New Mailboxes cannot login, cannot Get-MailboxPermission
- I have a set of mailboxes that I created a few days ago, and they work fine. Users can access their mail through OWA and/or Outlook.
However, any new mailboxes I create have the following problems:
- Cannot log into the mailbox either through OWA (see bottom of this post for details), or Outlook ("The Microsoft Exchange Server computer is not available. Either there are network problems or the Microsoft Exchange Server computer is down for maintenance.")
- When I issue a Get-MailboxPermission for these (new) mailboxes, I get the following error: "WARNING: An unexpected error has occurred and a Watson dump is being generated: The Identity of the object is invalid."
Any thoughts?
The OWA error message is below:
Request
Url: https://owatest.company.com:443/owa/default.aspx
User host address: 192.168.50.2
Exception
Exception type: Microsoft.Exchange.Data.Storage.StoragePermanentException
Exception message: Cannot open mailbox .
Call stack
Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString, Boolean secondTry)
Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString, Boolean secondTry)
Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString)
Microsoft.Exchange.Data.Storage.MailboxSession.Initialize(LogonType logonType, ExchangePrincipal owner, ADOrgPerson delegateUser, Object identity, OpenMailboxSessionFlags flags)
Microsoft.Exchange.Data.Storage.MailboxSession.CreateMailboxSession(LogonType logonType, ExchangePrincipal owner, ADOrgPerson delegateUser, Object identity, OpenMailboxSessionFlags flags, CultureInfo cultureInfo, String clientInfoString)
Microsoft.Exchange.Data.Storage.MailboxSession.Open(ExchangePrincipal mailboxOwner, WindowsPrincipal authenticatedUser, CultureInfo cultureInfo, String clientInfoString)
Microsoft.Exchange.Clients.Owa.Core.OwaWindowsIdentity.CreateMailboxSession(ExchangePrincipal exchangePrincipal, CultureInfo cultureInfo)
Microsoft.Exchange.Clients.Owa.Core.UserContext.Load(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.CreateUserContext(OwaContext owaContext, UserContextKey userContextKey, UserContext& userContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext)
System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Inner Exception
Exception type: Microsoft.Mapi.MapiExceptionInvalidParameter
Exception message: MapiExceptionInvalidParameter: Unable to open message store. (hr=0x80070057, ec=-2147024809) Diagnostic context: Lid: 27833 Lid: 29881 StoreEc: 0x80070057
Call stack
Microsoft.Mapi.MapiExceptionHelper.ThrowIfError(String message, Int32 hresult, Int32 ec, DiagnosticContext diagCtx)
Microsoft.Mapi.ExRpcConnection.OpenMsgStore(OpenStoreFlag storeFlags, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, MapiStore msgStorePrivate, String& correctServerDn, ClientIdentityInfo clientIdentityAs, String userDnAs, String applicationId, CultureInfo cultureInfo)
Microsoft.Mapi.ConnectionCache.OpenMapiStore(String mailboxDn, Guid mailboxGuid, Guid mdbGuid, ClientIdentityInfo clientIdentity, String userDnAs, OpenStoreFlag openStoreFlags, CultureInfo cultureInfo, String applicationId)
Microsoft.Mapi.ConnectionCache.OpenMailbox(String mailboxDn, Guid mailboxGuid, Guid mdbGuid, WindowsIdentity windowsIdentityAs, String userDnAs, OpenStoreFlag openStoreFlags, CultureInfo cultureInfo, String applicationId)
Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString, Boolean secondTry)
Answers
- For the benefit of anyone who may stumble across this post at a later time, I found my problem.
Apparently, I had one domain in my environment which was not up to the Server 2003 domain functional level. Naturally, of all the GCs in the environment, the Exchange server chose to use a GC in that domain.
All Replies
- Same problem, but only one domain.
New mailboxes created on Exchange 2007 using Exchange Management Console appear to be created, but the mailboxes cannot be accessed using Outlook 2007 or OWA.
New mailboxes created on Exchange 2003 using ADUC are not stamped with "msExchUserAccountControl", which should be "0" for an enabled account. Using ADSI Edit and setting it to "0" resolves the problem for that user.
The event logs on EX07 do not indicate any problems and the Best Practice Analyzer does not either.
The following errors are on the Exchange 2003 server for any new EX2003 users.
Logon Failure on database "First Storage Group\Mailbox Store (SG1)" - Windows 2000 account NT AUTHORITY\SYSTEM; mailbox /o=First Organization/ou=First Administrative Group/cn=Recipients/cn=eds.
Error: -2147467259
Failed to read attribute msExchUserAccountControl from Active Directory for /o=First Organization/ou=First Administrative Group/cn=Recipients/cn=eds.
- Hi Jim,
I am actually stuck in a similar position, except we are in a spot where new users being created through Exchange 2007 tools (EMC or EMS) are missing several ADSI properties:
- legacyExchangeDN
- msExchALObjectVersion
- msExchMailboxGuid
- msExchMailboxSecurityDescriptor (set to "not set", all other accounts have a blank value here)
- msExchUserAccountControl
- msExchUserCulture (set on new accounts, not set on pre-existing accounts)
http://forums.msexchange.org/Can't_open_new_mailboxes/m_1800455217/tm.htm
http://episteme.arstechnica.com/eve/forums?a=tpc&s=50009562&f=12009443&m=362006418831&r=606003038831#606003038831
The last Exchange 2003 server is still around (until we can get this worked out), but RUS has been set to 'never run'. If we create new mailboxes using ADUC on the 2003 box, those properties do get stamped properly, but we then have to update the mailbox to 2007 (Set-Mailbox "new user" -ApplyMandatoryProperties).
Any thoughts?
- This sounds like the same problem I was trying to resolve with my post to the Admin forum:
http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=2021296&SiteID=17
Since then I have been trying to find a solution, including re-running the setup process. Specifically, I tried re-running "Setup /PrepareLegacyExchangePermissions", but it had no effect.
Sorry it is not a positive message, but perhaps the cross-reference might help.
--philip.
- We actually just got some help from PSS on this.
There is a bug with the Microsoft Exchange System Attendant service in Exchange 2007 at this point. The support tech will still be emailing me details, but for now the workaround is simple (at least in our case).
Restart the Microsoft Exchange System Attendant service (Restart-Service MSExchangeSA in PowerShell) on your mailbox server(s), and try again!
We are running Exchange 2007 with Update Rollup 4 and Update Rollup 5 installed, and this did the trick for us. We are using a script for mailbox provisioning at the moment, so it was easy enough to just restart the System Attendant on the new user's mailbox server prior to creating the mailbox with the New-Mailbox command (we used psservice.exe from PsTools/Sysinternals, http://www.microsoft.com/technet/sysinternals/Utilities/PsTools.mspx).
The bug is not documented at this point, but the MS support tech noted that there were about 5 or 6 cases other than our own that reported this issue recently. While there is no KB for it at the moment and the fix is not public, a bug fix will most likely be included with SP1 (due by the end of this month).
Let me know if this helps you in your experience. Thanks for your updated information.
- Unfortunately, applying Update Rollup 5 and restarting the System Attendant hasn't fixed it for me. If SP1 is coming out by the end of the month, perhaps that will fix it for me.
--philip.
- We had a similar issue and we tried a number of things to resolve it, but I think the following resolved it:
1. Restart the System Attendant service on all Exchange 2007 servers.
2. Log on to the Exchange Management Shell (EMS).
3. Confirm the mailbox is corrupted by running "Get-Mailbox username".
4. Run "Set-Mailbox username -ApplyMandatoryProperties" on the faulty mailbox.
5. Wait 10-15 seconds and run "Get-Mailbox username" to confirm that the mailbox corruption has been resolved.
6. Close Outlook.
7. Delete the username within the Mail ==> Email Accounts options in Control Panel.
8. Re-type the username and click Check Name within the Mail ==> Email Accounts options in Control Panel.
9. Start Outlook.
Also make sure you aren't using a cached account when trying to diagnose Outlook problems....
- I posted an answer to a similar problem I have been having with not being able to create new mailboxes after removal of my last E2K3 server.
http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=2687386&SiteID=17&mode=1
The problem was the "purportedSearch" attribute in the CN=Mailbox Enable User system policy. I had an ampersand in the mailNickname filter part instead of an asterisk, and this prevented the Exchange 2007 tools from being able to create a new user or mailbox. On correcting the filter as per KB903291 (actually aimed at solving a different problem on E2K3), I no longer have the problem and I can now create new users and mailboxes.
Don't know if this might help in your case, but worth checking out if you still have the trouble.
--philip.
- That:
http://technet.microsoft.com/en-us/library/bb885050.aspx
did it for me.
Here's what I had to do:
Cause
This exception may occur if the Allow inheritable permissions check box is not selected on the user object or on the OU container in Active Directory Users and Computers.
You should also verify that the Exchange Servers group appears on the Security tab of the top-level domain container. This security group is required on the top-level container and must be propagated to each organizational unit that includes users before users can successfully log on to Outlook Web Access.
Before You Begin
To perform this procedure, the account you use must be delegated membership in the Domain Administrators group.
For more information about permissions, delegating roles, and the rights that are required to administer Microsoft Exchange Server 2007, see Permission Considerations.
Procedure
To use Active Directory Users and Computers to set permissions for users and organizational units:
1. Open the Active Directory Users and Computers snap-in.
2. On the View menu, click Advanced Features.
3. Open the properties of a user who cannot log on to Outlook Web Access.
4. Click the Security tab, and then click Advanced.
5. Select the Allow inheritable permissions check box if it has not already been selected.
6. Repeat steps 3 through 5 for each organizational unit between the user object and the top-level container.
7. Allow time for replication to occur.
Hope this solves it.
Patrick Monfette
- And for me too, THANKS!!!!
- Ticking Inheritable permissions did the trick for me, thank you so much, saved me a lot of hassle! (Although I don't know why 1 single account decided to not inherit permissions.)
- Worked for me too!!! I'm using Exchange 2007 SP1 with Rollup #3, so apparently this is still a bug.
- I ran into this issue ...
Situation:
Normal users are created in a part of the AD tree that DOES have the EXCHANGE SERVERS group permissions inheritable, as created by the Exchange install.
New admin users are created in a separate part of the AD tree that DOES NOT have the EXCHANGE SERVERS group inheritable.
An admin account requires an Exchange account to be able to send/receive messages.
We were able to create the mailbox but received the above error plus the AD exception error.
Resolution:
You have 2 options:
1. Add the EXCHANGE SERVERS group with the same perms as the main user container to the container and ensure inheritance is enabled,
or
2. Add the EXCHANGE SERVERS group with the same perms as the main user container to the individual user account.
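The checks the thread converges on (the attributes that should be stamped on a mailbox-enabled user, "Allow inheritable permissions" on the user and every OU above it, and an Exchange Servers ACE on each container up to the domain root) can be scripted instead of clicked through in ADSI Edit and ADUC. The script below is an added diagnostic example, not code from this thread or from Microsoft. It assumes a domain-joined box with PowerShell and the [ADSI] accessor (Exchange 2007 era, so no ActiveDirectory module), an account that can read the user's security descriptor, and a placeholder DN; the attribute list is the one the posts above report as missing, and the function names are the example's own.

```powershell
# Added diagnostic example, not code from the thread. Assumes it runs on a
# domain-joined machine (e.g. in the Exchange Management Shell) as an account
# allowed to read the user's security descriptor. $UserDn is a placeholder.
param(
    [string]$UserDn = "CN=New User,OU=Admins,DC=company,DC=com"   # assumed DN
)

# Attributes the thread reports as unstamped on broken Exchange 2007 mailboxes.
$RequiredAttrs = "legacyExchangeDN", "msExchALObjectVersion",
                 "msExchMailboxGuid", "msExchUserAccountControl"

function Test-MailboxAttributes([System.DirectoryServices.DirectoryEntry]$Entry) {
    $ok = $true
    foreach ($attr in $RequiredAttrs) {
        $val = $Entry.Properties[$attr].Value
        if ($val -eq $null) {
            Write-Warning "$attr is not stamped"
            $ok = $false
        }
        elseif ($attr -eq "msExchUserAccountControl" -and [int]$val -ne 0) {
            # 0 means the account is enabled; anything else blocks mailbox logon.
            Write-Warning "msExchUserAccountControl is $val, expected 0"
            $ok = $false
        }
    }
    return $ok
}

function Test-InheritanceChain([System.DirectoryServices.DirectoryEntry]$Entry) {
    # Walk from the user object up to the domain root. At each level report
    # whether inheritance is blocked ("Allow inheritable permissions" cleared)
    # and whether any ACE for the Exchange Servers group is present.
    $ok = $true
    $current = $Entry
    while ($true) {
        $dn = $current.Properties["distinguishedName"].Value
        $sd = $current.ObjectSecurity
        $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        $exch = @($rules | Where-Object { $_.IdentityReference.Value -like "*\Exchange Servers" })
        $explicit  = @($exch | Where-Object { -not $_.IsInherited }).Count
        $inherited = @($exch | Where-Object { $_.IsInherited }).Count

        # Write-Host keeps the report out of the function's return value.
        Write-Host ("{0}`n  inheritance blocked: {1}; Exchange Servers ACEs: {2} explicit, {3} inherited" -f `
            $dn, $sd.AreAccessRulesProtected, $explicit, $inherited)

        if ($sd.AreAccessRulesProtected) {
            Write-Warning "'Allow inheritable permissions' is cleared on $dn"
            $ok = $false
        }
        if ($exch.Count -eq 0) {
            Write-Warning "no Exchange Servers ACE on $dn"
            $ok = $false
        }
        if ($dn -match '^DC=') { break }   # reached the domain root container
        $current = $current.Parent
    }
    return $ok
}

$user = [ADSI]"LDAP://$UserDn"
$attrsOk = Test-MailboxAttributes $user
$aclOk   = Test-InheritanceChain $user

if ($attrsOk -and $aclOk) {
    "No obvious AD cause found; try Restart-Service MSExchangeSA on the mailbox server and Set-Mailbox -ApplyMandatoryProperties."
} else {
    "Fix the warnings above (ADSI Edit / ADUC Security tab), wait for replication, then retry."
}
```

Run it against the DN of a mailbox that fails to open. A container where "inheritance blocked: True" is reported, or where the Exchange Servers ACE count is 0 at a level below the domain root, is the spot the TechNet procedure and the two-option fix above are telling you to repair; a user with all four attributes stamped and a clean inheritance chain points instead at the System Attendant workaround.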