Exchange Server Remote Connectivity Analyzer released

Microsoft has release a tool/website for administrators to test remote connectivity to the published Exchange services. Currently this analyzer works for the following services:

• Exchange ActiveSync
  Windows Mobile 5, 3rd party devices
  Windows Mobile 6.1+ with AutoDiscover
• Outlook Anywhere (aka RPC/HTTP)
  Outlook 2003
  Outlook 2007 with AutoDiscover
• Inbound SMTP

For the complete story check out the Exchange Team Blog at http://msexchangeteam.com/archive/2009/03/25/450908.aspx

Exchange Mailbox Permissions Issue

A while back we came across a nice "hidden feature" of Exchange that occurs after migrating mailboxes cross Forest. Again, its been a while, but I thought I would blog about it anyway.

Here is the problem description:

A migration of user, group, contact, etc. took place by migrating these objects with ADMT 3.0 from one Forest (W2K03 Native) to a new Forest (also W2K03 Native), including SidHistory.

Directly after that, the mailboxes of the users were migrated from Exchange 2003 in the old Forest to Exchange 2007 in the new Forest using the Move-Mailbox CmdLet.

Everything seemed fine.... until an admin tried to remove some mailbox permissions from a mailbox using the Remove-Mailboxpermission CmdLet. He got the following error message:

"Remove-MailboxPermission : Cannot remove ACE on object "CN=Migrated Mailbox,OU=....." for account "New Domain\migrated user" because it is not present"

Hmmm... when looking at the permissions on the migrated mailbox (Get-Mailboxpermission) it clearly stated that the user that was specified in the Remove-Mailboxpermission CmdLet has rights. The user was displayed in the following format: New Domain\Username.

First we thought a type-o was made or someting in the CmLets, but after some investigation all seemed to be fine with that. So what was happening here then?


The Solution:

What is happening here is the following. The name that is displayed when doing a Get-Mailboxpermission is actually not correct. The reason why it states "New Domain\Username" is SidHistory. Under the hood, the "OLD Domain\Username" still has permissions. To be more specific, the permissions are still pointing to the OLD Domain Sid of the user.

When performing the Get-Mailboxpermission, Exchange translates this OLD Domain Sid to the "NEW Domain\Username" based on the SidHistory value in AD of the migrated user.

To test this we removed the SidHistory of the migrated user in the NEW Domain. Because at that moment the Trust between the Forests was still active, when doing a Get-Mailboxpermission you would now see the permissions in the form of "OLD Domain\Username". If the Trust would be gone, this would state the old Domain Sid of the user because it would not be able to resolve the account name anymore.

Now when performing the Remove-Mailboxpermission on the mailbox for the same user based on the syntax of "OLD Domain\Username", it worked without issues. Without a trust you could even use the old Domain Sid of the user to remove the permissions, same thing.

Because removing SidHistory could have a big impact, a call was logged with MS. After sending a lot of info about this to MS we ended up in a conference call with Redmond discussing this issue. Basically MS told us that this is by design, and if you would migrate between Forests using SidHistory, you would first need to "clean up" all mailbox permissions before doing a Move-Mailbox....... right.

To me a simple option to just add another parameter to the Move-Mailbox Cmdlet that would enable you to just choose if you want to translate the mailboxpermissions to the value or not, could just do it. But MS thought differently.....

Basically the only option to solve this issue after a migration, is to clean up SidHistory. Yes, I know, you should always do this to finish a migration clean. In small migrations this is maybe not a real issue, but in large scale, phased migrations this in general is an issue. Maybe not after all objects have been migrated, but you still have that time in between the start of the migration and the end, in which you will not be able to remove mailbox permissions. A not so nice alternative is to grant explicit Deny permissions to the user if the user should not have rights on the mailbox at all anymore. But if you just want to change the permissions, you will not be able to.

Wim.

Updates to the Mailbox Server Role Storage Requirements Calculator (Version 16.3)

The MS Exchange Team has posted an update to the "Exchange 2007 Mailbox Server Role Storage Requirements Calculator " yesterday.

Enhancements in this version:

• We added the calculated (or user defined) read/write ratio per mailbox tier into the Storage Requirements Results User Mailbox Configuration table.
• We added the server's calculated database read I/O percentage value into the Storage Requirements Results Disk Space & Performance Requirements table.
• Since the Recovery Point Objective input question only dealt with SCR, we moved that from the Log Replication section to the Standby Continuous Replication Configuration table.
• We added a new message profile, Extra Heavy. With this additional profile, we now have 5 available messaging profiles as defined

Bug Fixes:
In prior versions, when you selected to use SCR and wanted to match the source configuration design, the following tables did not accurately reflect the correct values for the given SCR configuration (in so far as by selecting to match a source CCR configuration that means there are 2 SCR targets for every active database instance, so if you had 2 CCR clusters then you would have at least 2 SCR targets per CCR cluster):

1. Disk Space & Performance Requirements - Total for all SCR Servers column, all rows.

2. LUN Configuration (per Server) - SCR Targets column, Total Recommended Exchange LUNs row.

3. Storage Configuration - Environment column, Total Number of SCR Disks Requirement row and Total Number of Disks Required row.

Source:

http://msexchangeteam.com/archive/2007/07/05/445802.aspx

Extra Network Name cluster resource causes Exchange issues

Last week I encountered a nice issue on an exchange 2007 SCC configuration at a customer. When opening the Exchange Management Console an error popped up saying:

"Cannot query cluster continuous replication status for a clustered mailbox server that is not local. server is not hosted on this cluster."















Additionally the cluster was not operating as you should expect from a cluster. When trying to take the Exchange resources offline using Powershell, the following error was displayed:

"Cluster Common Failure Exception : The cluster resource group for clustered mailbox server was not found."






And when trying to move the Exchange cluster group:

"Unable to communicate with the Cluster service on node ''. Please make sure the node is up, the Cluster service is running, and connectivity is operational."






The problem arrose when they wanted to do a restore using a RSG. After the restore was done, the store in the RSG wouldn't mount (another side affect).

After some troubleshooting we found out that an extra Network Name cluster resource was added to the Exchange Cluster Group. We had the feeling that this was causing the issue. We simulated the setup in a testlab and were able to reproduce the problems there. When deleting the additional Network Name resource, the problems went away. Just taking it offline doesn't do the trick. So lesson learned: Leave the Exchange cluster group alone!

Wim.