Preserve mailbox permissions after converting to linked mailboxes

Hello,
I am converting normal user mailboxes to linked mailboxes in Exchange 2007 SP3. After a pilot, we found that the linked accounts no longer had access to shared mailboxes (the shared mailboxes will NOT be converted into linked accounts). The Full Access
ACL references the OLDDOMAIN\username AD account. Manually adding NEWDOMAIN\username to the ACL fixes things. Is there an easy way to export the Full Access and Send As permissions for the shared mailboxes and switch them to NEWDOMAIN\username with
PowerShell? I have a feeling this will involve a lot of data manipulation with Excel. Too bad there is no ADMT-style security translation tool for Exchange mailboxes!

It's definitely possible to do this entire task via a PowerShell script, but I need to spend some time to write it... ;)
But well, here is another quick way I can suggest; it's a two-step process...
1. Export Full Access and Send-As to CSV files separately by following this Exchange PowerShell Tip #09
2. Now you have two files; replace the domain name in the exported CSV files.
3. Import the permissions back using this...
# Re-add Full Access from the edited CSV
$FullAccess = Import-Csv mailboxaccess.csv
$FullAccess | %{Add-MailboxPermission -Identity $_.Identity -User $_.User -AccessRights $_."Access Rights"}
# Re-add Send-As from the edited CSV (Send-As is an AD extended right)
$SendAs = Import-Csv sendas.csv
$SendAs | %{Add-ADPermission -Identity $_.Identity -User $_.User -AccessRights ExtendedRight -ExtendedRights $_."Access Rights"}
Blog |
Get Your Exchange Powershell Tip of the Day from here
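
One way to do the domain swap in step 2 without a blind find-and-replace, as an added example (not the poster's script and not the code from Tip #09): it remaps only explicit, non-Deny OLDDOMAIN\user entries to NEWDOMAIN\user, drops duplicates, and previews the grants with -WhatIf. The CSV column names (including IsInherited and Deny), the function names and the sample rows are assumptions constructed for illustration; PowerShell 2.0 or later is assumed.

```powershell
# Added example. Column names (Identity, User, "Access Rights", IsInherited, Deny)
# and all sample rows are assumptions constructed for illustration.

function Convert-PermissionRow {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Rows,
        [Parameter(Mandatory = $true)] [ValidateSet('FullAccess', 'SendAs')] [string] $Kind,
        [string] $OldDomain = 'OLDDOMAIN',
        [string] $NewDomain = 'NEWDOMAIN'
    )
    # Match exactly OLDDOMAIN\<name>; SELF, other domains and raw SIDs are left alone.
    $pattern = '^' + [regex]::Escape($OldDomain) + '\\(?<sam>[^\\]+)$'
    $seen = @{}
    foreach ($row in $Rows) {
        # Inherited entries are not set on the mailbox itself, and a Deny row
        # re-added without -Deny would silently become an allow entry.
        if ($row.IsInherited -eq 'True' -or $row.Deny -eq 'True') { continue }
        $m = [regex]::Match([string]$row.User, $pattern, 'IgnoreCase')
        if (-not $m.Success) { continue }
        $newUser = '{0}\{1}' -f $NewDomain, $m.Groups['sam'].Value
        # The export may join several rights with ", "; split them back into a list.
        $rights = @($row.'Access Rights' -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $key = ('{0}|{1}|{2}' -f $row.Identity, $newUser, ($rights -join '+')).ToLower()
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true
        New-Object PSObject -Property @{ Kind = $Kind; Identity = $row.Identity; User = $newUser; Rights = $rights } |
            Select-Object Kind, Identity, User, Rights
    }
}

function Invoke-PermissionPlan {
    param([object[]] $Plan, [switch] $Apply)
    foreach ($p in $Plan) {
        if ($p.Kind -eq 'FullAccess') {
            Add-MailboxPermission -Identity $p.Identity -User $p.User -AccessRights $p.Rights -WhatIf:(-not $Apply)
        } else {
            Add-ADPermission -Identity $p.Identity -User $p.User -AccessRights ExtendedRight `
                -ExtendedRights $p.Rights -WhatIf:(-not $Apply)
        }
    }
}

# Constructed sample exports (in practice: Import-Csv mailboxaccess.csv / sendas.csv).
$fullAccessRows = @'
Identity,User,Access Rights,IsInherited,Deny
corp.example/Shared/Helpdesk,OLDDOMAIN\asmith,FullAccess,False,False
corp.example/Shared/Helpdesk,olddomain\asmith,FullAccess,False,False
corp.example/Shared/Helpdesk,NT AUTHORITY\SELF,"FullAccess, ReadPermission",False,False
corp.example/Shared/Helpdesk,OLDDOMAIN\Exchange Servers,FullAccess,True,False
corp.example/Shared/Finance,OLDDOMAIN\bjones,FullAccess,False,True
corp.example/Shared/Finance,OLDDOMAIN\cdoe,FullAccess,False,False
'@ | ConvertFrom-Csv

$sendAsRows = @'
Identity,User,Access Rights,IsInherited,Deny
corp.example/Shared/Helpdesk,OLDDOMAIN\asmith,Send-As,False,False
corp.example/Shared/Helpdesk,OTHERDOMAIN\asmith,Send-As,False,False
'@ | ConvertFrom-Csv

$plan = @(Convert-PermissionRow -Rows $fullAccessRows -Kind FullAccess) +
        @(Convert-PermissionRow -Rows $sendAsRows -Kind SendAs)
$plan | Format-Table -AutoSize

# Only touch Exchange when the cmdlets are loaded; preview by default.
if (Get-Command Add-MailboxPermission -ErrorAction SilentlyContinue) {
    Invoke-PermissionPlan -Plan $plan   # add -Apply after reviewing the -WhatIf output
}
```

Review the printed plan against the accounts that actually exist in NEWDOMAIN before running with -Apply, since a same-named account in the new domain is not guaranteed to be the same person.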

Similar Messages

  • Cannot link mailbox to user in accounts forest

    original forest is a single domain configuration named mydomain.com.  A new accounts forest was created named ad.mydomain.com.  This domain is *not* a subdomain of the original domain, but a separate domain in a separate forest.  This forest
    also uses a single domain design. (It's a long story) All mailboxes reside in a single mailbox database on an Exchange 2010 server running on Windows Server 2008 R2.  I've used the ADMT to migrate some test accounts to the accounts forest. 
    The migration works and the account appears functional, i.e., SID history migrated and the account can still get to shares and files on machines located in the resource forest. 
    I then use the disable-mailbox and connect-mailbox commands to setup the linked mailbox.  My test account is user Joe Doakes (as listed in Get-MailboxStatistics), username is jdoakes, mailnickname is jdoakes and SMTP address is [email protected] 
    Here is the exact command I am using:
    Connect-Mailbox -Identity "Joe Doakes" -Database "Mailbox Database 0448361937" -LinkedDomainController MEDTMPDC01.ad.mydomain.com -LinkedMasterAccount "CN=Joe Doakes,OU=Testing,OU=Accounts,DC=ad,DC=mydomain,DC=com" -LinkedCredential $cred
    to which the command shell replies-
    Confirm
    Do you want to connect this mailbox to user "mydomain.com/Testing/Joe Doakes" with the alias "JoeDoakes"?
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"):
    I've re-entered the credentials for the accounts forest twice.  The canonical name above is the name of the now disabled account in the resource forest.  If I select Y here, it reconnects to the old account and changes the alias from jdoakes
    to JoeDoakes.  This behavior is very strange.  I have confirmed the distinguished name used is correct.  Can anyone point out what I am doing wrong?
    TIA
    Tom

    I wanted to update this post in case anyone else runs into this problem.  I wound up opening a support ticket and spent a day and a half on the phone with Microsoft.  This issue was the result of several chance problems and my misinterpretation of the command's results.
    To start off, when the command comes back to say that it wants to connect the mailbox to "mydomain.com/Testing/Joe Doakes", it really means that it is the disabled account in the Exchange (source) forest to which the mailbox will be connected.  It will be "linked" to the account in the accounts forest, but the command does not say that.  This behavior is by design.
    We also found that I have to specify the alias in the command or a new alias is created that concatenates the target account's first and last names.  Last, we found that running a number of clean-mailboxdatabase commands was the trick that finally made things work.
    To recap, the procedure that worked for me was:
    1. Disable-mailbox to disconnect the user in the source forest
    2. Verify the mailbox is actually disconnected.  If it does not show up in the Disconnected Mailbox node in the EMC, run the clean-mailboxdatabase "<database name>" command
    3. Disable the source forest user account.
    4. Enter the account forest credential ($cred = get-credential)
    5. Connect the mailbox to the linked account.  This is the command that worked for me:
      Connect-Mailbox -Identity "Joe Doakes" -Alias jdoakes -Database "Mailbox Database 0448361937" -LinkedDomainController MEDTMPDC01.ad.mydomain.com -LinkedMasterAccount "CN=Joe Doakes,OU=Testing,OU=Accounts,DC=ad,DC=mydomain,DC=com" -LinkedCredential $cred
    6. The new account may not be able to get to the mailbox without running another clean-mailboxdatabase.
    I hope this saves someone else a call to Microsoft.

  • Converting User Mailboxes to Linked Mailboxes

    We're going to be moving users to a new, trusted domain and want to keep our Exchange 2013 server in the old domain. It looks like the best strategy for us is to convert our user mailboxes to linked mailboxes for users who will log into the new domain.
    There's quite a bit out on the web on doing this in Exchange 2010 but I don't see anything specific to Exchange 2013. Is the procedure basically the same? This is what users seem to be doing from PowerShell:
    Set-User <userID> -LinkedMasterAccount  AccountDomain\UserID  -LinkedDomainController AccountDomainControllerFQDN
    Orange County District Attorney

    Hi,
    If you want to convert the existing mailbox to a linked mailbox, we can do the following steps:
    1. To disconnect the mailbox object in the Exchange store from the user object in Active Directory, for example.
    Disable-Mailbox -Identity User1
    2. To create a credential object, run the following command.
    $cred = Get-Credential
    You will be prompted for credentials. Specify an account that has permissions to access the domain controller in the forest where the user account resides. Use the LinkedDomainController parameter to specify the domain controller. This domain
    controller obtains security information for the account to which you are linking the mailbox object.
    3. To reconnect the mailbox object in the Exchange store to an external user object, use this example.
    Connect-Mailbox -Identity User1 -Database "Mailbox Database" -LinkedDomainController FabrikamDC01 -LinkedMasterAccount [email protected] -LinkedCredential $cred
    For more information about converting linked mailbox, please refer to:
    https://technet.microsoft.com/en-us/library/bb201694%28v=exchg.141%29.aspx?f=255&MSPPError=-2147217396
    Regards,
    Winnie Liang
    TechNet Community Support

  • Need help on Cross Forest Exchange 2007 - 2013 with Linked Mailboxes

    Hey all,
    So I'm in a bit of a pickle with my Exchange design and am trying to figure out if there's a way to migrate mailboxes across forests where Linked mailboxes are being used. I've done a bit of reading and have noted stuff like preparing the move request in
    AD, etc. But I'm wondering if someone can break it down for me.
    http://1drv.ms/1lWjLqG
    The above is a OneNote diagram of how we have moved over time. Please forgive my sloppy handwriting but I hope it gets the point across. I will text it out here as well:
    Original Design
    The original design of the domains when I joined the company were fabrikam and contoso. Contoso is a domain that sits entirely in the "DMZ". Fabrikam was the internal AD forest where most services and users authenticated to. In Contoso, there
    are 2 domain controllers, the "Front End" Exchange Server (Edge Transport), and the "Back End" server, which is CAS/Mailbox.
    There is a forest trust between contoso and fabrikam where "Linked Mailboxes" are created in Contoso, and then the LinkedMasterAccount is set to Fabrikam.
    Migration/Hybrid Design
    Due to the fact that these two domains were configured massively inappropriately, riddled with security holes as well as strange permissions configurations, the decision was made to create a new internal AD domain. In my OneNote, I've labeled this 'specialbank.com'.
    A long while ago we migrated users from Fabrikam to SpecialBank via trusts. To facilitate access to Exchange, a new trust was created between Contoso and SpecialBank to allow us to update the LinkedMasterAccount parameter to the new Specialbank domain.
    We have most of our users authenticating to their mailboxes via SpecialBank, while the mailboxes still reside in Contoso.
    Migration from Exchange 2007 to Exchange 2013
    I am attempting to now figure out the best way to migrate the mailboxes from Contoso to a new set of Mailbox servers in SpecialBank. This will also be an upgrade from Exchange 2007 (Current) to an Exchange 2013 installation.
    The latest Service Packs and CUs are installed in both.
    What would be the best procedure to move these mailboxes? To my knowledge, the current best practice/recommended way is to perform a user/SID migration from Contoso to SpecialBank. But I already have accounts in
    SpecialBank that users are actively using.
    I'm not opposed to doing a simple PST export from Contoso to SpecialBank, but we're looking at around 120 mailboxes. So I'm trying to make my life a little easier instead of spending a weekend here.
    If I try to do it in batches, I need to figure out how to handle autodiscover and CAS. Since I'm creating an entirely new Exchange environment, I'm trying to limit what I place in the existing configuration. But I'm not opposed to setting up something temporarily
    if I need to in order to make the migration transparent to users.
    Can anyone help?

    Hi ,
    From your description I came to know contoso is the resource forest and special bank is the account forest.
    You just wanted to migrate the linked mailboxes from the resource forest to the account forest, and you would also want the migrated mailboxes to be merged with the respective user accounts in the account forest to become normal user mailboxes. Am I right?
    Please correct me if I am wrong. I have found some blogs on the internet; please have a look at them, especially the first one.
    http://www.outlookforums.com/threads/60210-cross-forest-mailbox-move-and-linked-mailbox/
    http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27974905.html
    Regards
    S.Nithyanandham
    Thanks S.Nithyanandham

  • Setting EX2007 mailbox permissions with Exchange Management Shell not reflected in Exchange Management Console

    Hello,
    I'm trying to use PowerShell to script some mailbox permissions.  The mailbox permissions I set in the shell are not displaying in the EMC.  The command I'm using is:
    add-MailboxPermission -accessrights fullaccess -identity $username -user MYDOMAIN\$supervisor -confirm:$false
    I get confirmation from the shell:
    Identity               User                  AccessRights IsInherited Deny
    MyDomain.net/Separa... MYDOMAIN\mysupervisor {FullAccess} False       False
    Afterwards, when I look in the Exchange Management Console for this user (Right click, Manage Full Access), even after allowing time for replication, I don't see this new permission reflected there.  But If I use Get-MailboxPermission
    $username, the permissions show up:
    Identity               User                  AccessRights IsInherited Deny
    MyDomain.net/Separa... MYDOMAIN\mysupervisor {FullAccess} False       False
    Why is this addition not being reflected in the shell?

    Hi,
    The cmdlet you use to grant full access permission is right. In your case, please let "mysupervisor" access this user's mailbox and verify whether he/she can access it. Maybe the Exchange Management Console has not been updated well.
    Hope this can be helpful to you.
    Best regards,
    Amy Wang
    TechNet Community Support

  • Removing mailbox (Remove-Mailbox) right after mail export to PST request (New-MailboxExportRequest)

    Hi all,
    I have a PowerShell script for archiving employee mailboxes after they leave the company. The script uses WinRM to connect to Exchange CAS where it:
    exports user mailbox to PST files (New-MailboxExportRequest -Mailbox $user -FilePath $USER_ARCH\mail\MAIL_$user.pst)
    export user archive mailbox to PST file (New-MailboxExportRequest -Mailbox $user -isarchive -FilePath $USER_ARCH\mail\Archive_$user.ps)
    delete user mailbox (Remove-Mailbox $user)
    These 3 steps are executed one after another. Since New-MailboxExportRequest is asynchronous (only creates requests and exits), the
    Remove-Mailbox is triggered right after the request is submitted. Since PST file is not created or is truncated, I believe
    Remove-Mailbox actually removes mailbox even though there is active request for that mailbox. Logically the mailbox with bound active requests should not be removed and there should be warning.
    I know there are many possible workarounds. Just want to know if this is by design or am I missing an option to above commands?
    Best regards,
         Blaz

    The same happens in Exchange 2010 making this seem like it is by design.  I can find no reference as to how to avoid this other than by changing your script.
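
One way to change the script so that removal waits for the export, as an added example (not Blaz's script and not Microsoft's code): it polls the export requests, treats only a Completed status as success, checks that each PST exists and is non-empty, and previews Remove-Mailbox with -WhatIf unless -Apply is given. The function name, the replaceable -GetStatus script block, the mailbox name and the temp-file path are assumptions constructed for illustration.

```powershell
# Added example. Mailbox name, PST path and the fake status feed are constructed.

function Remove-MailboxAfterExport {
    param(
        [Parameter(Mandatory = $true)] [string] $Mailbox,
        [Parameter(Mandatory = $true)] [string[]] $PstPath,
        # Returns one status string per export request; replaceable for offline runs.
        [scriptblock] $GetStatus = {
            param($m) Get-MailboxExportRequest -Mailbox $m | ForEach-Object { "$($_.Status)" }
        },
        [int] $PollSeconds = 30,
        [int] $MaxPolls = 240,
        [switch] $Apply
    )
    for ($i = 0; $i -lt $MaxPolls; $i++) {
        $status = @(& $GetStatus $Mailbox)
        # No request at all means the export was never submitted: do not delete.
        if ($status.Count -eq 0) { return 'NoExportRequest' }
        if ($status -contains 'Failed') { return 'ExportFailed' }
        # Leave the loop only when every request (mailbox and archive) is Completed.
        if (@($status | Where-Object { $_ -ne 'Completed' }).Count -eq 0) { break }
        Start-Sleep -Seconds $PollSeconds
    }
    if ($i -ge $MaxPolls) { return 'TimedOut' }

    # A finished request is not enough: confirm the files are really there.
    foreach ($p in $PstPath) {
        if (-not (Test-Path -LiteralPath $p) -or (Get-Item -LiteralPath $p).Length -eq 0) {
            return 'PstMissingOrEmpty'
        }
    }
    if (Get-Command Remove-Mailbox -ErrorAction SilentlyContinue) {
        Remove-Mailbox -Identity $Mailbox -Confirm:$false -WhatIf:(-not $Apply)
    }
    'ExportVerified'
}

# Offline demonstration with a constructed status feed and a placeholder PST file.
$pst = Join-Path ([IO.Path]::GetTempPath()) 'MAIL_jdoe.pst'
Set-Content -Path $pst -Value 'placeholder bytes'
$script:polls = 0
$fakeStatus = {
    param($m)
    $script:polls++
    if ($script:polls -lt 3) { 'InProgress', 'Queued' } else { 'Completed', 'Completed' }
}
Remove-MailboxAfterExport -Mailbox 'jdoe' -PstPath $pst -GetStatus $fakeStatus -PollSeconds 0
```

Any outcome other than ExportVerified leaves the mailbox in place, so a failed or stalled export ends in a retained mailbox rather than a truncated PST and a deleted mailbox.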

  • Outlook Password prompt for Linked Mailboxes from certain Domain

    Hello,
    As part of a migration project, I'm trying to connect Outlook with Linked Mailboxes from users in a trusted domain.
    I'm able to create the linked mailbox on the Exchange 2013 (CU7) server without any issue, but when I try to configure Outlook for these mailboxes, it is prompting for credentials permanently and won't start. Log on to OWA with the same user from the trusted
    domain is working fine.
    I'm able to configure Linked mailboxes from another trusted domain without any problems.
    I've already recreated the trust between these two domains (validation tells everything is ok)
    DNS is configured with conditional forwarders in both domains and name resolution looks ok to me (ping and nslookup)
    When I look at the LinkedMasterAccount of the mailboxes from this domain, I can see that there is only the SID (S-1-5-21-4033829......). The other linked mailboxes (from the other domain where it's working) are showing the Account name (domain\user)
    Internal and External ClientAuthenticationMethod of OutlookAnywhere is set to NTLM
    Infos:
    DomainA: Domainlevel 2012 - Exchange 2013 - Forest trust to Domain B and C
    DomainB: Domainlevel 2008 - Exchange 2010 - Forest trust to Domain A - Outlook for linked Mailboxes of DomainA works fine
    DomainC: Domainlevel 2008 - Forest trust to Domain A --> can't connect Outlook to LinkedMailboxes of this domain.
    Is there anything else I can check?

    Hi,
    Please check whether the server is configured to only accept NTLM version 2 and reject NTLM and LM, and the Outlook client computer is not configured with the same LAN Manager authentication level.
    Check DC, Start -> Programs -> Administrative Tools -> Security Options -> Note the LAN Manager authentication level.
    Check DC's policies, Start -> Programs -> Administrative Tools -> expand Security Settings\Local Policies -> Security Options -> Note the Lan Manager authentication level.
    IMPORTANT: You may also have to check policies that are linked at the site/domain/organizational unit levels to determine where the LAN Manager authentication level must be configured. Configure the LAN Manager authentication level to "Send
    NTLMv2 response only". If you want to implement NTLM version 2 in your network, make sure that all computers in the domain are set to use this authentication level.
    Thanks
    Mavis Huang
    TechNet Community Support

  • Remove mailbox permissions - exchange 2010

    What is it you are trying to achieve by removing permissions = are you talking users having permissions on other accounts or including system accounts - as some are a requirement.

    Hi Guys, I need some professional help from you guys being really expert in Exchange! I have Exchange 2010 at my organization (recently joined). I had to figure out permissions for each mailbox in my Exchange organization. So I executed the following script, which ran like a charm with a full list of mailbox, user having permission on that mailbox and type of permission as well.
    Get-Mailbox -resultsize unlimited | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF"} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation C:\script\mailboxperm1.csv
    Now the issue is, these permissions in this list are not visible in the GUI of EMC. If I try to remove them using Exchange PowerShell, sometimes they are removed and sometimes I get this warning and...
    This topic first appeared in the Spiceworks Community

  • Can't move Exchange 2003 mailbox to Exchange 2010 Resource forest (Linked Mailbox)

    Problem Description:
    Can’t move Exchange 2003 mailbox to Exchange 2010 resource forest
    Error message:
    Failed to reconnect to Active Directory server SRVUMVMDC02.umfolozi.local. Make sure the server is available, and that you have used the correct credentials.
    Source Environment Configuration:
    Active Directory
    FQDN: umfolozi.local
    Domain name (pre-Windows 2000): UMFOLOZI
    Domain Function Level: Windows Server 2003
    Domain Controllers:
    Hostname | OS | Operation Master
    SRVUMVMDC01.umfolozi.local | Windows Server 2008 R2 Standard SP1 | Schema Master, Domain Naming, RID, PDC
    SRVUMVMDC01.umfolozi.local | Windows Server 2008 R2 Standard SP1 | Infrastructure
    Exchange
    Version: Microsoft Exchange 2003 Standard SP2 Build 7638.2
    Server Information:
    Hostname | OS
    TUSKUMFMAIL.umfolozi.local | Windows Server 2003 R2 SP2
    DNS Zones
    Zone Name | Zone Type | Domain Controllers
    umfolozi.local | Active Directory-Integrated (Primary) | SRVUMVMDC01.umfolozi.local, SRVUMVMDC01.umfolozi.local
    peermont.com | Secondary | SRVPGVMDC01.peermont.com, SRVPGVMDC02.peermont.com
    Trusts
    Domain Name | Trust Type | Transitive | Validated
    peermont.com | Forest | Yes | Yes
    Target Environment Configuration:
    Active Directory
    FQDN: peermont.com
    Domain name (pre-Windows 2000): PG
    Domain Functional Level: Windows Server 2008 R2
    Domain Controllers:
    Hostname | OS | Operation Master
    SRVPGVMDC01.peermont.com | Windows Server 2008 R2 Std SP1 |
    SRVPGVMDC02.peermont.com | Windows Server 2008 R2 Std SP1 | Domain naming, RID, PDC, Infrastructure, Schema Master
    Exchange
    Resource Exchange Forest
    Server Information:
    Hostname | OS | Role | Version | Client Access Array
    SRVPGVMEXCH01.peermont.com | Windows Server 2012 Std | HUB, CAS | Version 14.3 (Build 123.4) | exchange.peermont.com
    SRVPGVMEXCH02.peermont.com | Windows Server 2012 Std | HUB, CAS | Version 14.3 (Build 123.4) | exchange.peermont.com
    Hostname | OS | Role | Version | Database Availability Group
    SRVPGVMEXCH03.peermont.com | Windows Server 2012 Std | MBX | Version 14.3 (Build 123.4) | PeermontDAG
    SRVPGVMEXCH04.peermont.com | Windows Server 2012 Std | MBX | Version 14.3 (Build 123.4) | PeermontDAG
    DNS Zones
    Zone Name | Zone Type | Domain Controllers
    peermont.com | Active Directory-Integrated (Primary) | SRVPGVMDC01.peermont.com, SRVPGVMDC02.peermont.com
    umfolozi.local | Secondary | SRVUMVMDC01.umfolozi.local, SRVUMVMDC01.umfolozi.local
    Trusts
    Domain Name | Trust Type | Transitive | Validated
    umfolozi.local | Forest | Yes | Yes
    Migration Process
    Task | Description | Successful/Error
    1 | SYNC AD Domain account from source forest (umfolozi.local) to target forest (peermont.com) using BinaryTree SMART Directory Sync (ADMT can be used as alternative) | Successful
    2 | Create mail-enabled user | Successful
    3 | Run Prepare-MoveRequest with –OverWriteLocalObject (command example below) | Successful
    Command Example:
    .\Prepare-MoveRequest.ps1 -Identity [email protected] -RemoteForestDomainController SRVUMVMDC01.umfolozi.local -RemoteForestCredential $RemoteCredentials -UseLocalObject -LocalForestDomainController SRVPGVMDC01.peermont.com -LocalForestCredential $LocalCredentials -OverWriteLocalObject
    4 | Submit mailbox request (command example below) | Error
    Command Example:
    New-MoveRequest -Identity "0fa7d17e-3637-4708-a51b-f14eaae17968" -BadItemLimit "50" -TargetDeliveryDomain "internal.peermont.com" -TargetDatabase "{c5d6ea95-07b3-4a52-9868-e41e808a76fe}" -RemoteCredential (Get-Credential "umfolozi\svcmigration") -RemoteGlobalCatalog "SRVUMVMDC02.umfolozi.local" -RemoteLegacy:$True
    All the standard migration task works as expected until the mailbox migration move request is submitted. See move request verbose detail below:
    [PS] C:\Windows\system32>New-MoveRequest -Identity "0fa7d17e-3637-4708-a51b-f14eaae17968" -BadItemLimit "50" -TargetDeli
    veryDomain "internal.peermont.com" -TargetDatabase "{c5d6ea95-07b3-4a52-9868-e41e808a76fe}" -RemoteCredential (Get-Crede
    ntial "umfolozi\svcmigration") -RemoteGlobalCatalog "SRVUMVMDC02.umfolozi.local" -RemoteLegacy:$True -Verbose
    VERBOSE: [11:34:27.346 GMT] New-MoveRequest : Active Directory session settings for 'New-MoveRequest' are: View Entire
    Forest: 'False', Default Scope: 'peermont.com', Configuration Domain Controller: 'SRVPGVMDC02.peermont.com', Preferred
    Global Catalog: 'SRVPGVMDC02.peermont.com', Preferred Domain Controllers: '{ SRVPGVMDC02.peermont.com }'
    VERBOSE: [11:34:27.362 GMT] New-MoveRequest : Runspace context: Executing user: peermont.com/Admin/Users/Admin
    Accounts/Information Technology/SoarSoft/Johann Van Schalkwyk, Executing user organization: , Current organization: ,
    RBAC-enabled: Enabled.
    VERBOSE: [11:34:27.362 GMT] New-MoveRequest : Beginning processing &
    VERBOSE: [11:34:27.362 GMT] New-MoveRequest : Instantiating handler with index 0 for cmdlet extension agent "Admin
    Audit Log Agent".
    WARNING: When an item can't be read from the source database or it can't be written to the destination database, it
    will be considered corrupted. By specifying a non-zero BadItemLimit, you are requesting that Exchange not copy such
    items to the destination mailbox. At move completion, these corrupted items won't be available in the destination
    mailbox.
    VERBOSE: [11:34:27.362 GMT] New-MoveRequest : Searching objects "{c5d6ea95-07b3-4a52-9868-e41e808a76fe}" of type
    "MailboxDatabase" under the root "$null".
    VERBOSE: [11:34:27.362 GMT] New-MoveRequest : Previous operation run on domain controller 'SRVPGVMDC02.peermont.com'.
    VERBOSE: [11:34:27.393 GMT] New-MoveRequest : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient Write
    Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclusive Recipient Scope(s):
     {}, Exclusive Configuration Scope(s): {} }
    VERBOSE: [11:34:27.393 GMT] New-MoveRequest : Searching objects "0fa7d17e-3637-4708-a51b-f14eaae17968" of type "ADUser"
     under the root "$null".
    VERBOSE: [11:34:27.471 GMT] New-MoveRequest : Previous operation run on domain controller 'SRVPGVMDC02.peermont.com'.
    VERBOSE: [11:34:27.471 GMT] New-MoveRequest : Processing object "$null".
    VERBOSE: [11:34:27.487 GMT] New-MoveRequest : [DEBUG] No RequestJob messages found.
    VERBOSE: [11:34:27.487 GMT] New-MoveRequest : [DEBUG] MDB c5d6ea95-07b3-4a52-9868-e41e808a76fe found to belong to Site:
     peermont.com/Configuration/Sites/Peermont
    VERBOSE: [11:34:27.487 GMT] New-MoveRequest : [DEBUG] MRSClient: attempting to connect to 'SRVPGVMEXCH02.peermont.com'
    VERBOSE: [11:34:27.627 GMT] New-MoveRequest : [DEBUG] MRSClient: connected to 'SRVPGVMEXCH02.peermont.com', version
    14.3.178.0 caps:07
    VERBOSE: [11:34:27.627 GMT] New-MoveRequest : [DEBUG] Loading source mailbox info
    VERBOSE: [11:34:28.844 GMT] New-MoveRequest : Failed to reconnect to Active Directory server
    SRVUMVMDC02.umfolozi.local. Make sure the server is available, and that you have used the correct credentials. --> A
    local error occurred.
    VERBOSE: [11:34:28.844 GMT] New-MoveRequest : Admin Audit Log: Entered Handler:OnComplete.
    Failed to reconnect to Active Directory server SRVUMVMDC02.umfolozi.local. Make sure the server is available, and that
    you have used the correct credentials.
        + CategoryInfo          : NotSpecified: (0:Int32) [New-MoveRequest], RemoteTransientException
        + FullyQualifiedErrorId : F48FD74B,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest
        + PSComputerName        : srvpgvmexch02.peermont.com
    VERBOSE: [11:34:28.859 GMT] New-MoveRequest : Ending processing &
    Troubleshooting Performed
    1. When submitting mailbox move request tried the following credential inputs:
    1.1. DOMAIN\Username
    1.2. FQDN\Username
    1.3. userPrincipalName
    2. Confirmed domain trust between source and target domain is in place and validated.
    3. Confirmed name resolution in source and target domain is functioning as expected.
    4. Confirmed network connectivity between source and target domain controllers as well as source and target exchange servers.
    5. Tried to create new Linked Mailbox to account in source forest, can’t select Global Catalog via the wizard;
    Tried to specify the credentials for the account forest and got the following error when tried to select Global Catalog from wizard:

    The error talks about the credential. Did you check the credential?
    Did you try this command?
    New-MoveRequest -Identity "Distinguished name of User in Target Forest" -RemoteLegacy -TargetDatabase "E2K10 Mailbox Database Name" -RemoteGlobalCatalog "FQDN of Source DC" -RemoteCredential $Remote -TargetDeliveryDomain "Target domain name"
    http://blogs.technet.com/b/exchange/archive/2010/08/10/3410619.aspx
    Cheers,
    Gulab Prasad
    Technology Consultant

  • After installing SP2, reconnected mailbox take 24+ hours to become available

    The other day, we install SP2 on our 1 back-end and 2 front-end Exchange 2010 servers.  All are on 2008 R2.  After SP2 was installed, if we want to reconnect a deleted/disconnected mailbox, it lets us without issue.  However, when we try to
    access that mailbox in OWA, we get:  "Your account has been disabled."  Additionally, when opening the account (or any reconnected account) in EMC, everything looks perfect except that we cannot click on the Calendar Settings tab.  If we do,
    we get an error saying "cannot open mailbox "Full DN of the System Attendant" when running the command "get-calendarprocessing..."  Please note that we can create new accounts/mailboxes without issue and the reconnected mailboxes seem to begin working
    after a full day.  Any help would be greatly appreciated!

    Hi Tom,
    Based on my test, this is common behavior.
    After restarting the Exchange Server you can use that mailbox, or wait for a while.
    Thanks.
    Rowen
    TechNet Community Support

  • Using security groups to grant Full Mailbox Permissions

    Hi, I've of course found several articles discussing granting full mailbox permissions to universal security groups in Exchange 2010, however, most of them are outdated and provide contradicting information.
    So I figured I'd ask here to generate a more 'current' discussion of this and get the real answers.
    If I do the following:
    1. Create a shared mailbox
    2. Create a Universal Security group (USG)
    3. Add User X to the USG
    4. Grant the USG Full Access Permissions to the shared mailbox
    Q1: Will the shared mailbox automatically show up in User X's mailbox? I've read posts/articles claiming both NO and YES to this question. Some say you have to still go through the 'open additional mailboxes' setting in Outlook.
    Q2: According to the below thread, this is actually still a bug in Exchange 2010 in that when you assign Full Access to a Universal Group, it is supposed to auto-populate, but doesn't. Further, there are claims that USG replication takes a good 12-24 hours
    before showing up in the user's Outlook. Some say you actually need to restart the Information Store before it will take effect. This is in stark contrast to granting full access to an individual user account, which takes effect immediately.
    So what is the real truth here when using USGs to grant Full Access?
    https://social.technet.microsoft.com/Forums/exchange/en-US/9840fd13-daf8-45aa-ab35-4a827f1ba1e0/exchange-2010-unable-to-assign-full-access-permissions-using-a-security-group?forum=exchangesvrgenerallegacy
    Thanks,

    Hi squishmike,
    Thank you for your question.
    Q1: Will the shared mailbox automatically show up in User X's mailbox? I've read posts/articles claiming both NO and YES to this question. Some say you have to still go through the 'open additional mailboxes' setting in Outlook.
    A: By my testing, we still go through the ‘open addition mailbox’ setting in outlook when we open outlook with new profile.
    Q2: According to the below thread, this is actually still a bug in Exchange 2010 in that when you assign Full Access to a Universal Group, it is supposed to auto-populate, but doesn't. Further, there are claims that USG replication takes a good 12-24
    hours before showing up in the user's Outlook. Some say you actually need to restart the Information Store before it will take effect. This is in stark contrast to granting full access to an individual user account, which takes effect immediately. 
    So what is the real truth here when using USGs to grant Full Access?
    A: Question 1 has answered it. It will show the shared mailbox via ‘open additional mailbox’; we will add the shared mailbox manually.
    If there are any questions regarding this issue, please feel free to let me know. 
    Best Regards,
    Jim

  • Beware of Linked Mailbox status - Moving Unity_server mailboxes to Exchange 2010

    Hi all -
    Here is a problem I encountered that I want to pass along to you:
    When partnering Unity to Exchange 2010, the Unity_servername, USBMS_servername, EAdmin, and unitymsgstoresvc inboxes are moved from the old Exchange to the new 2010 server.  Using the Exchange Management Console, the users should show up as User Mailboxes, not Linked Mailbox.  A Linked mailbox in Exchange 2010 is an external account, i.e. an account in another forest.  If this occurs for the Unity_servername mailbox, external caller voice messages remain in UMR (UnityMTA) and you will see many application event log errors.  In EMC you will observe the account mailboxes show in Disconnected status.
    If this happens to you, here is the fix:
    Disable the Account from EMC in Exchange 2010.  Note you will get a prompt that the Exchange properties are being removed but the email inbox is NOT deleted.
    Re-enable the account from ADUC.
    In EMC, go to Disconnected Mailboxes, select the Unity mailbox and select Connect.  In the Connect wizard, re-associate with the existing account. Re-enter the user alias and complete the wizard.
    Restart AvUMRSynchSvr service on Unity.
    Hope this helps someone in the future!
    Sincerely, Ginger

    Thanks Brad :-)  I forgot to mention I discovered a number of Internet hits that say this can happen with Move Mailbox.  Here's the link I used to begin researching the problem (hint: go all the way to the bottom of the web page - http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26308671.html).  Got to give kudos to this most excellent Exchange resource - has helped me a bunch over the years!

  • Linked mailbox credential prompt.

    We have set up a linked mailbox between two different domains and all is OK.
    I just want to clarify whether it is normal that every time I open the Outlook client of the linked mailbox it prompts for its credentials, even if the domain account logged in is also the linked mailbox account?
    If it is not, please let me know what authentication method I should change, or is this normal for a linked mailbox?
    Thanks in advance!

    Hi,
    To understand more about the issue, I’d like to confirm the following information:
    1. Check the authentication method in the tab named Exchange Proxy Settings.
    2. Is there a firewall between the two domains?
    3. Does the credential prompt accept the password or keep prompting?
    4. Cancel the credential prompt and then run "Test Email AutoConfiguration" to see if there is any error returned.
    5. Does the credential prompt appear if you run Outlook in online mode?
    If you have any questions, please feel free to let me know.
    Thanks,
    Angela Shi
    TechNet Community Support

  • Linked Mailboxes

    Hi,
    I have two domains, domain a and domain b.  In domain a I have an Exchange 2010 server and would like to set up mailboxes for some users who have Active Directory accounts in domain b.  I created linked mailboxes in Exchange and all worked fine for a number of days.  Came in today and the users are being prompted for passwords when they open Outlook, and their own domain b\ username and password are not working.  They can however use Outlook Web Access.
    Any ideas?
    Cheers

    Hi,
    Did we change anything else?
    Please run Outlook under safe mode to avoid some AVs, add-ins and firewall.
    Please re-create a new profile to refresh the caches.
    Please delete the credential, steps as below:
    1. Control Panel-->User Accounts-->click Manage your credentials in the left pane
    2. Click the vault that contains the credential that we want to remove.
    3. Click the credential that we want to remove, and then click Remove from vault.
    Please verify our Exchange Proxy Settings via Outlook.
    Steps as below:
    Outlook-->Tools-->Account Settings-->E-mail-->click the Exchange account-->Change-->More Settings-->Connection-->Exchange Proxy Settings
    Outlook Anywhere options and their descriptions:
    - On a fast network, connect using HTTP first, then connect using TCP/IP: By default on a fast network, Outlook attempts to connect by using the LAN connection first. This option is cleared by default.
    - On a slow network, connect using HTTP first, then connect using TCP/IP: By default, on a slow network, Outlook attempts to connect by using HTTP first. This option is set by default.
    - Password Authentication (NTLM): The default authentication method. We recommend that you specify this option together with Connect with SSL only and Mutually authenticate the session when connecting with SSL.
    - Basic Password Authentication: With this option, users are prompted for a password each time a connection is made to the Exchange server. In addition, if users are not using Secure Sockets Layer (SSL), the password is sent in clear text. This can pose a security risk.
    If we are in the "Basic Password Authentication", please change to the "NTLM" for testing.
    If still not working unfortunately, please verify our SSL principal name. Steps as below:
    1. Please determine the FQDN that the client uses to access the resource. Steps as below:
    Outlook-->Tools-->Account Settings-->E-mail-->click the Exchange account-->Change-->More Settings-->Connection-->Exchange Proxy Settings-->note the FQDN that is listed in the "Only connect to proxy servers that have this principal name in their certificate" box.
    2. Please use EMS to determine the value for the CertPrincipalName attribute: Get-OutlookProvider
    This command returns the result for the EXPR name.
    3. Please reset the CertPrincipalName attribute to match the FQDN via the following command:
    Set-OutlookProvider EXPR -CertPrincipalName "msstd:<FQDN the certificate is issued to>"
    Hope it is helpful
    Thanks
    Mavis
    Mavis Huang
    TechNet Community Support
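
One way to check the settings from the answer above offline, as an added example that is not part of the original thread: the hypothetical helper `Test-OutlookAnywhereSetting` flags Basic authentication, Basic without "Connect with SSL only", and an EXPR CertPrincipalName that does not match the name the certificate is issued to. All input values are constructed, and the parameter names are assumptions.

```powershell
# Added example. Test-OutlookAnywhereSetting is a hypothetical helper,
# not an Exchange cmdlet. Written to run on PowerShell 2.0 and later.
function Test-OutlookAnywhereSetting {
    param(
        [Parameter(Mandatory=$true)] [ValidateSet('Ntlm','Basic')]
        [string] $AuthMethod,            # authentication chosen in Exchange Proxy Settings
        [Parameter(Mandatory=$true)]
        [bool]   $SslOnly,               # is "Connect with SSL only" ticked?
        [Parameter(Mandatory=$true)]
        [string] $CertPrincipalName,     # value Get-OutlookProvider shows for EXPR
        [Parameter(Mandatory=$true)]
        [string] $CertificateSubject     # subject ("issued to") of the server certificate
    )
    $findings = @()

    if ($AuthMethod -eq 'Basic') {
        $findings += 'Basic authentication: users are prompted for a password on each connection.'
        if (-not $SslOnly) {
            $findings += 'Basic without "Connect with SSL only": the password is sent in clear text.'
        }
    }

    # Pull the common name out of the certificate subject.
    $issuedTo = $null
    if ($CertificateSubject -match '(?:^|,\s*)CN=([^,]+)') { $issuedTo = $Matches[1].Trim() }

    # The EXPR principal name is expected in the form msstd:<name>.
    if ($CertPrincipalName -match '^msstd:(.+)$') {
        $principal = $Matches[1].Trim()
        if ($null -eq $issuedTo) {
            $findings += 'Certificate subject has no CN to compare against.'
        } elseif ($principal -ne $issuedTo) {   # -ne compares strings case-insensitively
            $findings += "CertPrincipalName '$principal' does not match certificate name '$issuedTo'."
        }
    } else {
        $findings += "CertPrincipalName '$CertPrincipalName' is not in msstd:<name> form."
    }
    $findings
}

# Constructed sample values, not taken from the thread.
Test-OutlookAnywhereSetting -AuthMethod Basic -SslOnly $false `
    -CertPrincipalName 'msstd:mail.example.test' `
    -CertificateSubject 'CN=webmail.example.test, O=Example'
```

An empty result means none of the three conditions was found; on a live system the principal name would come from `Get-OutlookProvider` and the subject from the certificate the client actually reaches.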

  • Exchange 2013 linked mailbox

    I am administering Exchange 2013 in an organization where we have two separate forests with two separate Exchange 2013 servers. There is an AD trust between the forests. Each user has two mailboxes connected in Outlook, one from forest A and one from forest B. Let's say [email protected] and [email protected] There is a plan that users from forest A will use and have only one mailbox connected in Outlook and get all email data on the Exchange server within forest A. What is the best approach to do it smoothly? We do not want to remove the email addresses from forest B because a lot of people outside the company know only this email address as a contact point.
    I am thinking about creating linked mailboxes. Any other ideas or advice?

    Hi,
    Just remove the email address (i.e. [email protected]) from the mailbox in forest B and add it as a secondary SMTP address on the mailbox residing in forest A.
    In case you don't want the mailbox for user 1 in forest B, you can simply delete it instead of removing the email address.
    Note: You cannot simply remove the email address (i.e. [email protected]) from the mailbox of user 1 in forest B if it is set as the primary SMTP address. In that case, just set some dummy email address as the primary SMTP address, then remove the address [email protected] and add it as a secondary SMTP address on user 1's mailbox in forest A.
    Please feel free to reply to me if you have any queries.
    Thanks & Regards S.Nithyanandham
