Monday, December 23, 2013

After Migration to Exchange 2010, Client Can't Open Mailbox!

I've been moving mailboxes from Exchange 2007 to Exchange 2010 for about a year now and this is the first time this issue has come up. Of the 50,000 mailboxes moved so far, 90% of them had no issues at all. 9% had minor client issues (lost permissions to distribution list, or can't access resource calendar). 0.9% of those had slightly more aggravating issues like OST files being corrupted or local OAB needing to be downloaded again. That leaves these 40 mailboxes.

In addition to hosting mailboxes, we sync our GAL with another 80,000 mailboxes hosted in Microsoft's O365 environment. O365 provides email services for another dozen remote offices. This sync process creates mailforest contacts for each of these objects in our GAL. Under the O365 process, the local office creates an account in its own AD, and that account syncs to O365 with all the properties, permissions and email addresses applied to it. The sync process adds x500 addresses to the objects to make the process seamless to the end user.

So, immediately after moving the mailboxes to our Exchange 2010 environment, these clients could no longer access email via Outlook (OWA worked). We had gone through all of the 'desktop' support questions and nothing was out of alignment (profile, permissions, DB mounted, "On Fast Networks" checked, move request completed cleanly).

Found this KB article, so I decided to check the RPC Client Access logs to see if it applied. These clients had attempted to connect, but Exchange was denying them a connection. The logs said it could not determine the mailbox because a duplicate entry existed (referencing their mailbox's legacyExchangeDN?!).

Get-Mailbox -Identity JSmith | ForEach-Object { Get-Recipient -Identity $_.LegacyExchangeDN }

Smith, John@HR
Smith, Joanne@O365

Interesting. Joanne has an x500 entry that matches John's legacyExchangeDN perfectly. How can we fix this?
  1. Delete Joanne's x500 entry. Depending on where she is in her move to O365, it may cause mail delivery failures. 
  2. Modify John's mailbox alias and legacyExchangeDN values. This can cause email that had previously been sent to John to now go to Joanne. 
  3. Microsoft's solution, as provided below. This was an option, but it required a lot of coordination with each of the remote sites causing this problem. 
  4. Delete the contact from our GAL, move my user to 2010 and create a local contact for the deleted entry. This is what we finally decided to do. 
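The query above only catches the collision after the move has already broken Outlook. As an added example (not code from the original post), here is a pre-move check for the Exchange 2010 Management Shell that, for each mailbox in a batch, looks for any other recipient carrying that mailbox's legacyExchangeDN as an X500 proxy address. The function name and the batch file name are my own choices.

```powershell
# Added example, not part of the original post.
# Assumes the Exchange 2010 Management Shell is loaded and the caller has
# view-only recipient rights. Run it against a move batch BEFORE New-MoveRequest.
function Find-LegacyDnCollision {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$Identity   # mailbox aliases, SMTP addresses or DNs
    )
    process {
        foreach ($id in $Identity) {
            $mbx = Get-Mailbox -Identity $id -ErrorAction Stop

            # The value RPC Client Access resolves on: the mailbox's own
            # legacyExchangeDN, which a synced contact may also carry as X500.
            $x500 = "X500:" + $mbx.LegacyExchangeDN

            # OPATH filter on EmailAddresses is evaluated server-side, so this
            # stays cheap even with ~130,000 objects in the GAL.
            $filter = "EmailAddresses -eq '$x500'"
            $dupes = Get-Recipient -ResultSize Unlimited -Filter $filter |
                Where-Object { $_.Guid -ne $mbx.Guid }   # skip the mailbox itself

            foreach ($d in $dupes) {
                # New-Object rather than [PSCustomObject] so it runs on PS 2.0,
                # which is what the 2010 shell typically sits on.
                New-Object PSObject -Property @{
                    Mailbox           = $mbx.DisplayName
                    LegacyExchangeDN  = $mbx.LegacyExchangeDN
                    ConflictingObject = $d.DisplayName
                    ConflictType      = $d.RecipientType
                    ConflictDN        = $d.DistinguishedName
                }
            }
        }
    }
}

# Example usage: moveBatch.txt is a constructed list, one mailbox alias per line.
# Any row in the output is a mailbox that will fail to open after the move
# until the duplicate entry is dealt with (options 1-4 above).
Get-Content .\moveBatch.txt | Find-LegacyDnCollision | Format-Table -AutoSize
```

An empty result for a batch means none of its mailboxes share a legacyExchangeDN with another GAL object, so the move can proceed without this particular failure.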

Microsoft O365 did offer a solution. It required the remote agency to modify the objects in their AD so that the x500 entry was not automatically created. This would have been a two-step process: manually add the entry to the mailbox, then delete the x500 entry from the mailbox on the next sync. The steps are:

  1. Find the recipient in the source AD. 
  2. Add the following source proxyAddress: "x500:/o=Shared/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=JSMITH"
  3. Wait at least one sync cycle.
  4. Clear BOTH this x500 proxyAddress AND the source legacyExchangeDN.
  5. Wait at least one sync cycle.

As I mentioned earlier, this was not done, because the work had to be performed at the remote offices on their AD objects. According to MS, this should remove the x500 entry from the O365-hosted objects and allow me to move my users to 2010 successfully.
