Migrated mailbox fails to connect

    Question

  • I have an unusual issue where I can initiate and successfully move a mailbox from Exchange 2010 to Exchange 2013 using the ECP web tool.  Once the mailbox is moved, I can access with OWA but Outlook and iPhone are no longer able to connect to the mailbox.  If I migrate the mailbox back to Exchange 2010, I *still cannot* access the mailbox.  At that point, I can use the Exchange 2010 admin tool to move to another Exchange 2010 database and I can then access everything as before.

    I can create new mailboxes on Exchange 2013 without an issue of connecting.  No errors or warnings are given in the mailbox migration.  Exchange 2013 is on CU2 version 2.  Exchange 2010 is on the latest SP and Update Rollup as well.  The external Outlook connectivity test sometimes is successful but sometimes fails on opening certain folders.

    I would like to troubleshoot this since I'm planning to move 1K+ mailboxes but don't know what could be causing this issue or if anyone else has seen this.

    Monday, November 11, 2013 4:51 AM

Answers

  • So here is the solution.  Run the following command on all of your Exchange servers

    Get-ClientAccessServer ExchangeServerName | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "Domain\Exchange Servers"

    Get-MailboxServer ExchangeServerName | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "Domain\Exchange Servers"

    I also added the CAS servers for permissions just in case although I don't think that was necessary.

    This command fixed everything for me.  It fixed the ability for users to access their Exchange 2010 mailboxes.  It allowed for Exchange 2013 users to access their mailboxes.  

    So I don't understand why this command is so powerful and why this set of permissions isn't on any of my Exchange servers.  I am running CU2.  Anyway, I am completely set as far as I can see.  Again, I don't understand why something so crucial has not been addressed by MS.  I have read sooo many other posts in the past year of users that have faced similar issues and the only post that I saw was from someone that actually paid for MS support to help them.  They received this answer which IMO should be shared with everyone for free.  It would also be good to know what this command does and why it isn't run by default on Exchange servers.



    • Edited by DavidR1 Saturday, November 16, 2013 11:46 PM
    • Proposed as answer by Sukh828 Sunday, November 17, 2013 1:22 AM
    • Marked as answer by DavidR1 Sunday, November 17, 2013 4:23 AM
    Saturday, November 16, 2013 11:42 PM

All replies

    1. What version of Outlook are you running?
    2. For Exchange 2013 you MUST/CAN ONLY connect via RPC/HTTPS, aka Outlook Anywhere. Check out this for more info: http://msexchangeguru.com/2013/01/10/e2013-outlook-anywhere/

    Monday, November 11, 2013 5:14 PM
  • Hi David,

    Is this problem with all Exchange 2010 mailboxes that you moved till now? When you say that you are able to access that moved mailbox via OWA - did you mean internally or externally? Outlook and iPhone will use RPC over HTTPS and you must make sure that you have all the ports/firewall (if any) and network set up correctly before moving all mailboxes.

    Since new mailboxes in E2013 work well - firewall and ports for the most part should be good but check specifically around the E2010 server VLAN.

    Also check and compare the RPCClientAccessServer parameter in the Exchange 2010 and E2013 MDB - this won't be an issue - just to make sure.

    Let us know how it went!


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Regards, Siva

    Monday, November 11, 2013 6:45 PM
  • Thank you for your suggestions.  I will check these fields when I attempt to move some more mailboxes this weekend.  The strange thing is that I also thought about the CAS server but the fact that it doesn't work even after I migrate the mailbox back makes me think that the mailbox structure is somehow altered.  If I move to another E2K10 server using E2K10 admin then I can access the mailbox.

    Migrating using E2K13 tool = fail

    Migrating using E2K10 tool = success

    Wednesday, November 13, 2013 6:55 AM
  • Hi,

    Is there any update on this thread?

    Thanks,

     If you have feedback for TechNet Subscriber Support, contact tnsfl@microsoft.com


    Simon Wu
    TechNet Community Support

    Wednesday, November 13, 2013 6:56 AM
    Moderator
  • Thank you for your response.  Please note that I mentioned that I can connect with newly created mailboxes.

    I am running the latest service pack and update for Outlook 2010.  We only use Outlook Anywhere to connect to mailboxes.

    Wednesday, November 13, 2013 6:56 AM
  • Yes, I made two replies.  Thank you for monitoring this message.
    Wednesday, November 13, 2013 6:57 AM
  • Hi,

    It seems we just replied at the same time :)

    Have you tried rebuilding the Outlook profile for the migrated users?

    Also try creating a new mailbox on Exchange 2010 and migrate it to 2013, does the issue persist?

    Thanks,


    Simon Wu
    TechNet Community Support

    Thursday, November 14, 2013 4:17 PM
    Moderator
  • So I was able to move the front end of our mail system back to E2K13 so that I can continue testing.  It seems that I cannot access any mailboxes on the E2K13 side with ActiveSync or Outlook Anywhere.  OWA is not an issue.  I tested with migrated mailboxes and with new mailboxes unsuccessfully.

    I recall that new mailboxes used to work before but I've rebuilt the CAS servers since then.  I attempted to use testexchangeconnectivity.com but it either times out or fails (problem with their website).  

    When I migrate a mailbox, the new Outlook settings are located but I keep getting prompted for a password and it will not connect.  When I try to use the iPhone, it says that server cannot be contacted.  Setting up a new iPhone account fails at 'unable to verify account information'.

    I was looking at the Outlook Anywhere settings but I don't believe that it would also affect ActiveSync.  I was able to download the MS Connectivity Analyzer tool and run it.  It shows that the RPC/HTTP test failed.  Then the attempt to ping RPC endpoint 6001 also failed with error RPC_E_ACCESS_DENIED

    I am confused as to where to go next.

    Saturday, November 16, 2013 10:22 AM
  • The MS connectivity test started working again this morning so these are the results.  This is a fresh new mailbox that I just created and can access over OWA without any issues.  A little more background.  I have a set of E2K13 CAS servers as a front-end and the MBX/HT servers as a back-end DAG.

    Outlook Anywhere (RPC over HTTP)

    Attempting to ping RPC endpoint 6001 (Exchange Information Store) on server 7413fc10-9b81-4bf5-b5c4-7b7495d626d3@company.com.
    The attempt to ping the endpoint failed.
     
    The RPC_E_ACCESS_DENIED error (0x5) was thrown by the RPC Runtime process.

    Exchange ActiveSync

    An ActiveSync session is being attempted with the server.
    Errors were encountered while testing the Exchange ActiveSync session.
     
    Attempting to send the OPTIONS command to the server.
    Testing of the OPTIONS command failed. For more information, see Additional Details.
     
    An HTTP 500 response was returned from Unknown.

    Synchronization, Notification, Availability, and Automatic Replies

    Test does not complete, times out

    I've attempted to set the lmcompatibilitylevel on the mailbox database server to 1 and rebooted with the same results.


    Saturday, November 16, 2013 2:57 PM
  • That permission missing is specific to your env.  For some reason this wasn't set when it should have or it was removed.  Unlikely the latter.

    My guess is a CU update, permissions inheritance at some level was removed then added, or some GPO messing with security settings.


    Sukh


    • Edited by Sukh828 Sunday, November 17, 2013 1:34 AM
    Sunday, November 17, 2013 1:32 AM
  • That sounds very interesting.  For your point, what groups/users should I see then when I query for those permissions?  What do you have listed on yours?

    Get-MailboxServer <servername> | Get-ADPermission | where {$_.Extendedrights -like "ms-Exch-EPI-Token-Serialization"} | ft -AutoSize

    Get-ClientAccessServer <servername> | Get-ADPermission | where {$_.Extendedrights -like "ms-Exch-EPI-Token-Serialization"} | ft -AutoSize

    Sunday, November 17, 2013 5:28 AM
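
An added example, not part of the thread or Microsoft's tooling: the per-server check above and the grant from the accepted answer combined into one audit pass over every Exchange server, so you can see who holds ms-Exch-EPI-Token-Serialization (Allow and Deny) before changing any ACL. It assumes the Exchange Management Shell; `$Trustee` is the thread's placeholder group name and `$Repair` is a hypothetical switch introduced here.

```powershell
# Added example. Run in the Exchange Management Shell.
$Right   = 'ms-Exch-EPI-Token-Serialization'
$Trustee = 'Domain\Exchange Servers'  # placeholder from the thread; use your domain's group
$Repair  = $false                     # hypothetical switch: $false previews, $true applies

$report = foreach ($server in Get-ExchangeServer) {
    # Every ACE on the server's AD object that carries the extended right
    $aces = @(Get-ADPermission -Identity $server.DistinguishedName |
        Where-Object { $_.ExtendedRights -like $Right })

    $allow = @($aces | Where-Object { -not $_.Deny })
    $deny  = @($aces | Where-Object { $_.Deny })
    $hasAllow = [bool]($allow | Where-Object { "$($_.User)" -eq $Trustee })

    if (-not $hasAllow) {
        # Same grant as the accepted answer; -WhatIf stays on unless $Repair is $true.
        # Out-Null keeps the returned ACE object out of the report.
        Add-ADPermission -Identity $server.DistinguishedName -User $Trustee `
            -AccessRights ExtendedRight -ExtendedRights $Right `
            -WhatIf:(-not $Repair) | Out-Null
    }

    New-Object PSObject -Property @{
        Server         = $server.Name
        TrusteeAllowed = $hasAllow
        AllowedTo      = ($allow | ForEach-Object { "$($_.User)" }) -join '; '
        DeniedTo       = ($deny  | ForEach-Object { "$($_.User)" }) -join '; '
        # Allow ACEs set directly on the object rather than inherited
        ExplicitAllows = @($allow | Where-Object { -not $_.IsInherited }).Count
    }
}

$report | Sort-Object TrusteeAllowed, Server |
    Format-Table Server, TrusteeAllowed, ExplicitAllows, AllowedTo, DeniedTo -AutoSize
```

Servers with `TrusteeAllowed` False are the ones the accepted answer's command would change; review the `AllowedTo` column for any trustee you do not expect to hold this right.
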
  • Will try in coming week, but from memory only Exch servers should have that right.

    Sukh

    Sunday, November 17, 2013 1:05 PM
  • NT AUTHORITY\NETWORK SERVICE      False False
    xx\Domain Admins           True  True
    xx\Schema Admins           True  True
    xx\Enterprise Admins       True  True
    xx\Organization Management True  True

    Sukh

    Monday, November 18, 2013 3:24 PM
  • thx.  Interestingly, that is exactly what mine was showing also but it was giving me all sorts of access denied issues.  I have a feeling that even though my workaround may have fixed it, the permissions problem may exist somewhere else.  Perhaps there are some other groups that were not provisioned properly.
    Monday, November 18, 2013 3:55 PM
  • There's obviously an issue you had, and it needed that permission. I don't think anyone will know what caused it.

    Sukh

    Monday, November 18, 2013 4:16 PM