New-MailboxExportRequest : Couldn't find system mailbox 'SystemMailbox{xxxxxxx-xxxx-xxxx-xxx-xxxxx}' in Active Directory.

  • Question

  • I've been working with Microsoft for nearly a month on this issue and we just aren't making progress.

    I have an RBAC role group that contains the Mailbox Import Export role. The user is assigned. The user is also a member of Domain Users -- and no other groups.

    All we know, at this moment, is if we add the user to the Exchange Admins group, the New-MailboxExportRequest works. Without that group, he gets that error that the SystemMailbox could not be found.

    It seems like an AD issue --- some rights are not being granted correctly? Or something is being denied?

    The SystemMailbox that cannot be found is the one for the Database of the target mailbox we are trying to export. Somehow, the user who is trying to export doesn't seem to have access to the SystemMailbox on the other database.

    Bearing in mind that this functions correctly if the user is in the Exchange Admins group, it would appear that on the Exchange side, all the parts are at least working correctly. The problem must be specific to some kind of AD rights for the user.

    My question, more than anything, that Microsoft cannot answer is this:

    What rights --- exactly --- are required to do a New-MailboxExportRequest?

    Assume that we have disabled / denied ALL rights across the board. Which would have to be set to Allow for this cmdlet to function? For the user & Exchange Trusted Subsystem (and whatever other account requires rights for this)?

    Thanks!


    • Edited by Mr. Cross Thursday, July 10, 2014 2:20 PM
    Thursday, July 10, 2014 1:47 PM

Answers

  • I found the solution to this. Read access is required by user to the MESO OU in AD, and create child objects was required in the Configuration under Exchange / Databases / Replication Service.
    • Marked as answer by Mr. Cross Wednesday, July 23, 2014 8:48 PM
    Wednesday, July 23, 2014 8:48 PM
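
An added example, not part of the original thread and not Microsoft's code: a way to list which ACEs on the AD objects named in this thread apply to an account, directly or through its groups, so the rights that group membership supplies can be identified and granted narrowly. It assumes the ActiveDirectory module is installed, that "MESO" means the Microsoft Exchange System Objects container, and uses `exportuser` and `DC=domain,DC=com` as placeholders.

```powershell
# Added example: report the ACEs on given AD objects that apply to one account.
# Requires the ActiveDirectory module (RSAT), which provides the AD: drive.
Import-Module ActiveDirectory

function Get-AdAceForUser {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $DistinguishedName
    )

    # The user's SID, every group SID in the token (nested and primary group),
    # plus Everyone (S-1-1-0) and Authenticated Users (S-1-5-11).
    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
    $sids = @($user.SID.Value) +
            @($user.tokenGroups | ForEach-Object { $_.Value }) +
            @('S-1-1-0', 'S-1-5-11')

    foreach ($dn in $DistinguishedName) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # trustee cannot be resolved to a SID

            if ($sids -contains $sid) {
                [pscustomobject]@{
                    Object    = $dn
                    Trustee   = $ace.IdentityReference.Value
                    Type      = $ace.AccessControlType      # Allow or Deny
                    Rights    = $ace.ActiveDirectoryRights  # e.g. GenericRead, CreateChild
                    Inherited = $ace.IsInherited
                    AppliesTo = $ace.InheritanceType
                }
            }
        }
    }
}

# Placeholder account and domain; the second DN is the one quoted in the thread.
Get-AdAceForUser -SamAccountName 'exportuser' -DistinguishedName @(
    'CN=Microsoft Exchange System Objects,DC=domain,DC=com',
    'CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com'
) | Format-Table -AutoSize
```

Running it for the restricted account and again for an account in the admin group, then comparing the two outputs, shows which ACEs the group membership contributes.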

All replies

  • I've made a little progress here.

    I've given the user account I am using to do this export Full Access to the AD object (and all child objects):

    CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com

    Now I'm getting this:

    ...VERBOSE: [19:38:08.262 GMT] New-MailboxExportRequest : [DEBUG] MRSClient: attempting to connect to SERVER1.DOMAIN.COM
    VERBOSE: [19:38:29.668 GMT] New-MailboxExportRequest : [WARNING] Attempt to connect to CAS Server SERVER1.DOMAIN.COM failed with error: The call to 'net.tcp://SERVER1.DOMAIN.COM/Microsoft.Exchange.MailboxReplicationService' failed. Error details: Access is denied.. --> Access is denied.
    VERBOSE: [19:38:29.684 GMT] New-MailboxExportRequest : [DEBUG] MRSClient: attempting to connect to SERVER2.DOMAIN.COM
    VERBOSE: [19:38:32.606 GMT] New-MailboxExportRequest : [WARNING] Attempt to connect to CAS Server SERVER2.DOMAIN.COM failed with error: The call to 'net.tcp://SERVER2.DOMAIN.COM/Microsoft.Exchange.MailboxReplicationService' failed. Error details: Access is denied.. --> Access is denied.
    VERBOSE: [19:38:32.621 GMT] New-MailboxExportRequest : There are no available servers running the Microsoft Exchange Mailbox Replication service.
    New-MailboxExportRequest : There are no available servers running the Microsoft Exchange Mailbox Replication service.
    At line:1 char:25
    + new-mailboxexportrequest <<<<  -mailbox mailboxname -excludedumpster -filepath "\\server\file101.pst" -verb
        + CategoryInfo          : NotSpecified: (0:Int32) [New-MailboxExportRequest], NoMRSAvailableTransientException
        + FullyQualifiedErrorId : FDCC07AE,Microsoft.Exchange.Management.RecipientTasks.NewMailboxExportRequest
    VERBOSE: [19:38:32.668 GMT] New-MailboxExportRequest : Ending processing new-mailboxexportrequest


    It seems to me that there's another piece of AD permissions that I'm missing with this user account --- permissions to the CAS servers...

    Any suggestions where that might be?

    Thursday, July 10, 2014 8:06 PM
  • Hi,

    About the error "There are no available servers running the Microsoft Exchange Mailbox Replication service.", I recommend you test the MRS health to make sure that the MRS is running and that it responds to an RPC ping check. You can use the following cmdlet to check it:

    Get-ClientAccessServer | Test-MRSHealth

    Here is a thread for your reference:

    Test Mailbox Replication Service Health

    http://technet.microsoft.com/en-us/library/ee732396(v=exchg.141).aspx

    Hope it helps.

    Best regards,


    Amy Wang
    TechNet Community Support

    Friday, July 11, 2014 9:43 AM
  • Hello, I have the same problem and I added the read access on the MESO OU. The error changed from "couldn't find system mailbox" to "failed to communicate with the mailbox database". I don't understand the second step. What do you mean by "create child objects was required in the Configuration under Exchange / Databases / Replication Service"? Where do I find "Exchange / Databases / Replication Service"? Thank you :)
    Thursday, January 24, 2019 12:48 PM
  • Hello there,
    I have the same issue. I just added the read access permission on the MESO OU.
    Now I'm facing the same problem. I can't find a way to perform the listed step: "Create child objects in the Configuration under Exchange / Databases / Replication Service".
    In Exchange Admin Center I don't have the option.

    Did you find a solution to fix this problem?


    Kind Regards
    Monday, March 11, 2019 9:51 AM
  • Open ADSIEdit and connect to Configuration, then you can browse to that location.
    Monday, March 11, 2019 12:09 PM
  • Thank you for your quick reply. Unfortunately I can't find the listed path "Exchange / Databases / Replication Service" in my ADSI Edit.
    What does your exact path look like?

    My Connection path looks like this:

    Configuration:
    CN=Connection,DC=root,DC=name
    >CN=DisplaySpecifiers
    >CN=Extended-Rights
    >CN=ForestUpdates
    >CN=LostAndFoundConfig
    >CN=NTDS Quotas
    >CN=Partitions
    >CN=Physical Locations
    >CN=Services
    >>CN=AuthN Policy Configuration
    >>CN=Claims Configuration
    >>CN=Group Key Distribution Service
    >>CN=Microsoft Exchange
    >>>CN=ExchangeOrganisationName
    >>>>CN=Address Lists Container
    >>>>CN=AddressBook Mailbox Policies
    >>>>CN=Addressing
    >>>>CN=Administrative Groups
    >>>>CN=Approval Applications
    >>>>CN=Auth Configuration
    >>>>CN=Availability Configuration
    >>>>CN=Client Access
    >>>>CN=Connections
    >>>>CN=ELC Folders Container
    >>>>CN=ELC Mailbox Policies
    >>>>CN=ExchangeAssistance
    >>>>CN=Federation
    >>>>CN=Federation Trusts
    >>>>CN=Global Settings
    >>>>CN=Hybrid Configuration
    >>>>CN=Mailbox Replication
    >>>>>CN=MailboxExportRequests
    >>>>>CN=MailboxImportRequests
    >>>>CN=Mailbox ReplicationCNF:2c67553c-481e-46c7-ae77-48b476fd9393
    >>>>CN=Mobile Mailbox Policies
    >>>>CN=Mobile Mailbox Settings
    >>>>CN=Monitoring Settings
    >>>>CN=OWA Mailbox Policies
    >>>>CN=Provisioning Policy Container
    >>>>CN=Push Notifications Settings
    >>>>CN=RBAC
    >>>>CN=Recipient Policies
    >>>>CN=Remote Accounts Policies Container
    >>>>CN=Retention Policies Container
    >>>>CN=Retention Policy Tag Container
    >>>>CN=ServiceEndpoints
    >>>>CN=System Policies
    >>>>CN=Team Mailbox Provisioning Policies
    >>>>CN=Transport Settings
    >>>>CN=UM AutoAttendant Container
    >>>>CN=UM DialPlan Container
    >>>>CN=UM IPGateway Container
    >>>>CN=UM Mailbox Policies
    >>>>CN=Workload Management Settings
    >>>CN=Microsoft Exchange Autodiscover
    >>>>CN=Microsoft Exchange Online
    >>>CN=Microsoft SPP
    >>>CN=MsmqServices
    >>>CN=NetServices
    >>>CN=Public Key Services
    >>>CN=RRAS
    >>>CN=Shadow Principal Configuration
    >>>CN=Windows NT
    >CN=Sites
    >>CN=Default-First-Site-Name
    >>CN=Inter-Site Transports
    >>CN=Subnets
    >CN=WellKnown Security Principals

    Monday, March 11, 2019 1:35 PM
  • Sorry this was almost 5 years ago at another company, I don't know what the structure looked like at the time :(
    Monday, March 11, 2019 1:49 PM