Exchange 2013 CU 11 breaks some admin accounts?

    Question

  • Hi,

    I upgraded two separate test forests from CU10 to CU11. The versions before the upgrade are Exchange 2010 SP3 RU11 and Exchange 2013 CU10. In both forests I see the same behavior:

    The accounts used worked and still work fine in CU10 and have not been altered. Accounts I tested with are members of Domain Admins and Organization Management. I should be able to do virtually anything.

    With account 1, I connect to the CU11 server and I cannot see the Exchange 2013 servers anymore. I also cannot see any databases or other resources on the other Exchange 2013 servers. If I connect to the Exchange 2013 CU10 server I can see all the other Exchange 2013 servers including the CU11 server.

    With account 2, I connect to the CU11 server and I can see everything. Connecting to a CU10 server still works fine.

    The only workaround that I could find is to create a new account and that works flawlessly. Moving the failing account to an Exchange 2013 CU11 database did not make a difference.

    Using the account that fails using CU11 I also cannot perform a get-mailboxdatabase. When I try to do a new-moverequest, for instance, I get an accessdenied exception...

    The operation couldn't be performed because object 'mbxdb13100' couldn't be found on 'dc001.testdomain.com'.

    Below are some examples using a simple get-exchangeserver cmdlet.

    --------------------Situation 1------------------

    Working, CU10, administrator@testdomain.com

     VERBOSE: Connected to Exchange201302.testdomain.com

    [PS] C:\Windows\system32>Get-ExchangeServer | select name,edition, admin*

     Name                                                                    Edition AdminDisplayVersion

    ----                                                                    ------- -------------------

    EXCHANGE201001                                               StandardEvaluation Version 14.3 (Build 123.4)

    EXCHANGE201302                                               StandardEvaluation Version 15.0 (Build 1130.7)

    EXCHANGE201303                                               StandardEvaluation Version 15.0 (Build 1156.6)

    ____________Situation 2___________________

    Fault -  CU11 administrator@testdomain.com

     VERBOSE: Connected to exchange201303.testdomain.com

    [PS] C:\Windows\system32>Get-ExchangeServer | select name,edition, admin*

     Name                                    Edition                                 AdminDisplayVersion

    ----                                    -------                                 -------------------

    EXCHANGE201001                          StandardEvaluation                      Version 14.3 (Build 123.4)

     --------------Situation 3, another account which apparently kept its permissions--------------

    Correct, CU11 admin2@testdomain.com

     VERBOSE: Connected to Exchange201303.testdomain.com

    [PS] C:\Windows\system32>Get-ExchangeServer | select name,edition, admin*

     Name                                                                    Edition AdminDisplayVersion

    ----                                                                    ------- -------------------

    EXCHANGE201001                                               StandardEvaluation Version 14.3 (Build 123.4)

    EXCHANGE201302                                               StandardEvaluation Version 15.0 (Build 1130.7)

    EXCHANGE201303                                               StandardEvaluation Version 15.0 (Build 1156.6)

    __________________

    Regards,

    Thorwald



    Thorwald van Elburg


    Thursday, December 24, 2015 8:18 PM

Answers

  • Here are the steps I had to take to resolve this issue with Exchange 2013 CU11.

    • I opened up Exchange shell on the 2013 server and ran: Get-ExchangeServer | select name,edition, admin*
      It was only showing the 2010 server in the list.

    • I already had a mailbox for my Admin account, so I moved it from the 2010 to the 2013 server using the Exchange Administrative Center GUI.

    • I opened Exchange Shell again on the 2013 server and again ran: Get-ExchangeServer | select name,edition, admin*
      It still showed only the 2010 server in the list.

    • I then went into the registry and removed the PowerShell Profile cookie that is stored here: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WSMAN\Client\ConnectionCookies

    • Finally, I went back to the Exchange Shell on the 2013 server and ran: Get-ExchangeServer | select name,edition, admin*
      Success! It now shows both servers in the list!

      After that, I was able to use Exchange Shell successfully.

    Wednesday, March 09, 2016 4:12 PM
  • What you're seeing is normal.  Your administrator session will look like it's connected to the local server but under the covers it's really connected to the server where your account's mailbox, or the arbitration mailbox if your account isn't mailbox-enabled or its mailbox server is unavailable, is mounted, and that could be an Exchange 2010 server, in which case you won't be able to do much of anything in Exchange 2013. 

    Mailbox-enable your admin account and ensure that the mailbox is on the server you're connecting to.

    If you log on to that server but it still doesn't connect to the right server, what I've done is log on to it with a different account and delete the Windows profile.  Apparently the wrong server name is sticky in the PowerShell profile.  I'm advised that you can remove all the cookies in the registry here:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WSMAN\Client\ConnectionCookies

    but I haven't tested that approach yet.

    If you've installed an Exchange 2013 CU11 server in an Exchange 2010 organization, then you can open PowerShell as administrator and execute this command to get an Exchange command shell you can use to move your mailbox and/or the arbitration mailboxes.

    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
    You might have to use one of the approaches above to fix the account profile if you still can't get to the Exchange 2013 Shell commands.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, January 06, 2016 10:58 PM
    Moderator
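
Added example, not part of the original thread or any poster's own code: a PowerShell check of which server hosts the mailboxes that anchor the EMS session, followed by a dry run of the ConnectionCookies cleanup described in the answers above. The `$AdminIdentity` default is the account from the question; the script layout and variable names are assumptions.

```powershell
# Added example: not from the thread. Run as the affected admin, in an elevated
# Windows PowerShell on the Exchange 2013 CU11 server.
param([string]$AdminIdentity = 'administrator@testdomain.com')  # assumption: affected account

# Local snap-in session, as suggested in the thread. It talks to AD directly instead of
# going through the proxied remote EMS session, and RBAC scoping is not applied to it.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction Stop

# Server name -> version string, e.g. "Version 15.0 (Build 1156.6)".
$versions = @{}
Get-ExchangeServer | ForEach-Object { $versions[$_.Name] = "$($_.AdminDisplayVersion)" }

# Candidate anchors: the admin's own mailbox if it has one, plus the arbitration mailboxes.
$own = @(Get-Mailbox -Identity $AdminIdentity -ErrorAction SilentlyContinue)
if (-not $own) {
    Write-Warning "$AdminIdentity has no mailbox; arbitration mailboxes anchor the session."
}
$anchors = $own + @(Get-Mailbox -Arbitration)

# Flag every anchor that still sits on a pre-2013 (version 14.x) server.
$anchors | ForEach-Object {
    $ver = $versions[$_.ServerName]
    [pscustomobject]@{
        Mailbox = $_.Name
        Database = $_.Database
        Server  = $_.ServerName
        Version = $ver
        Pre2013 = ($ver -match '^Version 14\.')
    }
} | Format-Table -AutoSize

# Cached WSMan connection cookies for the current user (HKCU = the account running this).
$cookieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WSMAN\Client\ConnectionCookies'
if (Test-Path $cookieKey) {
    # Show what is cached (values on the key and any subkeys) before deleting.
    (Get-Item $cookieKey).Property
    (Get-ChildItem $cookieKey).PSChildName
    # Dry run: drop -WhatIf to delete, then open a new Exchange Management Shell.
    Remove-Item -Path $cookieKey -Recurse -WhatIf
} else {
    Write-Output 'No ConnectionCookies key for this user.'
}
```

Any row with `Pre2013` set to True is a mailbox that can pull the session onto the Exchange 2010 server; move it first, then clear the cookies.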

All replies

  • Hi Thorwald,

    Starting with Exchange Server 2013 CU11 and Exchange Server 2016 CU1, the Exchange Management Shell (EMS) session will be using mailbox anchoring.

    In Exchange 2013 CU11, if a user logs on to the Exchange server and opens up EMS, the session will be proxied to the server where the user’s mailbox is located. If the user does not have a mailbox, we will utilize the arbitration mailboxes for the mailbox anchoring logic. Wherever the arbitration mailbox is mounted is where the EMS session will be proxied.

    Therefore, in your scenario, if the administrator@testdomain.com mailbox is located on EXCHANGE201001, the EMS session would be proxied to EXCHANGE201001 even though this administrator is logged on to exchange201303.testdomain.com. Please move the administrator@testdomain.com mailbox and all the arbitration mailboxes to the latest Exchange 2013 CU11 or CU10 database to have a try.

    For more information about Exchange Management Shell and Mailbox Anchoring, please refer to:
    http://blogs.technet.com/b/exchange/archive/2015/12/15/exchange-management-shell-and-mailbox-anchoring.aspx

    Regards,


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Winnie Liang
    TechNet Community Support

    Friday, December 25, 2015 6:45 AM
    Moderator
  • Hi Winnie,

    I did already move the arbitration mailboxes and the admin mailboxes to different server versions to test the results and that did not solve the problem for the account at hand. In both forests placing the arbitration mailboxes and the admin mailboxes on the 2013 CU11 server and connecting to those specifically resulted in one admin with an access denied and the other one still working while nothing was changed to the accounts at hand.

    Unless there is something wrong with anchoring, I don't get it.

    As mentioned, I tested this on two isolated forests of the same configuration (one site, centralized) and the results were the same. I think anchoring in combination with a coexistence situation is something that needs to be looked into. Until further notice, we decided not to deploy CU11 for now and stick with CU10.

    What I forgot to mention earlier: a "broken" account in PowerShell does work while working with the Web UI or a local PowerShell with the snap-in added.

    I'll keep one test forest in dual CU10/CU11 for now to test stuff you might suggest.

    Regards,

    Thorwald


    Thorwald van Elburg



    Monday, December 28, 2015 10:30 AM
  • Hi Thorwald,

    Exchange 2013 CU11 is the latest Exchange release for Exchange 2013. I am trying to involve someone familiar with this topic to further look at this issue.

    This is just a quick note to let you know that we are performing research on this issue.

    Regards,


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Winnie Liang
    TechNet Community Support

    Wednesday, December 30, 2015 6:42 AM
    Moderator
  • Hi,

    You have to move your admin mailbox first, then after 2 hours it worked. We had the same issue and a little bit of patience did the trick :)

    Greetings
    Martin

    Tuesday, January 05, 2016 3:57 PM
  • Hi Martin,

    Thank you for replying. Waiting did not help me either, despite waiting for 24 hours.

    However, we are not alone in this matter:

    https://exchangemaster.wordpress.com/2016/01/06/mailbox-anchoring-affecting-new-deployments-upgrades/#comment-5445

    There is a regkey mentioned in this article, one thing I did not try yet.

    Regards,

    Thorwald


    Thorwald van Elburg

    Wednesday, January 06, 2016 9:50 PM
  • Here is your answer.

    http://blogs.technet.com/b/exchange/archive/2015/12/15/exchange-management-shell-and-mailbox-anchoring.aspx


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, January 06, 2016 10:08 PM
    Moderator
  • Hi Ed,

    Thanks for replying. I know it has to do with anchoring. I'm not the only one experiencing this problem, as can be read in the following post (where you were mentioned, by the way :-)

    https://exchangemaster.wordpress.com/2016/01/06/mailbox-anchoring-affecting-new-deployments-upgrades/

    Something needs fixing.

    Regards,

    Thorwald


    Thorwald van Elburg

    Wednesday, January 06, 2016 10:17 PM
  • Yeah, that cookie thing is a bitch.  Before I learned about that I was deleting the Windows user profile.  Thanks for the reminder on that--I'm going to add it to my notes.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!


    Wednesday, March 09, 2016 6:21 PM
    Moderator