Exchange 2003 Public Folder "Could not locate the root folder"

The difference in the path names is not the problem. The M: drive doesn't exist in Exchange 2003, so it uses the full address instead.

Are you using SSL on the new server? If so, make sure that you haven't required SSL on the /public virtual folder.

Simon.

When I go into the properties for the Public Folder virtual server it gives me an error of "the path does not exist or is not a directory" can anyone tell me the default path for MBX and Public folder folders if exchange 2003 was installed on a D: drive?

The path is as you would expect...

\\.\BackOfficeStorage\domain.co.uk\Public Folders
\\.\BackOfficeStorage\domain.co.uk\MBX

The physical location of the files doesn't really matter as Exchange manages all of that.

Simon.

Both paths are as you describe, but there are no physical folders/directories where these paths point to.

Would there be some security restrictions that would be affecting access then? If I try to open OWA on the server I get access denied, I also cannot move a mailbox from the 2000 server to the 2003 server?

They are virtual folders that connect in to the Exchange database. You cannot look at the content via those paths though.

If move mailbox doesn't work either and there are no mailboxes on this server then I think it is time to enact my "duff build" rule.

I have this rule that if a server starts playing up shortly after the initial build and/or before any data is copied across, then I dump the build and do it again.
Remove the replicas, remove Exchange from add/remove programs, drop the machine in to a workgroup, wipe and rebuild. If a machine is playing up this early in its life I don't want it in production.

Simon.

OK, after rebuilding the server I have the same problem. When I try and move a mailbox from the 2000 box to the 2003 box I get an error: Logon Failure on database "First Storage Group\Mailbox Store (EXCHSRV03)" - Windows 2000 account domain\domainadminacc; mailbox /o=oad/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=EXCHSRV03/cn=Microsoft System Attendant.
Error: -2147221233

I've checked the permissions on the DBs on the 2003 server which allow the everyone group full access, I have noticed that the domain admin account I am using has been denied the send as and receive as attributes, is this my problem?

You should be using THE administrator account. I have had problems using any other account. Try logging in to one of the Exchange servers with the administrator account and running move mailbox there.

Domain Admins are denied access by default - that is by design. However the administrator account can do a move mailbox - again that is by design.

Simon.

When I log on using the local administrator account and try to open ESM on the 2003 machine I get an error:

"The directory service is unavailable.
 Facility: Win32
 ID no: 8007200F
 Exchange System Manager

The local administrator account, the domain administrator:

username: administrator
password: <whatever>
DOMAIN: <your windows domain>

If it continues even when you login as the domain administrator, then it sounds like the Exchange server is having problems connecting to the domain controller.

Make sure that the domain controller is a global catalog. If Exchange is on a domain controller then it should be a global catalog.

Install the support tools and run dcdiag. It probably will not harm to run netdiag as well and see if there are any errors in there.

Simon.

Hi, I've ran DCDIAG and NETDIAG and both were successful, the server is a member server. I am definitely thinking there is a permissions issue, again the error I get when O try to move a mailbox is below:  


<?xml version="1.0" encoding="unicode" ?>
- <taskWizardRun taskName="Move Mailbox" dcName="OAD-DC2-INTRA" buildNumber="6944" runningAs="****admin@****.corp">
  <timespan startTime="2005-09-27 15:58:55.999" milliseconds="3578" />
- <moveMailbox mixedMode="false" maxBadItems="0">
- <destination>
  <database>/dc=corp/dc=****/cn=Configuration/cn=Services/cn=Microsoft Exchange/cn=oad/cn=Administrative Groups/cn=First Administrative Group/cn=Servers/cn=EXCHSRV03/cn=InformationStore/cn=First Storage Group/cn=Mailbox Store (EXCHSRV03)</database>
  </destination>
  </moveMailbox>
  <taskSummary errorCount="1" completedCount="0" warningCount="0" errorCode="0x00000000" />
- <items>
- <item adsPath="LDAP://****.corp/cn=Test2003,ou=IT,ou=Belfast,dc=oad,dc=corp" class="user">
  <progress code="0" milliseconds="3531">Connecting to destination server.</progress>
- <summary isWarning="false" errorCode="0xc1050000">
  The attempt to log on to the Microsoft Exchange Server computer has failed. The MAPI provider failed. Microsoft Exchange Server Information Store ID no: 8004011d-0512-00000000
- <details>
- <source>
  <database>/dc=corp/dc=****/cn=Configuration/cn=Services/cn=Microsoft Exchange/cn=oad/cn=Administrative Groups/cn=First Administrative Group/cn=Servers/cn=EXCHSRV01/cn=InformationStore/cn=First Storage Group/cn=Mailbox Store (EXCHSRV01)</database>
  </source>
  </details>
  </summary>
  </item>
  </items>
  </taskWizardRun>

I've already looked this up with no avail, microsoft say to check the store is mounted, which it is. I'm stumped on this one!

MAPI provider failed usually has one source - lack of permissions to open the mailbox.
If you are unable to use THE domain administrator account (not an equivalent account), then the account that you need to use must have full mailbox rights. Do not attempt to give permissions via Domain Admins or something like that as domain admins are denied access by default.

Simon.

I removed the default security settings on the First Storage Group and added my own account which also removed the domain admin account rights. My account has full permissions on the First Storage Group, I am a member of the Domain Admin group though, will this matter? I got the same error as above when I ran Move Mailbox.

The deny for domain admins is configured right at the top of the Exchange org - and I would strongly advise against fiddling around at that high level. Removing permissions is simply asking for trouble.

If you cannot use THE administrator account then I would create a special account for this purpose, don't add it to any groups other than the default "Domain Users" and then give it Full Mailbox on each mailbox in turn.

Simon.

I had something similar where I was able to rt. click on  PUBLIC FOLDERS in system manager, then select CONNECT TO-- the new exchange server

I have been using THE administrator account, it is a member of the Domain Admins and Schema Admins though. If I were to create a new account for Exchange 2003 administration only, what gruop membership should it belong to and what level of permissions are necessary for it to work prpoerly?

If you are using the administrator account then I do wonder if the permissions are set as default.

Try this..

Create a new account, but don't add it to any other groups or anything else. Make it a plain user.

Run the delegate control wizard and grant "Exchange Full Administrator" to this new account. (Right click on the org in ESM and choose "Delegate Control).

Next, take another test account and give this new user full mailbox rights ONLY to that mailbox - ie leave the default permissions in place.

Then try move mailbox.

Simon.

OK, I've tried what you suggested and I get exactly the same error no matter what. I did make the user a member of the local Administrators group though as is suggested when running through the delegate control wizard, if I run through the wizard I see "user (exchange full administrator) Inherited" Is the inherited there because of the local Administrators group membership? Also, would having Exchange installed on the D: drive be a factor at all, in the process of ESM trying to log onto the store? Just throwing that in the mix there!! It's only when logging onto the destination server that the process fails not the source and permissions are pretty much the same for both boxes.

Being a member of the local administrator's group will cause some inheritance.

I tempted to start suggesting some radical things.
For example something I would consider doing if sat in front of this environment would be to throw up a third Exchange server, standard out of the box build and see what happens then. If the problem follows then you have a domain issue. If the other box works correctly I would look at removing Exchange and rebuilding the problematic server.

This is saying permissions - that someone has changed the permissions, either on purpose or by accident. Possible reasons are to try and lock down the Exchange server and/or the Windows installation. You might be looking at some weird security settings that lock permissions to the original server.

It certainly is very odd - particularly worrying that the administrator account doesn't work.

Simon.

This might be a stupid question but does the windows 2000 server have to be a DC before installing Exchange on it?

Certainly not. It is actually best practise for the server NOT to be a domain controller. Exchange should ideally be on a dedicated member server.

Simon.

When I look at the mailbox store through ESM on the 2003 box, the SMTP(xxxxxxxxxxx), System Attendant and SystemMailbox are all showing "last Logged on by" NT AUTHORITY\System on my 2000 box  the same mailboxes are showing as "Last Logged on by" domainname\domainadministrator as are a large number of other mailboxes. Would this be caused by backup exec or symantec or would this point towards the reason why Move Mailbox fails with the access errors. Do I have to change permissions on the 2003 box to allow the domain\administrator account to log onto the mailboxes? Where would I check?

The depends on how you are doing your backups.

If you are doing mailbox level backups then that can cause the last logged on by message to be the account used for backing up. This is because mailbox level backups literally do login to each account and copy the content (which is why they are so slow).

When doing move mailbox it is important that you use THE administrator account, not an equivalent. I have had hit and miss success with equivalent accounts even when the permissions appear correct.

Simon.

I am using the domain administrator account, which is also the Exchange Full administrator, has been given full access permissions on both servers. In fact I have checked both sets of permissions against each other and they are identical but the process still fails when I run move mailbox, with the following error:

Logon Failure on databse "First Storage Group\Mailbox Store(Servername)". Windows 2000 account DOMAIN\ADMINISTRATOR: mailbox/0=DOMAIN/ou=First Administrative Group/cn= Configuration/cn=server/cn=SERVERNAME/cn=Microsoft System Attendant. Error -2147221233

From this error should I change the logon credentials for the System Attendant service to the Administrators account and try movemailbox again?

Another one for the melting pot as no one is biting on this one! Does MAPI rely on RPC? If so to what extent? Would an ISA 2004 server on the network cause a failure of the MAPI function logging into the Exchange 2003 server?

RPC and MAPI are two different things.

MAPI is the interface - RPC is the protocol. If you are blocking native RPC/NETBIOS traffic (135) with a firewall then the MAPI client (Outlook) will fail. Very unusual to be able to run native RPC over the Internet - you would normally use RPC over HTTPS.

Don't change the credentials of the service - that can cause problems.
Did you make any changes to the permissions of the administrator account - or is it set as "out of the box". The error message above means what it says - logon failure - usual cause incorrect permissions. Not necessarily not enough permissions - it is possible to give yourself too many permissions which locks you out of the account.

Simon.

When I am on the 2000 box I can connect to and browse all the directories on the 2003 box including MBDATA folder, the user account has full access to the 2003 box. I'm going to install another EX2000 server and see if I can move mailboxes between the two EX2000 boxes using the 2003 ESM, see what happens.

I've installed another exchange 2000 server into the first storage group. What I've noticed now is that when I attempt to create mailboxes on either of the two new servers in the group that 1: The create mailbox process appears to to go through ok. 2: The mailboxes do not appear on either server. It's like the first server is locked down somehow and won't allow any more servers to join the group. Any ideas? I think it might be AD related??

Mailboxes are not created until either someone logs in to it or a message is sent to that mailbox.
Does the account appear in the global address list?
If you send a message to the new account, does it bounce back?

Simon.

I sent messages to test accounts created on both servers, the messages have not been returned undelivered. The mailboxes have not shown up in ESM and when I try to open one of the test accounts mailboxes from Outlook I get "unable to display the folder. The information store could not be opened."

Are the messages sat in any of the queues?
If so, which one? Directory lookup?

Simon.

Yes, one message on each of the two new servers where the mailboxes are supposed to be in awaiting directory lookup queues.

Also, from ESM Tools Monitoring and Status the two additional servers are showing as unreachable,

Oh... thats not good.

Anything between the servers?
How is DNS configured? You are using domain controllers ONLY for DNS?

Simon.

Yes, I can ping all of the servers by name  from each other and it's resolving the correct addresses.

I had a quick look at the AD Schema snap in and although there is a long list of exch***** classes, when I click on the security tab for any of them it is blank, no permissions assigned. Is this supposed to be the case? I have nothing to compare it with.

OK, I'm not one hundred per cent on this but this was the last thing I did, which I hadn't tried or to be honest hadn't crossed my mind until today but appears to have solved my problem. I recalled a colleague having a problem with a service starting on a server (nothing to do with exchange). The service was configured to run under the domain admin account (same as the account I installed exchange under) chosen from AD in the usual manner through AD users and computers snap in. The service wouldn't start under the domainadmin@domain.com account but when he changed permissions to domain\domainadmin the service would start. I changed or added the full permissions to the Ecxhange 2003 box in the same way and ran the move mailbox wizard just to see and lo and behold I sat here and watched as it progressed through the motions. Hurray! So I've moved a couple of test mailboxes across and I am currently consulting various how to's so I replicate the Public folders, move the mailboxes and the roles of the first server over before blowing it away and upgrading the hardware with a clean install of server 2003 and exchange 2003!! Thanks for you help in this, if I have any further problems I'll be in touch. Cheers,

Noel.

The Exchange services are designed to run under Local System - nothing else. If you have changed the account then that would explain the problems.

The wrong account being used for the service is something that I must remember for future.

Simon.

No , you don't understand me here. I didn't change any of the system services permissions, only the administrator permissions, in that I changed the convention from admin@domain.com to domain/admin and it all kicked in to place!

I understood what you meant - the point I was making is that you shouldn't be using any other account EXCEPT the local system account. It doesn't matter how you reference the account being used for the services. Exchange 5.5 required its own service account, but Exchange 2000/2003 uses a special service account built in to Windows and using any other account can cause problems.

Simon.

No, Sembee did not answer my question. I sorted out the problem myself.

Please post your solution so we can PAQ - refund the question

If you read my previous few comments it explains the fix there.

I just reread the whole thread again...
You are right :)

Changed recommendation: PAQ - points refunded