Exchange / Active Directory Problems (admin group incorrect for certain users)
We have an additional domain within our AD forest which also has an Exchange server in its own admin group.
It appears that a number of user accounts in this domain are displaying the wrong admin group when checking "Exchange advanced" and "admin group" on AD accounts. The problem first came to light when a number of Blackberry users reported problems. The mailboxes have never moved and are still visible in the correct exchange admin group. However, AD continues to specify the default admin group, which is used for the forest domain exchange server.
I've created a new test user account with mailbox on that server and the correct admin group is displayed.
I don't want to have to start creating user accounts for the 200+ users. It doesn't affect all users on this domain / exchange server. Very strange!
I've been trying to find out exactly how this has happened and how I can make sure that the user account specifies the correct admin group.
Any help would be greatly appreciated.
Many Thanks
February 16th, 2011 9:51am
On Wed, 16 Feb 2011 14:40:34 +0000, Hozzie wrote:
>
>
>We have an additional domain within our AD forest which also has an Exchange server in its own admin group.
>
>It appears that a number of user accounts in this domain are displaying the wrong admin group when checking "Exchange advanced" and "admin group" on AD accounts. The problem first came to light when a number of Blackberry users reported problems. The mailboxes have never moved and are still visible in the correct exchange admin group. However, AD continues to specify the default admin group, which is used for the forest domain exchange server.
>
>I've created a new test user account with mailbox on that server and the correct admin group is displayed. I don't want to have to start creating user accounts for the 200+ user. It doesn't affect all users on this domain / exchange server. Very strange!
>
>I've been trying to find out exactly how this has happened and how I can make sure that the user account specifies the correct admin group.
>
>Any help would be greatly appreciated.
You're referring to the legacyExchangeDN property value assigned to a
user? The names in that property stopped being significant in Exchange
2000 (well, at least in terms of "which directory owns the writable
copy of the mailbox").
---
Rich Matheisen
MCSE+I, Exchange MVP
February 16th, 2011 10:10pm
Hi Rich,
Yes, I think that's the value. It's causing problems with our Blackberry users. The BES server thinks that the mailbox is in that admin group even though it's definitely visible in another admin group. The problem only came to light because of the Blackberry problems.
The only fix I've got at the moment is exmerge mailbox to *.pst, delete existing mailbox then create new mailbox and import the *.pst using exmerge.
Is it possible to edit this value in adsiedit for the users having the problems?
February 17th, 2011 6:51am
I found the legacyExchangeDN field in adsiedit and managed to change the admin group to the correct one.
Removed / added problem users from Blackberry Enterprise Manager and all appears to be working.
February 17th, 2011 12:27pm
On Thu, 17 Feb 2011 17:17:56 +0000, Hozzie wrote:
>I found the legacyExchangeDN field in adsiedit and managed to change the admin group to the correct one.
>
>Removed / added problem users from Blackberry Enterprise Manager and all appears to be working.
Well, that's a blackberry problem, then. The legacyExchangeDN *used*
to be significant but it no longer is. It's still used by Exchange
though so when you changed the value you ensured that any e-mail
previously sent by that mailbox will now return a NDR when anyone
inside your organization replies to the message -- unless you place
the original legacyExchangeDN value into a custom X500 address for the
user.
By changing the LDN you probably also broke any mailbox folder
permissions, access to calendar items, and other things. Let's just
say that changing the LDN is not something to be undertaken lightly
(if at all).
---
Rich Matheisen
MCSE+I, Exchange MVP
February 17th, 2011 4:47pm
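Two things from this thread lend themselves to a script: the original poster's question of how to find which of the 200+ accounts carry a legacyExchangeDN that names the wrong admin group, and Rich's caveat that if the value is changed at all, the old one should survive as an X500 proxy address so replies to previously sent mail still resolve. The following is an added example, not code from the thread or from Microsoft; it works on attribute values as an LDAP query would return them, uses constructed sample records, and assumes the standard Exchange 2000/2003 shapes of legacyExchangeDN and msExchHomeServerName (both carry the admin group in their ou= component). It only computes the audit result and the planned change; it writes nothing to AD.

```python
"""Audit legacyExchangeDN against the mailbox home server's admin group, and
plan a change that keeps the old value reachable as an X500 proxy address.

Added example with constructed data; not from the original thread.
Assumed attribute formats (Exchange 2000/2003 style):
  legacyExchangeDN:     /o=<Org>/ou=<AdminGroup>/cn=Recipients/cn=<alias>
  msExchHomeServerName: /o=<Org>/ou=<AdminGroup>/cn=Configuration/cn=Servers/cn=<Server>
"""
import re

LDN_RE = re.compile(
    r"^/o=(?P<org>[^/]+)/ou=(?P<ag>[^/]+)/cn=Recipients/cn=(?P<alias>[^/]+)$",
    re.IGNORECASE)
HOME_RE = re.compile(
    r"^/o=(?P<org>[^/]+)/ou=(?P<ag>[^/]+)/cn=Configuration/cn=Servers/cn=(?P<server>[^/]+)$",
    re.IGNORECASE)

# Constructed sample records (hypothetical org "Contoso" and admin group names).
SAMPLE_USERS = [
    {"sAMAccountName": "alice",
     "legacyExchangeDN": "/o=Contoso/ou=First Administrative Group/cn=Recipients/cn=alice",
     "msExchHomeServerName": "/o=Contoso/ou=Second Admin Group/cn=Configuration/cn=Servers/cn=EXCH02",
     "proxyAddresses": ["SMTP:alice@contoso.example"]},
    {"sAMAccountName": "bob",
     "legacyExchangeDN": "/o=Contoso/ou=Second Admin Group/cn=Recipients/cn=bob",
     "msExchHomeServerName": "/o=Contoso/ou=Second Admin Group/cn=Configuration/cn=Servers/cn=EXCH02",
     "proxyAddresses": ["SMTP:bob@contoso.example"]},
    # Mail-disabled account: no Exchange attributes at all.
    {"sAMAccountName": "svc-nomail", "legacyExchangeDN": None, "msExchHomeServerName": None},
]


def admin_group_of(value, pattern):
    """Extract the ou= (admin group) component, or None if the value is absent
    or not in the expected format."""
    m = pattern.match(value or "")
    return m.group("ag") if m else None


def find_mismatches(users):
    """Return (sAMAccountName, ldn_admin_group, home_admin_group) for every user
    whose legacyExchangeDN names a different admin group than the home server.
    Accounts with missing or unrecognised values are skipped, not guessed at."""
    out = []
    for u in users:
        ldn_ag = admin_group_of(u.get("legacyExchangeDN"), LDN_RE)
        home_ag = admin_group_of(u.get("msExchHomeServerName"), HOME_RE)
        if ldn_ag is None or home_ag is None:
            continue
        if ldn_ag.lower() != home_ag.lower():
            out.append((u["sAMAccountName"], ldn_ag, home_ag))
    return out


def plan_ldn_change(user, new_ldn):
    """Return the attribute values an admin would write if the LDN must change:
    the new legacyExchangeDN plus proxyAddresses extended with 'X500:<old LDN>'
    so mail sent under the old value still resolves. Idempotent: an X500 entry
    already present (any case) is not added again."""
    old_ldn = user["legacyExchangeDN"]
    proxies = list(user.get("proxyAddresses", []))
    x500 = "X500:" + old_ldn
    if not any(p.lower() == x500.lower() for p in proxies):
        proxies.append(x500)
    return {"legacyExchangeDN": new_ldn, "proxyAddresses": proxies}


if __name__ == "__main__":
    for name, ldn_ag, home_ag in find_mismatches(SAMPLE_USERS):
        print(f"{name}: legacyExchangeDN says '{ldn_ag}', home server is in '{home_ag}'")
```

Feed `find_mismatches` the real attribute set exported from the domain and it lists exactly the accounts the original poster was looking for, without touching anything. `plan_ldn_change` only produces the values to write; it does not address the folder permissions and calendar references Rich warns about, which are the reason to treat the audit output as a list to investigate rather than a list to fix.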
I'll get a proper test of the accounts I've modified.
Fortunately, it's only around 6 Blackberry users. I've not changed any of the other users that appear to have the incorrect admin group.
So with exchange 2003 the LDN has no significance? The other forums I've read elsewhere online must relate to older versions. Everything else is working properly on the Blackberry server, so it must be a permissions issue between the 2 domains?
All besadmin permissions are correct and nothing has changed. As soon as I changed the LDN, the Blackberry Server was able to access the mailbox as that's the admin group it referenced against. The exchange that has users with issues also has Blackberry users with no problems. These are ones listed against the correct admin group.
Thanks for your advice.
February 17th, 2011 5:37pm
On Thu, 17 Feb 2011 22:21:44 +0000, Hozzie wrote:
>
>
>I'll get a proper test of the accounts I've modified.
>
>Fortunately, it's only around 6 Blackberry users. I've not changed any of the other users that appear to have the incorrect admin group.
>
>So with exchange 2003 the LDN has no significance?
Only to uniquely identify the mailbox.
>The other forums I've read elsewhere online must relate to older versions.
Before Exchange 2000 each administrative group had its own set of
users. You couldn't move a user from one administrative group to
another. Once you got rid of the old Exchange servers and switched the
organization to native mode operation that restriction disappeared. So
moving a user from one mailbox server in AG1 to another one in AG2 was
possible -- but the LDN value never changed. If Blackberry has a
problem with that then shame on them.
>Everything else is working properly on the Blackberry server,
. . . and on the Exchange servers.
>so it must be a permissions issue between the 2 domains?
If that were true then changing the LDN wouldn't fix the problem. In
fact, changing the LDN should have broken the user in BES since it's
the LDN that's used to ID the user.
>All besadmin permissions are correct and nothing has changed. As soon as I changed the LDN, the Blackberry Server was able to access the mailbox as that's the admin group it referenced against. The exchange that has users with issues also has Blackberry users with no problems. These are ones listed against the correct admin group.
You might find better information about how BES used the
legacyExchangeDN value in their support site or forums.
---
Rich Matheisen
MCSE+I, Exchange MVP
February 17th, 2011 11:51pm
I did find a similar case that was fixed by modifying the “LegacyExchangeDN” entry.
Please run ExBPA against the Exchange server for a health and permission check.
James Luo
TechNet Subscriber Support
in forum
If you have any feedback on our support, please contact
tngfb@microsoft.com
February 18th, 2011 12:51am
On Fri, 18 Feb 2011 05:43:07 +0000, James-Luo wrote:
>I did find a similar case that was fixed by modifying the “LegacyExchangeDN” entry
And I'm pretty sure you'll find cases that were caused by changing the
legacyExchangeDN as well. ;-)
---
Rich Matheisen
MCSE+I, Exchange MVP
February 18th, 2011 3:01pm