
Exchange 2003\Redbull Connector\Permissions not migrated when we migrate resource mailboxes

When attempting to migrate resource mailboxes across via the Exchange 2003 Lotus Notes Connector (Redbull) you may notice that permissions are not migrated correctly. This is by design; at this time you will need to set these permissions manually after the migration.

The server to which the application is connected cannot impersonate the requested user due to insufficient permission.

PROBLEM: When running the Transporter for either Lotus Notes or IMAP migrations you may encounter the following error:

 

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:01:00


email@address.com
Failed

Error:
Migration does not happen for the user (email@address.com) due to some errors. All the mailbox items belonging to this user will be ignored.

System.Web.Services.Protocols.SoapException: The server to which the application is connected cannot impersonate the requested user due to insufficient permission.
   at Microsoft.Exchange.Services.RequestSoapHeaderServiceExtension.ProcessSoapHeaders(SoapMessage message, Object responsibleObject)
   at Microsoft.Exchange.Services.RequestSoapHeaderServiceExtension.AfterDeserializeRequest(SoapMessage message)
   at Microsoft.Exchange.Services.ServiceExtensionManager.DoAfterDeserializeRequest(SoapMessage message)
   at Microsoft.Exchange.Services.ServiceExtensionManager.<>c__DisplayClass1.<ProcessMessage>b__0()
   at Microsoft.Exchange.Diagnostics.ExWatson.<>c__DisplayClass8.<SendReportOnUnhandledException>b__4()
   at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(TryDelegate tryDelegate, FilterDelegate filterDelegate, CatchDelegate catchDelegate)
   at Microsoft.Exchange.Diagnostics.ExWatson.SendReportOnUnhandledException(MethodDelegate methodDelegate, IsExceptionInteresting exceptionInteresting, Boolean terminating)
   at Microsoft.Exchange.Diagnostics.ExWatson.SendReportOnUnhandledException(MethodDelegate methodDelegate, IsExceptionInteresting exceptionInteresting)
   at Microsoft.Exchange.Services.Core.ServiceDiagnostics.TraceErrorOnUnhandledException(MethodDelegate methodDelegate)
   at Microsoft.Exchange.Services.ServiceExtensionManager.ProcessMessage(SoapMessage message)
   at System.Web.Services.Protocols.SoapMessage.RunExtensions(SoapExtension[] extensions, Boolean throwOnException)
   at System.Web.Services.Protocols.SoapServerProtocol.CreateServerInstance()
   at System.Web.Services.Protocols.WebServiceHandler.Invoke()
   at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()


Warning:
Impersonation failed for the user (email@address.com) Error: (ErrorImpersonationDeniedThe server to which the application is connected cannot impersonate the requested user due to insufficient permission.).

 

RESOLUTION:

This error indicates that the account running the migration lacks permission to impersonate the user. The Active Directory account used to perform the migration must hold the impersonation right on the Client Access server so that it can inject mail into the users' mailboxes.

This permission can be set using an Exchange Management Shell command:

This adds the permission to one CAS (Client Access Server):
Add-ADPermission -Identity 'DN_of_ClientAccessServer' -User 'domain\username' -ExtendedRights ms-Exch-EPI-Impersonation

This adds the permission to all CAS servers:
foreach ($exchangeServer in Get-ExchangeServer)
{
     if ($exchangeServer.ServerRole -match 'ClientAccess')
     {
          Add-ADPermission -Identity $exchangeServer.DistinguishedName -User 'domain\user' -ExtendedRights ms-Exch-EPI-Impersonation
     }
}

Where domain\user is the user performing the migration.
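As an added check (example code, not from the original post), the following Exchange Management Shell snippet verifies on every Client Access server that the migration account actually holds the impersonation right, so a missing or Deny ACE is caught before the Transporter runs. 'domain\migration-svc' is a placeholder account name.

```powershell
# Added example (not from the original post): verify that the migration account
# holds ms-Exch-EPI-Impersonation on every Client Access server before running
# the Transporter. Assumes an Exchange 2007 Management Shell session.
# 'domain\migration-svc' is a placeholder for the account doing the migration.
$migrationAccount = 'domain\migration-svc'

foreach ($exchangeServer in Get-ExchangeServer)
{
    if ($exchangeServer.ServerRole -notmatch 'ClientAccess') { continue }

    # Keep only Allow ACEs for this account that carry the impersonation extended right
    $grant = Get-ADPermission -Identity $exchangeServer.DistinguishedName |
        Where-Object {
            ("$($_.User)" -eq $migrationAccount) -and
            (-not $_.Deny) -and
            ($_.ExtendedRights -like 'ms-Exch-EPI-Impersonation')
        }

    if ($grant)
    {
        Write-Host ("{0}: impersonation right present for {1}" -f $exchangeServer.Name, $migrationAccount)
    }
    else
    {
        Write-Host ("{0}: MISSING - grant it with Add-ADPermission as shown above" -f $exchangeServer.Name)
    }
}
```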

A few quick questions about upgrading to a new version of the Transporter

Every once in a while I get questions via email that aren't well documented. I will try (when I have time) to post those here:

 

1. Can we upgrade by installing the new release without issues, or will it wipe out existing settings?

  • Uninstall/Reinstall the Transporter application but leave your connectors in place

2. Do we also need to upgrade the Domino server with a new excalcon?

  • Yes, the reason you have to do it this time is due to a security change that was implemented for this release. (Generally you want to do this regardless of the release to be on the safe side)

New Transporter released today - things are getting busy

New build of the transporter shipped today, you can download it here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=35fc4205-792b-4306-8e4b-0de9cce72172&DisplayLang=en

This is the Transporter release that has been in the works for a while now. It includes new PowerShell commands to assist in migrating from any generic POP3 or IMAP server to Exchange 2007.

A quick quote on that:

Key Features of POP/IMAP migration tools:
Tools are designed to enable an administrator to bulk migrate mailboxes from generic POP/IMAP servers to Exchange.
• General extraction of mailbox content from generic POP/IMAP servers
     o Test has migration of mailbox content from Exchange, Domino, GMAIL, AOL, Comcast, IMAP UW Server on Unix, Mail.RU, Communicate Pro
     o Extraction can use individual mailbox credentials or through an administrative credential
• Migration to Exchange 2007 using the Transporter Engine and Exchange Web Services
     o Migrates content into existing mailboxes using Exchange Web Services
     o Preserves all mail formatting, address headers and iCAL content
• Easy to use MMC Wizard GUI and PowerShell tasks
     o GUI can be used to load and track bulk lists of mailboxes to migrate
     o PowerShell can be used for automation/advanced migration

 

So recently I've had a couple of things I wanted to blog about, but we have been incredibly busy the last few weeks. Today I read an article that might explain why, and gives a little insight into how the next few months might go:

http://www.internetnews.com/ent-news/article.php/3722791

Specifically this section of the article which Justin pointed out to me this morning:


That rhetoric is echoed by his boss. "In the last six months of 2007, in the enterprise customer segment alone, more than 300 firms representing 2.8 million people began the move to Exchange Server, Office SharePoint Server and the Office suite," Chris Capossela, corporate vice president in the Microsoft Business Division, said in a statement. "That’s a 164% increase over the same period in 2006 [and] we’re already on track to exceed these numbers in 2008," he added.

Busy times... busy times

Could not create one or more attachments for item \ The operation has timed out

PROBLEM:

When attempting to run move-dominomailbox you may receive the following error:

 

WARNING: Could not create one or more attachments for item (Subject of the message (message.mail)) for the user User@domain.com
The message was migrated without attachments. This error might be due to configuration limitation on the server.
Error details: The operation has timed out
Please refer to help for the configuration changes needed

 

RESOLUTION: 

This error is typical when the SOAP message carrying the attachment takes longer to send over HTTP than IIS's connection timeout allows, so IIS drops the request before the attachment is created.

1. First, check the size of the message being migrated from Domino.
2. Check the web.config for the EWS virtual directory to see what maxRequestLength is set to. It needs to be higher than the size of the message being pushed across.
3. Check the timeout setting in IIS Manager for the website that EWS falls under:
     a. Open IIS Manager
     b. Right-click the website EWS is under and choose Properties
     c. On the Web Site tab, raise the Connection timeout from 120 seconds upwards, depending on how large the message is and how long it takes to send via SOAP
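Steps 1 and 2 can be checked from PowerShell before touching the IIS timeout; the snippet below is an added example (not from the original post) that compares the EWS maxRequestLength with the size of the message that failed, allowing for the base64 growth of attachments inside the SOAP body. It assumes the default Exchange 2007 CAS path for the EWS web.config, and $messageSizeBytes is a placeholder for the size observed on the Domino side.

```powershell
# Added example (not from the original post): check the EWS request-size limit
# against the message that timed out, before adjusting the IIS connection timeout.
# Assumptions: default Exchange 2007 CAS install path for the EWS web.config;
# $messageSizeBytes is a placeholder for the size observed on Domino.
$ewsWebConfig     = 'C:\Program Files\Microsoft\Exchange Server\ClientAccess\exchweb\ews\web.config'
$messageSizeBytes = 25MB

[xml]$config = Get-Content -Path $ewsWebConfig
$httpRuntime = $config.configuration.'system.web'.httpRuntime

# maxRequestLength is expressed in kilobytes; ASP.NET uses 4096 KB when the attribute is absent
$maxRequestKB = 4096
if ($httpRuntime -and $httpRuntime.maxRequestLength)
{
    $maxRequestKB = [int]$httpRuntime.maxRequestLength
}

# Attachments travel base64-encoded in the SOAP body, so the request is roughly
# a third larger than the raw message; budget for that overhead.
$requestKB = [math]::Ceiling(($messageSizeBytes * 4 / 3) / 1KB)

Write-Host ("EWS maxRequestLength  : {0} KB" -f $maxRequestKB)
Write-Host ("Estimated SOAP request: {0} KB" -f $requestKB)

if ($requestKB -gt $maxRequestKB)
{
    Write-Host 'maxRequestLength is too small for this message: raise it in web.config (step 2) before revisiting the timeout.'
}
else
{
    Write-Host 'Request size fits within maxRequestLength; the IIS connection timeout (step 3) is the likely limit.'
}
```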

The request failed with HTTP status 401: Unauthorized \ Could not retrieve e12 webservice url

PROBLEM: 

When attempting to migrate a user with move-dominomailbox using the Transporter for Lotus Notes for Exchange 2007, you may receive the following error:

The request failed with HTTP status 401: Unauthorized
Could not retrieve e12 webservice url

 

When running the same command with a -debug at the end of it, you may receive the following error:

DEBUG: Pinging URL (https://server.domain.com/ews/exchange.asmx)
DEBUG: Request failed with the error message (The request failed with HTTP status 401: Unauthorized.).

RESOLUTION:

 If you run the Transporter for Lotus Notes on the CAS server that you have specified for the Availability Service URL, you will need to disable the loopback check (DisableLoopbackCheck) on this CAS server.

Method 1: Disable the loopback check

1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate and then click the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

3. Right-click Lsa, point to New, and then click DWORD Value.
4. Type DisableLoopbackCheck, and then press ENTER.
5. Right-click DisableLoopbackCheck, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor, and then restart your computer.

 

Method 2: Specify host names

To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate and then click the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

3. Right-click MSV1_0, point to New, and then click Multi-String Value.
4. Type BackConnectionHostNames, and then press ENTER.
5. Right-click BackConnectionHostNames, and then click Modify.
6. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
7. Quit Registry Editor, and then restart the IISAdmin service.

MORE INFORMATION:

You can additionally test this by connecting to the same URL (https://server.domain.com/ews/exchange.asmx) from both the CAS server itself and from a different machine on the same domain. The CAS server will be unable to log in and will keep reprompting for credentials, while the other machine logs in fine and displays the XML. This is the loopback check at work: a server only accepts authentication to its own FQDN, and the external name specified in the URL does not match that name.

i.e. the server name is server.internaldomainname.com, but externally you specify it as server.domain.com.
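Of the two methods above, Method 2 is the narrower change, since it whitelists only the names you list rather than switching the loopback check off for every name. The snippet below is an added example (not from the original post) that applies Method 2 from PowerShell, extending BackConnectionHostNames instead of overwriting it; 'server.domain.com' is a placeholder for the name in the Availability Service URL, and it must be run elevated on the CAS server.

```powershell
# Added example (not from the original post): apply Method 2 from PowerShell,
# adding the external EWS host name to BackConnectionHostNames rather than
# turning the loopback check off for every name. Run elevated on the CAS server.
# 'server.domain.com' is a placeholder for the name in the Availability Service URL.
$hostName  = 'server.domain.com'
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$valueName = 'BackConnectionHostNames'

# Report whether Method 1 is already in effect: with DisableLoopbackCheck=1 the
# check is off for all names, so the narrower list below adds nothing.
$lsa = Get-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
if ($lsa -and $lsa.DisableLoopbackCheck -eq 1)
{
    Write-Host 'DisableLoopbackCheck is set to 1: the loopback check is disabled for all host names'
}

# Read any names already registered so the list is extended, not replaced
$existing = @()
$item = Get-ItemProperty -Path $msv10Key -Name $valueName -ErrorAction SilentlyContinue
if ($item) { $existing = @($item.$valueName) }

if ($existing -contains $hostName)
{
    Write-Host "$hostName is already listed in $valueName"
}
else
{
    $names = [string[]]($existing + $hostName)
    if ($item)
    {
        Set-ItemProperty -Path $msv10Key -Name $valueName -Value $names
    }
    else
    {
        # First entry: create the REG_MULTI_SZ value
        New-ItemProperty -Path $msv10Key -Name $valueName -Value $names -PropertyType MultiString | Out-Null
    }
    Write-Host "Added $hostName to $valueName"
}

# Method 2 only needs IISAdmin restarted, not a reboot
Restart-Service -Name IISAdmin -Force
```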

 

Microsoft Operations Manager and Exchange 2007\How to determine the script running for a failed alert

Recently, I began working a bit with Microsoft Operations Manager on a few issues related to the Management Pack for Exchange Server 2007 for MOM 2005. One of the things that drove me crazy right off the bat was my inability to actually see what script it was running when an alert failed.

Let's take a look at the following alert:

Type: Error
Description: One or more of the OWA Connectivity tests failed. Detailed Information:
-----------------------------------------------
Error: The test received an unexpected response to an OWA request.
URL: https://server.com/

In MOM 2005, you will see the alert like this. Pay close attention to the section that has been circled below:


This indicates exactly where we can find the rule that fired for a failed alert.

Next, let's open up the MOM Administrator Console.
-Expand Management Packs\Rule Groups\Microsoft Exchange Server\Exchange 2007

Now you will use the Rule information gathered above to locate the Rule that failed:


Notice the path to the rule on the left, and the actual rule highlighted on the right.

Now double click on the Rule:

 

Event Rule Properties
Click on the Response, and click Edit:

 


Select the cmdletCommand and click Edit Parameter:

 


Now copy the contents of the Value field and paste them into Notepad, or run them in a PowerShell window.

 

 

Now you can work with the command in PowerShell to determine why it failed.


So from this I can tell the ExternalURL we are going to is the wrong URL (going to / instead of /owa).

 

First I list the ExternalURL with "get-OWAVirtualDirectory "owa (default web site)" | fl *" and then set the ExternalURL to the correct value with set-OWAVirtualDirectory:

 

And then finally rerun the test to make sure the problem is fixed:

Success! Now I can resolve the MOM alert and we're good to go.

Posted by caseys

Free/Busy information off (ahead) by one hour starting November 4th?

Some of you may have run into this already; it's a new problem we have been made aware of.

Symptoms: Free/Busy information is one hour ahead for any meetings on or after November 4th.

This problem is only seen when the following conditions are met:
-Exchange 2007 is used
-Outlook 2007 is used to view "legacy" Free/Busy data
*or*
-From Outlook 2007 we are viewing Free/Busy data of Lotus Notes users across the Transporter.


note: 
-Outlook Web Access 2007 will not exhibit this problem
-Outlook Web Access 2003 will exhibit this problem

The problem here has nothing to do with the Transporter. It occurs when viewing "legacy" free/busy data from either Outlook 2007 or Outlook Web Access 2003 on or after November 4th. The Transporter is affected because it stores Free/Busy data in a public folder and goes across the Availability Service to get to it.

The cases behind this problem are ongoing, I will post an update here when I hear about a resolution.

3EEh Schedule Object Doesn't Exist when trying to view a user's Free/Busy information

When a Domino/Notes or Exchange user tries to view Free/Busy you may receive the
following error in the Domino Console:

Notes viewing Exchange Free/Busy:
ODSTree_HostToCanAppend> Creating schedule object for Address@Domain@NotesDomain,
error = 3EEh: schedule object doesn't exist

Exchange viewing Domino/Notes Free/Busy:
ODSTree_HostToCanAppend> Creating schedule object for Address@Domain, error = 3EEh:
schedule object doesn't exist

----------------------------------------------------------

There are three known causes of this error:

  1. This typically means that Domino was able to connect to Exchange to view
    free/busy data, but for some reason the user's free/busy information was not in the
    Free/Busy public folder.

    This happens more often than not if nobody has logged into the user's mailbox or
    the user has never used their calendar. Attempt to view this user's Free/Busy data
    from another Outlook client. If it does not show up there, that is a good place to
    start troubleshooting.

    However, if you can see the data in Outlook but not in the Notes client and are
    receiving the above error, check the Administrative Group that we are viewing with
    Notes. By default Free/Busy does not replicate between Administrative Groups and
    you will need to configure replicas.

    Note: Configuring replicas of Free/Busy information dramatically increases the
    time between a meeting being set and its Free/Busy becoming viewable remotely, due to
    the multiple layers of replication.

  2. We connect to the public folder database via http://server/public . By default
    on Exchange 2007 CAS, /public is set to REQUIRE SSL. This needs to be changed to
    not require SSL. SSL cannot be enabled on this virtual directory or the lookup will fail.

  3. When an Exchange user tries to view a Domino/Notes user's Free/Busy:

    Error:
    ODSTree_HostToCanAppend> Creating schedule object for Address@Domain, error = 3EEh:
    schedule object doesn't exist

    Make sure the Exchange user exists in Busytime on Domino/Notes.

-CaseyS

Error 800706ba: The Active Directory synchronization agent could not be opened.

When running Directory Synchronization under Exchange 2007 with the Transporter Suite for Lotus Notes, you may encounter the following error:

Event Type: Error
Event Source: ExchangeDominoConnector
Event Category: Domino Directory Synchronization
Event ID: 8322
Description:
Error 800706ba: The Active Directory synchronization agent could not be opened.

Event Type: Error
Event Source: ExchangeDominoConnector
Event Category: Domino Directory Synchronization
Event ID: 511
Description:
Error {GRC:1404}: The application failed while processing.

 

 

When attempting to Sync users from Notes to Exchange, we need to generate addresses for contacts/users so that we can create them in Active Directory.

RPC connectivity is required from the Transporter server to the Mailbox server running the Recipient Update Service.

Attempt to open the event logs of the Mailbox Server from the Transporter server. If this fails, there is a firewall in place (hardware or software) that is preventing us from generating those addresses.

 

-CaseyS

Microsoft Transporter Suite End to End document released...

If you are going to be migrating with the Exchange 2007 Transporter Suite for Lotus Notes, you want this document.

This document not only has screenshots of how everything should be configured, it also has an excellent troubleshooting section that fixes the bulk of the issues we've seen to date.

Microsoft Transporter Suite End to End document

 

-CaseyS

Missing headers when using the Exchange 2003 Lotus Notes Connector (Redbull)

Some of you may have already noticed this, but I wanted to put this out there in an attempt to document just about anything I come across that is known to us here at Microsoft.

 You may notice that if you bridgehead your mail on Notes and sit Exchange behind it that the message headers get stripped before it hits Exchange.

(Internet)-----(Domino/Notes)-----(Exchange)

 This is known and by design. The "Received" headers are not copied to PR_TRANSPORT_HEADERS during conversion. This means that the only headers Exchange users will see are Exchange headers.

The only workaround? Use SMTP for mail flow.

-CaseyS

An item with the same key has already been added when using the Transporter for Lotus Notes

When migrating Domino mailboxes using the Lotus Notes Transporter for Exchange 2007, you may encounter the following error:

"An item with the same key has already been added."

From the Transporter PowerShell we see this error:
     Move-DominoMailbox : An item with the same key has already been added.

------------------------------------------------------------------------------------

I have run across this error a couple of times, and I can't tell you exactly what causes it. It appears to be something inside the NSF for the user, so we will want to run the three-step repair on it as follows:

Run the following Domino command line utilities on the Domino mail file; typically shortname.nsf. 

Note: You will be prompted for and must know the user.id and password for the Domino mail file.

In the following examples, replace shortname.nsf with the Domino mail file that failed during the migration attempt.

C:\Program Files\Lotus\Notes\nfixup shortname.nsf -f
C:\Program Files\Lotus\Notes\nupdall shortname.nsf -r
C:\Program Files\Lotus\Notes\ncompact.exe shortname.nsf

For more information visit http://www-304.ibm.com/jct09002c/isv/tech/faq/individual?oid=2:31420