5.5 to 2003 migration failing with ADC permission problem

Hi,

I've seen similar questions here, but no answer that gives a solution, unless I'm missing something, which is very possible :)

The ADC has installed okay and the first parts (Steps 1 and 2) run okay.  Step 3, running the resource mailbox wizard goes okay.  After setting the credentials it runs through, but very fast.  The progress bar moves and it says it's modifying mailboxes.  But the only ones listed are resource ones, not user mailboxes.  But as this is the resource wizard, I guess that is okay?  Then when I run the Verify the following error shows:

Warning: Either you do not have permission to view hidden objects in the Exchange 5.5 directory, or the directory is not Exchange 5.5 SP1 or later. Returned information may be inaccurate.
Finished verifying the results of the Resource Mailbox Wizard.

This also appears in the ADCTools.log below:

Current user is 'Administrator\TEST' on computer 'BRA-SERV2'

Resource Mailbox verify 10/22/2004 15:24:04
      Warning: Either you do not have permission to view hidden objects in the Exchange 5.5 directory, or the directory is not Exchange 5.5 SP1 or later. Returned information may be inaccurate.

This I guess must be some permission problem.  There is a two-way trust between the two domains (NT 4 and 2003).  I've added the 2003 Admin account to just about everything in the NT 4 domain to see if anything happens, but nothing does.

Hoping someone would have a solution?

Thanks,

Neil.
NeilLoffhagenAsked:
 
marc_nivensCommented:
Yeah, sounds like the KCC hasn't run yet.  You will know it has and it worked when the other site disappears from the admin program.  To run a KCC, do this:

- Open Exchange admin program
- Drill down to your server and highlight the server object
- On the right, double click directory service
- Hit the "check now" button

If it made changes it will tell you so.  Once this completes the other site should be completely gone, along with the mailboxes that no longer exist.
0
 
marc_nivensCommented:
Adding the 2003 admin account to NT permissions is not enough, it needs to be a service account.  Follow these steps:

- Launch the 5.5 admin program
- Click Tools/Options, check the 1st and 2nd boxes (show security page, etc...) and click ok to get out
- Highlight the Organization name, file/properties.  On the security tab, add the 2003 admin account and give him service account admin
- Repeat this for the site container and the configuration container

Once these are set try running ADCTools again.
0
 
NeilLoffhagenAuthor Commented:
Really appreciate your help.  Thanks - Getting a lot further :)

Now seeing all the accounts go through, but getting the below error:

Pass 1 of 1: Resource Mailbox Scan validation (objects processed: 158)
Warning: The Exchange 5.5 directory still contains objects that need to be marked as resource mailboxes before they can be replicated to Active Directory. If you have just run the Resource Mailbox Wizard, or have just imported the CSV file Generated by Resource Mailbox Wizard, allow time for the changes to replicate throughout the Exchange 5.5 directory. Then rerun the verification task in Step 3. Otherwise, rerun the Resource Mailbox Wizard.
Finished verifying the results of the Resource Mailbox Wizard.

How long does this normally take?  We have just over 150 accounts, so not a large site.  Does the verify button become immediately available?  If so am I clicking it too soon?  Also, the Connection Agreement Wizard buttons are still greyed out.  Do they only become active once the Resource Mailbox wizard has run successfully?

I almost see light at the end of this migration tunnel :)

Thanks again,

Neil.
0
 
marc_nivensCommented:
You will have to run the Resource Mailbox Wizard first, then the verify will pass.  It shouldn't take long at all with 150 users.  After that the buttons for the connection agreements will be available.
0
 
NeilLoffhagenAuthor Commented:
I ran the Resource Mailbox Wizard again and when I run the Verify it still fails with the same error:

Current user is 'Administrator\TEST' on computer 'BRA-SERV2'

Resource Mailbox verify 10/22/2004 16:51:50
      Warning: The Exchange 5.5 directory still contains objects that need to be marked as resource mailboxes before they can be replicated to Active Directory. If you have just run the Resource Mailbox Wizard, or have just imported the CSV file Generated by Resource Mailbox Wizard, allow time for the changes to replicate throughout the Exchange 5.5 directory. Then rerun the verification task in Step 3. Otherwise, rerun the Resource Mailbox Wizard.

Is there anything else to try, or is it a case of just keeping on running the Resource Mailbox Wizard and the Verify until the error goes away?  Though without changing anything not sure if the error would ever disappear?

Neil.
0
 
marc_nivensCommented:
You will need to make changes.  The Wizard should be telling you the accounts that need changes.  Is the wizard giving you the opportunity to fix them?
0
 
marc_nivensCommented:
Also, check out this step by step guide:

http://www.winnetmag.com/Article/ArticleID/41444/41444.html
0
 
NeilLoffhagenAuthor Commented:
Hi Marc,

Your comments and link have been very helpful, but still not quite there yet.

It seems the NT account that is probably causing the problem is one called "Hilary Ward".  When running wizard it is this account that is shown as having 4 mailboxes associated with it.  But can only see one of them on the Exchange 5.5 Server, which is the good mailbox.  One of the other three redundant mailboxes is shown in the Global Address Book, but not in the Private Information Store.  So can't see where to delete these redundant mailboxes and they are redundant.  For example, one is called "Fred Bloggs" and must have been set up as a test by some previous Admin and then associated with this user's NT account.  Out of these 4 mailboxes have tried setting each one as Primary in the ADC wizard, but nothing seems to change, the Verify still fails.  Am I stuck here or is there a way of getting rid of the other un-needed mailboxes attached to the NT account?

Thanks again,

Neil.
0
 
marc_nivensCommented:
If the ADC wizard isn't doing it you will need to find the mailboxes using the 5.5 admin program and change the primary NT account that way.  The easiest way I can think to do this if you can't find them in the admin program is to export the directory to CSV file, open it in Excel, and sort by the Primary NT Account column.  Here you can see all mailboxes that are tied to that account and fix them manually.
0
 
NeilLoffhagenAuthor Commented:
Marc,

The contents of the csv file are below.  This is got from running the ADC wizard.  Not sure how I alter this file correctly?  Or is this the wrong file?  Once this is sorted all should be okay to run the Verify and then the Connection Agreement wizard?

Thanks again,

Neil.

Obj-Class,Extension-Attribute-10,Display Name,Primary Windows NT Account,Alias Name,Directory Name,Home-Server,Obj-Container
Mailbox,NTDSNoMatch,Small Board Room,\Everyone,smallboardroom,SMALLBOARDROOM,BRA-SERV-2,/o=Keltec Ltd./ou=KELTEC/cn=Recipients
Mailbox,NTDSNoMatch,Large Board Room,\Everyone,largeboardroom,LARGEBOARDROOM,BRA-SERV-2,/o=Keltec Ltd./ou=KELTEC/cn=Recipients
Mailbox,NTDSNoMatch,Quiet Room,\Everyone,quietroom,QUIETROOM,BRA-SERV-2,/o=Keltec Ltd./ou=KELTEC/cn=Recipients
Mailbox,NTDSNoMatch,Thin Client,\Everyone,Thinclient,Thinclient,BRA-SERV-2,/o=Keltec Ltd./ou=KELTEC/cn=Recipients
Mailbox,NTDSNoMatch,Birmingham Board Room,\Everyone,Birmingham.B,Birmingham.B,BRA-SERV-2,/o=Keltec Ltd./ou=KELTEC/cn=Recipients
Mailbox,NTDSNoMatch,Hilary Ward,KELTEC\Hilary Ward,HilaryW,HilaryW,BRA-SERV-2,/o=Keltec Ltd./ou=KELTEC/cn=Recipients
0
 
NeilLoffhagenAuthor Commented:
Okay, tried the following:

Changed the Extension-Attribute-10 to NTDSNoMatch as per instructions in the ADC help file.  Tried importing this to the Exchange 5.5 Server, but got an error.  I'd left the Container as Recipients.  Selected the "Use selected container.." button.  Left Recipient Template blank.  Pointed Import File to the altered csv file.  Left Create Windows NT account and Deleted Windows NT account blank.  Left Multivalued Properties as Append.  Error is "The attribute NTDSNoMatch is unknown"

So should this NTDSNoMatch attribute be known?  If not do you know how I add it in?

Thanks,

Neil.
0
 
marc_nivensCommented:
It sounds like the file is misformatted as it thinks that NTDSNoMatch is an attribute, not an attribute value.  Can you open the file in notepad, copy it out, and give us the results?  You can change your private information if needed.
0
 
NeilLoffhagenAuthor Commented:
This is how the csv is:

Obj-Class,Extension-Attribute-10,Display Name,Primary Windows NT Account,Alias Name,Directory Name,Home-Server,Obj-Container
Mailbox,NTDSNoMatch,Hilary Ward,KELTEC\Hilary Ward,HilaryW,HilaryW,BRA-SERV-2,/o=Keltec Ltd./ou=KELTEC/cn=Recipients

This is how it is after I've edited it:

Obj-Class,NTDSNoMatch,Display Name,Primary Windows NT Account,Alias Name,Directory Name,Home-Server,Obj-Container
Mailbox,NTDSNoMatch,Hilary Ward,KELTEC\Hilary Ward,HilaryW,HilaryW,BRA-SERV-2,/o=Keltec Ltd./ou=KELTEC/cn=Recipients

Am I changing the wrong bit?

Neil.
0
 
marc_nivensCommented:
Yes, the top line contains attribute names.  Do not change Extension-Attribute-10, leave it as is.  You could also just go to that mailbox and remove the primary NT account.
0
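The two checks marc_nivens describes in this thread (the first row of the export holds attribute names, and grouping by Primary Windows NT Account shows every mailbox tied to one account), as an added example that is not part of any participant's post. The column names come from the export shown in the thread; the sample rows, accounts and server names are constructed.

```python
import csv
import io
from collections import defaultdict

# Column names as they appear in the export posted in this thread.
EXPECTED_HEADER = [
    "Obj-Class", "Extension-Attribute-10", "Display Name",
    "Primary Windows NT Account", "Alias Name", "Directory Name",
    "Home-Server", "Obj-Container",
]

# Constructed sample export (not real data): accounts, servers and sites are made up.
SAMPLE_EXPORT = """\
Obj-Class,Extension-Attribute-10,Display Name,Primary Windows NT Account,Alias Name,Directory Name,Home-Server,Obj-Container
Mailbox,NTDSNoMatch,Meeting Room,\\Everyone,meetingroom,MEETINGROOM,SRV-A,/o=Example/ou=SOUTH/cn=Recipients
Mailbox,,Jane Doe,EXAMPLE\\jdoe,JaneD,JaneD,SRV-A,/o=Example/ou=SOUTH/cn=Recipients
Mailbox,NTDSNoMatch,Jane Doe old,EXAMPLE\\jdoe,DoeJ,DoeJ,SRV-B,/o=Example/ou=NORTH/cn=Recipients
Mailbox,NTDSNoMatch,test user,EXAMPLE\\JDoe,testu,testu,SRV-B,/o=Example/ou=NORTH/cn=Recipients
"""


def check_header(header):
    """Return problems with the first row, which must hold attribute names."""
    problems = [f"missing attribute column: {name}"
                for name in EXPECTED_HEADER if name not in header]
    if "NTDSNoMatch" in header:
        problems.append("NTDSNoMatch is a value of Extension-Attribute-10, "
                        "not a column name")
    return problems


def shared_accounts(text):
    """Map each NT account that owns more than one mailbox to those mailboxes."""
    reader = csv.DictReader(io.StringIO(text))
    problems = check_header(reader.fieldnames or [])
    if problems:
        raise ValueError("; ".join(problems))
    by_account = defaultdict(list)
    for row in reader:
        # NT account names are case-insensitive, so normalise before grouping.
        account = row["Primary Windows NT Account"].strip().lower()
        marked = row["Extension-Attribute-10"] == "NTDSNoMatch"
        by_account[account].append((row["Display Name"], row["Home-Server"], marked))
    return {acct: boxes for acct, boxes in by_account.items() if len(boxes) > 1}


if __name__ == "__main__":
    for acct, boxes in shared_accounts(SAMPLE_EXPORT).items():
        print(acct, boxes)
```

The Home-Server value in each tuple shows which server, and so which site, holds every extra mailbox for the account.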
 
NeilLoffhagenAuthor Commented:
Okay - was being a bit off track.  I guess I don't need to edit it?  But should just import it, the way it was exported?  Though having imported it as it was exported, and the import seems to work okay.  Get a bar chart moving across the screen and it says import was successful, but the verify still does not work.

Now, I think I'm understanding this better.  There is also another csv file that is being created, for an old site that no longer exists.  We have an old Server called Birmingham (that was in Birmingham, other server based elsewhere), that was taken out of service several years ago.  But the connector is still present on the current Exchange server.  I've been told that if the connector is removed then users in Birmingham stop receiving mail?  So looking at the other csv file this is related to old Birmingham users?

Obj-Class,Extension-Attribute-10,Display Name,Primary Windows NT Account,Alias Name,Directory Name,Home-Server,Obj-Container
Mailbox,NTDSNoMatch,Hilary Ward old,KELTEC\Hilary Ward,WardH,ScamblerH,BIRMAILGATE,/o=Keltec Ltd./ou=KELTEC BIRMINGHAM/cn=Recipients
Mailbox,NTDSNoMatch,fred bloggs,KELTEC\Hilary Ward,fredb,HilaryW,BIRMAILGATE,/o=Keltec Ltd./ou=KELTEC BIRMINGHAM/cn=Recipients
Mailbox,NTDSNoMatch,Hilary Ward old,KELTEC\Hilary Ward,HilaryW,Hilary Ward,BIR-SERV-2,/o=Keltec Ltd./ou=KELTEC BIRMINGHAM/cn=Recipients

When I try to import this file I get error:

Could not modify object Hilary Ward because the directory service reported the following error: Changes cannot be written to this directory object. Try connecting to a Microsoft Exchange Server computer in the same site as this object.

Any ideas?

Thanks,

Neil.
0
 
marc_nivensCommented:
Ah now it's making sense.  If the server is no longer up in Birmingham then users aren't receiving mail anyway.  It sounds like this site no longer exists at all.  If this is the case you will need to remove the dirrep connector and the users from that site will go away.

Were the Birmingham users moved to this site or something?  
0
 
NeilLoffhagenAuthor Commented:
From my understanding there were two sites based in the UK.  One in the midlands (Birmingham), the other in the south.  Originally both had Exchange Servers.  The South was the main one, with a connector to the midlands one.  Then the one in the midlands was taken out of service and all mail was then accessed on the Exchange Server in the south.  But users in the midlands do still get mail from the south Exchange Server.  They connect over a leased line.  It seems that this Hilary Ward user has an active account on the South Exchange Server and also some left over stuff on the Birmingham Exchange Server, where the import it is trying to update her account, but can't as the Server is no longer there?

Would taking the Connector out help?  Or would the accounts still point there?

Neil
0
 
marc_nivensCommented:
If you remove the dirrep connector the users will disappear completely for that site.  I'll need a bit more info:

- How many directory replication connectors does this site have?
- Which sites are they pointing to?
- When south makes an update, does your site receive the update?

It almost sounds like this site had a dirrep connector to both sites.  If that is the case, you can safely remove the dirrep connector to the old site and then the bad account information should disappear.
0
 
NeilLoffhagenAuthor Commented:
Looking at the site we have one dir repl on the South Server pointing to the old Birmingham Server.  Noted that the Schedule is set to "Never"?  So presumably it will never seek any new info from the Birmingham server?  So I guess we could take out and delete this dir repl?  What about the Site Connector that is also pointing to the old Birmingham server?  What worries me about removing that one is the claim by an older guy here who said they took the Site Connector out a while back and all the users who are in Birmingham could no longer get mail, even though their Outlook is pointing to the South Exchange Server, over a leased line.  To me that doesn't make sense?

If we remove the dir repl, does it take long for the changes to be seen on the South Exchange box?

Neil.
0
 
marc_nivensCommented:
If there is another dirrep connector in place already for the correct site, you can just remove the one for the incorrect site.  If there is only 1 dirrep connector you will still have to remove it, but you will need to create another one afterwards to point to the correct site.
0
 
NeilLoffhagenAuthor Commented:
Not quite following this.  If we have only the one active site here in the south, do we still need a dir repl pointing to itself?

Do we need to worry about the connector pointing to a non-existent site?

Neil.
0
 
marc_nivensCommented:
Sorry, I thought there were 3 sites.  If the only site you have is this one, you can safely delete any dirrep/site connectors.
0
 
NeilLoffhagenAuthor Commented:
Okay - done that and all users still okay.  But still when running the ADC get the errors that:

The Data Collection tool found objects that must be marked as resource mailboxes before they can be replicated to Active Directory. Running the Resource Mailbox Wizard in Step 3 will resolve these issues.
Finished Data Collection.
Pass 1 of 1: Resource Mailbox Scan validation (objects processed: 159)
Warning: The Exchange 5.5 directory still contains objects that need to be marked as resource mailboxes before they can be replicated to Active Directory. If you have just run the Resource Mailbox Wizard, or have just imported the CSV file Generated by Resource Mailbox Wizard, allow time for the changes to replicate throughout the Exchange 5.5 directory. Then rerun the verification task in Step 3. Otherwise, rerun the Resource Mailbox Wizard.
Finished verifying the results of the Resource Mailbox Wizard.

When I do the export to csv file and import it to Exchange 5.5 still get the error that:

Could not modify object HilaryW because the directory service reported the following error: Changes cannot be written to this directory object. Try connecting to a Microsoft Exchange Server computer in the same site as this object.

This gives me the impression that there is still something hanging over from the old Exchange Server?

Neil.
0
 
NeilLoffhagenAuthor Commented:
Sorry for not getting back to you sooner on this.  Appreciate all your help and give you all the points.  As you say just needed time for the KCC to do its stuff.

Thanks again,

Neil.
0
Question has a verified solution.