Exchange 2003/2010 Co-Existence - Distribution Group Management
We're running both Exchange 2010 and Exchange 2003. I have an issue where some distribution groups were upgraded to Exchange 2010 (v14.0.100) and the managers of those lists who are on Exchange 2003 can no longer modify members; they get the error:
"Changes to the distribution list membership cannot be saved. You do not have sufficient permission to perform this operation on this object".
We've already implemented the myDistributionGroupsManagement role with success to allow Exchange 2010 users to manage their own list without allowing them to create new ones.
http://blogs.technet.com/b/exchange/archive/2009/11/18/3408844.aspx
Trying to apply the "Default Role Policy Assignment" to the Exchange 2003 users returns an error. Is there any way Exchange 2003 users can manage the Exchange 2010 distribution lists they own without being upgraded to Exchange 2010? If not, is there any way to downgrade distribution groups to Exchange 2003 once they've been upgraded?
Hi,
From my lab, a legacy Exchange user can manage a distribution group which has been upgraded to Exchange 2010.
Exchange 2010 sp2, Exchange 2003 with sp2.
I can add/remove member for distribution group from address book via outlook.
Xiu Zhang
TechNet Community Support
Similar Messages
-
Exchange 2003-2010 co-existence environment
I have an Exchange 2003-2010 co-existence environment.
Everything works fine except the weird issue below. I tried to re-create the routing group connector but the issue is the same.
My issue is very simple,The mail flow as below:
exchange 2003 to outside............
exchange 2010 to outside ...........works
exchange 2010 to 2003 ...............works
exchange 2003 to 2010................is not
Hi Huzefa,
Can you try creating a new bidirectional RGConnector and check?
New-RoutingGroupConnector -Name "NameOfRG" -SourceTransportServers "Ex2010.contoso.com" -TargetTransportServers "Ex2003.contoso.com" -Cost 10 -Bidirectional $true -PublicFolderReferralsEnabled $true
http://technet.microsoft.com/en-us/library/aa997292(v=exchg.141).aspx
Thanks, MAS
Please mark as helpful if you find my comment helpful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. -
Exchange 2003 /2010 Co-existence plus 2010 migration to new hardware
Hi,
Here is our current scenario;
Exchange 2003/2010 co-existence. This has been running perfectly for a couple of months now.
Exchange 2003 - exch1.domain.lan
Exchange 2010 (SP3) - exch2.domain.lan (local domain name) / mail.domain.com.au (external domain name)
ActiveSync, autodiscover, legacy etc are all working. Our UAC certificate from GoDaddy has all the required names for exch2 - except it doesn't have the local domain name as they don't allow certificates with that anymore. I've configured all the required
services to be the external domain name and am running split DNS.
The first Exchange 2010 server I installed was lower spec'd and only has about 25 users on it. I now need to install a second Exchange 2010 server (exch3.domain.local), which is properly spec'd and will host the entire company. I won't be running DAG as
I need to repurpose the first Exchange 2010 server once it's removed.
My high level questions are;
1) Should I migrate everyone off Exchange 2003 onto Exchange 2010, decommission the 2003 server, and then install the second 2010 server? OR
2) Should I install the second Exchange 2010 server, migrate everyone from the first Exchange 2010 server, decommission that one, then do the migration from 2003 to 2010?
OR does it matter which way I do it?
I've read what I can find about installing the second Exchange 2010 server into the organisation. It seems to be pretty simple at first. Just install Exchange 2010 with HT, mailbox and CAS roles which will automatically configure it into the same Exchange
organisation.
1) Do I configure CAS to be externally facing right from the get go or do I do that later?
2) As soon as I install the second Exchange 2010 server, will I encounter any mail flow problems? Will mail be trying to flow out of the second Exchange 2010 server as well as the first?
In regards to SSL, so obviously the second Exchange 2010 server will have a different local domain name than the first, but ultimately, I want it to have the same external domain name, eg mail.domain.com.au. As my certificate doesn't contain any local domain
names, can I export the certificate from exch1 and import it into exch2, or should I just generate a new CSR from exch2 and get GoDaddy to reissue it?
OR should I look at creating a CAS Array from exch1 and adding exch2 to it. (I don't fully understand the workings of this at the moment).
Any guidance on the above is helpful.
Thanks.
Steve
Hi Steve, I will try my best to answer each of these
My high level questions are;
1) Should I migrate everyone off Exchange 2003 onto Exchange 2010, decommission the 2003 server, and then install the second 2010 server? OR
2) Should I install the second Exchange 2010 server, migrate everyone from the first Exchange 2010 server, decommission that one, then do the migration from 2003 to 2010?
OR does it matter which way I do it?
Doesn't matter at all. Since you want to move to new hardware you can set up a new CAS/HUB/Mailbox server. Once installed, start migrating the mailboxes from Exchange 2003 to this mailbox server. This way you will not have to redo the migration from 2010 to the new 2010 server -- like you mentioned in 1) it will save you a lot of time and repeating the procedure.
I've read what I can find about installing the second Exchange 2010 server into the organisation. It seems to be pretty simple at first. Just install Exchange 2010 with HT, mailbox and CAS roles which will automatically configure it into the same Exchange organisation.
1) Do I configure CAS to be externally facing right from the get go or do I do that later?
Keep your existing 2010 internet facing for now. Once you finished migrating the mailboxes then you will need to do it.
2) As soon as I install the second Exchange 2010 server, will I encounter any mail flow problems? Will mail be trying to flow out of the second Exchange 2010 server as well as the first?
Mail will not flow to the secondary server unless you add that server as a source server in the transport.
In regards to SSL, so obviously the second Exchange 2010 server will have a different local domain name than the first, but ultimately, I want it to have the same external domain name, eg mail.domain.com.au. As my certificate doesn't contain any local domain
names, can I export the certificate from exch1 and import it into exch2, or should I just generate a new CSR from exch2 and get GoDaddy to reissue it?
You can always export the certificate and then import it to the newly installed Exchange 2010.
OR should I look at creating a CAS Array from exch1 and adding exch2 to it. (I don't fully understand the workings of this at the moment).
You will only need to set up the CAS array if you are going to use both servers, which can be done later.
Hope that helps
Where Technology Meets Talent -
Exchange 2003 - 2010 Co-existence Migration Autodiscover & OAB Issue
Hi,
I am in the middle of a Ex2003 to Ex2010 Migration initially through co-existence. Everything has been working perfectly for the last couple of months.
The first Ex2010 server I installed (EX01.domain.local) was just a temporary server that hosted a handful of users that were imported from another company.
I have since installed a second Ex2010 server (EX02.domain.local), which will be the permanent 2010 server. The end result will be 1 Ex2010 server only, after I have migrated everyone off EX01 and the 2003 server.
EX01 and EX02 both have the Mailbox, CAS, & HT roles installed.
I created the mailbox and Public Folder databases on EX02. I have assigned the Public Folder database to the mailbox database.
I added EX02 as a Source Server within Hub Transport.
I've exported the UC/SAN certificate from EX01 and imported it into EX02 and assigned the SMTP, IIS, POP & IMAP services to it.
I setup the legacy URL for OWA.
I changed the relevant settings on EX02, eg OWA, ECP, ActiveSync, OAB, AutoDiscoverServiceInternalUri etc to be external domain name that is listed on the certificate, eg mail.domain.com.au. (The SSL certificate is through GoDaddy and they do not allow you
to put any internal domain names on the certificate).
So before I installed the second Ex2010 server, everything was working correctly.
After I installed the second Ex2010 server and performed the steps above, I have noticed a couple of things;
1) The Autodiscovery test within Outlook works for mailboxes that have been migrated to either of the Ex2010 servers, but fails for mailboxes that are still on the Ex2003 server. It finds the correct URL, https://mail.domain.com.au/Autodiscover/Autodiscover.xml,
and brings back an HTTP status of 200. However, it says it then fails with (0x800C8203). I tested with Outlook 2003 and 2010. They both fail.
2) OAB fails to download for clients whose mailbox is still on the Ex2003 server. It fails with (0x8004010F - The operation failed. An object cannot be found). It works for clients with mailboxes on either of the 2010 servers.
I'm going around in circles reading numerous articles on trying to fix autodiscover. Using Microsoft's MRCA site, autodiscovery works externally for clients on the Ex2010 servers, but not on the 2003 servers, (which I thought was how it worked anyway as
autodiscovery doesn't work on Ex2003).
Is this the same for internal users. I'm not sure if I'm chasing my tail by trying to fix something that doesn't need fixing, but obviously the OAB should work.
Any suggestions are grateful.
Thanks.
Steve
Output from get-webservicesvirtualdirectory | fl
RunspaceId : 12158f4a-101e-45c7-b35a-02c6b5652e41
CertificateAuthentication :
InternalNLBBypassUrl : https://ex01.domain.local/ews/exchange.asmx
GzipLevel : High
MRSProxyEnabled : False
MRSProxyMaxConnections : 100
Name : EWS (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
LiveIdSpNegoAuthentication : False
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
MetabasePath : IIS://EX01.domain.local/W3SVC/1/ROOT/EWS
Path : C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\exchweb\EWS
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags :
ExtendedProtectionSPNList : {}
Server : EX01
InternalUrl : https://mail.domain.com.au/ews/exchange.asmx
ExternalUrl : https://mail.domain.com.au/EWS/Exchange.asmx
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
DistinguishedName : CN=EWS (DefaultWebSite), CN=HTTP, CN=Protocols, CN=EX01, CN=Servers, CN=Exchange Administrative Group (FYDIBOHF23SPDLT), CN=Administrative Groups,CN=CompanyA,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
Identity : EX01\EWS (Default Web Site)
Guid : fd59fcca-87aa-4c7c-87d9-6ddeef4ca9e9
ObjectCategory : next.lan/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
WhenChanged : 28/03/2014 11:25:50 AM
WhenCreated : 29/12/2013 9:42:33 AM
WhenChangedUTC : 28/03/2014 12:25:50 AM
WhenCreatedUTC : 28/12/2013 10:42:33 PM
OrganizationId :
OriginatingServer : DC2.domain.local
IsValid : True
RunspaceId : 12158f4a-101e-45c7-b35a-02c6b5652e41
CertificateAuthentication :
InternalNLBBypassUrl : https://ex02.domain.local/ews/exchange.asmx
GzipLevel : High
MRSProxyEnabled : False
MRSProxyMaxConnections : 100
Name : EWS (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
LiveIdSpNegoAuthentication : False
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
MetabasePath : IIS://EX02.domain.local/W3SVC/1/ROOT/EWS
Path : C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\exchweb\EWS
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags :
ExtendedProtectionSPNList : {}
Server : EX02
InternalUrl : https://mail.domain.com.au/EWS/Exchange.asmx
ExternalUrl : https://mail.domain.com.au/ews/exchange.asmx
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
DistinguishedName : CN=EWS (Default Web Site), CN=HTTP, CN=Protocols, CN=EX02, CN=Servers, CN=Exchange Administrative Group (FYDIBOHF23SPDLT), CN=Administrative Groups,CN=CompanyA,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
Identity : EX02\EWS (Default Web Site)
Guid : e592adcd-18c2-4c4b-bd89-fca95e9e9622
ObjectCategory : next.lan/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
WhenChanged : 28/03/2014 10:50:54 AM
WhenCreated : 27/03/2014 10:34:27 AM
WhenChangedUTC : 27/03/2014 11:50:54 PM
WhenCreatedUTC : 26/03/2014 11:34:27 PM
OrganizationId :
OriginatingServer : DC2.domain.local
IsValid : True -
2003/2010 co-existence - is it safe to create recipient policies under 2010?
I'm pretty sure this won't affect anything, but just want to be 100% sure.
Exchange 2003/2010 are in co-existence happily working away
The existing Exchange 2003 recipient policies are a real mess
To save having to fix them all up, the plan is to just create new ones under Exchange 2010 and scope them to apply for users on 2010
When all users are moved to 2010, the old ones can be removed which saves having to upgrade them to all to 2010 format which is another bonus
Will creating new recipient policies under 2010 apply to recipients on 2003 or force the 2003 policies to run again somehow against existing users, or can recipient policies under 2010 be set to only apply to users in 2010 using a custom attribute for example, and when users are moved to 2010 with the custom attribute the policy can be enforced at that time? All the current policies are set to applied = false under 2003.
I have experience with messing up in this scenario :) in a 20,000 user environment.
E-Mail address policies are shared across the Exchange Organization so you will see ones created in 2010 in 2003, although you won't be able to edit those. Having the 2003 policies set to false means that they haven't been applied in some time and it's best not to touch them during the migration. My first step here (after making a mistake) is to disable the Automatic Email Update for all mailboxes. I can look up how I did this on a mass scale a little later.
I then created the policies in 2010 to use a custom attribute, as you had suggested, and when mailboxes were migrated over, I made sure those accounts had the Attribute and then checked the box to auto apply the address policy.
Someone else may have a better answer for you, but this is how I saved my butt in a larger organization.
Jason Apt, Microsoft Certified Master | Exchange 2010
My Blog -
Exchange 2003 -2010 cross forest (NDR 5.4.6)
Hi.
I have: Exchange 2003+2010 in the source forest, Exchange 2010 in the target forest.
I successfully migrated a mailbox to the target forest (in the source forest this mailbox was converted to a mail user).
When I try to send e-mail to this mailbox (it's in the target forest) from an Exchange 2003 mailbox, I get this:
A configuration error in the e-mail system caused the message to bounce between two servers or to be forwarded between two recipients.
If I send from Exchange 2010 (source/target), all mail is OK.
If I delete this mail user (in the source forest), everything is OK.
x500?
Please, help.
Thanks.
Hi,
In the error event, 5.4.6 means "Routing loop detected" (RFC1893).
This issue occurs if the source Exchange organization is authoritative for the target domain. Because the source Exchange organization is responsible for mail delivery to target, the categorizer tries to find locally a recipient for
that message. The categorizer does not succeed, and then you receive the NDR.
More details in the following KB:
You receive an NDR with a 5.4.6 status code when you send a message to a specific domain in Exchange
http://support.microsoft.com/kb/324732/en-us
Hope it is the solution.
Thanks
Mavis
Mavis Huang
TechNet Community Support -
Exchange 2010 Mail Enabled Distribution Group Won't Receive from External Address
Let me pre-empt the usual first response: yes, I've unchecked "require that all senders are authenticated" on the Message delivery Restrictions properties of Message Delivery Restrictions. I cannot get a message from an external mail server to
send to an internal mail-enabled distribution group. It's working internally. I've checked our IronPort and the message is being sent to Exchange (at least I think it is).
How can I troubleshoot this?!
tfgeorge
IronPort is definitely sending this email to Exchange. Please read:
06 Jun 2011 08:53:20 (GMT -05:00)
Protocol SMTP interface Main Interface (IP Gateway IP) on incoming connection (ICID 17720578) from sender IP 65.54.190.154. Reverse DNS host bay0-omc3-s16.bay0.hotmail.com verified yes.
06 Jun 2011 08:53:20 (GMT -05:00)
(ICID 17720578) ACCEPT sender group UNKNOWNLIST match sbrs[-1.0:6.0] SBRS 3.0
06 Jun 2011 08:53:20 (GMT -05:00)
Start message 2136865 on incoming connection (ICID 17720578).
06 Jun 2011 08:53:20 (GMT -05:00)
Message 2136865 enqueued on incoming connection (ICID 17720578) from
[email protected].
06 Jun 2011 08:53:20 (GMT -05:00)
Message 2136865 on incoming connection (ICID 17720578) added recipient ([email protected]).
06 Jun 2011 08:53:20 (GMT -05:00)
Message 2136865 contains message ID header '<[email protected]>'.
06 Jun 2011 08:53:20 (GMT -05:00)
Message 2136865 original subject on injection: TEST
06 Jun 2011 08:53:20 (GMT -05:00)
Message 2136865 (1471 bytes) from
[email protected] ready.
06 Jun 2011 08:53:20 (GMT -05:00)
Message 2136865 matched per-recipient policy DEFAULT for inbound mail policies.
06 Jun 2011 08:53:20 (GMT -05:00)
Message 2136865 scanned by Anti-Spam engine: CASE. Interim verdict: Negative
06 Jun 2011 08:53:20 (GMT -05:00)
Message 2136865 scanned by Anti-Spam engine CASE. Interim verdict: definitely negative.
06 Jun 2011 08:53:20 (GMT -05:00)
Message 2136865 scanned by Anti-Spam engine: CASE. Final verdict: Negative
06 Jun 2011 08:53:20 (GMT -05:00)
Message 2136865 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
06 Jun 2011 08:53:20 (GMT -05:00)
Message 2136865 scanned by Anti-Virus engine. Final verdict: Negative
06 Jun 2011 08:53:20 (GMT -05:00)
Message 2136865 queued for delivery.
06 Jun 2011 08:53:20 (GMT -05:00)
SMTP delivery connection (DCID 1658840) opened from IronPort interface 100.100.100.100 to IP address 100.100.100.100 on port 25.
06 Jun 2011 08:53:20 (GMT -05:00)
(DCID 1658840) Delivery started for message 2136865 to
[email protected].
06 Jun 2011 08:53:21 (GMT -05:00)
(DCID 1658840) Delivery details: Message 2136865 sent to
[email protected]
06 Jun 2011 08:53:21 (GMT -05:00)
Message 2136865 to
[email protected] received remote SMTP response '2.6.0 <[email protected]> [InternalId=919833] Queued mail for delivery'.
tfgeorge -
Distribution Group manager can't modify group
Setup
MS Exchange 2010 version 14.3 (Build 123.4)
Distribution Group is a Mail Universal Distribution which has less than 20 members total
There are three managers in the "Managed By" listing. Of these two can modify the list, the third cannot. When the third manager tries to modify the list they get the following error:
The Public Group cannot be displayed. The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action.
Note: The user is connected to the Exchange environment as evidenced by the "Connected to Microsoft Exchange" in the lower right portion of his Outlook 2010 window. He is also hardwired into the network,
i.e. no wireless connection. He tried going in through OWA and got the same error as above.
Any ideas on what I can check to see why this manager cannot modify the list whereas the other two can?
nc
Hi ncouch55,
If there are multiple GCs in the organization, we could refer to the following steps to choose the closest GC for the specific user:
1). Click Start, and then click Run.
2). In the Open box, type regedit.exe, and then click OK.
3). Locate and then click the following key in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Exchange\Exchange Provider
Note You may have to create the registry path.
4). On the Edit menu, click Add Value, and then add the following registry value:
Value name: GC Server
Data type: REG_SZ (string)
Value data: the FQDN of the closest GC server
5). Quit Registry Editor.
If the issue persists, we could clear the managers on the distribution group and re-grant permission to the three managers.
If there are any questions regarding this issue, please feel free to let me know.
Best Regards,
Jim -
Giving Permissions to specific Distribution Group management for department secretary
Dear ALL
In our exchange 2010 environment we have multiple departmental distribution group.
We plan to give management of these distribution group members to each departmental secretary.
How can we achieve this?
Kindly help
Ashraf
All very valid points!
The one thing I'd ask you to think about is whether or not you should change the default role assignment policy. If this is for a handful of users, create a new Role Assignment policy, tweak that (using the steps below) and then assign your new one
to these users that need to manage the DGs.
http://blogs.technet.com/b/rmilne/archive/2013/08/09/allow-users-to-manage-distribution-groups-without-creating-new-ones.aspx
Cheers,
Rhoderick
Microsoft Senior Exchange PFE
Blog:
http://blogs.technet.com/rmilne
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose. -
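The approach in the reply above (a separate role assignment policy for the few users who manage groups, rather than a change to the default policy), as an added example that is not from the thread or the linked blog. The child role name is the one mentioned earlier on this page; the policy name, the mailbox identities and the list of end-user roles placed in the new policy are assumptions to adjust for your organisation.

```powershell
# Added example (not the poster's or Microsoft's script).
# Run in the Exchange Management Shell on Exchange 2010.

$childRole = 'MyDistributionGroupsManagement'    # role name used earlier on this page
$policy    = 'DG Managers Policy'                # hypothetical policy name
$managers  = 'secretary.sales', 'secretary.hr'   # hypothetical mailbox identities
$blocked   = 'New-DistributionGroup', 'Remove-DistributionGroup'

# 1. Derive a child of the built-in end-user role. A child role can only hold
#    entries its parent has, so it can never grant more than the parent does.
#    Skip steps 1 and 2 if the role already exists in your organisation.
New-ManagementRole -Name $childRole -Parent 'MyDistributionGroups'

# 2. Strip the entries that let a user create or delete groups.
foreach ($cmdlet in $blocked) {
    Remove-ManagementRoleEntry -Identity "$childRole\$cmdlet" -Confirm:$false
}

# 3. Build a dedicated policy instead of editing the default one, so every
#    other mailbox keeps its current rights. The role list is an assumption:
#    mirror whatever your default policy grants, minus MyDistributionGroups.
New-RoleAssignmentPolicy -Name $policy `
    -Roles 'MyBaseOptions', 'MyContactInformation', 'MyDistributionGroupMembership', $childRole

# 4. Move only the designated group managers onto the new policy.
foreach ($m in $managers) {
    Set-Mailbox -Identity $m -RoleAssignmentPolicy $policy
}

# 5. Verify: no create/delete entries remain in the child role ...
$leftover = Get-ManagementRoleEntry "$childRole\*" |
    Where-Object { $blocked -contains $_.Name }
if ($leftover) {
    Write-Warning "Role still allows: $(($leftover | ForEach-Object { $_.Name }) -join ', ')"
}

# ... the role is assigned only where expected ...
Get-ManagementRoleAssignment -Role $childRole |
    Format-Table Name, RoleAssigneeName, RoleAssigneeType -AutoSize

# ... and each manager is on the policy and owns the groups they should edit.
# The role only applies to groups where the user is listed in ManagedBy.
foreach ($m in $managers) {
    Get-Mailbox -Identity $m | Format-List Name, RoleAssignmentPolicy
    Get-DistributionGroup -ManagedBy $m | Format-Table Name, ManagedBy -AutoSize
}
```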
Custom Distribution Group management role (manager exception)
My organization is medium size with multiple support groups (15+) that each support a subset of users (350+). I want to create a management role that is scoped so each support group can manage the distribution groups in their respective OU space.
By manage I mean edit the group membership. I realize I can achieve this with AD permissions but I’d like to achieve this in a way that leverages RBAC so the support groups can use OWA. I also want to leverage RBAC\OWA because not all my support groups are
technical, some are office admins. Anyways, below is what I’ve tried in my lab scoped to one of my support groups.
Using the cmdlets below I’ve created a custom management scope, role and group. However, this does not work. While it lets my sales support group view and edit some random attributes on the group, it fails when they try to edit the group membership. In other
words, they can logon to OWA, click options\see all options\manage your organization\distribution groups\open the group\edit description etc. but when they select “Add…” under membership then select the user and hit ok\save they get the error “you don’t have
sufficient permissions. this operation can only be performed by a manager of the group”.
New-ManagementScope -Name "Sales Support DG MScope" -RecipientRestrictionFilter {RecipientType -eq "MailUniversalSecurityGroup"} -RecipientRoot "lab.com/sales"
New-ManagementRole -Name "Sales Support DG MRole" -Parent "Distribution Groups"
New-RoleGroup -Name "Sales Support DG MGroup" -Roles "Sales Support DG MRole" -CustomRecipientWriteScope "Sales Support DG MScope"
When I do as the error asks (i.e. add my support user as a manager of the group via the EMC), then my support user is able to edit the group's membership in OWA. The problem with this solution is that it would require me to add my support users to my role
group “Sales Support DG MGroup” AND as a manager of the DG and every DG that is created down the line. Not ideal. Any ideas, some RBAC magic I’m missing?
Below confirms my scope.
Get-Group -OrganizationalUnit "lab.com/sales" | ?{$_.RecipientType -eq "MailUniversalSecurityGroup"}
Name DisplayName SamAccountName GroupType
distro1 distro1 distro1 Universal, SecurityEnabled
distro2 distro2 distro2 Universal, SecurityEnabled
distro3 distro3 distro3 Universal, SecurityEnabled
On a side note, I realize by sourcing my management role off of distribution groups gives me more cmdlets\access than my support group needs (see below). I’m first just trying to get it to work :).
Get-ManagementRole “Sales Support DG MRole” | Get-ManagementRoleEntry | select name
Name
Add-DistributionGroupMember
Disable-DistributionGroup
Enable-DistributionGroup
Get-ADServerSettings
Get-AcceptedDomain
Get-DistributionGroup
Get-DistributionGroupMember
Get-DomainController
Get-DynamicDistributionGroup
Get-Group
Get-MailUser
Get-Mailbox
Get-OrganizationalUnit
Get-Recipient
Get-ResourceConfig
Get-User
New-DistributionGroup
New-DynamicDistributionGroup
Remove-DistributionGroup
Remove-DistributionGroupMember
Remove-DynamicDistributionGroup
Set-ADServerSettings
Set-DistributionGroup
Set-DynamicDistributionGroup
Set-Group
Set-OrganizationConfig
Update-DistributionGroupMember
Write-AdminAuditLog
Hello,
I understand that you have created a custom management scope for each group and assigned a custom role to it.
But whenever a user tries to edit (add/remove membership), it shows the error "you don't have sufficient permissions". I faced a similar problem when we moved from 2007 to 2010; 2010 by default disables editing options for DL membership.
You can enable it in graphical mode or PowerShell. Since you have created a custom role, I would suggest that you follow the PowerShell mode. I have written a blog on that.
Check the link below. http://exchange2010cmd.blogspot.de/
You have created the new management role "Sales Support DG MRole", but you need to assign this role to users/administrators, in your case through a role assignment policy.
You can either use the existing default policy or create a new policy and assign this management role to it.
Use the cmd below: New-ManagementRoleAssignment -Role "Sales Support DG MRole" -Policy "Default Role Assignment Policy"
NOTE: If you are creating a new policy, use that name instead of the default policy name.
I recommend you continue with the default policy. After this, check with any admin; he should have rights to edit membership.
Now, regarding your second concern, that your custom role has too many role entries:
You can remove unwanted role entries.
Use this cmd: Get-ManagementRoleEntry "Sales Support DG MRole\*" | where { $_.Name -like "Set-DistributionGroup" } | Remove-ManagementRoleEntry
Before linking the management role to the email policy, remove unwanted role entries from the role.
I tried to explain it in an easy way, but if it is still not understood, write back to me. I am new to the TechNet forum; I started replying to questions a few days back. If you get your answer, don't forget to propose it as answer. -
Exchange 2003 - 2010 Local Mail box move Error
Hey everyone,
I have just finished a transition from Microsoft Exchange 2003 to 2010, and I am having problem with moving the Legacy mailboxes over.
I have managed to move all the mail boxes over bar 2, using the " New local move Request".
So the problem is just these 2 mail boxes with the same error as below.
Any Advice?
Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:39
Sifiso Mguni
Failed
Error:
Service 'net.tcp://tvt-exchange.vtrust.local/Microsoft.Exchange.MailboxReplicationService' encountered an exception. Error: MapiExceptionLogonFailed: Unable to open message store. (hr=0x80040111, ec=-2147221231)
Diagnostic context:
Lid: 18969 EcDoRpcExt2 called [length=131]
Lid: 27161 EcDoRpcExt2 returned [ec=0x0][length=48][latency=0]
Lid: 23226 --- ROP Parse Start ---
Lid: 27962 ROP: ropLogon [254]
Lid: 17082 ROP Error: 0x80040111
Lid: 26937
Lid: 21921 StoreEc: 0x80040111
Lid: 31418 --- ROP Parse Done ---
Lid: 22753
Lid: 21817 ROP Failure: 0x80040111
Lid: 26297
Lid: 16585 StoreEc: 0x80040111
Lid: 32441
Lid: 1706 StoreEc: 0x80040111
Lid: 24761
Lid: 20665 StoreEc: 0x80040111
Lid: 25785
Lid: 29881 StoreEc: 0x80040111
Exception details: MapiExceptionLogonFailed (80040111): MapiExceptionLogonFailed: Unable to open message store. (hr=0x80040111, ec=-2147221231)
Diagnostic context:
Lid: 18969 EcDoRpcExt2 called [length=131]
Lid: 27161 EcDoRpcExt2 returned [ec=0x0][length=48][latency=0]
Lid: 23226 --- ROP Parse Start ---
Lid: 27962 ROP: ropLogon [254]
Lid: 17082 ROP Error: 0x80040111
Lid: 26937
Lid: 21921 StoreEc: 0x80040111
Lid: 31418 --- ROP Parse Done ---
Lid: 22753
Lid: 21817 ROP Failure: 0x80040111
Lid: 26297
Lid: 16585 StoreEc: 0x80040111
Lid: 32441
Lid: 1706 StoreEc: 0x80040111
Lid: 24761
Lid: 20665 StoreEc: 0x80040111
Lid: 25785
Lid: 29881 StoreEc: 0x80040111
Exchange Management Shell command attempted:
'vtrust.local/Valley Trust Users/Users/Staff/Sifiso Mguni' | New-MoveRequest -TargetDatabase 'Mailbox Database 0271422377'
Elapsed Time: 00:00:39
Hi. I had the same problem while trying to migrate a user from Exchange 2003 to 2010, and the same error as you have appeared. I tried to skip more e-mails in case some fail but couldn't get it to succeed.
Check if the user has accessed the mail at all on Exchange 2003, because if the user didn't access it, it may contain many mails and when we try to migrate the mailbox, the mailbox size on Exchange 2003 may be greater than on the 2010.
In my case, after much reading, we saw that the user didn't access the mail at all on our Exchange 2003. (Let me know if you need to know how you can check if the user accessed the mail or not, or you can just google it.) So what we did is we just reset the user password in Active Directory, because as you can see the error is related to Logon Failure.
This solved the issue for me. Can you check this way?
Thanks -
Exchange 2003/2010 Coexistence - User login Issue
Hello
We have deployed Exchange 2010 SP3 in coexistence with 2003 and created connectors.
Both 2003 and 2010 users are not able to log in on 2010 OWA; the error shows that the username/PW is wrong, although they are working on OWA 2003 perfectly.
When I add the same user to the local admin group on the Ex2010 server, it works fine with email send/receive. I am confused, please suggest what I am missing....
Regards
Waseem
Hello
This is the error that occurred during that time.
SACL Watcher servicelet encountered an error while monitoring SACL change.
Got error 1722 opening group policy on system SERVER.DOMAIN in domain MYDOMAIN.
Event ID 6003
Source : MSExchange SACL Watcher
I am not sure if it's related to this problem.
Secondly, I have also tested running the "Microsoft Exchange Active Directory Topology Service" with a new user having all the rights of Exchange & AD groups, but it gives the error that it can't run the dependency services. Currently this service is running with the local account rights.
I just added the test users (moved from 2003 and a new user created in 2010) to the local admin group and it works fine. Please give any idea what may be the problem, in rights or something else?
Regards
Waseem -
Providing voicemail in a trusted-domain Exchange 2003 - 2010 upgrade
As a result of a merger, we are upgrading from Exchange 2003 in the same domain as a Unity 5.0 server to an Exchange 2010 server in a trusted domain in a different forest. The Exchange 2003 server is still up, but mailboxes are being moved to the 2010 server. The goal of getting Unity to somehow deliver voicemail to the users who have been moved to the 2010 server in the other domain is only temporary, as we will be replacing our on-premises system with a hosted solution in a couple of months. So I'm looking for something quick, but it doesn't have to be elegant or permanent.
As Unity cannot connect to a partner Exchange server in a different forest, I see the most likely options as:
1. Move Unity to the new domain. Wanted to see how easy it would be to do this, as Cisco recommends that the same version of Unity be installed on a server in the new domain as is currently running the server in the old domain. I believe I have the original install disks, but can't speak to whether or not upgrades have been applied to the current (old) server since it went in 5 years ago.
2. Convert current subscribers into "Internet Subscribers" - This is not currently working, I believe, because Unity's partner server is the 2003 server, which lives in the same domain as the Unity server, but is also a part of the same Exchange group as the 2010 server in the new domain. When I create an "internet subscriber", I'm creating a contact with an email address that already exists in the domain.
For 1., Cisco says I have to install the same version of Unity in the new domain and then restore the database to it. Would I need to roll back items like the Engineering Special that I just installed? As long as the install disk is for 5.0(1) and the server's currently running 5.0(1), am I OK?
For 2., Is it possible to do anything with Internet subscribers? This seems like it would be easier, but also seems like it's not working because of the fact that the partner server is not recognizing addresses for the Internet subscribers as external.
Any assistance or insights would be greatly appreciated.
Kevin
Hi,
We can move the mailbox from Exchange 2003 to Exchange 2010 as a linked mailbox in Exchange 2010. The moved mailbox would be a disabled User Object which is linked to a separate enabled user object in an Account Forest (Exchange 2003 forest).
We can use the Prepare-MoveRequest.ps1 script in the Shell to prepare the cross-forest mailbox moves:
https://technet.microsoft.com/en-us/library/ee861103(v=exchg.141).aspx
Then we can create a remote legacy move request to move mailbox:
https://technet.microsoft.com/en-us/library/dd876952(v=exchg.141).aspx
Additionally, for more information about migration from Exchange 2003 to Exchange 2010, please read:
http://blogs.technet.com/b/schadinio/archive/2010/08/11/exchange-2010-cross-forest-mailbox-moves.aspx
Regards,
Winnie Liang
TechNet Community Support
-
Exchange 2003 - 2010. Moving public folders one at a time
Hi all,
I'm in the process of decommissioning our old Exchange 2003 server (long overdue after what has been a relatively smooth and trouble free transition to 2010). As the first step in the decommissioning process, I'm looking to move the public folders from the 2003 box to the 2010 box. From my understanding there are a couple of ways to achieve this (please correct me if I'm wrong). The first is to add the Exchange 2010 server as a new replication partner, allow for replication of the PFs to occur, and then remove the 2003 partner from the replication partnership. The other option is to use MoveAllReplicas.ps1.
I opted for the first option, but the problem I have is that the initial replication process started to generate a very large number of transaction logs on the Exchange 2010 server, to the point I was slightly concerned I was going to run out of space on the volume (our server is backed up nightly at which point the transaction logs are normally flushed). Whilst I know I could potentially increase the size of the volume or turn on circular logging for the duration of the migration (neither of which is appealing as it will involve down time), I was wondering if there was a way to move a smaller set of Public folders one at a time with a powershell command, or is it an all or nothing operation? My other option may be to replicate a small subset of folders every day, but that's just a little painful as there are a large number of child folders within the structure. Any other suggestions welcome!
Many thanks,
Rob
Hi,
If your Public Folder Database is large, you can use a tool like Exfolders or ESM to add replicas folder by folder.
A related article for your reference.
http://careexchange.in/moving-public-folders-from-exchange-2003-to-exchange-2010/
Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
And it is recommended to replicate public folders off business hours.
Best regards,
Belinda Ma
TechNet Community Support
-
Namespace for Exchange 2003 == 2010 == 2013 Migration
Hi
Hope someone can help. I am working on an Exchange 2003 to 2010 migration, which will then quickly move onto a 2010 to 2013 migration and need some clarification on the namespaces to use. I am aware that if I do not do this right at the 2003 to 2010 migration, this will cause a headache at the 2010 to 2013 migration.
Some background:
2003 Functional Level Domain - 2 x 2008 DC's
Currently users are on a 2003 exchange cluster with a mix of RPC (internal users) and RPC over HTTP connections (roaming users)
We will be installing Exchange 2010 on a single server, with CAS, HUB and Mailbox roles and no load balancer, as we will be moving quickly to 2013.
We have two Kemp load balancers ready for Exchange 2013.
Exchange 2010 is installed on a single server (exh2010.domain.local) and configured with a CAS array name (exh-cas.domain.local) which is resolvable internally only.
Currently we have multiple smtp namespaces e.g. @company.com, @company2.com.
Our main website etc is www.company.com
Our public facing services are at https://service.mycompany.com
Our 2003 RPC address is https://webmail.mycompany.com
I understand that the 2010 RPC CAS array name should be separated from the Outlook Anywhere (RPC over HTTPS) address so that when 2013 takes over the HTTPS address, the RPC connections are not broken.
Two Questions:
1. Do we have to use the same HTTPS namespace for 2013 as we do in 2010? It's just I would want to test the Kemp load balancers before making them live (slow careful transition), and giving them a different namespace, e.g. https://mail.mycompany.com would allow a migration, rather than a cutover.
2. Can we use the *.mycompany.com address rather than the company.com address, even though we have no SMTP addresses at mycompany.com? Can autodiscover still work?
Thanks in advance for any guidance
Cheers
Steve
1. No, but you can. Exchange 2013 will proxy all services for Exchange 2010, so if you set up everything right, you should be able to simply swing the name from Exchange 2010 to 2013.
2. Your web services can be published with any domain as long as the hostname is in the certificate. Only Autodiscover needs to match the e-mail domain(s). So in your example, you could publish OWA, ECP, ActiveSync, Web Services and OAB at owa.mycompany.com. You would need autodiscover.company.com, autodiscover.company2.com, etc., but if you don't have e-mail addresses with mycompany.com, you don't need autodiscover.mycompany.com. If all users have a company.com e-mail address, then you only need autodiscover.company.com as long as users know to enter that e-mail address when configuring profiles on PCs or devices. If you're going to have to have Autodiscover for multiple domains, then you might consider using an SRV record instead because it can greatly simplify your certificate requirements.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
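The certificate consequence of the answer above, worked through for the host and SMTP domains named in this thread. This is an added example, not part of the original posts; the function names and the sample SAN list are assumptions constructed for illustration.

```python
# Added example: which names the HTTPS certificate must cover for the
# namespace plan in this thread, with and without an Autodiscover SRV record.

def required_cert_names(web_host, smtp_domains, use_srv):
    """Host names clients reach over HTTPS, so the certificate must cover them.

    A/CNAME approach: one autodiscover.<domain> per SMTP domain.
    SRV approach: _autodiscover._tcp.<domain> points at web_host, so only
    web_host is contacted over HTTPS.
    """
    names = {web_host.lower()}
    if not use_srv:
        names.update("autodiscover." + d.lower() for d in smtp_domains)
    return names

def srv_records(web_host, smtp_domains):
    """DNS SRV records (zone-file syntax) that replace the autodiscover.* hosts."""
    return [f"_autodiscover._tcp.{d}. IN SRV 0 0 443 {web_host}."
            for d in smtp_domains]

def san_covers(san, host):
    """True if one certificate SAN entry covers host.

    A wildcard stands for exactly one left-most label, so *.mycompany.com
    covers owa.mycompany.com but not a.b.mycompany.com or mycompany.com.
    """
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == san[2:]
    return san == host

def missing_names(cert_sans, required):
    """Required names that no SAN entry covers (clients would see a name mismatch)."""
    return sorted(n for n in required
                  if not any(san_covers(s, n) for s in cert_sans))

# Values from the thread; the SAN list is a constructed sample certificate.
WEB_HOST = "owa.mycompany.com"
SMTP_DOMAINS = ["company.com", "company2.com"]
SAMPLE_SANS = ["*.mycompany.com"]

if __name__ == "__main__":
    for use_srv in (False, True):
        need = required_cert_names(WEB_HOST, SMTP_DOMAINS, use_srv)
        print("SRV" if use_srv else "A/CNAME", "missing:",
              missing_names(SAMPLE_SANS, need))
    print("\n".join(srv_records(WEB_HOST, SMTP_DOMAINS)))
```

A wildcard for mycompany.com alone leaves both autodiscover names uncovered in the A/CNAME layout, while the SRV layout needs nothing beyond the web services host.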