Exchange mailbox(s) unavailable after server restart

  • Question

  • Hi folks,

    Just arrived back from holiday to find my company's exchange server has been encountering error(s) in my absence. Looking at the event logs there doesn't seem to be anything unusual (i.e.: errors that are in the event log have been prevalent since before this issue). What is known is the following:

    * Our mail filter (postini) sent me a message last week saying that the server was unavailable for about 5 minutes

    * Some stand-in administrators investigated and found the following service had stopped: Microsoft Exchange Information Store. The admin at the time started this service, which apparently fixed the problem for most users

    * The remaining users who still could not access their mail were only able to access their mail again after the admin added them to the Domain Admins group in Active Directory

    * As of this moment, it seems that the only thing that is not working is my mailbox. My Outlook client prompts me for a password but never accepts it i.e.: continual prompt with no error as though I was entering the wrong credentials.

    * If I try to log in to my mailbox from Outlook Web Access I encounter the following error: (IP addresses and domain names removed)

    Request
    Url: https://mail.domainname.co.uk:443/owa/default.aspx
    User host address: xx.xx.102.121

    Exception
    Exception type: Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException
    Exception message: Cannot open mailbox /o=First Organization/ou=First Administrative Group/cn=Recipients/cn=firstname.lastname.

    Call stack
    Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString, Boolean secondTry)
    Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString, Boolean secondTry)
    Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString)
    Microsoft.Exchange.Data.Storage.MailboxSession.Initialize(LogonType logonType, ExchangePrincipal owner, DelegateLogonUser delegateUser, Object identity, OpenMailboxSessionFlags flags)
    Microsoft.Exchange.Data.Storage.MailboxSession.CreateMailboxSession(LogonType logonType, ExchangePrincipal owner, DelegateLogonUser delegateUser, Object identity, OpenMailboxSessionFlags flags, CultureInfo cultureInfo, String clientInfoString)
    Microsoft.Exchange.Data.Storage.MailboxSession.Open(ExchangePrincipal mailboxOwner, WindowsPrincipal authenticatedUser, CultureInfo cultureInfo, String clientInfoString)
    Microsoft.Exchange.Clients.Owa.Core.OwaWindowsIdentity.CreateMailboxSession(ExchangePrincipal exchangePrincipal, CultureInfo cultureInfo)
    Microsoft.Exchange.Clients.Owa.Core.UserContext.Load(OwaContext owaContext)
    Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.CreateUserContext(OwaContext owaContext, UserContextKey userContextKey, UserContext& userContext)
    Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie)
    Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext)
    Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext)
    System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

    Inner Exception
    Exception type: Microsoft.Mapi.MapiExceptionLogonFailed
    Exception message: MapiExceptionLogonFailed: Unable to open message store. (hr=0x80040111, ec=1010) Diagnostic context: Lid: 18969 EcDoRpcExt2 called [length=981] Lid: 27161 EcDoRpcExt2 returned [ec=0x0][length=124][latency=0] Lid: 23226 --- ROP Parse Start --- Lid: 27962 ROP: ropLogon [254] Lid: 17082 ROP Error: 0x3F2 Lid: 26937 Lid: 21921 StoreEc: 0x3F2 Lid: 27962 ROP: ropExtendedError [250] Lid: 1494 ---- Remote Context Beg ---- Lid: 26426 ROP: ropLogon [254] Lid: 4740 StoreEc: 0x80070005 Lid: 30409 StoreEc: 0x80070005 Lid: 19145 StoreEc: 0x3F2 Lid: 23241 StoreEc: 0x3F2 Lid: 32186 Lid: 8620 StoreEc: 0x3F2 Lid: 1750 ---- Remote Context End ---- Lid: 26849 Lid: 21817 ROP Failure: 0x3F2 Lid: 26297 Lid: 16585 StoreEc: 0x3F2 Lid: 32441 Lid: 1706 StoreEc: 0x3F2 Lid: 24761 Lid: 20665 StoreEc: 0x3F2 Lid: 25785 Lid: 29881 StoreEc: 0x3F2

    Call stack
    Microsoft.Mapi.MapiExceptionHelper.ThrowIfError(String message, Int32 hresult, Int32 ec, DiagnosticContext diagCtx)
    Microsoft.Mapi.ExRpcConnection.OpenMsgStore(OpenStoreFlag storeFlags, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, MapiStore msgStorePrivate, String& correctServerDn, ClientIdentityInfo clientIdentityAs, String userDnAs, String applicationId, CultureInfo cultureInfo)
    Microsoft.Mapi.ConnectionCache.OpenMapiStore(String mailboxDn, Guid mailboxGuid, Guid mdbGuid, ClientIdentityInfo clientIdentity, String userDnAs, OpenStoreFlag openStoreFlags, CultureInfo cultureInfo, String applicationId)
    Microsoft.Mapi.ConnectionCache.OpenMailbox(String mailboxDn, Guid mailboxGuid, Guid mdbGuid, WindowsIdentity windowsIdentityAs, String userDnAs, OpenStoreFlag openStoreFlags, CultureInfo cultureInfo, String applicationId)
    Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString, Boolean secondTry)

     

    * The above error was apparently what was being encountered before said user was added to the Domain Administrator AD group i.e.: a user experiencing this error stopped seeing it after being added to the Domain Admins group.

    * To my knowledge, the only thing which was changed as a troubleshooting step by the stand-in admin was that the logon format for forms-based authentication was changed to 'Domain\user name' from 'User name only'. I have since changed this back to 'User name only'

     

    Supplementary information:

    Server is Windows Server 2008 Service Pack 2 x64 (VM), Exchange server 2007

    Client is Windows 7 Enterprise x64, Outlook 2010 x64

    Server has functioned fine for over a year. This is a difficult one to troubleshoot due to not being present at the time of the error and because a handful of people logged into the server to attempt to fix but any advice on troubleshooting steps would be hugely appreciated - Exchange server is not a strong area for me.

    Thanks,

    Peter

    Tuesday, May 3, 2011 10:22 AM

All replies

  • Hi,

    Check whether the database is mounted properly.


    Regards from www.windowsadmin.info
    Tuesday, May 3, 2011 10:42 AM
  • Hi MenU PhiliP,

     

    Thanks for your suggestion. The database is mounted fine. Another development:

    I right-clicked my mailbox in Exchange, selected 'Manage full access permission' and added the Domain Admins group access to my mailbox - now I can access it (I am in the Domain Admins group).

    So this seems to be a permissions issue. Why would I need to allow domain admins to access my mailbox, for me to access it?

    Any suggestions?

    Tuesday, May 3, 2011 11:30 AM
  • Hi,

    Microsoft Exchange Server accounts with Enterprise Administrators mailbox access rights are denied by default.  This restriction is also applicable if your login account is the Administrator account or you are a member of the Domain Admins or Enterprise Admins groups. In these cases also, access to all mailboxes other than your own will be denied, even if you have full administrative rights.


    Regards from www.windowsadmin.info
    Tuesday, May 3, 2011 12:21 PM
  • Hi,

     

    Thanks for your response. It would seem feasible and likely that the security group properties you describe are at play here. What I find confusing though is this:

     

    "If your logon account is the Administrator account or is a member of the Domain Admins or Enterprise Admins groups, then you are explicitly denied access to all mailboxes other than your own" ( http://support.microsoft.com/kb/262054 )

     

    This seems inconsistent with what has happened - surely if my account falls into this category (i.e.: is in the Enterprise Admins and Domain admins groups), I will STILL be able to access my own mailbox surely??

     

    Tuesday, May 3, 2011 1:23 PM
  • Somehow, there was a deny access rule for you. Maybe some other admins did it.


    Regards from www.windowsadmin.info
    Wednesday, May 4, 2011 3:59 AM
  • Hi mate

     

    The head of dept left the company on the same day that the issue occurred - I'm currently exploring the possibility that disabling his domain account may have broken some inherited permissions chain or something. Does this sound sensible/possible?

     

    Thanks for your help

     

    P

    Wednesday, May 4, 2011 9:09 AM
  • Hi,

    Permissions held by a user are not inheritable anyway. You may simply remove his account.


    Regards from www.windowsadmin.info
    Wednesday, May 4, 2011 9:15 AM
  • So the best explanation here is that the server encountered some problem, then someone else logged in, tried to fix and messed up permissions?
    Wednesday, May 4, 2011 3:57 PM
  • Hello Peter,

     

    You can use “get-mailboxpermission” command to compare the difference between a good and problematic mailbox.

     

    http://technet.microsoft.com/en-us/library/aa998218(EXCHG.80).aspx

     

    Thanks,

    Simon

     

    Thursday, May 5, 2011 6:07 AM
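
The comparison suggested in the reply above, as an added example that is not part of the original thread: it diffs the Get-MailboxPermission entries of a working and an affected mailbox and lists any deny entries on the affected one. The mailbox identities `working.user` and `affected.user` and the helper name `Get-MailboxAce` are placeholders chosen for this example; run it in the Exchange Management Shell.

```powershell
# Added example. Mailbox identities are placeholders, not values from the thread.
$good = 'working.user'    # a mailbox that opens normally
$bad  = 'affected.user'   # a mailbox that fails with the logon error

# Hypothetical helper: flatten each permission entry to plain, comparable values.
function Get-MailboxAce {
    param([string]$Mailbox)
    Get-MailboxPermission -Identity $Mailbox |
        Select-Object @{Name='User';         Expression={ $_.User.ToString() }},
                      @{Name='AccessRights'; Expression={ "$($_.AccessRights)" }},
                      Deny,
                      IsInherited
}

$goodAces = Get-MailboxAce $good
$badAces  = Get-MailboxAce $bad

# Entries present on one mailbox only.
# SideIndicator '<=' : only on the working mailbox
# SideIndicator '=>' : only on the affected mailbox
Compare-Object -ReferenceObject $goodAces -DifferenceObject $badAces `
               -Property User, AccessRights, Deny, IsInherited |
    Sort-Object User |
    Format-Table -AutoSize

# A deny entry overrides an allow entry for the same trustee, so review
# every deny on the affected mailbox and note whether it is inherited
# (set higher up, e.g. on the database or server) or set on the mailbox itself.
$badAces |
    Where-Object { $_.Deny -eq $true } |
    Sort-Object IsInherited, User |
    Format-Table User, AccessRights, IsInherited -AutoSize
```

An empty diff means the difference is not in the mailbox-level entries this cmdlet reports.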
  • Hello Simon/Philip,

     

    Thanks for your input. I ran the get-mailboxpermission cmdlet and output the results to a file for a user who had issues with their mailbox and a user who didn't.

    Now, bearing in mind that the individual mailbox user's issue was resolved by adding 'Domain Admins' to the Full Access permission list via the UI, I have compared the permissions between one affected and one unaffected user and found the following:

    *The user who experienced problems accessing their mailbox had only one additional user in their Full Access list - BUILTIN\Administrators.*

    Do you think I am on the right track here?

    If I removed the Domain Admins user from the full access permissions for this user, they would immediately lose the ability to access their mailbox - I have tested this. Is the solution to remove the user from the AD group 'Administrators' or to simply remove this user from the permissions list for their mailbox? If so, why would this spontaneously be the case?

    Any thoughts that anyone has would be appreciated.

    Cheers,

    Peter

    Friday, May 6, 2011 1:49 PM
  • An update - I've compared another 2 users, one with and one without the problem. They have EXACTLY the same result from get-mailboxpermissions.

     

    I am completely baffled.

    Friday, May 6, 2011 1:55 PM