Exchange 2010 Resource '(Mdb)MailboxDatabase001' is unhealthy and shouldn't be accessed.
Hi Everyone
We are getting the below error on all 3 of our mailbox databases when the msexchange assistant runs, we do have retention policies in place but everything in EMC says that all databases are healthy but this event says otherwise.
Service MSExchangeMailboxAssistants. 'Managed Folder Mailbox Assistant' failed to process mailbox john smith(58d9d22a-8b87-45cf-9f77-9c009a675575). The following exception caused the failure: Microsoft.Exchange.Assistants.TransientMailboxException --->
Microsoft.Exchange.Data.Directory.ResourceHealth.ResourceUnhealthyException: Resource '(Mdb)MailboxDatabase001' is unhealthy and shouldn't be accessed.
at Microsoft.Exchange.MailboxAssistants.Assistants.ELC.ELCHealthMonitor.InternalThrottleStoreCall(MdbResourceHealthMonitorKey optionalAlternateDatabase)
at Microsoft.Exchange.MailboxAssistants.Assistants.ELC.ElcSubAssistant.ThrottleStoreCallAndCheckForShutdown(ExchangePrincipal mailboxOwner, MdbResourceHealthMonitorKey archiveKey)
at Microsoft.Exchange.MailboxAssistants.Assistants.ELC.MailboxExpirationEnforcer.ProcessFolderContents(StoreId folderId, ItemQueryType itemQueryType)
at Microsoft.Exchange.MailboxAssistants.Assistants.ELC.MailboxExpirationEnforcer.CollectItemsToExpireInNonIpm()
at Microsoft.Exchange.MailboxAssistants.Assistants.ELC.SysCleanupEnforcerBase.CollectItemsToExpire()
at Microsoft.Exchange.MailboxAssistants.Assistants.ELC.MailboxExpirationEnforcer.Invoke()
at Microsoft.Exchange.MailboxAssistants.Assistants.ELC.SysCleanupEnforcerManager.Invoke(MailboxDataForTags mailboxDataForTags, ElcParameters parameters)
at Microsoft.Exchange.MailboxAssistants.Assistants.ELC.SysCleanupSubAssistant.Invoke(MailboxSession mailboxSession, MailboxDataForTags& mailboxDataForTags, ElcParameters parameters)
at Microsoft.Exchange.MailboxAssistants.Assistants.ELC.ELCAssistant.<>c__DisplayClass6.<InvokeInternal>b__0()
at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(TryDelegate tryDelegate, FilterDelegate filterDelegate, CatchDelegate catchDelegate)
at Microsoft.Exchange.MailboxAssistants.Assistants.ELC.ELCAssistant.InvokeInternal(InvokeArgs invokeArgs)
at Microsoft.Exchange.MailboxAssistants.Assistants.TimeBasedAssistant.Invoke(InvokeArgs invokeArgs)
at Microsoft.Exchange.Assistants.TimeBasedDatabaseJob.<>c__DisplayClass5.<ProcessMailboxUnderPoisonControl>b__3()
at Microsoft.Exchange.Assistants.Util.<>c__DisplayClass1.<CoreCatchMeIfYouCan>b__0()
--- End of inner exception stack trace ---
at Microsoft.Exchange.Assistants.Util.TraceAndThrow(CatchMe function, AIException aiException)
at Microsoft.Exchange.Assistants.Util.CatchMeIfYouCan(CatchMe function)
at Microsoft.Exchange.Assistants.Base.CatchMeIfYouCan(CatchMe function)
at Microsoft.Exchange.Assistants.TimeBasedDatabaseJob.ProcessMailboxUnderPoisonControl(MailboxData mailbox, EmergencyKit kit)
Please help...
Hi,
From your description, I recommend you restart the Microsoft Exchange Mailbox Assistants service and check the result. If the issue persists, you need to re-configure the managed folder mailbox policy for the mailbox and then restart the Microsoft Exchange Mailbox Assistants service.
Hope this can be helpful to you.
Best regards,
Amy Wang
TechNet Community Support
Similar Messages
-
Can't move Exchange 2003 mailbox to Exchange 2010 Resource forest (Linked Mailbox)
Problem Description:
Can’t move Exchange 2003 mailbox to Exchange 2010 resource forest
Error message:
Failed to reconnect to Active Directory server SRVUMVMDC02.umfolozi.local. Make sure the server is available, and that you have used the correct credentials.
Source Environment Configuration:
Active Directory
FQDN: umfolozi.local
Domain name (pre-Windows 2000): UMFOLOZI
Domain Function Level: Windows Server 2003
Domain Controllers:
Hostname | OS | Operation Master
SRVUMVMDC01.umfolozi.local | Windows Server 2008 R2 Standard SP1 | Schema Master, Domain Naming, RID, PDC
SRVUMVMDC01.umfolozi.local | Windows Server 2008 R2 Standard SP1 | Infrastructure
Exchange
Version: Microsoft Exchange 2003 Standard SP2 Build 7638.2
Server Information:
Hostname | OS
TUSKUMFMAIL.umfolozi.local | Windows Server 2003 R2 SP2
DNS Zones
Zone Name | Zone Type | Domain Controllers
umfolozi.local | Active Directory-Integrated (Primary) | SRVUMVMDC01.umfolozi.local, SRVUMVMDC01.umfolozi.local
peermont.com | Secondary | SRVPGVMDC01.peermont.com, SRVPGVMDC02.peermont.com
Trusts
Domain Name | Trust Type | Transitive | Validated
peermont.com | Forest | Yes | Yes
Target Environment Configuration:
Active Directory
FQDN: peermont.com
Domain name (pre-Windows 2000): PG
Domain Functional Level: Windows Server 2008 R2
Domain Controllers:
Hostname | OS | Operation Master
SRVPGVMDC01.peermont.com | Windows Server 2008 R2 Std SP1 |
SRVPGVMDC02.peermont.com | Windows Server 2008 R2 Std SP1 | Domain naming, RID, PDC, Infrastructure, Schema Master
Exchange
Resource Exchange Forest
Server Information:
Hostname | OS | Role | Version | Client Access Array
SRVPGVMEXCH01.peermont.com | Windows Server 2012 Std | HUB, CAS | Version 14.3 (Build 123.4) | exchange.peermont.com
SRVPGVMEXCH02.peermont.com | Windows Server 2012 Std | HUB, CAS | Version 14.3 (Build 123.4) | exchange.peermont.com
Hostname | OS | Role | Version | Database Availability Group
SRVPGVMEXCH03.peermont.com | Windows Server 2012 Std | MBX | Version 14.3 (Build 123.4) | PeermontDAG
SRVPGVMEXCH04.peermont.com | Windows Server 2012 Std | MBX | Version 14.3 (Build 123.4) | PeermontDAG
DNS Zones
Zone Name | Zone Type | Domain Controllers
peermont.com | Active Directory-Integrated (Primary) | SRVPGVMDC01.peermont.com, SRVPGVMDC02.peermont.com
umfolozi.local | Secondary | SRVUMVMDC01.umfolozi.local, SRVUMVMDC01.umfolozi.local
Trusts
Domain Name | Trust Type | Transitive | Validated
umfolozi.local | Forest | Yes | Yes
Migration Process
Task | Description | Successful/Error
1 | SYNC AD Domain account from source forest (umfolozi.local) to target forest (peermont.com) using BinaryTree SMART Directory Sync (ADMT can be used as alternative) | Successful
2 | Create mail-enabled user | Successful
3 | Run Prepare-MoveRequest with -OverWriteLocalObject | Successful
Command Example:
.\Prepare-MoveRequest.ps1 -Identity [email protected] -RemoteForestDomainController SRVUMVMDC01.umfolozi.local -RemoteForestCredential $RemoteCredentials -UseLocalObject -LocalForestDomainController SRVPGVMDC01.peermont.com -LocalForestCredential $LocalCredentials -OverWriteLocalObject
4 | Submit mailbox request | Error
Command Example:
New-MoveRequest -Identity "0fa7d17e-3637-4708-a51b-f14eaae17968" -BadItemLimit "50" -TargetDeliveryDomain "internal.peermont.com" -TargetDatabase "{c5d6ea95-07b3-4a52-9868-e41e808a76fe}" -RemoteCredential (Get-Credential "umfolozi\svcmigration") -RemoteGlobalCatalog "SRVUMVMDC02.umfolozi.local" -RemoteLegacy:$True
All the standard migration tasks work as expected until the mailbox migration move request is submitted. See move request verbose detail below:
[PS] C:\Windows\system32>New-MoveRequest -Identity "0fa7d17e-3637-4708-a51b-f14eaae17968" -BadItemLimit "50" -TargetDeli
veryDomain "internal.peermont.com" -TargetDatabase "{c5d6ea95-07b3-4a52-9868-e41e808a76fe}" -RemoteCredential (Get-Crede
ntial "umfolozi\svcmigration") -RemoteGlobalCatalog "SRVUMVMDC02.umfolozi.local" -RemoteLegacy:$True -Verbose
VERBOSE: [11:34:27.346 GMT] New-MoveRequest : Active Directory session settings for 'New-MoveRequest' are: View Entire
Forest: 'False', Default Scope: 'peermont.com', Configuration Domain Controller: 'SRVPGVMDC02.peermont.com', Preferred
Global Catalog: 'SRVPGVMDC02.peermont.com', Preferred Domain Controllers: '{ SRVPGVMDC02.peermont.com }'
VERBOSE: [11:34:27.362 GMT] New-MoveRequest : Runspace context: Executing user: peermont.com/Admin/Users/Admin
Accounts/Information Technology/SoarSoft/Johann Van Schalkwyk, Executing user organization: , Current organization: ,
RBAC-enabled: Enabled.
VERBOSE: [11:34:27.362 GMT] New-MoveRequest : Beginning processing &
VERBOSE: [11:34:27.362 GMT] New-MoveRequest : Instantiating handler with index 0 for cmdlet extension agent "Admin
Audit Log Agent".
WARNING: When an item can't be read from the source database or it can't be written to the destination database, it
will be considered corrupted. By specifying a non-zero BadItemLimit, you are requesting that Exchange not copy such
items to the destination mailbox. At move completion, these corrupted items won't be available in the destination
mailbox.
VERBOSE: [11:34:27.362 GMT] New-MoveRequest : Searching objects "{c5d6ea95-07b3-4a52-9868-e41e808a76fe}" of type
"MailboxDatabase" under the root "$null".
VERBOSE: [11:34:27.362 GMT] New-MoveRequest : Previous operation run on domain controller 'SRVPGVMDC02.peermont.com'.
VERBOSE: [11:34:27.393 GMT] New-MoveRequest : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient Write
Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclusive Recipient Scope(s):
{}, Exclusive Configuration Scope(s): {} }
VERBOSE: [11:34:27.393 GMT] New-MoveRequest : Searching objects "0fa7d17e-3637-4708-a51b-f14eaae17968" of type "ADUser"
under the root "$null".
VERBOSE: [11:34:27.471 GMT] New-MoveRequest : Previous operation run on domain controller 'SRVPGVMDC02.peermont.com'.
VERBOSE: [11:34:27.471 GMT] New-MoveRequest : Processing object "$null".
VERBOSE: [11:34:27.487 GMT] New-MoveRequest : [DEBUG] No RequestJob messages found.
VERBOSE: [11:34:27.487 GMT] New-MoveRequest : [DEBUG] MDB c5d6ea95-07b3-4a52-9868-e41e808a76fe found to belong to Site:
peermont.com/Configuration/Sites/Peermont
VERBOSE: [11:34:27.487 GMT] New-MoveRequest : [DEBUG] MRSClient: attempting to connect to 'SRVPGVMEXCH02.peermont.com'
VERBOSE: [11:34:27.627 GMT] New-MoveRequest : [DEBUG] MRSClient: connected to 'SRVPGVMEXCH02.peermont.com', version
14.3.178.0 caps:07
VERBOSE: [11:34:27.627 GMT] New-MoveRequest : [DEBUG] Loading source mailbox info
VERBOSE: [11:34:28.844 GMT] New-MoveRequest : Failed to reconnect to Active Directory server
SRVUMVMDC02.umfolozi.local. Make sure the server is available, and that you have used the correct credentials. --> A
local error occurred.
VERBOSE: [11:34:28.844 GMT] New-MoveRequest : Admin Audit Log: Entered Handler:OnComplete.
Failed to reconnect to Active Directory server SRVUMVMDC02.umfolozi.local. Make sure the server is available, and that
you have used the correct credentials.
+ CategoryInfo : NotSpecified: (0:Int32) [New-MoveRequest], RemoteTransientException
+ FullyQualifiedErrorId : F48FD74B,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest
+ PSComputerName : srvpgvmexch02.peermont.com
VERBOSE: [11:34:28.859 GMT] New-MoveRequest : Ending processing &
Troubleshooting Performed
1. When submitting mailbox move request tried the following credential inputs:
1.1. DOMAIN\Username
1.2. FQDN\Username
1.3. userPrincipalName
2. Confirmed domain trust between source and target domain is in place and validated.
3. Confirmed name resolution in source and target domain is functioning as expected.
4. Confirmed network connectivity between source and target domain controllers as well as source and target exchange servers.
5. Tried to create new Linked Mailbox to account in source forest, can’t select Global Catalogue via the wizard;
Tried to specify the credentials for the account forest and got the following error when tried to select Global Catalog from wizard:
The error talks about the credential. Did you check the credential?
Did you try this command?
New-MoveRequest -Identity "Distinguished name of User in Target Forest" -RemoteLegacy -TargetDatabase "E2K10 Mailbox Database Name" -RemoteGlobalCatalog "FQDN of Source DC" -RemoteCredential $Remote -TargetDeliveryDomain "Target domain name"
http://blogs.technet.com/b/exchange/archive/2010/08/10/3410619.aspx
Cheers,
Gulab Prasad
Technology Consultant
-
How can i get the following done:
Exchange 2010 disconnect AD user from mailbox and reconnect the mailbox to a new copy of the same user with a different username?
I must do this for 16 users TODAY, SO PLEASE HELP ME OUT HERE.
Thanks in advance!!
kind regards,
Rene Veldman
System Administrator Teidem bv, The Netherlands.
Rene,
Why are you not changing the username of the existing account, instead of deleting the existing one and creating a new one?
If you truly need to delete and create new, you can save the GUID for the mailbox (Get-MailboxStatistics <mailbox alias> | Fl MailboxGuid), mail disable the existing account (Disable-Mailbox <mailbox alias> will work), clean the mailbox database it was hosted on (Clean-MailboxDatabase <database name>), then create your new account and recover the existing mailbox to that new account (Connect-Mailbox -Identity <Guid from before> -Database <Database name> -User <SAM account name of new account> -Alias <what you wish to set the alias to>). In PowerShell, for all steps, you would do the following:
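# Values to supply before running (the new AD account must already exist)
$MbxAlias = "<mailbox alias>"
$NewMbxAcct = "<SAM Account Name for new account>"
$NewMbxAlias = "<new alias for mailbox>"
# Pin every step to the logon domain controller so replication delay does not matter
$DomCtrl = (dir env:\LOGONSERVER).Value.Substring(2)
# Record the mailbox GUID and database before the mailbox is disconnected
$MbxGuid = (Get-MailboxStatistics $MbxAlias -DomainController $DomCtrl).MailboxGuid
$MbxDb = (Get-Mailbox $MbxAlias -DomainController $DomCtrl).Database
Disable-Mailbox $MbxAlias -DomainController $DomCtrl
# Rescan the database so the disconnected mailbox becomes visible
Clean-MailboxDatabase $MbxDb
Connect-Mailbox -Identity $MbxGuid -Database $MbxDb -User $NewMbxAcct -Alias $NewMbxAlias -DomainController $DomCtrl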
You will need to supply the information in bold in the above commands, and you will need to create the new account before you run the above commands. I include direct use of a specific domain controller so you won't need to worry about replication.
If you are changing the account from one domain to another, this will not help, and you will need to wait for replication throughout the process, running the commands individually. -
Exchange 2010 - Resource Mailbox won't send external notification email
Exchange 2010 with SP1. These mailboxes used to respond to outside booking requests, when we were running Exchange 2007. I've verified that -ProcessExternalMeetingMessages is set to $true. The mailbox responds to internal requests with an email.
All users are allowed to make "Resource In-Policy Requests".
I've tried booking from an email address that was setup as a Contact in Exchange - still no luck.
Any ideas?
Thanks.
Martin
Agency
Could you share what settings did you use for SMTP connectors?
I have tried:
Authentication – Externally Secured
Permission Group – Exchange Servers
I can send emails via these connectors, but Room Mailbox still deletes requests from external sender.
Both organizations have Exch 2010 sp3 RU6, and AD forest 2008R2 level. -
Exchange 2010 Resource Forest - Autodiscover
Environment:
Account Forest (No Exchange server installed)
Resource Forest (Exchange 2010 SP3)
I understand that a SCP record can be created in the account forest using the following command: Export-AutoDiscoverConfig -DomainController <FQDN> -TargetForestDomainController <String> -TargetForestCredential $a -MultipleExchangeDeployments $true
Questions:
1. Do I need to prep the schema in the Account Forest to create the relevant Exchange configuration before running Export-AutoDiscoverConfig?
2. Is the switch MultipleExchangeDeployments $true needed? Technet states that it's only needed if both forests contain Exchange but also states it's needed for multiple accepted email domains? (which we do have)
http://technet.microsoft.com/en-us/library/aa998832(v=exchg.141).aspx
3. Can this change be backed out. i.e. can the SCP record be removed by using ADSI edit.
Thanks in advance
Hi,
Here are my answers you can refer to:
1. It depends.
If Exchange deployment has two or more trusted forests, you must update Active Directory so that Outlook users in one forest can access the CAS servers in the remote (or target) forest to use the Autodiscover service. To do this, we must extend the schema in the user forest by running Exchange 2010 Setup with the /PrepareAD or /PrepareSchema switch, and then run the Export-AutodiscoverConfig cmdlet in the resource forest that contains the Client Access servers that provide the Autodiscover service against the target forests.
If you do not want to extend the schema in the user forest, you can update DNS in the user forest with a host record that points to the internal IP address of the Client Access server in the resource forest where Autodiscover is hosted.
For more information, you can refer to the following article:
http://www.testlabs.se/blog/2010/11/06/configuring-the-autodiscover-service-for-multiple-forests/
Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make
sure that you completely understand the risk before retrieving any suggestions from the above link.
2. It isn’t needed in your environment.
When the parameter MultipleExchangeDeployments is set to TRUE you will tell the forests that you have multiple Exchange forests. The parameter will also export the accepted domains which are defined in the Exchange environment.
3. SCP record can be removed by using ADSI edit:
On your account domain, open adsiedit.msc, locate the SCP records in
CN=Autodiscover,CN=Protocols,CN=<CAS_SERVER>,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=<ORG>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
For more information, you can refer to the following thread:
http://social.technet.microsoft.com/Forums/exchange/en-US/a06686ec-f1dc-4738-b4c5-76c41088e145/configuring-autodiscover-in-resource-forest?forum=exchangesvrdeploylegacy
If you have any question, please feel free to let me know.
Thanks,
Angela Shi
TechNet Community Support -
Exchange 2010: Resource mailbox not sending conflict notification
Hi,
I configured meeting room mailbox on exchange 2010, and I configured it to not allow conflict reservation.
I tried to send two meeting requests at the same time and it accepted both.
Please advise.
I have the same issue as above, "Resource mailbox not sending conflict notifications", and ran the command as suggested but no luck.
Set-CalendarProcessing -Identity "Conf 212" -AutomateProcessing AutoAccept
Here are the mailroom settings:
AutomateProcessing : AutoAccept
AllowConflicts : False
BookingWindowInDays : 180
MaximumDurationInMinutes : 1440
AllowRecurringMeetings : True
EnforceSchedulingHorizon : True
ScheduleOnlyDuringWorkHours : False
ConflictPercentageAllowed : 0
MaximumConflictInstances : 0
ForwardRequestsToDelegates : True
DeleteAttachments : True
DeleteComments : True
RemovePrivateProperty : True
DeleteSubject : False
AddOrganizerToSubject : False
DeleteNonCalendarItems : True
TentativePendingApproval : True
EnableResponseDetails : True
OrganizerInfo : True
AllBookInPolicy : False
RequestInPolicy : {}
AllRequestInPolicy : True
AddAdditionalResponse : False
AdditionalResponse :
RemoveOldMeetingMessages : True
AddNewRequestsTentatively : True
ProcessExternalMeetingMessages : False
RemoveForwardedMeetingNotifications : False
Any help would be greatly appreciated.
Thai -
Exchange 2010 add new email address space and additional smtp address to all recipients
HI
Our company is being bought and we need to change the email address for every recipient within the business group/user.
I have added the new domain to the Accepted Domains and have confirmed that if I manually change a users smtp address that mail flow works and the postmaster account receives email.
looking in the E-mail address policies section within the EMC we currently have 2 polices one for the current company policy call company.co.uk with a priority 1 and one called Default policy.
when I try to edit these I get a warning message which states that this policy was created with an earlier version of exchange I have looked on our exchange 2003 environment and have found the polices and can edit them.
Now my questions are
1. should I create the policy on the exchange 2003 environment or 2010
2. if I create a new policy on the exchange 2010 environment what will happen to the old addresses?
3. I must be able to preserve the old addresses and must make the new address space the primary address?
if anyone could help with the steps required or if there are any gotcha to avoid.
thanks
1. should I create the policy on the exchange 2003 environment or 2010
You have to create in Exchange2010
2. if I create a new policy on the exchange 2010 environment what will happen to the old addresses?
Email address policy will change the email address if applied immediately except for the users who have the "Automatically update email addresses based on e-mail address policy" option turned on
You will get the list of users with "Automatically update email addresses based on e-mail address policy" option turned off by the below command.
Get-Mailbox -ResultSize Unlimited | Where {$_.EmailAddressPolicyEnabled -eq $False}
3. I must be able to preserve the old addresses and must make the new address space the primary address?
Yes but you can keep only one as replying address.
Please keep both address in the email address policy to preserve old email address to the users.
If you want an autoreply, then use a hub transport rule in Exchange an Outlook rule and allow auto-replies to the internet. (auto-replies to the outside network is not a good idea)
Here is a similar case
http://exchangeserverpro.com/email-address-policies-in-mixed-exchange-20032007-organisations/
Thanks, MAS
-
Same CAS Array Exchange 2010 (HLB), with OS Windows 2008R2 and Windows 2012.
Hello,
We have a 10 node DAG (Exchange 2010 SP3, Windows 2008 R2), with 2 CasArray.
We are planning to add new (multirole) servers and create a new DAG (Exchange 2010 SP3, Windows 2012) in this infra, in the same AD site, to migrate all mailboxes from the other DAG (Migration from virtual servers to physical servers).
So we use the same CasArray (HLB, with F5) with different OS versions, during the migration time (1 month or more). I haven't found anything that says it's not supported or can be problematic.
Have you feedback or advice?
Thanks,
Sébastien
Hi,
Based on my knowledge, there is no need to deploy a CAS array with CAS servers running on the same Windows version. The version can be different.
After a Client Access server array is defined within an Active Directory site, all Client Access servers within that Active Directory site are automatically part of the Client Access server array.
Best regards,
Belinda
Belinda Ma
TechNet Community Support -
When we have a new employee transfer to us from another department, their email is created and hidden until they actually make the transfer so they don't have two different email addresses in our global address list. When the transfer is made, the email address is unhidden, but then we are unable to send emails to them from sharepoint 2010 without doing an IISReset. We are using Exchange 2010. Does anyone have suggestions on how to alleviate this issue?
Hi,
I have done a test, no matter the email address is hidden or not, we can both send email to the email address in the same domain.
How was the new employee from another department transferred to your department?
Do you need to do an IIS Reset every time you send emails to them?
Here is a similar post, you can take a look at:
https://social.technet.microsoft.com/forums/sharepoint/en-US/6a9043bb-2055-46a9-8e76-8b2698c1dbe5/user-not-receiving-sharepoint-emails
Best Regards,
Lisa Chen -
ISA 2006 publish Exchange 2010 Outlook Anywhere with KCD/NTLM and IPSEC - Problem
Hi
I have setup ISA 2006 to publish Exchange 2010 Outlook Anywhere with Kerberos Constrained Delegation and IPSEC.
The clients have an IPSEC policy pushed to them via GPO. The clients are windows 7 laptops and the ISA server is server 2003, so the IPSEC connection is IKE not AuthIP.
However, it seems that the connection will work for a while, then all of a sudden stop working with zero trace of why. I can't get the Oakley log to work and I can't see any traffic on the ISA.
I am wondering if I need to publish the CRL's externally? Currently we don't, and the Outlook Anywhere uses private certificates (as the whole point of IPSEC is to validate the internal certificate, there is no point in using
public certificates).
I have tried using the StrongCRLCheck=0 registry key in the IPsec Policy Agent on the windows 7 machine but it doesn't seem to make a difference.
Any advice would be appreciated.
Steven
Hi,
Firstly, have you received any related error messages in ISA server or on the clients' side? Besides, as you mentioned IPsec, did you have a VPN connection?
In addition, ISA 2006 only includes a Client Access Web Publishing Wizard for both Exchange 2003 and Exchange 2007. Which Exchange version have you chosen when publishing Exchange 2010?
Please also make sure that you have selected the External interface for the web listener to listen on.
Besides, the link below would be helpful to you:
OWA publishing using Kerberos Constrained Delegation method for authentication delegation
Best regards,
Susie -
Exchange 2010, Outlook Anywhere, Autodiscover, SAN Certs and ISA 2004
Hi
Everything I have read says that SAN certs do not work with ISA 2004. However I have read through the "White Paper: Understanding the Exchange 2010 Autodiscover Service" document to understand my options (url below) and notice that the SAN
cert option in the "Summary of supported scenarios for connecting to the Autodiscover service from the Internet" section implies that ISA 2004 may be able to work:
"Requires additional configuration if used together with either ISA Server 2004 or ISA Server 2006"
http://technet.microsoft.com/en-us/library/jj591328(v=exchg.141).aspx
Does anyone know if there is a supported ISA 2004 scenario where SAN certs can work?
Thanks!
It's highly doubtful, since ISA 2004 has been in extended support for two years. See
http://blogs.technet.com/b/isablog/archive/2009/10/05/mainstream-support-ending-for-isa-server-2004-standard-edition-sp3.aspx for details about ISA 2004 support - it goes totally out of support next year. -
Exchange 2010 - All users can delete scheduled and accepted meetings in a room mailbox
Hello Everyone,
I have a strange situation. I created 4 conference room "room" mailboxes for calendaring of the conference rooms. We tested to see if user A booked a meeting in room 1 - that user B could not go delete or change that meeting if it was accepted.
Now - for some reason - user B (or any other user on Exchange) can now go delete any meeting made by anyone and has been accepted on the calendar. I cannot figure out what has happened to my permissions that is letting this happen. As far as I know - we have not made any changes to these room mailboxes. We are Exchange 2010 version 14.01.0355.002.
Hi
Have a try with the steps on this thread
http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/ed89d6ac-0c48-43a8-8ed4-3d4f5d441737
1. Create a test mailbox as a new room mailbox, remove all permission on the Properties of “Mailbox” and “Calendar”
Notes: Confirm the permission under “Default” and “Anonymous” account is “None”
2. Use “Delegate” function in “Tools” menu to share calendar for “TESTALL” group as “Author”
3. Go to the Properties of calendar in room mailbox, confirm “Author” permission
4. In User C’s outlook, see if you still can delete the calendar item that User A created
Cheers
Zi Feng
TechNet Community Support -
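The permission checks in the steps above can also be made from the Exchange Management Shell instead of Outlook. The following is an added example, not part of the original thread: Test-RoomCalendarPermission is a hypothetical helper name, the sample entries are constructed, and the calendar folder is assumed to be named "Calendar".

```powershell
# Added example (not from the thread). Test-RoomCalendarPermission is a
# hypothetical helper; the sample entries at the bottom are constructed.
# Written for PowerShell 2.0, which the Exchange 2010 Management Shell uses.

# Roles that carry the DeleteAllItems right. Author and PublishingAuthor can
# only delete items they created themselves.
$DeleteAllRoles = 'Owner', 'PublishingEditor', 'Editor'
# Rights that are acceptable for the Default and Anonymous entries.
$FreeBusyOnly = 'None', 'AvailabilityOnly', 'LimitedDetails'

function Test-RoomCalendarPermission {
    param(
        [Parameter(Mandatory = $true)][string]$Room,
        # One entry as returned by Get-MailboxFolderPermission
        # (needs the User and AccessRights properties).
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]$Permission
    )
    process {
        $user = "$($Permission.User)"
        # AccessRights arrives as a collection or a comma-separated string,
        # depending on whether the session is local or remote.
        $rights = @("$($Permission.AccessRights)" -split ',\s*' | Where-Object { $_ })

        $canDeleteOthers = [bool]($rights | Where-Object {
            ($DeleteAllRoles -contains $_) -or ($_ -eq 'DeleteAllItems')
        })
        $isBroad = 'Default', 'Anonymous' -contains $user
        $aboveFreeBusy = [bool]($rights | Where-Object { $FreeBusyOnly -notcontains $_ })

        if ($isBroad -and $canDeleteOthers) {
            $finding = 'FAIL: every user can delete bookings made by others'
        } elseif ($isBroad -and $aboveFreeBusy) {
            $finding = 'REVIEW: broad principal has more than free/busy access'
        } elseif ($canDeleteOthers) {
            $finding = 'REVIEW: can delete bookings made by others'
        } else {
            $finding = 'OK'
        }

        New-Object PSObject -Property @{
            Room = $Room; User = $user
            AccessRights = ($rights -join ', '); Finding = $finding
        } | Select-Object Room, User, AccessRights, Finding
    }
}

# Constructed sample entries so the logic can be tried without a server.
$sample = @(
    (New-Object PSObject -Property @{ User = 'Default';   AccessRights = 'Editor' }),
    (New-Object PSObject -Property @{ User = 'Anonymous'; AccessRights = 'None' }),
    (New-Object PSObject -Property @{ User = 'TESTALL';   AccessRights = 'Author' }),
    (New-Object PSObject -Property @{ User = 'RoomAdmin'; AccessRights = 'Owner' })
)
$sample | Test-RoomCalendarPermission -Room 'Room1' | Format-Table -AutoSize

# Against real room mailboxes (run in the Exchange Management Shell):
# foreach ($room in Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited) {
#     Get-MailboxFolderPermission -Identity "$($room.Alias):\Calendar" |
#         Test-RoomCalendarPermission -Room $room.Alias
# }
```

In the constructed sample, only the Default entry with Editor rights is reported as FAIL; the Author entry for the group stays OK because Author can delete only its own items.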
Hi,
We would like to configure Opportunistic TLS between our Exchange 2010 SP3 On Premise Systems (with Edge) and EOP.
I can see that Opportunistic TLS is enabled on both the send and receive connectors in EOP. So I think no change required here.
The On premise Send Connector (Configured by EdgeSync) does not have the option for Opportunistic TLS. Under "Configure Smart Host Authentication Settings" it is currently set to "None". I have the option for "Basic Authentication over TLS" but this requires a Username and Password. No option for Opportunistic TLS. When I look at the properties of the send connector (get-sendconnector "sendconnector_name" | fl) I can see that the IgnoreSTARTTLS parameter is set to FALSE - so I think that means it is enabled. So I think no changes required here- right?
The receive connector on the Edge Server has the TLS option on the Authentication tab - so I guess I just check that option right?
The Edge servers also run TMG and the two are integrated. I don't think this changes anything but thought I would include it in case it does.
Anything I have missed?
Thanks very much.
Geoff
ilmuro69 -
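The connector properties mentioned in the post above (IgnoreSTARTTLS on the send connector, the TLS authentication option on the receive connector) can be read together to see what each connector will actually do. This is an added example, not part of the original post: Get-ConnectorTlsPosture is a hypothetical helper name and the sample connectors are constructed.

```powershell
# Added example (not from the thread). Get-ConnectorTlsPosture is a
# hypothetical helper; the sample connectors at the bottom are constructed.
# Written for PowerShell 2.0, which the Exchange 2010 Management Shell uses.
function Get-ConnectorTlsPosture {
    param(
        [Parameter(Mandatory = $true)][ValidateSet('Send', 'Receive')][string]$Direction,
        # A connector object from Get-SendConnector or Get-ReceiveConnector.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]$Connector
    )
    process {
        if ($Direction -eq 'Send') {
            if ($Connector.IgnoreSTARTTLS) {
                # STARTTLS is never attempted, even if the remote host offers it.
                $posture = 'None (STARTTLS ignored, mail leaves in clear text)'
            } elseif ($Connector.RequireTLS) {
                # Delivery fails rather than falling back to clear text.
                $posture = 'Mandatory (delivery fails without TLS)'
            } else {
                # TLS is used when offered; otherwise the session continues
                # unencrypted.
                $posture = 'Opportunistic (falls back to clear text)'
            }
        } else {
            # AuthMechanism is a flag set such as "Tls, Integrated, BasicAuth".
            $mech = @("$($Connector.AuthMechanism)" -split ',\s*')
            if ($mech -notcontains 'Tls') {
                $posture = 'None (STARTTLS not advertised)'
            } elseif ($Connector.RequireTLS) {
                $posture = 'Mandatory (MAIL FROM rejected without TLS)'
            } else {
                $posture = 'Opportunistic (STARTTLS advertised, not enforced)'
            }
        }
        New-Object PSObject -Property @{
            Name = "$($Connector.Name)"; Direction = $Direction; Posture = $posture
        } | Select-Object Name, Direction, Posture
    }
}

# Constructed sample objects so the logic can be tried without a server.
$sendSample = @(
    (New-Object PSObject -Property @{ Name = 'EdgeSync - Site to Internet'
        IgnoreSTARTTLS = $false; RequireTLS = $false }),
    (New-Object PSObject -Property @{ Name = 'Legacy relay'
        IgnoreSTARTTLS = $true;  RequireTLS = $false })
)
$recvSample = @(
    (New-Object PSObject -Property @{ Name = 'Default internal receive connector EDGE'
        AuthMechanism = 'Tls, ExchangeServer'; RequireTLS = $false }),
    (New-Object PSObject -Property @{ Name = 'Partner inbound'
        AuthMechanism = 'Tls'; RequireTLS = $true })
)
$sendSample | Get-ConnectorTlsPosture -Direction Send    | Format-Table -AutoSize
$recvSample | Get-ConnectorTlsPosture -Direction Receive | Format-Table -AutoSize

# Against real connectors (run in the Exchange Management Shell):
# Get-SendConnector    | Get-ConnectorTlsPosture -Direction Send
# Get-ReceiveConnector | Get-ConnectorTlsPosture -Direction Receive
```

An Opportunistic result describes configuration only; whether a given message was actually encrypted is confirmed from the SMTP protocol logs or the Received headers of a test message.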
Exchange 2010 Email not Syncing, but Contacts and Calendar do???
Anyone have any feedback on this? I have tried deleting and readding my Exchange 2010 account several times and same result.
No emails are displaying at all. However, all of my contacts are appearing in the contacts app and so are calendar entries. Also, when I go into the settings and choose which folders to have push email, I see a list of all of my exchange folders, so I know it is seeing the server.
Any idea why the emails are not appearing? I have tried all combinations of different settings and can't get them to appear.
Thanks
Are either of you part of protected groups in active directory/exchange? Such as the built ins. i.e Domain Admin/Account Operator etc?
-
Exchange 2010 Mailboxes - Can't search delegate's subfolders without full access permission?
Has anyone run into this situation? Might be straightforward but I'm not running into a solution..
I have two users on an Exchange 2010 server, accessing through Outlook 2010. One is a delegate of the other's mailbox, and has owner permissions to see all the mail, subfolders, send on their behalf, etc...but when they go to search for an email
(control-shift-F, then click on browse, find a folder that has subfolders...and select it), they don't have access to "include subfolders". It's grayed out.
If I go to the main mailbox and grant full mailbox permissions to the other user, they CAN search and "include subfolders" isn't grayed out, all works properly...but obviously is a bit overkill permission-wise.
...question is, what permission would be allowing a delegate to send on behalf, delete, read, list, etc. another person's email, but not letting the search be more than one folder level deep?
Thanks in advance
Pete
Hi,
First please try to tick “Enable indexing of online delegate mailboxes” via the steps below:
1.Please run gpedit.msc from a command prompt.
2. Expand Computer Configuration ->Administrator templates->windows components->click “Search”
3. Double Click on “Enable indexing of online delegate mailboxes” option
4. Select “Enabled” and click “ok” to close “Local Group Policy Editor”
5. After that please run “gpupdate /force”
6. Restart Microsoft Outlook
Also please add the following registry key to the user computer to enable index in delegate mailboxes.
Key: HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windows search
DWORD: EnableIndexingDelegateMailboxes
Value: 1
Note: Indexing the contents of delegate mailbox folder. Using this method we can search through the delegate mailbox folders but we have to specify the folder in which one wants to search an Outlook items.
After that, please rebuild the indexing with
ResetSearchIndex.ps1
How to Rebuild the Full-Text Index Catalog
http://technet.microsoft.com/en-us/library/aa995966(v=exchg.80).aspx
Please test the issue via outlook online mode after you have rebuild the indexing.
Xiu Zhang
TechNet Community Support