but as a flat AD group only; Exchange is unaware that this group is a distribution group. In order for ADMT 3.2 to provision it as a distribution group, you have to prevent ADMT 3.2 from excluding the Exchange attributes during the migration.

Create a new text file, name it ADMTexclusion.vbs and enter the lines below:

Set objMig = CreateObject("ADMT.Migration")
objMig.SystemPropertiesToExclude = ""

Then run the file on your ADMT server:

C:\Windows\SysWOW64>cscript c:\admin\scripts\admtexclusion.vbs

Caveats: ADMT excludes Exchange attributes by default to prevent issues with provisioning mailbox users prior to Exchange 2010 SP1, so ensure that you are on SP1. For additional details read the article below. Also note that even though you provision the DL with ADMT, it will not bring over all the attributes, such as send restrictions, hide from GAL, etc.

Exchange 2010 Cross-Forest Mailbox Moves
http://msexchangeteam.com/archive/2010/08/10/455779.aspx


James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

IIS7 Application Request Routing and Outlook Anywhere 2010?

Is it possible to use IIS7 ARR as an alternative reverse proxy in lieu of UAG or TMG? From testing, I was able to get it to work but had to work through some key issues.

After setting ARR up to point to my CAS servers, Outlook Anywhere did not connect.

The issue was the IIS7 default 30 MB HTTP request limit. The IIS trace logs show that Outlook is trying to send 1 GB (1073741824 bytes) of data and getting 404.13 Content length too large. Note that this was an empty mailbox. Once we raised the limit to this value it works. The request always reports exactly this amount, which Microsoft thinks may actually be an error code in the bytes field rather than a real byte count; 1073741824 also represents an “unknown error condition” code. It is highly unlikely that it is sending 1 GB, since the IIS logs on the Exchange server do not show this. The theory is that ARR is running into some error condition while trying to process RPC over HTTP requests.



James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Tuesday, January 25, 2011

Exchange Powershell "Cannot save changes made to an item to store"

When running the following PowerShell command you receive "Cannot save changes made to an item to store":

[PS] C:\Windows\system32>Get-Mailbox -Server "dcexmailp02" | Set-CalendarProcessing -ProcessExternalMeetingMessages $true
Cannot save changes made to an item to store.
    + CategoryInfo          : NotSpecified: (14:Int32) [Set-CalendarProcessing], QuotaExceededException
    + FullyQualifiedErrorId : DF365789,Microsoft.Exchange.Management.StoreTasks.SetCalendarProcessing

In addition, if you run:

[PS] C:\Program Files\Microsoft\Exchange Server\v14\Scripts>Get-Mailbox | Set-CalendarProcessing -ProcessExternalMeetingMessages $true
Cannot save changes made to an item to store.
    + CategoryInfo          : NotSpecified: (21:Int32) [Set-CalendarProcessing], QuotaExceededException
    + FullyQualifiedErrorId : DEBD37F4,Microsoft.Exchange.Management.StoreTasks.SetCalendarProcessing

Resolution: You have a mailbox with a quota of 0 set. In this case, I had configured a mailbox with a 0 send/receive limit, for users to use to check free/busy times during migration coexistence, and had prohibited the account from sending or receiving email.
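A way to find the offending mailboxes up front and keep them out of the pipeline, added here as an example that is not part of the original post: it resolves each mailbox's effective ProhibitSendReceiveQuota (database default or per-mailbox), lists the ones at 0, and runs Set-CalendarProcessing only against the rest. The server name is taken from the post; the two helper functions are defined here and are not Exchange cmdlets.

```powershell
# Added example (not from the original post). Run in the Exchange 2010 Management Shell.
$dbQuotaCache = @{}   # database name -> ProhibitSendReceiveQuota, so each DB is read once

function Get-EffectiveSendReceiveQuota {
    param([Parameter(Mandatory=$true)] $Mailbox)
    if (-not $Mailbox.UseDatabaseQuotaDefaults) { return $Mailbox.ProhibitSendReceiveQuota }
    $dbName = $Mailbox.Database.ToString()
    if (-not $dbQuotaCache.ContainsKey($dbName)) {
        $dbQuotaCache[$dbName] = (Get-MailboxDatabase -Identity $dbName).ProhibitSendReceiveQuota
    }
    return $dbQuotaCache[$dbName]
}

function Test-ZeroSendReceiveQuota {
    param([Parameter(Mandatory=$true)] $Mailbox)
    $quota = Get-EffectiveSendReceiveQuota -Mailbox $Mailbox
    # Unlimited<ByteQuantifiedSize>: "unlimited" never blocks a save; otherwise compare bytes.
    if ($quota.IsUnlimited) { return $false }
    return ($quota.Value.ToBytes() -eq 0)
}

$all  = Get-Mailbox -Server 'dcexmailp02' -ResultSize Unlimited
$zero = @($all | Where-Object { Test-ZeroSendReceiveQuota -Mailbox $_ })

# Review the mailboxes that would raise QuotaExceededException (e.g. the free/busy account).
$zero | Select-Object Name, Database, UseDatabaseQuotaDefaults, ProhibitSendReceiveQuota

# Apply the setting to everything else.
$zeroDns = @($zero | ForEach-Object { $_.DistinguishedName })
$all | Where-Object { $zeroDns -notcontains $_.DistinguishedName } |
    Set-CalendarProcessing -ProcessExternalMeetingMessages $true
```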

James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Monday, January 24, 2011

5.4.6 Hop count exceeded - possible mail loop - Forest Migration

After you perform a cross-forest mailbox move, the user is able to send emails but cannot receive. You receive the following NDR:

Delivery has failed to these recipients or groups:
Bob Smith (bsmith@company.com)
A problem occurred during the delivery of this message. Please try to resend the message later. If the problem continues, contact your helpdesk.
The following organization rejected your message: mail.company.com.

Diagnostic information for administrators:
Generating server: exchangeserver.corp.dom
bsmith@company
mail.company.com #554 5.4.6 Hop count exceeded - possible mail loop ##


Resolution: Disable the mailbox and reconnect.


James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Tuesday, January 18, 2011

Cannot create mail enabled user because an existing object with type already has the same proxy addresses/MasterAccountSid.

When provisioning an MEU using the Prepare-MoveRequest.Ps1 script you receive the following error:

[PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>.\Prepare-MoveRequest.Ps1 -Identity "CN=mbperm1,OU=office,DC=ipcfcdom,DC=inphonic,DC=com" -RemoteForestDomainController "dcfcdc03.ipcfcdom.inphonic.com" -RemoteForestCredential $Remote -LocalForestDomainController "eqdcp01.corp.dom" -LocalForestCredential $Local -TargetMailUserOU "OU=office,DC=corp,DC=dom" -uselocalobject -overwritelocalobject
The operation couldn't be performed because object 'corp.dom/Office/mbperm1' couldn't be found on 'EQDCP01.corp.dom'.
    + CategoryInfo          : NotSpecified: (:) [Get-Recipient], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : 4A3D86A8,Microsoft.Exchange.Management.RecipientTasks.GetRecipient

C:\Program Files\Microsoft\Exchange Server\V14\Scripts\Prepare-MoveRequest.ps1 : Cannot create mail enabled user because an existing object with type already has the same proxy addresses/MasterAccountSid.
At line:1 char:26
+ .\Prepare-MoveRequest.Ps1 <<<< -Identity "CN=mbperm1,OU=office,DC=ipcfcdom,DC=inphonic,DC=com" -RemoteForestDomainController "dcfcdc03.ipcfcdom.inphonic.com" -RemoteForestCredential $Remote -LocalForestDomainController "eqdcp01.corp.dom" -LocalForestCredential $Local -TargetMailUserOU "OU=office,DC=corp,DC=dom" -uselocalobject -overwritelocalobject
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Prepare-MoveRequest.ps1

The reason is that you used ADMT and did not exclude the necessary Exchange attributes, so Prepare-MoveRequest fails to merge with the existing object brought over by ADMT. The provisioning script must match three attributes: proxyAddresses, mail and mailNickname. You must have all three attributes set for the script to match and merge the MEU, and exclude all other Exchange attributes.

You must script the migration to stop the exclusion of these core Exchange attributes. The link below shows a sample script; you would then need to append the following lines.

Create a new text file, name it ADMTexclusion.vbs and enter the lines below:

Set objMig = CreateObject("ADMT.Migration")
objMig.SystemPropertiesToExclude = "homeMDB, homeMTA, showInAddressBook, msExchHomeServerName, msExchRecipientTypeDetails, msExchRecipientDisplayType, msExchMailboxSecurityDescriptor, msExchMDBRulesQuota, msExchPoliciesIncluded, msExchUserAccountControl, msExchVersion, mdbUseDefaults"

Then run the file on your ADMT server:

C:\Windows\SysWOW64>cscript c:\admin\scripts\admtexclusion.vbs

Migrating All User Accounts
http://technet.microsoft.com/en-us/library/cc974368(WS.10).aspx

Another option is to use ADMT to bulk move/seed the accounts without any attributes, then use either PowerShell or our old friend ADModify to bulk update proxyAddresses, mail and mailNickname. Typically you would use %'sAMAccountName'% as the variable to fill in these attributes.

Finally, you can just provision the account using Prepare-MoveRequest.ps1 first and then use ADMT.



James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Thursday, December 23, 2010

420 4.2.0 RESOLVER.ADR.Ambiguous; ambiguous address

This error is caused by duplicate SMTP proxy addresses. In this instance GALsync created a contact during a sync to the target forest even though the user had already been migrated to the target forest. Since the contact and the user had the same SMTP address, messages to this user were queued.


James Chong (MVP)
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Wednesday, December 22, 2010

Preserve Cross Forest Free Busy When Migrating to New Forest Feasible?

Free/busy requires that the old and new forests have two unique SMTP domains, @newdomain.com and @legacydomain.com. The issue is that since both orgs also share @company.com, with @company.com being the primary SMTP domain for both orgs, we run into problems with GALsync.

Scenario: for newdomain.com users to see legacydomain.com users’ free/busy

1. Add @legacydomain.com as another SMTP email address to userA in the ipcfcdom forest.
2. GALsync will create a contact in corp.dom for userA with @company.com as the primary email and @legacydomain.com as secondary.
3. A user in newdomain.com tries to look up free/busy for userA and fails. Although @legacydomain.com is on userA’s contact, userA’s primary email is still @company.com.
4. To resolve this, GALsync must change what is known as the targetAddress (foreign email address) on the contact to @legacydomain.com. By default GALsync makes the targetAddress the same as the primary email address, @company.com. This is the problem. According to MS you would need to do custom coding in the GALsync source to change this default behavior.

What I implemented:

ForestA has @ADdomainA.com as an authoritative accepted domain and email address policy.
ForestB has @ADdomainB.dom as an authoritative accepted domain and email address policy.

Create the respective SMTP send connectors to forward these SMTP domains to each forest's Hub Transport servers for the shared SMTP mail flow.

Now internal mail flow between both forests will be based on these internal SMTP domains. Free/busy will also be based on these internal domains.

Then follow this document:
How to Configure the Availability Service for Cross-Forest Topologies
http://technet.microsoft.com/en-us/library/bb125182(EXCHG.80).aspx

You will need to export the SCP of each respective domain and configure the availability address space.

If you still cannot see free/busy after you have configured everything, make sure that the firewall is not blocking HTTPS between the CAS servers in 2007 and the CAS servers in 2010. HTTPS needs to be open for the respective CAS servers to query each other's serviceBindingInformation.

https://outlook.company.com/autodiscover/autodiscover.xml
https://mail.company.com/autodiscover/autodiscover.xml


Then, for my GALsync contacts in ForestB (the new forest), I need to change the targetAddress to @ADdomainA.com. GALsync created contacts in ForestB for the mailbox users from ForestA but set the targetAddress on the contacts to the shared primary SMTP domain @company.com.

What I did was use good old ADModify, limit the scope to the OU where the GALsync contacts were created, and do a custom LDAP query for (targetaddress=*@company.com). The reason is that I do not want to inadvertently modify the targetAddress of external contacts that may have real external addresses, say @yahoo.com. This query finds all contacts that have a targetAddress of @company.com. Then I go into the custom tab and set the targetAddress to %'mailNickName'%@ADforestA.com.
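The same scoped targetAddress rewrite in PowerShell, added here as an example that is not part of the original posts; it covers both the ADModify step above and the admodcmd command in "Bulk Modify Targetaddress Attribute". It assumes the ActiveDirectory module (RSAT) and takes the OU, old suffix and new suffix as parameters, with the sample values taken from the posts; supports -WhatIf for a dry run.

```powershell
# Added example (not from the original posts): PowerShell equivalent of the ADModify
# "targetaddress=*@old -> SMTP:%'mailNickName'%@new" bulk change, scoped to one OU so that
# external contacts (e.g. @yahoo.com) are never touched.
Import-Module ActiveDirectory

function Update-ContactTargetAddress {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)] [string] $SearchBase,   # OU holding the GALsync contacts
        [Parameter(Mandatory=$true)] [string] $OldSuffix,    # e.g. 'company.com'
        [Parameter(Mandatory=$true)] [string] $NewSuffix     # e.g. 'ADforestA.com'
    )
    # Only contacts, only those whose targetAddress is in the shared namespace.
    $filter   = "(&(objectClass=contact)(targetAddress=*@$OldSuffix))"
    $contacts = Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase `
                -Properties mailNickname, targetAddress
    $changed  = @()

    foreach ($c in $contacts) {
        if (-not $c.mailNickname) {
            Write-Warning "$($c.DistinguishedName): no mailNickname, skipping"
            continue
        }
        # targetAddress carries an address-type prefix, so write it as SMTP:alias@suffix.
        $new = "SMTP:$($c.mailNickname)@$NewSuffix"
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, "targetAddress $($c.targetAddress) -> $new")) {
            Set-ADObject -Identity $c.DistinguishedName -Replace @{ targetAddress = $new }
            $changed += $c.DistinguishedName
        }
    }
    return $changed
}

# Dry run first (prints what would change), then run again without -WhatIf to apply.
Update-ContactTargetAddress -SearchBase 'OU=FromILM,OU=GALSync,DC=corp,DC=dom' `
    -OldSuffix 'company.com' -NewSuffix 'ADforestA.com' -WhatIf
```

Re-run it after every GALsync cycle, since GALsync resets the targetAddress back to the shared namespace.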

Now when you migrate a user's mailbox from ForestA to ForestB, the mailbox user in ForestA gets converted to a mail-enabled user. You need to ensure that its targetAddress is set to @ADforestB.com. You can set this with the -TargetDeliveryDomain parameter of New-MoveRequest:

New-MoveRequest -Identity "Distinguished name of User in Target Forest" -RemoteLegacy -TargetDatabase "E2K10 Mailbox Database Name" -RemoteGlobalCatalog "FQDN of Source DC" -RemoteCredential $Remote -TargetDeliveryDomain "ADforestB.com"

Note that when you run GALsync again, it will overwrite the targetAddress of the contacts back to the shared SMTP namespace @company.com. This will break free/busy again. So your options are: do not run GALsync again, or fix it again using ADModify to update the targetAddress.

GALsync will also create a mail contact even if a matching mailbox-enabled user exists in the target forest. Therefore, after you migrate a mailbox user, you need to have GALsync exclude those accounts from being synced. Two methods: move the migrated users to a separate OU in the source domain and have GALsync ignore those OUs when it syncs, or, what I did, set up GALsync to ignore all accounts that have extensionAttribute15 set to the word "migrated". You would set this on the attribute flow rule.

As for Autodiscover for externally connected, non-domain-joined clients of users who get migrated, you have no option: free/busy and OOF will not work. You will need to tell your migrated users to use OWA during the coexistence. This is because externally connected clients have to use DNS to find Autodiscover. Unless you are willing to publish and use two unique public SMTP namespaces, you have no other option.



James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Monday, December 06, 2010

Exchange 2010 moving mailboxes back to source forest

The following examples show moving a mailbox from an Exchange 2007 forest to a new Exchange 2010 forest and then moving it back to the Exchange 2007 forest. When moving mailboxes cross-forest, the source mailbox is deleted. For contingency planning you can export the mailboxes to a PST prior to moving, or move the mailboxes back to the source forest.

Moving the mailbox from the Exchange 2007 forest to the new Exchange 2010 forest.

1. .\Prepare-MoveRequest.Ps1 -Identity "CN=migusr5,OU=Office,DC=ipcfcdom,DC=inphonic,DC=com" -RemoteForestDomainController "dcfcdc03.ipcfcdom.inphonic.com" -RemoteForestCredential $Remote -LocalForestDomainController "eqdcp01.corp.dom" -LocalForestCredential $Local -TargetMailUserOU "OU=FromILM,OU=GALSync,DC=corp,DC=dom" -UseLocalObject


2. New-MoveRequest -Identity "CN=migusr5,OU=FromILM,OU=GALSync,DC=corp,DC=dom" -RemoteLegacy -TargetDatabase "mdb01 tier1" -RemoteGlobalCatalog "dcfcdc03.ipcfcdom.inphonic.com" -RemoteCredential $Remote -TargetDeliveryDomain "simplexity.com"


Moving the mailbox back from the Exchange 2010 forest to the Exchange 2007 forest.

1. New-MoveRequest -Identity "migusr5@simplexity.com" -remotelegacy -RemoteTargetDatabase "DCEX01\Third Storage Group\Third Storage Group Mailbox Database 250MB Limit" -Remoteglobalcatalog "dcfcdc03.ipcfcdom.inphonic.com" -RemoteCredential $Remote -TargetDeliveryDomain "simplexity.com"


Make sure to clear the move request log in EMC prior to moving the mailbox back.

Known issues:
It may take 2 hours for mail to start working in the source domain again. This is because the source Exchange server's information store caches the homeMDB value; you either have to restart the Information Store service or wait. During this time the recipient will not receive any email, and messages will bounce back to the sender. As a temporary workaround, you can create a transport rule that redirects all email sent to the moved user to another mailbox, to save the messages and prevent bounces.
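The temporary redirect rule described above, built in the Exchange 2007 source forest, as an added example that is not part of the original post. It assumes migusr5 is the user just moved back and that a mailbox named holding.mailbox exists to hold the mail; Exchange 2007 builds rules from predicate and action objects, so confirm the names with Get-TransportRulePredicate and Get-TransportRuleAction on your own server before running this.

```powershell
# Added example, not from the original post. Run in the Exchange 2007 source forest
# after the move back has completed. Mailbox names are assumptions.
$moved   = Get-Mailbox -Identity "migusr5"
$holding = Get-Mailbox -Identity "holding.mailbox"

# Exchange 2007 rule syntax: a SentTo predicate and a RedirectMessage action
$condition = Get-TransportRulePredicate SentTo
$condition.Addresses = @($moved)

$action = Get-TransportRuleAction RedirectMessage
$action.Addresses = @($holding)

New-TransportRule -Name "Temp redirect - migusr5 moved back" `
    -Conditions @($condition) -Actions @($action) -Priority 0 -Enabled $true
# Exchange 2010 equivalent in one line:
#   New-TransportRule -Name "..." -SentTo $moved.PrimarySmtpAddress -RedirectMessageTo $holding.PrimarySmtpAddress

# Instead of waiting for the store cache to expire you can restart the store; note that
# this takes every database on that server offline for the duration of the restart.
#   Restart-Service MSExchangeIS

# Probe delivery from the server's system mailbox; once this succeeds the cache has
# caught up and the redirect rule can be removed.
Test-Mailflow -TargetEmailAddress $moved.PrimarySmtpAddress.ToString()
# Remove-TransportRule -Identity "Temp redirect - migusr5 moved back" -Confirm:$false
```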



James Chong (MVP)
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

ILM 2007: Microsoft Identity Server has detected a Microsoft Exchange Version different from the one you have selected.

When creating the GALsync MAs you receive the error:

Microsoft Identity Server has detected a Microsoft Exchange Version different from the one you have selected. Do you want to continue? If you believe this is an error, please re-enter forest credentials to run detection again.


This is an innocuous error and can be ignored, according to a Microsoft tech. I have not seen any issues with functionality.


James Chong (MVP)
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

ILM 2007: It appears this forest is not exchange enabled

When configuring ILM 2007 for GALsync, you receive the following error when configuring the GALsync MA for the target forest.


"It appears this forest is not exchange enabled"

To resolve this, enter the credentials for the target MA in UPN format:

domain: target.com
username: user@target.com
pass: password

If you delete the MA and recreate it, you do not have to use the UPN. This appears to be a bug.


James Chong (MVP)
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Tuesday, November 30, 2010

MapiExceptionNetworkError: Unable to make connection to the server. (hr=0x80004005, ec=2423)

When performing a New-MoveRequest you receive the error MapiExceptionNetworkError: Unable to make connection to the server. (hr=0x80004005, ec=2423)

New-MoveRequest -Identity "CN=miguser7,OU=FromILM,OU=GALSync,DC=corp,DC=dom" -RemoteLegacy -TargetDatabase "mdb01 tier1" -RemoteGlobalCatalog "dcfcdc03.ipcfcdom.inphonic.com" -RemoteCredential $Remote -TargetDeliveryDomain "company.com"

MapiExceptionNetworkError: Unable to make connection to the server. (hr=0x80004005, ec=2423)
Diagnostic context:
......
Lid: 15000 dwParam: 0x6BA Msg: EEInfo: prm[2]: Pointer val: 0x2910810A00000000
Lid: 16280 dwParam: 0x6BA Msg: EEInfo: ComputerName: n/a
Lid: 8600 dwParam: 0x6BA Msg: EEInfo: ProcessID: 3260
Lid: 12696 dwParam: 0x6BA Msg: EEInfo: Generation Time: 2010-11-16 19:40:52:880
Lid: 10648 dwParam: 0x6BA Msg: EEInfo: Generating component: 18
Lid: 14744 dwParam: 0x6BA Msg: EEInfo: Status: 10060
Lid: 9624 dwParam: 0x6BA Msg: EEInfo: Detection location: 318
Lid: 13720 dwParam: 0x6BA Msg: EEInfo: Flags: 0
Lid: 11672 dwParam: 0x6BA Msg: EEInfo: NumberOfParameters: 0
Lid: 45169 StoreEc: 0x977
Lid: 52465 StoreEc: 0x977
Lid: 60065
Lid: 33777 StoreEc: 0x977
Lid: 59805
Lid: 52209 StoreEc: 0x977
Lid: 19778
Lid: 27970 StoreEc: 0x977
Lid: 17730
Lid: 25922 StoreEc: 0x977
+ CategoryInfo : NotSpecified: (0:Int32) [New-MoveRequest], RemoteTransientException
+ FullyQualifiedErrorId : 9CEC0AD3,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest


In this instance, the issue was that there was a firewall preventing the target forest from communicating with the source forest on the ports required for the mailbox move.

In addition, if you are getting the error code:

(hr=0x80040115, ec=-2147221227)

this may be due to ISA Server installed on or between the servers.


Port              Protocol / use
808 (TCP)         Mailbox Replication Service
53 (TCP)          DNS
135 (TCP)         RPC endpoint mapper
389 (TCP)         LDAP
3268 (TCP)        LDAP global catalog
1024-65535 (TCP)  Dynamic RPC range: if the mailbox store port is not statically configured, the high ports need to be open. We don't have static ports configured for 2007, only 2010 currently, so we need this big port range.
88 (TCP)          Kerberos
445 (TCP)         Microsoft-DS service
443 (TCP)         Mailbox Replication Proxy service uses port 443 to communicate with other Exchange 2010 Client Access servers via HTTPS.
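A pre-flight check of the ports listed above from the target (Exchange 2010) forest before running New-MoveRequest, as an added example that is not part of the original post. The source GC name is the one in the post; the source mailbox server and target CAS FQDNs are assumptions, and the plain TcpClient is used because Test-NetConnection does not exist on the Windows versions of that era.

```powershell
# Added example, not from the original post. Host names other than the GC are assumptions.
$sourceGc      = "dcfcdc03.ipcfcdom.inphonic.com"   # source GC from the post
$sourceMailbox = "DCEX01.ipcfcdom.inphonic.com"      # assumed FQDN of the 2007 mailbox server
$targetCas     = "cas01.corp.dom"                    # assumed 2010 CAS hosting MRS / MRS Proxy

$checks = @(
    @{Host=$sourceGc;      Port=53;   Use="DNS"},
    @{Host=$sourceGc;      Port=88;   Use="Kerberos"},
    @{Host=$sourceGc;      Port=135;  Use="RPC endpoint mapper"},
    @{Host=$sourceGc;      Port=389;  Use="LDAP"},
    @{Host=$sourceGc;      Port=445;  Use="Microsoft-DS"},
    @{Host=$sourceGc;      Port=3268; Use="Global catalog"},
    @{Host=$sourceMailbox; Port=135;  Use="RPC endpoint mapper (store)"},
    @{Host=$sourceMailbox; Port=445;  Use="Microsoft-DS"},
    @{Host=$targetCas;     Port=808;  Use="Mailbox Replication Service"},
    @{Host=$targetCas;     Port=443;  Use="MRS Proxy (HTTPS)"}
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # Status: 10060 in the error above is WSAETIMEDOUT; a bounded wait reproduces
        # that symptom instead of hanging on a silently dropped SYN
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

foreach ($c in $checks) {
    $ok = Test-TcpPort -ComputerName $c.Host -Port $c.Port
    "{0,-36} {1,5}  {2,-32} {3}" -f $c.Host, $c.Port, $c.Use,
        $(if ($ok) { "open" } else { "BLOCKED or timed out" })
}
# The dynamic RPC range (1024-65535 unless the store port is static) cannot be enumerated
# this way: if 135 answers but the move still fails with ec=2423, check the high ports next.
```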


James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com