MIM creating Exchange 2010 legacy mailboxes RRS feed

  • Question

  • I wanted to see if anyone have ever run into this.  I have AD provisioning up and running with MIM. The AD account is created and all looks good from that perspective.  I have run into a problem however where the Exchange mailbox is created but is in a corrupted state when I query it with Powershell.  When I look in the Exchange console it states that it is a legacy mailbox.  I am using the following to provision the account and I know this has worked in other environments.  We have tried this manually from the Exchange console and it seems to work fine.

    The AD environment is is functional level 2003 and Exchange 2010.  The code is as follows:

    mailboxMDB = "CN=MyDB,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=acme,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=acme,DC=com";

    CSentry = ExchangeUtils.CreateMailbox(ManagementAgent, dn, nickName, mailboxMDB);

    CSentry["msExchHomeServerName"].Value = "/o=acmeou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=myServer"; // msExchangeHomeServer;

     CSentry["msExchRBACPolicyLink"].Value = "CN=Default Role Assignment Policy,CN=Policies,CN=RBAC,CN=acme,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=acme,DC=com";

    //Added the following line as a potential fix but no luck

    CSentry["homeMTA"].Value = "CN=Microsoft MTA,CN=PDMBXDB2,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=acme,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=acme,DC=com";

    MIM doesn't throw any errors when exporting to AD and there is nothing else in the logs.  Does you have any idea what might be going on and why they are being created as legacy mailboxes?  

    Friday, December 18, 2015 5:29 PM

All replies

  • Hello,

    using the ExchangeUtils.CreateMailbox Method is an very old Approach, but normally should work, but I think that is why the Mailbox is created the "old" style.

    I would suggest to only set the Attributes and configure Exchange Provisioning for Ex2010 in MA you only Need to provides the Ex Remote PS URI, which is http://exchangeServer/Powershell

    This will run the "update-recipient" cmdlet which creates the Mailbox correctly.


    Peter Stapf - ExpertCircle GmbH - My blog:

    Saturday, December 19, 2015 4:25 PM
  • Thanks Peter.  So a little more progress on this but now I get the following.  If you have seen this before let me know.  We can create users from the Exchange on other server besides MIM Sync.  MIM Sync now throws this:

    Active Directory operation failed on This error is not retriable. Additional information: Insufficient access rights to perform the operation.

    Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS),

    Saturday, December 19, 2015 7:44 PM
  • Did you switch to Exchange Provisioning with MA like i mentioned above.

    To be able to run the update-recipient cmdlet the AD MA Account you need to have permissions in Exchange, the group Recipient-Management should give you the correct permissions.

    But the error above seems to come from AD DC. Did the service account have Replicate Directory Changes permission on the domain ?


    Peter Stapf - ExpertCircle GmbH - My blog:

    Sunday, December 20, 2015 11:51 AM
  • Thanks Peter, I did make the change in the code and removed the exchangeUtils call with just the standard create connector.  MIM can successfully read from AD without issue since it had the Replicate Directory permissions.  The AD account is successfully created if I exclude the Exchange attributes.  This error only appears when trying to provision Exchange mailboxes and since is being thrown by a DC and not MIM, I am not certain if there is deeper config problem or access setting in Exchange somewhere that needs to be updated.  If anyone has run into this please let me know.

    Sunday, December 20, 2015 2:37 PM
  • FIM_Admin

    If you have an Exchange 2003 server in the mix, it should have the RUS running on it. In 'configure extensions' for the AD MA, do you have Exchange provisioning disabled, meaning it is set to 'none'? In environments where you have a mixed environment of Exchange which included 2003 with RUS, using Exchange provisioning (meaning the dropdown is set to 2007 or 2010) will cause errors and should be avoided.

    Tuesday, December 22, 2015 5:04 AM
  • Thanks Glen, I did set the Exchange provisioning to "No provisioning" on the Config Extensions tab of the AD MA but it still errors out.  I am checking on the existence of an Exchange 2003 in the environment.

    Here something interesting that I found.  I am setting the following on the provisioning code:

    CSentry = ManagementAgent.Connectors.StartNewConnector("user");

    CSentry["msExchHomeServerName"].Value = myServer;

    CSentry["homeMDB"].Value = mailboxMDB;

    CSentry["mailNickname"].Value = nickName;

    I do get an export error when writing to AD but the user object is created.  The mailbox is created in a legacy state.   The error on the CAS server and MIM application log is:

    Active Directory operation failed on This error is not retriable. Additional information: Insufficient access rights to perform the operation.

    Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS),

    If I manually run Update-Recipients on the newly created AD account from the MIM server with the AD MA creds the powershell works fine and the email address is assigned to the AD user object.  The mailbox appears to be fine.  The manual powershell command is:

    Update-Recipient -Identity $Account -Credential $UserCredential 

    I am assuming MIM is doing something different from my simple example that appears to work.  If any has any thoughts on this it would be appreciated.

    Tuesday, December 22, 2015 4:02 PM