Cannot link mailbox to user in accounts forest

  • Question

  • original forest is a single domain configuration named mydomain.com.  A new accounts forest was created named ad.mydomain.com.  This domain is *not* a subdomain of the original domain, but a separate domain in a separate forest.  This forest also uses a single domain design. (It's a long story) All mailboxes reside in a single mailbox database on an Exchange 2010 server running on Windows Server 2008 R2.  I've used the ADMT to migrate some test accounts to the accounts forest.  The migration works and the account appears functional, i.e., SID history migrated and the account can still get to shares and files on machines located in the resource forest. 

    I then use the disable-mailbox and connect-mailbox commands to set up the linked mailbox.  My test account is user Joe Doakes (as listed in Get-MailboxStatistics), username is jdoakes, mailnickname is jdoakes and SMTP address is jdoakes@mydomain.com.  Here is the exact command I am using:

    Connect-Mailbox -Identity "Joe Doakes" -Database "Mailbox Database 0448361937" -LinkedDomainController MEDTMPDC01.ad.mydomain.com -LinkedMasterAccount "CN=Joe Doakes,OU=Testing,OU=Accounts,DC=ad,DC=mydomain,DC=com" -LinkedCredential $cred

    to which the command shell replies-

    Confirm

    Do you want to connect this mailbox to user "mydomain.com/Testing/Joe Doakes" with the alias "JoeDoakes"?

    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"):

    I've re-entered the credentials for the accounts forest twice.  The canonical name above is the name of the now disabled account in the resource forest.  If I select Y here, it reconnects to the old account and changes the alias from jdoakes to JoeDoakes.  This behavior is very strange.  I have confirmed the distinguished name used is correct.  Can anyone point out what I am doing wrong?

    TIA

    Tom

    Thursday, March 13, 2014 1:43 PM

All replies

  • Hi Tom,

    If you want to use jdoakes as the connected mailbox alias, we can use the Alias parameter in the Connect-Mailbox cmdlet. The Alias parameter specifies the alias (mail nickname) for the mailbox after it's connected.

    Therefore, we can run the following command to connect a linked mailbox:

    Connect-Mailbox -Identity "Joe Doakes" -Alias jdoakes -Database "Mailbox Database 0448361937" -LinkedDomainController MEDTMPDC01.ad.mydomain.com -LinkedMasterAccount "CN=Joe Doakes,OU=Testing,OU=Accounts,DC=ad,DC=mydomain,DC=com" -LinkedCredential $cred

    Hope it works.

    Best Regards,


    Winnie Liang
    TechNet Community Support

    Friday, March 14, 2014 8:32 AM
    Moderator
  • Thank you for responding.  When I enter the cmdlet you suggest, I now receive this error:

    Confirm
    Do you want to connect this mailbox to user "mydomain.com/Testing/Joe Doakes" with the alias "jdoakes"?
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"):

    I would think this response should say Do you want to connect this mailbox to user "ad.mydomain.com/Accounts/Testing/Joe Doakes", but maybe I am misinterpreting what the response is trying to tell me.

    Do you have any other suggestions?

    Friday, March 14, 2014 12:22 PM
  • Hi,

    It seems that the connected mailbox is still connected to the original forest account. Before you change the mailbox connection to the new forest user, please make sure your new forest (ad.mydomain.com) is trusted by the Exchange resource forest.

    Generally, we use the Set-Mailbox cmdlet to change the linked mailbox properties. The following example changes the linked master account in the fabrikam.com account forest that is associated with a linked mailbox in an Exchange forest.

    Set-Mailbox -Identity "Ayla Kol" -LinkedDomainController DC1.fabrikam.com -LinkedMasterAccount "fabrikam\robinw" -LinkedCredential:(Get-Credential fabrikam\administrator)

    For more information about managing linked mailboxes, we can refer to:

    http://technet.microsoft.com/en-us/library/jj673532(v=exchg.150).aspx

    Thanks,


    Winnie Liang
    TechNet Community Support

    Monday, March 17, 2014 2:19 AM
    Moderator
  • Thank you for responding.  I have verified the following:
    The mailbox for Joe Doakes has been disabled.
    The mailbox for Joe Doakes appears in the Disconnected Mailboxes node in the EMC.
    The user account for Joe Doakes in the MYDOMAIN domain is disabled.
    The cross-forest trust relationship between the AD and MYDOMAIN domains.
    The user ad\administrator can log on to the AD domain from the Exchange Console.

    I have used the set-mailbox command as you suggested.  I now receive a different error:

    [PS] C:\Windows\system32>Set-Mailbox -Identity "Joe Doakes" -LinkedDomainController MEDTMPDC01.ad.mydomain.com -LinkedMasterAccount "CN=Joe Doakes,OU=Testing,OU=Accounts,DC=ad,DC=mydomain,DC=com" -LinkedCredential $cred
    The operation couldn't be performed because object 'Joe Doakes' couldn't be found on 'MDL03DC.mydomain.com'.
        + CategoryInfo          : NotSpecified: (0:Int32) [Set-Mailbox], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : 6D79090,Microsoft.Exchange.Management.RecipientTasks.SetMailbox


    [PS] C:\Windows\system32>

    Do you have any other suggestions?

    Thanks.


    Monday, March 17, 2014 9:20 AM
    I wanted to update this post in case anyone else runs into this problem.  I wound up opening a support ticket and spent a day and a half on the phone with Microsoft.  This issue was the result of several chance problems and my misinterpretation of the command's results.  To start off, when the command comes back to say that it wants to connect the mailbox to "mydomain.com/Testing/Joe Doakes", it really means that it is the disabled account in the Exchange (source) forest to which the mailbox will be connected.  It will be "linked" to the account in the accounts forest, but the command does not say that.  This behavior is by design.  We also found that I have to specify the alias in the command or a new alias is created that concatenates the target account's first and last names.  Last, we found that running a number of clean-mailboxdatabase commands was the trick that finally made things work.  To recap, the procedure that worked for me was:

    1. Disable-mailbox to disconnect the user in the source forest

    2. Verify the mailbox is actually disconnected.  If it does not show up in the Disconnected Mailbox node in the EMC, run the clean-mailboxdatabase "<database name>" command

    3. Disable the source forest user account.

    4. Enter the account forest credential ($cred = get-credential)

    5. Connect the mailbox to the linked account.  This is the command that worked for me:

      Connect-Mailbox -Identity "Joe Doakes" -Alias jdoakes -Database "Mailbox Database 0448361937" -LinkedDomainController MEDTMPDC01.ad.mydomain.com -LinkedMasterAccount "CN=Joe Doakes,OU=Testing,OU=Accounts,DC=ad,DC=mydomain,DC=com" -LinkedCredential $cred

    6. The new account may not be able to get to the mailbox without running another clean-mailboxdatabase.

    I hope this saves someone else a call to Microsoft.


    Wednesday, March 19, 2014 5:21 PM
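
Because the Connect-Mailbox confirmation prompt names the disabled resource-forest account rather than the linked master account, the link has to be verified on the mailbox object itself after step 5. The following check is an added example, not part of the original posts or Microsoft's guidance; it uses the names from this thread and assumes the migrated account in the accounts forest is `AD\jdoakes`.

```powershell
# Added example: run in the Exchange Management Shell of the resource (Exchange) forest.
# Values are taken from this thread; 'AD\jdoakes' assumes ADMT kept the username.
$alias          = 'jdoakes'
$displayName    = 'Joe Doakes'
$database       = 'Mailbox Database 0448361937'
$expectedMaster = 'AD\jdoakes'

# A mailbox that is still listed with a DisconnectDate has not been reconnected.
$stillDisconnected = Get-MailboxStatistics -Database $database |
    Where-Object { $_.DisplayName -eq $displayName -and $_.DisconnectDate }

$mbx  = Get-Mailbox -Identity $alias -ErrorAction Stop
$user = Get-User -Identity $mbx.DistinguishedName -ErrorAction Stop

# Each entry is one property that the confirmation prompt does not show.
$checks = @(
    @{ Name = 'Mailbox is no longer disconnected'
       Pass = (-not $stillDisconnected) }
    @{ Name = 'Recipient type is LinkedMailbox'
       Pass = ("$($mbx.RecipientTypeDetails)" -eq 'LinkedMailbox') }
    @{ Name = "Linked master account is $expectedMaster"
       Pass = ("$($mbx.LinkedMasterAccount)" -eq $expectedMaster) }
    @{ Name = "Alias is $alias (not a generated one)"
       Pass = ($mbx.Alias -eq $alias) }
    @{ Name = 'Resource-forest account is disabled'
       Pass = ("$($user.UserAccountControl)" -match 'AccountDisabled') }
)

foreach ($check in $checks) {
    $result = if ($check.Pass) { 'OK' } else { 'FAIL' }
    '{0,-45} {1}' -f $check.Name, $result
}

$failed = @($checks | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) check(s) failed for '$displayName'."
    Write-Warning "Found LinkedMasterAccount: '$($mbx.LinkedMasterAccount)'"
}
```

A result where the linked master account still differs from the accounts-forest user means logons from that forest will not map to the mailbox, whatever the prompt displayed.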