Exchange 2003/2010 Co-Existence - Distribution Group Management

We're running both Exchange 2010 and Exchange 2003.  I have an issue where some distribution groups were upgraded to Exchange 2010 (v14.0.100) and the managers of those lists who are on Exchange 2003 can no longer modify members; they get the error:
"Changes to the distribution list membership cannot be saved.  You do not have sufficient permission to perform this operation on this object".
We've already implemented the myDistributionGroupsManagement role with success to allow Exchange 2010 users to manage their own list without allowing them to create new ones.
http://blogs.technet.com/b/exchange/archive/2009/11/18/3408844.aspx
Trying to apply the "Default Role Policy Assignment" to the Exchange 2003 users returns an error.  Is there any way Exchange 2003 users can manage Exchange 2010 distribution lists they own without being upgraded to Exchange 2010?  If not, is there any way to downgrade distribution groups to Exchange 2003 once they've been upgraded?

Hi,
From my lab, a legacy Exchange user can manage a distribution group which has been upgraded to Exchange 2010.
Exchange 2010 SP2, Exchange 2003 with SP2.
I can add/remove members for the distribution group from the address book via Outlook.
Xiu Zhang
TechNet Community Support

Similar Messages

  • Exchange 2003-2010 co-existence environment

    I have an Exchange 2003-2010 co-existence environment.
    Everything works fine except the weird issue below; I tried to re-create the routing group connector but the issue is the same.
    My issue is very simple. The mail flow is as below:
    exchange 2003 to outside............
    exchange 2010 to outside ...........works
    exchange 2010 to 2003 ...............works
    exchange 2003 to 2010................is not 

    Hi Huzefa,
    Can you try creating a new bidirectional RGConnector and check?
    New-RoutingGroupConnector -Name "NameOfRG" -SourceTransportServers "Ex2010.contoso.com" -TargetTransportServers "Ex2003.contoso.com" -Cost 10 -Bidirectional $true -PublicFolderReferralsEnabled $true
    http://technet.microsoft.com/en-us/library/aa997292(v=exchg.141).aspx
    Thanks, MAS
    Please mark as helpful if you find my comment helpful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

  • Exchange 2003 /2010 Co-existence plus 2010 migration to new hardware

    Hi,
    Here is our current scenario;
    Exchange 2003/2010 co-existence. This has been running perfectly for a couple of months now.
    Exchange 2003 - exch1.domain.lan
    Exchange 2010 (SP3) - exch2.domain.lan (local domain name)  /  mail.domain.com.au (external domain name)
    ActiveSync, autodiscover, legacy etc are all working. Our UAC certificate from GoDaddy has all the required names for exch2 - except it doesn't have the local domain name as they don't allow certificates with that anymore. I've configured all the required
    services to be the external domain name and am running split DNS.
    The first Exchange 2010 server I installed was lower spec'd and only has about 25 users on it. I now need to install a second Exchange 2010 server (exch3.domain.local), which is properly spec'd and will host the entire company. I won't be running DAG as
    I need to repurpose the first Exchange 2010 server once it's removed.
    My high level questions are;
    1) Should I migrate everyone off Exchange 2003 onto Exchange 2010, decommission the 2003 server, and then install the second 2010 server? OR
    2) Should I install the second Exchange 2010 server, migrate everyone from the first Exchange 2010 server, decommission that one, then do the migration from 2003 to 2010?
    OR does it matter which way I do it?
    I've read what I can find about installing the second Exchange 2010 server into the organisation. It seems to be pretty simple at first. Just install Exchange 2010 with HT, mailbox and CAS roles which will automatically configure it into the same Exchange
    organisation.
    1) Do I configure CAS to be externally facing right from the get go or do I do that later?
    2) As soon as I install the second Exchange 2010 server, will I encounter any mail flow problems? Will mail be trying to flow out of the second Exchange 2010 server as well as the first?
    In regards to SSL, so obviously the second Exchange 2010 server will have a different local domain name than the first, but ultimately, I want it to have the same external domain name, eg mail.domain.com.au. As my certificate doesn't contain any local domain
    names, can I export the certificate from exch1 and import it into exch2, or should I just generate a new CSR from exch2 and get GoDaddy to reissue it?
    OR should I look at creating a CAS Array from exch1 and adding exch2 to it. (I don't fully understand the workings of this at the moment).
    Any guidance on the above is helpful.
    Thanks.
    Steve

    Hi Steve I will try my best to answer each of these 
    My high level questions are;
    1) Should I migrate everyone off Exchange 2003 onto Exchange 2010, decommission the 2003 server, and then install the second 2010 server? OR
    2) Should I install the second Exchange 2010 server, migrate everyone from the first Exchange 2010 server, decommission that one, then do the migration from 2003 to 2010?
    OR does it matter which way I do it?
    Doesn't matter at all. Since you want to move to new hardware you can set up a new CAS/HUB/Mailbox server. Once installed, start migrating the mailboxes from Exchange 2003 to this mailbox server. This way you will not have to redo the migration from 2010 to the new 2010 server -- like you mentioned in 1) it will save you a lot of time and repeating the procedure.
    I've read what I can find about installing the second Exchange 2010 server into the organisation. It seems to be pretty simple at first. Just install Exchange 2010 with HT, mailbox and CAS roles which will automatically configure it into the same Exchange organisation.
    1) Do I configure CAS to be externally facing right from the get go or do I do that later?
    Keep your existing 2010 internet facing for now. Once you finished migrating the mailboxes then you will need to do it.
    2) As soon as I install the second Exchange 2010 server, will I encounter any mail flow problems? Will mail be trying to flow out of the second Exchange 2010 server as well as the first?
    Mail will not flow to the secondary server unless you add that server as a source server in the transport.
    In regards to SSL, so obviously the second Exchange 2010 server will have a different local domain name than the first, but ultimately, I want it to have the same external domain name, eg mail.domain.com.au. As my certificate doesn't contain any local domain
    names, can I export the certificate from exch1 and import it into exch2, or should I just generate a new CSR from exch2 and get GoDaddy to reissue it?
    You can always export the certificate and then import it to the newly installed Exchange 2010.
    OR should I look at creating a CAS Array from exch1 and adding exch2 to it. (I don't fully understand the workings of this at the moment).
    You will only need to set up the CAS array if you are going to use both servers, which can be done later.
    Hope that helps
    Where Technology Meets Talent

  • Exchange 2003 - 2010 Co-existence Migration Autodiscover & OAB Issue

    Hi,
    I am in the middle of a Ex2003 to Ex2010 Migration initially through co-existence. Everything has been working perfectly for the last couple of months.
    The first Ex2010 server I installed (EX01.domain.local) was just a temporary server that hosted a handful of users that were imported from another company.
    I have since installed a second Ex2010 server (EX02.domain.local), which will be the permanent 2010 server. The end result will be 1 Ex2010 server only, after I have migrated everyone off EX01 and the 2003 server.
    EX01 and EX02 both have the Mailbox, CAS, & HT roles installed.
    I created the mailbox and Public Folder databases on EX02. I have assigned the Public Folder database to the mailbox database.
    I added EX02 as a Source Server within Hub Transport.
    I've exported the UC/SAN certificate from EX01 and imported it into EX02 and assigned the SMTP, IIS, POP & IMAP services to it.
    I setup the legacy URL for OWA.
    I changed the relevant settings on EX02, eg OWA, ECP, ActiveSync, OAB, AutoDiscoverServiceInternalUri etc to be external domain name that is listed on the certificate, eg mail.domain.com.au. (The SSL certificate is through GoDaddy and they do not allow you
    to put any internal domain names on the certificate).
    So before I installed the second Ex2010 server, everything was working correctly.
    After I installed the second Ex2010 server and performed the steps above, I have noticed a couple of things;
    1) The Autodiscovery test within Outlook works for mailboxes that have been migrated to either of the Ex2010 servers, but fails for mailboxes that are still on the Ex2003 server. It finds the correct URL, https://mail.domain.com.au/Autodiscover/Autodiscover.xml,
    and brings back an HTTP status of 200. However, it says it then fails with (0x800C8203). I tested with Outlook 2003 and 2010. They both fail.
    2) OAB fails to download for clients whose mailbox is still on the Ex2003 server. It fails with (0x8004010F - The operation failed. An object cannot be found). It works for clients with mailboxes on either of the 2010 servers.
    I'm going around in circles reading numerous articles on trying to fix autodiscover. Using Microsoft's MRCA site, autodiscovery works externally for clients on the Ex2010 servers, but not on the 2003 servers, (which I thought was how it worked anyway as
    autodiscovery doesn't work on Ex2003).
    Is this the same for internal users? I'm not sure if I'm chasing my tail by trying to fix something that doesn't need fixing, but obviously the OAB should work.
    Any suggestions are grateful.
    Thanks.
    Steve

    Output from get-webservicesvirtualdirectory | fl
    RunspaceId                      : 12158f4a-101e-45c7-b35a-02c6b5652e41
    CertificateAuthentication       :
    InternalNLBBypassUrl            : https://ex01.domain.local/ews/exchange.asmx
    GzipLevel                       : High
    MRSProxyEnabled                 : False
    MRSProxyMaxConnections          : 100
    Name                            : EWS (Default Web Site)
    InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
    ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
    LiveIdSpNegoAuthentication      : False
    WSSecurityAuthentication        : True
    LiveIdBasicAuthentication       : False
    BasicAuthentication             : True
    DigestAuthentication            : False
    WindowsAuthentication           : True
    MetabasePath                    : IIS://EX01.domain.local/W3SVC/1/ROOT/EWS
    Path                            : C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\exchweb\EWS
    ExtendedProtectionTokenChecking : None
    ExtendedProtectionFlags         :
    ExtendedProtectionSPNList       : {}
    Server                          : EX01
    InternalUrl                     : https://mail.domain.com.au/ews/exchange.asmx
    ExternalUrl                     : https://mail.domain.com.au/EWS/Exchange.asmx
    AdminDisplayName                :
    ExchangeVersion                 : 0.10 (14.0.100.0)
    DistinguishedName               : CN=EWS (DefaultWebSite), CN=HTTP, CN=Protocols, CN=EX01, CN=Servers, CN=Exchange Administrative Group (FYDIBOHF23SPDLT), CN=Administrative Groups,CN=CompanyA,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
    Identity                        : EX01\EWS (Default Web Site)
    Guid                            : fd59fcca-87aa-4c7c-87d9-6ddeef4ca9e9
    ObjectCategory                  : next.lan/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
    ObjectClass                     : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
    WhenChanged                     : 28/03/2014 11:25:50 AM
    WhenCreated                     : 29/12/2013 9:42:33 AM
    WhenChangedUTC                  : 28/03/2014 12:25:50 AM
    WhenCreatedUTC                  : 28/12/2013 10:42:33 PM
    OrganizationId                  :
    OriginatingServer               : DC2.domain.local
    IsValid                         : True
    RunspaceId                      : 12158f4a-101e-45c7-b35a-02c6b5652e41
    CertificateAuthentication       :
    InternalNLBBypassUrl            : https://ex02.domain.local/ews/exchange.asmx
    GzipLevel                       : High
    MRSProxyEnabled                 : False
    MRSProxyMaxConnections          : 100
    Name                            : EWS (Default Web Site)
    InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
    ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
    LiveIdSpNegoAuthentication      : False
    WSSecurityAuthentication        : True
    LiveIdBasicAuthentication       : False
    BasicAuthentication             : True
    DigestAuthentication            : False
    WindowsAuthentication           : True
    MetabasePath                    : IIS://EX02.domain.local/W3SVC/1/ROOT/EWS
    Path                            : C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\exchweb\EWS
    ExtendedProtectionTokenChecking : None
    ExtendedProtectionFlags         :
    ExtendedProtectionSPNList       : {}
    Server                          : EX02
    InternalUrl                     : https://mail.domain.com.au/EWS/Exchange.asmx
    ExternalUrl                     : https://mail.domain.com.au/ews/exchange.asmx
    AdminDisplayName                :
    ExchangeVersion                 : 0.10 (14.0.100.0)
    DistinguishedName               : CN=EWS (Default Web Site), CN=HTTP, CN=Protocols, CN=EX02, CN=Servers, CN=Exchange Administrative Group (FYDIBOHF23SPDLT), CN=Administrative Groups,CN=CompanyA,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
    Identity                        : EX02\EWS (Default Web Site)
    Guid                            : e592adcd-18c2-4c4b-bd89-fca95e9e9622
    ObjectCategory                  : next.lan/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
    ObjectClass                     : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
    WhenChanged                     : 28/03/2014 10:50:54 AM
    WhenCreated                     : 27/03/2014 10:34:27 AM
    WhenChangedUTC                  : 27/03/2014 11:50:54 PM
    WhenCreatedUTC                  : 26/03/2014 11:34:27 PM
    OrganizationId                  :
    OriginatingServer               : DC2.domain.local
    IsValid                         : True

  • 2003/2010 co-existence - is it safe to create recipient policies under 2010?

    I'm pretty sure this won't affect anything, but just want to be 100% sure.
    Exchange 2003/2010 are in co-existence happily working away
    The existing Exchange 2003 recipient policies are a real mess
    To save having to fix them all up, the plan is to just create new ones under Exchange 2010 and scope them to apply for users on 2010
    When all users are moved to 2010, the old ones can be removed which saves having to upgrade them all to 2010 format which is another bonus
    Will creating new recipient policies under 2010 apply to recipients on 2003 or force the 2003 policies to run again somehow against existing users, or can recipient policies under 2010 be set to only apply to users in 2010 using a custom attribute for example
    and when users are moved to 2010 with the custom attribute the policy can be enforced at that time?  All the current policies are set to applied = false under 2003.

    I have experience with messing up in this scenario :) in a 20,000 user environment.
    E-Mail address policies are shared across the Exchange Organization so you will see ones created in 2010 in 2003, although you won't be able to edit those.  Having the 2003 policies set to false means that they haven't been applied in some time and
    it's best not to touch during the migration.  My first step here (after making a mistake) is to disable the Automatic Email Update for all mailboxes.  I can look up how I did this on a mass scale a little later.
    I then created the policies in 2010 to use a custom attribute, as you had suggested, and when mailboxes were migrated over, I made sure those accounts had the Attribute and then checked the box to auto apply the address policy.
    Someone else may have a better answer for you, but this is how I saved my butt in a larger organization.
    Jason Apt, Microsoft Certified Master | Exchange 2010

  • Exchange 2003 -2010 cross forest (NDR 5.4.6)

    Hi.
    Have: Exchange 2003+2010 in the source forest. Exchange 2010 in the target forest.
    Successfully migrated a mailbox to the target forest (in the source forest this mailbox is converted to a mailuser).
    When I try to send e-mail to this mailbox (it's in the target forest) from an Exchange 2003 mailbox I get this:
    A configuration error in the e-mail system caused the message to bounce between two servers or to be forwarded between two recipients.
    If sent from Exchange 2010 (source/target) - all mail is ok.
    If I delete this mailuser (in the source forest) - all is ok.
    x500?
    Please, help.
    Thanks.

    Hi,
    In the error event, 5.4.6 means "Routing loop detected" (RFC1893).
    This issue occurs if the source Exchange organization is authoritative for the target domain. Because the source Exchange organization is responsible for mail delivery to target, the categorizer tries to find locally a recipient for
    that message. The categorizer does not succeed, and then you receive the NDR.
    More details in the following KB:
    You receive an NDR with a 5.4.6 status code when you send a message to a specific domain in Exchange
    http://support.microsoft.com/kb/324732/en-us
    Hope it is the solution.
    Thanks
    Mavis
    Mavis Huang
    TechNet Community Support

  • Exchange 2010 Mail Enabled Distribution Group Won't Receive from External Address

    Let me pre-empt the usual first response: yes, I've unchecked "require that all senders are authenticated" on the Message delivery Restrictions properties of Message Delivery Restrictions. I cannot get a message from an external mail server to
    send to an internal mail-enabled distribution group. It's working internally. I've checked our IronPort and the message is being sent to Exchange (at least I think it is).
    How can I troubleshoot this?!
    tfgeorge

    Ironport is definitely sending this email to exchange. Please read:
    06 Jun 2011 08:53:20 (GMT -05:00)
    Protocol SMTP interface Main Interface (IP Gateway IP) on incoming connection (ICID 17720578) from sender IP 65.54.190.154. Reverse DNS host bay0-omc3-s16.bay0.hotmail.com verified yes.
    06 Jun 2011 08:53:20 (GMT -05:00)
    (ICID 17720578) ACCEPT sender group UNKNOWNLIST match sbrs[-1.0:6.0] SBRS 3.0
    06 Jun 2011 08:53:20 (GMT -05:00)
    Start message 2136865 on incoming connection (ICID 17720578).
    06 Jun 2011 08:53:20 (GMT -05:00)
    Message 2136865 enqueued on incoming connection (ICID 17720578) from [email protected].
    06 Jun 2011 08:53:20 (GMT -05:00)
    Message 2136865 on incoming connection (ICID 17720578) added recipient ([email protected]).
    06 Jun 2011 08:53:20 (GMT -05:00)
    Message 2136865 contains message ID header '<[email protected]>'.
    06 Jun 2011 08:53:20 (GMT -05:00)
    Message 2136865 original subject on injection: TEST
    06 Jun 2011 08:53:20 (GMT -05:00)
    Message 2136865 (1471 bytes) from [email protected] ready.
    06 Jun 2011 08:53:20 (GMT -05:00)
    Message 2136865 matched per-recipient policy DEFAULT for inbound mail policies.
    06 Jun 2011 08:53:20 (GMT -05:00)
    Message 2136865 scanned by Anti-Spam engine: CASE. Interim verdict: Negative
    06 Jun 2011 08:53:20 (GMT -05:00)
    Message 2136865 scanned by Anti-Spam engine CASE. Interim verdict: definitely negative.
    06 Jun 2011 08:53:20 (GMT -05:00)
    Message 2136865 scanned by Anti-Spam engine: CASE. Final verdict: Negative
    06 Jun 2011 08:53:20 (GMT -05:00)
    Message 2136865 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
    06 Jun 2011 08:53:20 (GMT -05:00)
    Message 2136865 scanned by Anti-Virus engine. Final verdict: Negative
    06 Jun 2011 08:53:20 (GMT -05:00)
    Message 2136865 queued for delivery.
    06 Jun 2011 08:53:20 (GMT -05:00)
    SMTP delivery connection (DCID 1658840) opened from IronPort interface 100.100.100.100 to IP address 100.100.100.100 on port 25.
    06 Jun 2011 08:53:20 (GMT -05:00)
    (DCID 1658840) Delivery started for message 2136865 to [email protected].
    06 Jun 2011 08:53:21 (GMT -05:00)
    (DCID 1658840) Delivery details: Message 2136865 sent to [email protected]
    06 Jun 2011 08:53:21 (GMT -05:00)
    Message 2136865 to [email protected] received remote SMTP response '2.6.0 <[email protected]> [InternalId=919833] Queued mail for delivery'.
    tfgeorge

  • Distribution Group manager can't modify group

    Setup
    MS Exchange 2010 version 14.3 (Build 123.4)
    Distribution Group is a Mail Universal Distribution which has less than 20 members total
    There are three managers in the "Managed By" listing.  Of these two can modify the list, the third cannot.  When the third manager tries to modify the list they get the following error:
    The Public Group cannot be displayed.  The connection to Microsoft Exchange is unavailable.  Outlook must be online or connected to complete this action.
    Note: The user is connected to the Exchange environment as evidenced by the "Connected to Microsoft Exchange" in the lower right portion of his Outlook 2010 window.  He is also hardwired into the network,
    i.e. no wireless connection.  He tried going in through OWA and got the same error as above.  
    Any ideas on what I can check to see why this manager cannot modify the list whereas the other two can? 
    nc

    Hi ncouch55,
    If there are multiple GCs in the organization, we could refer to the following link to choose the closest GC for the specific user:
    1). Click Start, and then click Run.
    2). In the Open box, type regedit.exe, and then click OK.
    3). Locate and then click the following key in the registry:
    HKEY_CURRENT_USER\Software\Microsoft\Exchange\Exchange Provider
    Note You may have to create the registry path.
    4). On the Edit menu, click Add Value, and then add the following registry value:
    Value name: GC Server
    Data type: REG_SZ (string)
    Value data: the FQDN of the closest GC server
    5). Quit Registry Editor.
    If the issue persists, we could clear the managers on the distribution group and re-grant permission to the three managers.
    If there are any questions regarding this issue, please feel free to let me know. 
    Best Regards,
    Jim

  • Giving Permissions to specific Distribution Group management for department secretary

    Dear ALL
    In our Exchange 2010 environment we have multiple departmental distribution groups.
    We plan to give management of these distribution group members to each departmental secretary.
    How can we achieve this?
    Kindly help
    Ashraf

    All very valid points! 
    The one thing I'd ask you to think about is whether or not you should change the default role assignment policy.  If this is for a handful of users, create a new Role Assignment policy, tweak that (using the steps below) and then assign your new one
    to these users that need to manage the DGs.
    http://blogs.technet.com/b/rmilne/archive/2013/08/09/allow-users-to-manage-distribution-groups-without-creating-new-ones.aspx
    Cheers,
    Rhoderick
    Microsoft Senior Exchange PFE
    Blog:
    http://blogs.technet.com/rmilne 
    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

  • Custom Distribution Group management role (manager exception)

    My organization is medium size with multiple support groups (15+) that each support a subset of users (350+). I want to create a management role that is scoped so each support group can manage the distribution groups in their respective OU space.
    By manage I mean edit the group membership. I realize I can achieve this with AD permissions but I’d like to achieve this in a way that leverages RBAC so the support groups can use OWA. I also want to leverage RBAC\OWA because not all my support groups are
    technical, some are office admins. Anyways, below is what I’ve tried in my lab scoped to one of my support groups.
    Using the cmdlets below I’ve created a custom management scope, role and group. However, this does not work. While it lets my sales support group view and edit some random attributes on the group, it fails when they try to edit the group membership. In other
    words, they can logon to OWA, click options\see all options\manage your organization\distribution groups\open the group\edit description etc. but when they select “Add…” under membership then select the user and hit ok\save they get the error “you don’t have
    sufficient permissions. this operation can only be performed by a manger of the group”.
    New-ManagementScope -Name "Sales Support DG MScope" -RecipientRestrictionFilter {RecipientType -eq "MailUniversalSecurityGroup"} -RecipientRoot "lab.com/sales"
    New-ManagementRole -Name "Sales Support DG MRole" -Parent "Distribution Groups"
    New-RoleGroup -Name "Sales Support DG MGroup" -Roles "Sales Support DG MRole" -CustomRecipientWriteScope "Sales Support DG MScope"
    When I do as the error asks (i.e. add my support user as a manager of the group via the EMC), then my support user is able to edit the group's membership in OWA. The problem with this solution is that it would require me to add my support users to my role
    group “Sales Support DG MGroup” AND as a manager of the DG and every DG that is created down the line. Not ideal. Any ideas, some RBAC magic I’m missing?
    Below confirms my scope.
    Get-Group -OrganizationalUnit “lab.com/sales” | ?{$_.RecipientType -eq "MailUniversalSecurityGroup"}
    Name     DisplayName  SamAccountName  GroupType
    distro1  distro1      distro1         Universal, SecurityEnabled
    distro2  distro2      distro2         Universal, SecurityEnabled
    distro3  distro3      distro3         Universal, SecurityEnabled
    On a side note, I realize by sourcing my management role off of distribution groups gives me more cmdlets\access than my support group needs (see below). I’m first just trying to get it to work :).
    Get-ManagementRole “Sales Support DG MRole” | Get-ManagementRoleEntry | select name
    Name
    Add-DistributionGroupMember
    Disable-DistributionGroup
    Enable-DistributionGroup
    Get-ADServerSettings
    Get-AcceptedDomain
    Get-DistributionGroup
    Get-DistributionGroupMember
    Get-DomainController
    Get-DynamicDistributionGroup
    Get-Group
    Get-MailUser
    Get-Mailbox
    Get-OrganizationalUnit
    Get-Recipient
    Get-ResourceConfig
    Get-User
    New-DistributionGroup
    New-DynamicDistributionGroup
    Remove-DistributionGroup
    Remove-DistributionGroupMember
    Remove-DynamicDistributionGroup
    Set-ADServerSettings
    Set-DistributionGroup
    Set-DynamicDistributionGroup
    Set-Group
    Set-OrganizationConfig
    Update-DistributionGroupMember
    Write-AdminAuditLog

    Hello,
    I understand that you have created a custom management scope for each group and assigned a custom role to it.
    But whenever a user tries to edit (add/remove membership), it shows the error "you dont have sufficient permissions". I faced a similar problem when we moved from 2007 to 2010; 2010 by default disabled editing options for DL membership.
    You can enable it by graphic mode or PowerShell. Since you have created a custom role, I would suggest you follow the PowerShell mode. I had written a blog on that.
    Check below link. http://exchange2010cmd.blogspot.de/
    You have created the new management role “Sales Support DG MRole”, but you need to assign this role to users/administrators in your case through a role assignment policy.
    You can either use the existing default policy or create a new policy and assign this management role to it.
    Use below cmd: New-ManagementRoleAssignment -Role “Sales Support DG MRole” –Policy “Default Role Assignment Policy”
    NOTE: If you are creating a new policy, place that name instead of the default policy name.
    I recommend you continue with the default policy. After this check with any admin, he should have rights to edit membership.
    Now, regarding your second concern, that your custom role has too many role entries.
    You can remove unwanted role entries.
    Use this cmd: Get-ManagementRoleEntry “Sales Support DG MRole\*” | where{ $_.name –like “Set-distributionGroup” } | remove-managementroleentry
    Before linking the management role to the email policy, remove unwanted role entries from the role.
    I tried to explain it in an easy way, but if it is still not understood, write back to me. I am new to the TechNet forum, I started replying to questions a few days back. If you get your answer, don't forget to propose it as answer.
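
    A least-privilege take on the role trimming discussed in this thread, as an added example that is not part of the original posts: it keeps only read and membership cmdlets in the custom role named in the question, previews the removal with -WhatIf, and then lists who holds the role and with which write scope. The allow-list in $keep is an assumption about what the support groups need; the role and scope names are the ones from the question.

    ```powershell
    # Added example, not from the thread. Run in the Exchange Management Shell.
    $role  = 'Sales Support DG MRole'      # custom role name used in the question
    $scope = 'Sales Support DG MScope'     # custom scope name used in the question

    # Assumption: support staff only need to look up recipients and edit membership.
    $keep = @(
        'Get-DistributionGroup', 'Get-DistributionGroupMember', 'Get-Group',
        'Get-Recipient', 'Get-Mailbox', 'Get-MailUser', 'Get-User',
        'Get-OrganizationalUnit',
        'Add-DistributionGroupMember', 'Remove-DistributionGroupMember',
        'Update-DistributionGroupMember'
    )

    # Every entry currently in the child role that is not on the allow-list.
    $remove = Get-ManagementRoleEntry "$role\*" |
        Where-Object { $keep -notcontains $_.Name }

    # 1. Preview: nothing is changed while -WhatIf is present.
    $remove | Select-Object Name
    $remove | Remove-ManagementRoleEntry -WhatIf

    # 2. Apply once the preview matches what you expect.
    # $remove | Remove-ManagementRoleEntry -Confirm:$false

    # 3. Review what the role can still do.
    Get-ManagementRoleEntry "$role\*" | Select-Object Name

    # 4. Review who holds the role and with which write scope, so an
    #    assignment that is broader than the intended OU stands out.
    Get-ManagementRoleAssignment -Role $role |
        Format-List Name, RoleAssigneeName, RoleAssigneeType,
                    RecipientWriteScope, CustomRecipientWriteScope

    # 5. Confirm the scope still points at the intended root and filter.
    Get-ManagementScope $scope | Format-List Name, RecipientRoot, RecipientFilter
    ```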

  • Exchange 2003 - 2010 Local Mail box move Error

    Hey everyone,
    I have just finished a transition from Microsoft Exchange 2003 to 2010, and I am having problem with moving the Legacy mailboxes over.
    I have managed to move all the mail boxes over bar 2, using the " New local move Request".
    So the problem is just these 2 mail boxes with the same error as below.
    Any Advice?
    Summary: 1 item(s). 0 succeeded, 1 failed.
    Elapsed time: 00:00:39
    Sifiso Mguni
    Failed
    Error:
    Service 'net.tcp://tvt-exchange.vtrust.local/Microsoft.Exchange.MailboxReplicationService' encountered an exception. Error: MapiExceptionLogonFailed: Unable to open message store. (hr=0x80040111, ec=-2147221231)
    Diagnostic context:
        Lid: 18969   EcDoRpcExt2 called [length=131]
        Lid: 27161   EcDoRpcExt2 returned [ec=0x0][length=48][latency=0]
        Lid: 23226   --- ROP Parse Start ---
        Lid: 27962   ROP: ropLogon [254]
        Lid: 17082   ROP Error: 0x80040111
        Lid: 26937 
        Lid: 21921   StoreEc: 0x80040111
        Lid: 31418   --- ROP Parse Done ---
        Lid: 22753 
        Lid: 21817   ROP Failure: 0x80040111
        Lid: 26297 
        Lid: 16585   StoreEc: 0x80040111
        Lid: 32441 
        Lid: 1706    StoreEc: 0x80040111
        Lid: 24761 
        Lid: 20665   StoreEc: 0x80040111
        Lid: 25785 
        Lid: 29881   StoreEc: 0x80040111
    Exception details: MapiExceptionLogonFailed (80040111): MapiExceptionLogonFailed: Unable to open message store. (hr=0x80040111, ec=-2147221231)
    Exchange Management Shell command attempted:
    'vtrust.local/Valley Trust Users/Users/Staff/Sifiso Mguni' | New-MoveRequest -TargetDatabase 'Mailbox Database 0271422377'
    Elapsed Time: 00:00:39

    Hi. I had the same problem while trying to migrate a user from Exchange 2003 to 2010, and the same error appeared. I tried to skip more e-mails in case some failed, but it was not successful.
    Check whether the user has accessed the mailbox at all on Exchange 2003, because if the user hasn't accessed it, it may contain many mails, and when we try to migrate the mailbox, the mailbox size on Exchange 2003 may be greater than on 2010.
    In my case, after much reading, we saw that the user hadn't accessed the mail at all on our Exchange 2003. (Let me know if you need to know how to check whether the user accessed the mail or not, or you can just google it.) So what we did was reset the user's password in Active Directory, because, as you can see, the error is related to a logon failure.
    This solved the issue for me. Can you check this way?
    Thanks

  • Exchange 2003/2010 Coexistence - User login Issue

    Hello
    We have deployed Exchange 2010 SP3 in coexistence with 2003 and created connectors.
    Both 2003 and 2010 users are not able to log in to 2010 OWA, and the error shows that the username/PW is wrong, although they are working on OWA 2003 perfectly.
    When I add the same user to the local admin group on the Ex2010 server, it works fine with email send/receive. I am confused, please suggest what I am missing... Regards
    Waseem

    Hello
    This is the error that occurred during that time.
    SACL Watcher servicelet encountered an error while monitoring SACL change.
    Got error 1722 opening group policy on system SERVER.DOMAIN in domain MYDOMAIN.
    Event ID 6003
    Source : MSExchange SACL Watcher
    I am not sure if it's related to this problem.
    Secondly, I have also tested running the "Microsoft Exchange Active Directory Topology Service" with a new user having all the rights of the Exchange & AD groups, but it gives the error that it can't run the dependency services. Currently this service is running with the local account rights.
    I just added the test users (moved from 2003 and a new user created in 2010) to the local admin group and it works fine. Please give any idea what the problem may be, in rights or something else?
    Regards
    Waseem

  • Providing voicemail in a trusted-domain Exchange 2003 - 2010 upgrade

    As a result of a merger, we are upgrading from Exchange 2003 in the same domain as a Unity 5.0 server to an Exchange 2010 server in a trusted domain in a different forest.  The Exchange 2003 server is still up, but mailboxes are being moved to the 2010 server.  The goal of getting Unity to somehow deliver voicemail to the users who have been moved to the 2010 server in the other domain is only temporary, as we will be replacing our on-premises system with a hosted solution in a couple of months.  So I'm looking for something quick, but it doesn't have to be elegant or permanent.
    As Unity cannot connect to a partner Exchange server in a different forest, I see the most likely options as:
    1. Move Unity to the new domain.  Wanted to see how easy it would be to do this, as Cisco recommends that the same version of Unity be installed on a server in the new domain as is currently running the server in the old domain.  I believe I have the original install disks, but can't speak to whether or not upgrades have been applied to the current (old) server since it went in 5 years ago.
    2. Convert current subscribers into "Internet Subscribers" - This is not currently working, I believe, because Unity's partner server is the 2003 server, which lives in the same domain as the Unity server, but is also a part of the same Exchange group as the 2010 server in the new domain.  When I create an "internet subscriber", I'm creating a contact with an email address that already exists in the domain.
    For 1., Cisco says I have to install the same version of Unity in the new domain and then restore the database to it.  Would I need to roll back items like the Engineering Special that I just installed?  As long as the install disk is for 5.0(1) and the server's currently running 5.0(1), am I OK?
    For 2., Is it possible to do anything with Internet subscribers?  This seems like it would be easier, but also seems like it's not working because of the fact that the partner server is not recognizing addresses for the Internet subscribers as external.
    Any assistance or insights would be greatly appreciated.
    Kevin

    Hi,
    We can move the mailbox from Exchange 2003 to Exchange 2010 as a linked mailbox in Exchange 2010. The moved mailbox would be a disabled User Object which is linked to a separate enabled user object in an Account Forest (Exchange 2003 forest).
    We can use the Prepare-MoveRequest.ps1 script in the Shell to prepare the cross-forest mailbox moves:
    https://technet.microsoft.com/en-us/library/ee861103(v=exchg.141).aspx
    Then we can create a remote legacy move request to move the mailbox:
    https://technet.microsoft.com/en-us/library/dd876952(v=exchg.141).aspx
    Additionally, for more information about migration from Exchange 2003 to Exchange 2010, please read:
    http://blogs.technet.com/b/schadinio/archive/2010/08/11/exchange-2010-cross-forest-mailbox-moves.aspx
    Regards,
    Winnie Liang
    TechNet Community Support

  • Exchange 2003 - 2010. Moving public folders one at a time

    Hi all,
    I'm in the process of decommissioning our old Exchange 2003 server (long overdue after what has been a relatively smooth and trouble-free transition to 2010). As the first step in the decommissioning process, I'm looking to move the public folders from the 2003 box to the 2010 box. From my understanding there are a couple of ways to achieve this (please correct me if I'm wrong). The first is to add the Exchange 2010 server as a new replication partner, allow for replication of the PFs to occur, and then remove the 2003 partner from the replication partnership. The other option is to use MoveAllReplicas.ps1.
    I opted for the first option, but the problem I have is that the initial replication process started to generate a very large number of transaction logs on the Exchange 2010 server, to the point I was slightly concerned I was going to run out of space on the volume (our server is backed up nightly, at which point the transaction logs are normally flushed). Whilst I know I could potentially increase the size of the volume or turn on circular logging for the duration of the migration (neither of which is appealing as it will involve downtime), I was wondering if there was a way to move a smaller set of public folders one at a time with a PowerShell command, or is it an all-or-nothing operation? My other option may be to replicate a small subset of folders every day, but that's just a little painful as there are a large number of child folders within the structure. Any other suggestions welcome!
    Many thanks,
    Rob

    Hi,
    If your Public Folder Database is large, you can use a tool like ExFolders or ESM to add replicas folder by folder.
    A related article for your reference:
    http://careexchange.in/moving-public-folders-from-exchange-2003-to-exchange-2010/
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    And it is recommended to replicate public folders outside business hours.
    Best regards,
    Belinda Ma
    TechNet Community Support

  • Namespace for Exchange 2003 == 2010 == 2013 Migration

    Hi
    Hope someone can help.  I am working on an Exchange 2003 to 2010 migration, which will then quickly move onto a 2010 to 2013 migration and need some clarification on the namespaces to use.  I am aware that if I do not do this right at the 2003 to 2010 migration, this will cause a headache at the 2010 to 2013 migration.
    Some background:
    2003 Functional Level Domain - 2 x 2008 DC's
    Currently users are on a 2003 exchange cluster with a mix of RPC (internal users) and RPC over HTTP connections (roaming users)
    We will be installing Exchange 2010 on a single server, with CAS, HUB and Mailbox roles and no load balancer, as we will be moving quickly to 2013.
    We have two Kemp load balancers ready for Exchange 2013.
    Exchange 2010 is installed on a single server (exh2010.domain.local) and configured with a CAS array name (exh-cas.domain.local) which is resolvable internally only.
    Currently we have multiple smtp namespaces e.g. @company.com, @company2.com.
    Our main website etc is www.company.com
    Our public facing services are at https://service.mycompany.com
    Our 2003 RPC address is https://webmail.mycompany.com
    I understand that the 2010 RPC CAS array name should be separated from the Outlook Anywhere (RPC over HTTPS) address so that when 2013 takes over the HTTPS address, the RPC connections are not broken.
    Two Questions:
    1. Do we have to use the same HTTPS namespace for 2013 as we do in 2010?  It's just that I would want to test the Kemp load balancers before making them live (slow, careful transition), and giving them a different namespace, e.g. https://mail.mycompany.com, would allow a migration rather than a cutover.
    2. Can we use the *.mycompany.com address rather than the company.com address, even though we have no SMTP addresses at mycompany.com?  Can autodiscover still work?
    Thanks in advance for any guidance
    Cheers
    Steve

    1. No, but you can.  Exchange 2013 will proxy all services for Exchange 2010, so if you set up everything right, you should be able to simply swing the name from Exchange 2010 to 2013.
    2. Your web services can be published with any domain as long as the hostname is in the certificate.  Only Autodiscover needs to match the e-mail domain(s).  So in your example, you could publish OWA, ECP, ActiveSync, Web Services and OAB at owa.mycompany.com.  You would need autodiscover.company.com, autodiscover.company2.com, etc., but if you don't have e-mail addresses with mycompany.com, you don't need autodiscover.mycompany.com.  If all users have a company.com e-mail address, then you only need autodiscover.company.com as long as users know to enter that e-mail address when configuring profiles on PCs or devices.  If you're going to have to have Autodiscover for multiple domains, then you might consider using an SRV record instead because it can greatly simplify your certificate requirements.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
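
The certificate-name reasoning in the answer above, worked through as an added PowerShell example that is not part of the original thread: it derives the hostnames a certificate must carry from a set of SMTP addresses and checks them against the certificate's names, including the one-label wildcard rule. The function names, the sample addresses and the assumption that the SRV record targets the published service host are illustrative.

```powershell
# Added example: function names and sample data are constructed for illustration.

function Test-NameCoveredByCert {
    # True when $HostName matches one certificate name. A wildcard covers exactly
    # one left-most label: *.a.com matches x.a.com, not a.com or x.y.a.com.
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -ieq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)      # e.g. ".mycompany.com"
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-RequiredCertName {
    # Hostnames the certificate must carry for the given SMTP addresses.
    # Assumption: with -UseSrvRecord, each e-mail domain has an _autodiscover._tcp
    # SRV record pointing at $ServiceHost, so no autodiscover.<domain> name is needed.
    param([string[]]$SmtpAddress, [string]$ServiceHost, [switch]$UseSrvRecord)
    $names = @($ServiceHost)
    if (-not $UseSrvRecord) {
        $domains = $SmtpAddress | ForEach-Object { ($_ -split '@')[-1].ToLower() } | Sort-Object -Unique
        $names += @($domains | ForEach-Object { "autodiscover.$_" })
    }
    return $names
}

# Constructed sample input, using the domains from the question
$addresses = 'steve@company.com', 'ann@company2.com', 'bob@company.com'
$certNames = '*.mycompany.com'

foreach ($mode in $false, $true) {
    $required = Get-RequiredCertName -SmtpAddress $addresses -ServiceHost 'owa.mycompany.com' -UseSrvRecord:$mode
    foreach ($n in $required) {
        New-Object PSObject -Property @{
            SrvRecord = $mode; Name = $n
            Covered   = Test-NameCoveredByCert -HostName $n -CertNames $certNames
        }
    }
}
```

With host-record Autodiscover, the wildcard covers the published service host but neither autodiscover name for the e-mail domains; with the SRV approach, only the service host has to be on the certificate.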
