Recently I posted about one cause of Outlook Web Access errors that users may experience after their mailbox is migrated from Exchange 2003 to Exchange 2007. Users are presented with a browser error containing the message:
Exception type: Microsoft.Exchange.Data.Storage.StoragePermanentException
Exception message: There was a problem accessing Active Directory.
In addition to that common cause I outlined previously, there is another cause of this issue that can arise. It usually occurs if an administrator uses the legacy Exchange System Manager tools (e.g. as part of the Active Directory Users & Computers new account wizard) to create a user mailbox on an Exchange 2007 mailbox server. The legacy tools assign an incorrect attribute value to the user account, which is explained further in this Microsoft support article:
This issue occurs when the msExchVersion attribute is not set correctly on the user object in the Active Directory.
Exchange 2007 uses the msExchVersion attribute to determine the version of Exchange that user objects are associated with. If the version value is less than 0.1, Exchange 2007 considers the object “read-only” and cannot write changes to the object.
Note: The msExchVersion attribute may not set correctly if you created the user’s mailbox by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in instead of by using the Exchange 2007 Management Console.
To resolve the issue you can use the following Exchange Management Shell cmdlet:
Set-Mailbox User_Name -ApplyMandatoryProperties
To check a user for the correct attribute use the Get-Mailbox cmdlet. In my example here you can see both the correct and incorrect attributes displayed.
[PS] C:\>get-mailbox User1 | fl ExchangeVersion
ExchangeVersion : 0.1 (8.0.535.0)
[PS] C:\>get-mailbox User2 | fl ExchangeVersion
ExchangeVersion : 0.0 (6.5.6500.0)
If you have several mailboxes affected by this issue you can find them with this command:
[PS] C:\>get-mailbox | where {$_.ExchangeVersion -like "0.0*" -and $_.ServerName -eq "exchange2007"}
Name Alias ServerName ProhibitSendQuota
---- ----- ---------- ---------------
User2 User2 exchange2007 unlimited
Similarly you can use this command to correct multiple mailboxes at once:
[PS] C:\>get-mailbox | where {$_.ExchangeVersion -like "0.0*" -and $_.ServerName -eq "exchange2007"} | Set-Mailbox -ApplyMandatoryProperties
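As an added example (my own script, not code from the original post), the one-liner above can be generalised so that the Exchange 2007 mailbox servers are discovered rather than hard-coded, the affected mailboxes are reported first, and Set-Mailbox -ApplyMandatoryProperties is only applied when -Fix is given, re-reading ExchangeVersion afterwards to confirm the change. The server filter matters: mailboxes still on Exchange 2003 servers also show version 0.0 and must not be touched. It assumes it runs in the Exchange Management Shell and that AdminDisplayVersion.Major is 8 for Exchange 2007 servers.

```powershell
# Added example (not from the original post): find mailboxes on Exchange 2007
# servers that still carry the legacy ExchangeVersion 0.0 and optionally fix them.
# Run from the Exchange Management Shell. Usage: .\Fix-LegacyVersion.ps1 [-Fix]
param([switch]$Fix)

# Discover Exchange 2007 mailbox servers instead of hard-coding a name.
# Assumption: AdminDisplayVersion.Major is 8 for Exchange 2007 servers.
$e2k7Servers = Get-MailboxServer |
    Where-Object { $_.AdminDisplayVersion.Major -eq 8 } |
    ForEach-Object { $_.Name }

if (-not $e2k7Servers) { Write-Warning "No Exchange 2007 mailbox servers found."; return }

# Mailboxes whose object version is still 0.0 (6.5.x) but which live on a 2007
# server. Mailboxes still on legacy servers are 0.0 by design and are excluded.
$legacy = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ExchangeVersion.ToString() -like "0.0*" -and ($e2k7Servers -contains $_.ServerName) }

if (-not $legacy) { Write-Output "No mailboxes need -ApplyMandatoryProperties."; return }

Write-Output "Mailboxes with a legacy ExchangeVersion on Exchange 2007 servers:"
$legacy | Format-Table Name, ServerName, ExchangeVersion -AutoSize

if (-not $Fix) { Write-Output "Re-run with -Fix to apply Set-Mailbox -ApplyMandatoryProperties."; return }

foreach ($mbx in $legacy) {
    Set-Mailbox -Identity $mbx.Identity -ApplyMandatoryProperties
    # Re-read the object so the result reflects what is now in Active Directory.
    $after = (Get-Mailbox -Identity $mbx.Identity).ExchangeVersion
    Write-Output ("{0}: ExchangeVersion now {1}" -f $mbx.Name, $after)
}
```

Running it without -Fix is a safe report; the fixed mailboxes should read 0.1 (8.0.x) afterwards, as User1 does in the output above.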
Links:
During Exchange Server 2007 schema extension you may encounter a security descriptor error which will cause setup to fail. The error may occur specifically during the “setup /PrepareAD” stage.
>setup /preparead
Welcome to Microsoft Exchange Server 2007 Unattended Setup
Preparing Exchange Setup
No server roles will be installed
Performing Microsoft Exchange Server Prerequisite Check
Organization Checks ......................... COMPLETED
Configuring Microsoft Exchange Server
Organization Preparation ......................... FAILED
You do not have permissions to read the security descriptor on CN=Deleted Objects,CN=Configuration,DC=domain,DC=com,DC=au.
The Exchange Server Setup operation did not complete. For more information,visit
http://support.microsoft.com and enter the Error ID.
Exchange Server setup encountered an error.
To resolve this issue use the following steps:
- Download and install the ADAM tools from Microsoft.
- Go to Start -> Programs -> ADAM and launch ADAM Tools Command Prompt.
- In the command prompt, run the following command (substitute your domain name where appropriate):
C:\WINDOWS\ADAM>dsacls "CN=Deleted Objects,DC=domain,DC=com,dc=au" /takeownership
Owner: DOMAIN\Domain Admins
Group: NT AUTHORITY\SYSTEM
Access list:
{This object is protected from inheriting permissions from the parent}
Allow BUILTIN\Administrators SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Allow NT AUTHORITY\SYSTEM SPECIAL ACCESS
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
The command completed successfully
- Re-run Exchange setup. It should now successfully extend the schema.
Link: http://support.microsoft.com/default.aspx?scid=kb;EN-US;892806
Some users may report that they are not able to access OWA after their mailbox has been moved to the Exchange Server 2007 server.
Check the properties of the account in Active Directory Users & Computers and verify that in the Security tab the account is configured to inherit permissions. If the tick box is cleared you should tick it and apply the change.
On a larger scale this can be quite problematic. If you find you need to apply this change to a lot of user accounts you can do it with a few quick command lines.
First use DSQuery to dump out a list of user accounts in an OU into a text file. The OU distinguished name contains a space, so it must be quoted:
C:\>dsquery user "ou=network users,dc=test,dc=local" -scope subtree -limit 0 >users.txt
Using -scope subtree means DSQuery will enumerate the user accounts for all sub-OUs as well. Using -limit 0 ensures that the results will not be cut off by the default limit of 100.
You can now use a For loop to process each user account with DSACLs.
C:\>for /F "delims=" %i in (users.txt) do (dsacls %i /P:N)
Be sure to set “delims=” as shown so that the spaces in the distinguished names of the users don’t get treated as delimiters.
It can be tempting to dump out the user list of the entire domain and apply this fix, but before you go down that path make sure you read and understand this article published by Microsoft.
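As an added example (my own script, not part of the original post), here is a PowerShell equivalent of the dsquery/dsacls loop that builds in the caveat behind that warning: accounts with adminCount set to 1 are members (or former members) of the protected groups whose security descriptors the AdminSDHolder process re-stamps, so re-enabling inheritance on them is simply reverted and usually signals a group membership that should be reviewed instead. It uses System.DirectoryServices only, so it runs on Windows Server 2003 without any AD module; the OU distinguished name is a placeholder and nothing is changed unless -Fix is given.

```powershell
# Added example (not from the original post). Lists user accounts in an OU whose
# security descriptor blocks inheritance and re-enables inheritance only with -Fix,
# skipping AdminSDHolder-protected accounts (adminCount=1), for which the change
# would be reverted by the SDProp process anyway.
# Assumption: the OU DN below is a placeholder for your environment.
param(
    [string]$SearchBase = "OU=Network Users,DC=test,DC=local",
    [switch]$Fix
)

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
$searcher.SearchScope = "Subtree"   # same as dsquery -scope subtree
$searcher.PageSize = 1000           # paged results, so no result cap (dsquery -limit 0)
$searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
[void]$searcher.PropertiesToLoad.Add("adminCount")

foreach ($result in $searcher.FindAll()) {
    $dn = $result.Properties["distinguishedname"][0]
    $entry = $result.GetDirectoryEntry()

    # AreAccessRulesProtected is the Security tab "inherit permissions" box, inverted.
    if (-not $entry.ObjectSecurity.AreAccessRulesProtected) { continue }

    $adminCount = 0
    if ($result.Properties.Contains("admincount")) {
        $adminCount = [int]$result.Properties["admincount"][0]
    }

    if ($adminCount -eq 1) {
        Write-Warning ("Skipping {0}: adminCount=1 (AdminSDHolder-protected); review its group memberships instead." -f $dn)
        continue
    }

    if ($Fix) {
        # Equivalent of dsacls <dn> /P:N. The second argument is ignored when
        # inheritance is being enabled.
        $entry.ObjectSecurity.SetAccessRuleProtection($false, $true)
        $entry.CommitChanges()
        Write-Output ("Inheritance re-enabled: {0}" -f $dn)
    } else {
        Write-Output ("Inheritance blocked (run with -Fix to change): {0}" -f $dn)
    }
}
```

Run it once without -Fix and look at the warnings: an ordinary user account that turns up with adminCount=1 is worth a closer look before its OWA problem is "fixed".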
Project Coconut entries:
The mailboxes have all been moved and the new Exchange Server 2007 system is bedding in. During and after your mailbox migration you may find one or two issues appear with some users’ mailbox access.
Classfactory error when moving mailbox to Exchange Server 2007
Some mailboxes may be reported as failed in your mailbox move report, with the following error information:
Error occurred in the step: Opening source mailbox. Failed to open mailbox with error: ClassFactory cannot supply requested class, error code: -1056749262.
Check the properties of the account in Active Directory Users & Computers and you should find that the account is disabled. Exchange will not move a mailbox for a disabled user account. Your options here are to enable the account temporarily while you move the mailbox, or just delete the mailbox from your legacy Exchange server.

Users unable to access Outlook Web Access after mailbox moves
Some users may report that they are not able to access OWA after their mailbox has been moved to the Exchange Server 2007 server.
Check the properties of the account in Active Directory Users & Computers and verify that in the Security tab the account is configured to inherit permissions. If the tick box is cleared you should tick it and apply the change.

Removing legacy Exchange servers from the organisation
Microsoft has published some good guidance on removing your legacy servers from the Exchange organisation here on Technet. Let’s go through the steps here.
1. Move all mailboxes to an Exchange Server 2007 server in the organisation. I’ve already covered that in the last part of this series.
2. Move all content from the public folder database on the legacy server to a public folder database on an Exchange 2007 server in the organization.
Exchange 2003 permits you to do this via the Exchange System Manager console. Navigate to your legacy Exchange server and drill down to the Public Folder store. Right click and select “Move all replicas”.

This operation can take some time for large public folder trees. The move may also generate a lot of transaction logging and therefore a lot of disk IO on both the source and target server. If the public folder databases are sharing disk with other databases or mail queues then you may want to consider doing this outside of business hours.
3. Move the OAB generation to the Exchange Server 2007 server. A simple way of moving all OABs to the Exchange Server 2007 server is using the Exchange Management Shell with the Get-OfflineAddressBook and Move-OfflineAddressBook cmdlets.
[PS] C:\>Get-OfflineAddressBook | Move-OfflineAddressBook -Server LABEX2 -confirm:$false
WARNING: Do not turn off public folder publishing for offline address book
(OAB) "\Default Offline Address List" before it is generated on the target
server "LABEX2". If you turn off public folder publishing prematurely, the
entire OAB will be downloaded for all users who are associated with this OAB.
4. Remove public folder and mailbox stores. You can do this by simply right-clicking and deleting the databases in Exchange System Manager. However, Exchange will not permit you to delete a public folder store that still contains replicas, nor a mailbox store that still contains mailboxes. System Manager will display an error that one or more users currently use this mailbox store (ID no: c1034a7f).

You can locate these stragglers using Active Directory Users & Computers. Right-click the root of the domain and start a search. Leave the first criteria blank and click on the Exchange tab. Tick “Show only Exchange recipients” and “Users with Exchange mailbox”. Click Find Now, and then add the Exchange Home Server column using the View menu. Sort by this column and you should quickly see which users Exchange still thinks have mailboxes on the legacy server.

If the users don’t really have a mailbox you can right-click and remove their Exchange attributes.
5. Verify that internet mail is configured to route through your Exchange Server 2007 servers. You can configure your Hub Transport server to send and receive internet mail using the instructions here.
6. Verify inbound protocol services point to an Exchange Server 2007 Client Access Server. You can read about publishing Exchange 2007 with ISA Server 2006 here.
7. Delete the routing group connectors that connect the Exchange 2003 or Exchange 2000 routing groups and the Exchange 2007 routing group. You can do this quickly and easily using the Get-RoutingGroupConnector and Remove-RoutingGroupConnector cmdlets.
[PS] C:\>Get-RoutingGroupConnector | Remove-RoutingGroupConnector -confirm:$false
8. Remove Exchange 2003 or Exchange 2000 recipient policies that are only Mailbox Manager policies.
9. If you have Exchange 2003 or Exchange 2000 policies that are both E-mail Addresses and Mailbox Manager policies, remove the Mailbox Manager part of the policy.
10. Move the Public Folder hierarchy from the legacy Exchange admin group to the Exchange Server 2007 admin group. To do this in Exchange System Manager right click the Exchange 2007 admin group and create a new Public Folders container.

Then, drag the Public Folder tree from the legacy admin group to the Public Folder container you just created.

11. Delete the Recipient Update Services. You can delete the domain RUS via Exchange System Manager, but the Enterprise RUS must be deleted via ADSIEdit.msc. So you may as well use ADSIEdit.msc to delete them all.

12. Uninstall Exchange 2000/2003 from the server. If any of the above steps have not been completed properly Exchange will not allow you to uninstall it via Add/Remove Programs. However, if you are able to set the action to Remove then all requirements have been met and Exchange will uninstall. You will often need your Exchange media available for the uninstallation.
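Before attempting step 12 it helps to confirm from the Exchange Management Shell that nothing is still bound to the legacy server. The following is an added example (my own script, not from the original post) that checks three of the items above in one read-only pass: recipients Exchange still thinks are homed on the legacy server (the stragglers from step 4), offline address books still generated there (step 3), and routing group connectors that still reference it (step 7). It assumes the legacy server name is passed in and that Get-Mailbox -Server accepts a legacy server name; public folder replicas, recipient policies and the RUS objects are GUI steps above and are not checked here.

```powershell
# Added example (not from the original post). Read-only readiness check run
# from the Exchange Management Shell before uninstalling a legacy server.
# Usage: .\Test-LegacyServerRemoval.ps1 -LegacyServer OLDEXCH
param([string]$LegacyServer = $(throw "Specify -LegacyServer <name>"))

$blockers = 0

# Step 4: recipients whose home server attribute still points at the legacy server.
$mailboxes = Get-Mailbox -Server $LegacyServer -ResultSize Unlimited
if ($mailboxes) {
    $blockers++
    Write-Warning ("{0} mailbox(es) still homed on {1}:" -f @($mailboxes).Count, $LegacyServer)
    $mailboxes | Format-Table Name, Alias, Database -AutoSize
}

# Step 3: offline address books whose generation server is still the legacy server.
$oabs = Get-OfflineAddressBook | Where-Object { "$($_.Server)" -like "*$LegacyServer*" }
if ($oabs) {
    $blockers++
    Write-Warning ("OAB(s) still generated on {0}:" -f $LegacyServer)
    $oabs | Format-Table Name, Server -AutoSize
}

# Step 7: routing group connectors whose source or target transport servers
# include the legacy server. All of them go once every legacy server is removed.
$rgcs = Get-RoutingGroupConnector | Where-Object {
    "$($_.SourceTransportServers) $($_.TargetTransportServers)" -like "*$LegacyServer*"
}
if ($rgcs) {
    $blockers++
    Write-Warning ("Routing group connector(s) still reference {0}:" -f $LegacyServer)
    $rgcs | Format-Table Name, SourceTransportServers, TargetTransportServers -AutoSize
}

if ($blockers -eq 0) {
    Write-Output ("No mailboxes, OABs or routing group connectors reference {0}. Still check public folder replicas, recipient policies and the RUS objects before uninstalling." -f $LegacyServer)
} else {
    Write-Output ("{0} blocking item type(s) found; resolve them before uninstalling {1}." -f $blockers, $LegacyServer)
}
```

A clean run does not replace the checks Exchange setup itself performs, but it shows the stragglers in one place instead of sorting columns in Active Directory Users & Computers.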

So, what next?
I’ve now completed the minimum steps required to transition the Exchange 2003 organisation to Exchange 2007; however, there are still tasks that should be performed on the Exchange 2007 server to finish the job. You should consider upgrading your Email Address Policies and your Address List objects to Exchange 2007. Though this is not strictly required, it pays to get it out of the way so you don’t run into problems later on when you want to edit them.
The Microsoft Exchange Team Blog has a great writeup of how to go about doing this here.
Upgrading Email Address Policies
To find any legacy EAPs in the organisation you can run a filtered Get-EmailAddressPolicy command.
[PS] C:\>Get-EmailAddressPolicy | where { $_.RecipientFilterType -eq "Legacy" } | Format-List Name,*RecipientFilter*,ExchangeVersion
Name                      : Default Policy
RecipientFilter           :
LdapRecipientFilter       : (mailnickname=*)
LastUpdatedRecipientFilter :
RecipientFilterApplied    : False
RecipientFilterType       : Legacy
ExchangeVersion           : 0.0 (6.5.6500.0)
This will reveal all “Legacy” EAPs and their RecipientFilter details. To upgrade the Default Policy with its simple filter you can run the following Set-EmailAddressPolicy command.
[PS] C:\>Set-EmailAddressPolicy "Default Policy" -IncludedRecipients AllRecipients
Confirm
To save changes on object "Default Policy", the object must be upgraded to the current Exchange version. After the upgrade, this object cannot be managed by a previous version of Exchange System Manager. Do you want to continue to upgrade and save the object?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):y
Upgrading Address List Objects
Legacy Address Lists can be located using a filtered Get-AddressList cmdlet.
[PS] C:\>Get-AddressList | where {$_.RecipientFilterType -eq "Legacy"} | Format-List Name,*RecipientFilter*,ExchangeVersion
Name                      : All Users
RecipientFilter           :
LdapRecipientFilter       : (& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))) ))
LastUpdatedRecipientFilter :
RecipientFilterApplied    : False
RecipientFilterType       : Legacy
ExchangeVersion           : 0.0 (6.5.6500.0)
Name                      : All Groups
RecipientFilter           :
LdapRecipientFilter       : (& (mailnickname=*) (| (objectCategory=group) ))
LastUpdatedRecipientFilter :
RecipientFilterApplied    : False
RecipientFilterType       : Legacy
ExchangeVersion           : 0.0 (6.5.6500.0)
Name                      : All Contacts
RecipientFilter           :
LdapRecipientFilter       : (& (mailnickname=*) (| (&(objectCategory=person)(objectClass=contact)) ))
LastUpdatedRecipientFilter :
RecipientFilterApplied    : False
RecipientFilterType       : Legacy
ExchangeVersion           : 0.0 (6.5.6500.0)
Name                      : Public Folders
RecipientFilter           :
LdapRecipientFilter       : (& (mailnickname=*) (| (objectCategory=publicFolder) ))
LastUpdatedRecipientFilter :
RecipientFilterApplied    : False
RecipientFilterType       : Legacy
ExchangeVersion           : 0.0 (6.5.6500.0)
These Address Lists can be upgraded using the Set-AddressList cmdlet.
[PS] C:\>Set-AddressList "All Users" -IncludedRecipients MailboxUsers
[PS] C:\>Set-AddressList "All Groups" -IncludedRecipients MailGroups
[PS] C:\>Set-AddressList "All Contacts" -IncludedRecipients MailContacts
[PS] C:\>Set-AddressList "Public Folders" -RecipientFilter { RecipientType -eq 'PublicFolder' }
The default Global Address List can also be upgraded using the Set-GlobalAddressList cmdlet.
[PS] C:\>Set-GlobalAddressList "Default Global Address List" -RecipientFilter {(Alias -ne $null -and (ObjectClass -eq 'user' -or ObjectClass -eq 'contact' -or ObjectClass -eq 'msExchSystemMailbox' -or ObjectClass -eq 'msExchDynamicDistributionList' -or ObjectClass -eq 'group' -or ObjectClass -eq 'publicFolder'))}
Confirm
To save changes on object "Default Global Address List", the object must be upgraded to the current Exchange version. After the upgrade, this object cannot be managed by a previous version of Exchange System Manager. Do you want to continue to upgrade and save the object?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):y
For non-default Address List and Global Address List objects some analysis of the custom LDAP filters will be required to determine how to go about upgrading them. You can refer to Evan Dodd’s blog post here for more details.
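The commands above are safe for the default objects because their LDAP filters are known. As an added example (my own script, not from the original post), here is a way to inventory every legacy Email Address Policy, Address List and Global Address List in one pass and apply the upgrades from this section only to objects whose LDAP filter still matches the Exchange 2003 default shown above; an "All Users" list that somebody customised in System Manager is listed for manual review rather than silently replaced with -IncludedRecipients MailboxUsers. Because the legacy filter of the default Global Address List is not shown in this post, GALs are always listed for review and the Set-GlobalAddressList command above is left to be run by hand. It assumes the Exchange Management Shell.

```powershell
# Added example (not from the original post). Inventories legacy (LDAP-filter)
# Email Address Policies, Address Lists and Global Address Lists and, with
# -Upgrade, applies the post's upgrade commands only to objects whose filter is
# still the Exchange 2003 default. Customised filters are listed for manual review.
# Run from the Exchange Management Shell. Usage: .\Upgrade-LegacyLists.ps1 [-Upgrade]
param([switch]$Upgrade)

# Strip whitespace so filters compare equal regardless of console wrapping.
function Normalize([string]$Filter) {
    if ($Filter) { return ($Filter -replace '\s', '') }
    return ''
}

# Default Exchange 2003 LDAP filters (from the post, whitespace removed) and the
# OPATH-based upgrade the post applies to each.
$known = @(
    @{ Type = 'EmailAddressPolicy'; Name = 'Default Policy'
       Ldap = '(mailnickname=*)'
       Upgrade = { param($o) Set-EmailAddressPolicy $o.Identity -IncludedRecipients AllRecipients } },
    @{ Type = 'AddressList'; Name = 'All Users'
       Ldap = '(&(mailnickname=*)(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))))'
       Upgrade = { param($o) Set-AddressList $o.Identity -IncludedRecipients MailboxUsers } },
    @{ Type = 'AddressList'; Name = 'All Groups'
       Ldap = '(&(mailnickname=*)(|(objectCategory=group)))'
       Upgrade = { param($o) Set-AddressList $o.Identity -IncludedRecipients MailGroups } },
    @{ Type = 'AddressList'; Name = 'All Contacts'
       Ldap = '(&(mailnickname=*)(|(&(objectCategory=person)(objectClass=contact))))'
       Upgrade = { param($o) Set-AddressList $o.Identity -IncludedRecipients MailContacts } },
    @{ Type = 'AddressList'; Name = 'Public Folders'
       Ldap = '(&(mailnickname=*)(|(objectCategory=publicFolder)))'
       Upgrade = { param($o) Set-AddressList $o.Identity -RecipientFilter { RecipientType -eq 'PublicFolder' } } }
)

# Collect every legacy object from the three cmdlets, tagged with its type.
$legacy = @()
foreach ($pair in @(
        @{ Type = 'EmailAddressPolicy'; Get = { Get-EmailAddressPolicy } },
        @{ Type = 'AddressList';        Get = { Get-AddressList } },
        @{ Type = 'GlobalAddressList';  Get = { Get-GlobalAddressList } })) {
    foreach ($obj in (& $pair.Get | Where-Object { $_.RecipientFilterType -eq 'Legacy' })) {
        $legacy += @{ Type = $pair.Type; Object = $obj }
    }
}

foreach ($item in $legacy) {
    $obj = $item.Object
    $filter = Normalize $obj.LdapRecipientFilter
    $match = $known | Where-Object {
        $_.Type -eq $item.Type -and $_.Name -eq $obj.Name -and (Normalize $_.Ldap) -eq $filter
    }
    if (-not $match) {
        # Covers customised filters and every GAL (its default filter is not in the post).
        Write-Warning ("Review manually: {0} '{1}' has LDAP filter {2}" -f $item.Type, $obj.Name, $obj.LdapRecipientFilter)
        continue
    }
    if ($Upgrade) {
        & $match.Upgrade $obj   # Set-* prompts to confirm the version upgrade, as in the post
        Write-Output ("Upgraded {0} '{1}'" -f $item.Type, $obj.Name)
    } else {
        Write-Output ("Would upgrade {0} '{1}' (default Exchange 2003 filter); run with -Upgrade" -f $item.Type, $obj.Name)
    }
}
```

The whitespace-insensitive comparison is deliberate: the filters come back from Active Directory with the spacing shown in the Format-List output above, and a stray space should not turn a default list into a "review manually" case.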
Is that it?
That is all for this Project Coconut series of posts, however there is a lot more to talk about with Exchange Server 2007 which I look forward to writing about.
Project complete.
Before deploying your first Exchange Server 2007 server you must apply the Exchange Server 2007 schema extensions. Though you can allow Exchange to do this automatically during setup there are some scenarios where you may wish to do it as a separate process, such as applying the extensions in advance of the first installation, or using a different account for the schema extension than for the Exchange installation so as to perform each task with the minimum required privileges.
If you wish to apply the Exchange Server 2007 schema extension on a 32-bit domain controller that is the Schema Master there are first some prerequisites that must be installed. Note: for Exchange Server 2007 compatibility the Schema Master must be at least Windows Server 2003 with Service Pack 1 or Windows Server 2003 R2.
You will also need the 32-bit version of Exchange Server 2007 RTM or Exchange Server 2007 SP1.
Extending the Active Directory Schema for Exchange Server 2007
To extend your AD schema for Exchange Server 2007 follow these steps:
- Log on to the Schema Master with an account that has Schema Admins and Enterprise Admins permissions.
How To Find Servers That Hold Flexible Single Master Operations Roles
- Verify that Schema updates have been enabled.
Schema Updates Require Write Access to Schema in Active Directory
- Perform a System State backup of the Schema Master.
- Disable outbound replication on the Schema Master.
repadmin /options servername +DISABLE_OUTBOUND_REPL
- Extract the Exchange setup files to a temporary location, and open a command prompt in that folder.
- Prepare the legacy Exchange permissions.
C:\temp\Exchange\setup.com /PrepareLegacyExchangePermissions
- Prepare the Schema.
C:\temp\Exchange\setup.com /PrepareSchema
- Prepare the Forest.
C:\temp\Exchange\setup.com /PrepareAD
- Prepare the Domain. Each domain that will hold Exchange servers or Exchange recipients must be prepared.
C:\temp\Exchange\setup.com /PrepareDomain
To prepare all Domains in the Forest in one action use the following.
C:\temp\Exchange\setup.com /PrepareAllDomains
- If the commands have run without error and you are satisfied with the health of your Schema Master you can re-enable outbound replication.
repadmin /options servername -DISABLE_OUTBOUND_REPL
Your Active Directory is now ready for the first Exchange Server 2007 installation.
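The point of disabling outbound replication first is that a failed or unwanted schema change stays on one domain controller where it can be restored from the System State backup. As an added example (my own script, not from the original post), the steps above can be run in order from a PowerShell prompt on the Schema Master so that the script refuses to run on any other domain controller, stops at the first failing step, and re-enables outbound replication only when every step has succeeded. It assumes setup.com has been extracted to the placeholder path in $SetupDir and returns a non-zero exit code on failure; the backup and the Schema Admins/Enterprise Admins membership are still your job beforehand.

```powershell
# Added example (not from the original post). Runs the preparation steps above
# in order, refuses to run anywhere except on the Schema Master, and re-enables
# outbound replication only if every step succeeded. Take the System State
# backup and confirm Schema Admins / Enterprise Admins membership first.
# Assumptions: setup.com is extracted to $SetupDir (placeholder path) and
# returns a non-zero exit code on failure.
param([string]$SetupDir = "C:\temp\Exchange")

# The Schema Master is the fSMORoleOwner of the schema naming context; the value
# is an NTDS Settings DN whose second component is CN=<server>.
$rootDse      = [ADSI]"LDAP://RootDSE"
$schemaNc     = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
$roleOwnerDn  = [string]$schemaNc.fSMORoleOwner
$schemaMaster = $roleOwnerDn.Split(',')[1].Substring(3)   # strip the leading "CN="

if ($schemaMaster -ne $env:COMPUTERNAME) {
    throw ("Run this on the Schema Master ({0}), not on {1}." -f $schemaMaster, $env:COMPUTERNAME)
}

$setup = Join-Path $SetupDir 'setup.com'
if (-not (Test-Path $setup)) { throw "setup.com not found in $SetupDir" }

# Steps in the order the post gives them. /PrepareAllDomains covers every domain;
# use /PrepareDomain instead to prepare only the current domain.
$steps = '/PrepareLegacyExchangePermissions', '/PrepareSchema', '/PrepareAD', '/PrepareAllDomains'

& repadmin /options $schemaMaster +DISABLE_OUTBOUND_REPL
if ($LASTEXITCODE -ne 0) { throw "repadmin could not disable outbound replication (exit $LASTEXITCODE)" }

$allOk = $true
foreach ($step in $steps) {
    Write-Output ("=== setup.com {0} ===" -f $step)
    & $setup $step
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("{0} failed with exit code {1}. Outbound replication stays disabled so the change cannot replicate; investigate, restore from the System State backup if needed, and re-enable with: repadmin /options {2} -DISABLE_OUTBOUND_REPL" -f $step, $LASTEXITCODE, $schemaMaster)
        $allOk = $false
        break
    }
}

if ($allOk) {
    & repadmin /options $schemaMaster -DISABLE_OUTBOUND_REPL
    Write-Output "All preparation steps succeeded; outbound replication re-enabled on $schemaMaster."
}
```

Leaving replication disabled on failure is the conservative choice; the warning tells you how to re-enable it once you have decided the directory is healthy.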