RE: [ActiveDir] Exchange and AD E-mails

[joe]

Err let me restate that. Would the ACLs on msExchSecurityDescriptor be enough to prevent instantiation of the store object for a mailbox when an email is inbound to that mailbox? My understanding of the ACLing is that the AD SD for Exchange is more of a guideline versus a rule for the initial instantiation permissions but at no point is it really considered authoritative before or after store object instantiation so would Exchange look at that and make a determination that a mailbox shouldn't receive email?   And if so, is there some logging that would show that to be the case or would it simply fire back a simple mailbox doesn't exist NDR and be done with it? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Monday, August 02, 2004 2:44 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Exchange and AD E-mails I've got to back off the drinking apparently ;)   ACL's very well can prevent mail delivery.    Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, August 02, 2004 1:49 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Exchange and AD E-mails homeMDB is there...   >homeMDB: CN=Mailbox Store (AUSTIN),CN=First Storage Group,CN=InformationStore,C N=AUSTIN,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Re ndition Networks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=rendition networks,DC=com   the permissions idea is an interesting one though... There could be a crapped out ACL I guess. That is the one thing that isn't really enumerated in the ADFIND output. Could that prevent email being received though?   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Monday, August 02, 2004 1:39 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Exchange and AD E-mails I notice you have no homeMDB attrib.  That would explain the Outlook and ESM failure to open the mailbox store.    If you have auditing enabled, check the event log for errors during the time you try to log in with the user account.  Compare that with an attempt from yourself (administrator) logging in to the same mailbox.  Until an entry is created for the user object in the store, you won't get to deliver mail and you won't be able to log on.  If you can log on with administrator, but can't deliver mail to it (system privileges for that) then you have may want to look at the permissions for that store object.   Just a random thought. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, August 02, 2004 12:18 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Exchange and AD E-mails Yeah, I don't think this is an AD issue unless it is replication and the Exchange Server is pointing at a domain controller that doesn't have the information due to replication issues. I would verify that the DC it is using is indeed all up to date and happy and if so, start digging into Exchange Specific troubleshooting.     joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer Sent: Monday, August 02, 2004 11:14 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Exchange and AD E-mails Error when moving Mailbox:   Results:   Error: Opening source mailbox. CN=1234,OU=Test Accounts,DC=renditionnetworks,DC=com: The information store could not be opened. The MAPI provider failed. MAPI 1.0   There is a MS Q article on this but the attributes it says o check to already exist for eh user...??   Mike     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, August 01, 2004 1:35 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Exchange and AD E-mails   What is the error you get when trying to move the mailboxes into the old store? Can you move mailboxes out of that store?   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer Sent: Sunday, August 01, 2004 3:14 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Exchange and AD E-mails No error logs on teh exchange server, and yes the NDR is that the mailbox doesn't exist. I created another mailbox store on the same server and I can create mailbox's there and send and recieve mail. Although I am unable to move mailboxes between the mail stores.   thanks   Mike -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of joe Sent: Sunday, August 01, 2004 9:40 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Exchange and AD E-mails Scary, the AD object seems ok, the only thing that sort of sticks out is in your textOREncodedAddress and proxyAddresses and that is:   >textEncodedORAddress: c=us;a= ;p=Rendition Networ;o=Exchange;s=1234; >proxyAddresses: X400:c=us;a= ;p=Rendition Networ;o=Exchange;s=1234; where the Rendition Networds is chopped off. I would simply verify that is the same on your other mailbox enabled objects. I haven't had an Org that long of a name that I have seen before so possibly they chop it on purpose. Anyone else see something like that?   Do you have errors in your exchange logs?     What is the NDR that you are getting? Mailbox doesn't exist?     joe     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer Sent: Friday, July 30, 2004 5:04 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Exchange and AD E-mails Yes I mean mailbox enabled (My bad) I cannot send mail to the account and the mailbox does not show up in ESM. Although when I delete the account it has a mailbox associated with it. I have run a rebuild of the RUS.     Here is the Dump:   dn:CN=1234,OU=Test Accounts,DC=renditionnetworks,DC=com >homeMDB: CN=Mailbox Store (AUSTIN),CN=First Storage Group,CN=InformationStore,C N=AUSTIN,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Re ndition Networks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=rendition networks,DC=com >cn: 1234 >displayName: 1234 >mail: [EMAIL PROTECTED] >givenName: 1234 >instanceType: 4 >legacyExchangeDN: /o=Rendition Networks/ou=First Administrative Group/cn=Recipi ents/cn=1234 >distinguishedName: CN=1234,OU=Test Accounts,DC=renditionnetworks,DC=com >objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=renditionnetworks,DC=co m >objectClass: top >objectClass: person >objectClass: organizationalPerson >objectClass: user >objectGUID: {2B7934AB-63B3-4976-88BE-EF5FE99E9DAB} >objectSid: S-1-5-21-2068531175-665650586-2065370986-1723 >primaryGroupID: 513 >proxyAddresses: smtp:[EMAIL PROTECTED] >proxyAddresses: X400:c=us;a= ;p=Rendition Networ;o=Exchange;s=1234; >proxyAddresses: SMTP:[EMAIL PROTECTED] >name: 1234 >sAMAccountName: 1234 >sAMAccountType: 805306368 >showInAddressBook: CN=Default Global Address List,CN=All Global Address Lists,C N=Address Lists Container,CN=Rendition Networks,CN=Microsoft Exchange,CN=Service s,CN=Configuration,DC=renditionnetworks,DC=com >showInAddressBook: CN=All Users,CN=All Address Lists,CN=Address Lists Container ,CN=Rendition Networks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ren ditionnetworks,DC=com >textEncodedORAddress: c=us;a= ;p=Rendition Networ;o=Exchange;s=1234; >userAccountControl: 512 >userPrincipalName: [EMAIL PROTECTED] >uSNChanged: 2567831 >uSNCreated: 2567823 >whenChanged: 20040730203736.0Z >whenCreated: 20040730203626.0Z >homeMTA: CN=Microsoft MTA,CN=AUSTIN,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Rendition Networks,CN=Microsoft   xchange,CN=Services,CN=Configuration,DC=renditionnetworks,DC=com >msExchHomeServerName: /o=Rendition Networks/ou=First Administrative Group/cn=Co nfiguration/cn=Servers/cn=AUSTIN >msExchMailboxGuid: {B695A373-868A-4C2D-BE9E-54DA145A7F7C} >msExchMailboxSecurityDescriptor: {Security Descriptor} >mailNickname: 1234 >mDBUseDefaults: TRUE >msExchUserAccountControl: 0     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, July 30, 2004 10:25 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Exchange and AD E-mails   My first question is probably not needed but I want to clear the terminology...   When you say mail enabled do you really mean mailbox enabled? Mail enabled means the user object has an external (to Exchange) email address sort of like a contact. A mailbox enabled user is a user with a mailbox in the forest's Exchange Org.   If the ID is truly mailbox enabled, can you send email to it? Do you get an NDR or does it appear to get delivered? When you look at the store through the ESM do you see the mailbox?   A dump of the user object would be nice as that will show up any issues on the AD Object itself   adfind -gc -b "" -f samaccountname=userid   should be sufficient.       joe     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer Sent: Friday, July 30, 2004 1:22 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Exchange and AD E-mails Not sure this is the correct forum for this but here goes. I have a WIN 2k single domain running Exchange 2K.   Everything's has been running fine until a few days ago. Now when I create a new mail enables user in AD. And try to log onto the account to setup the mapi mail profiles I get "cannot connect to the information Store" but when log on as myself or any other user that was already in the domain I have no problems connecting and viewing e-mail. (The only change was the Exchange SP3 security roll-up patch was applied a few weeks ago) I've checked the replication between the DC's and Exchange, no problems, RPC is running and no other mapi problems show up with any other accounts only new accounts are having problems. My current Info store is about 19 GB in size. I did create an additional store with in my First storage group and I can create a mail enabled account and connect using that store. I'm concerned the Problem is with AD... ANY advice would be greatly appreciated.   Thanks in advance. Mike