Solved

5.5 to 2003 migration failing with ADC permission problem

Posted on 2004-10-22
Last Modified: 2008-01-09
Hi,

I've seen similar questions here, but no answer that gives a solution, unless I'm missing something, which is very possible :)

The ADC has installed okay and the first parts (Steps 1 and 2) run okay.  Step 3, running the resource mailbox wizard goes okay.  After setting the credentials it runs through, but very fast.  The progress bar moves and it says it's modifying mailboxes.  But the only ones listed are resource ones, not user mailboxes.  But as this is the resource wizard, guess that is okay?  Then when I run the Verify the following error shows:

Warning: Either you do not have permission to view hidden objects in the Exchange 5.5 directory, or the directory is not Exchange 5.5 SP1 or later. Returned information may be inaccurate.
Finished verifying the results of the Resource Mailbox Wizard.

This also appears in the ADCTools.log below:

Current user is 'Administrator\TEST' on computer 'BRA-SERV2'

Resource Mailbox verify 10/22/2004 15:24:04
      Warning: Either you do not have permission to view hidden objects in the Exchange 5.5 directory, or the directory is not Exchange 5.5 SP1 or later. Returned information may be inaccurate.

This I guess must be some permission problem.  There is a two-way trust between the two domains (NT 4 and 2003).  I've added the 2003 Admin account to just about everything in the NT 4 domain to see if anything happens, but nothing does.

Hoping someone would have a solution?

Thanks,

Neil.
0
Question by:NeilLoffhagen
    24 Comments
     
    LVL 21

    Expert Comment

    by:marc_nivens
    Adding the 2003 admin account to NT permissions is not enough, it needs to be a service account.  Follow these steps:

    - Launch the 5.5 admin program
    - Click Tools/Options, check the 1st and 2nd boxes (show security page, etc...) and click ok to get out
    - Highlight the Organization name, file/properties.  On the security tab, add the 2003 admin account and give him service account admin
    - Repeat this for the site container and the configuration container

    Once these are set try running ADCTools again.
    0
     

    Author Comment

    by:NeilLoffhagen
    Really appreciate your help.  Thanks - Getting a lot further :)

    Now seeing all the accounts go through, but getting the below error:

    Pass 1 of 1: Resource Mailbox Scan validation (objects processed: 158)
    Warning: The Exchange 5.5 directory still contains objects that need to be marked as resource mailboxes before they can be replicated to Active Directory. If you have just run the Resource Mailbox Wizard, or have just imported the CSV file Generated by Resource Mailbox Wizard, allow time for the changes to replicate throughout the Exchange 5.5 directory. Then rerun the verification task in Step 3. Otherwise, rerun the Resource Mailbox Wizard.
    Finished verifying the results of the Resource Mailbox Wizard.

    How long does this normally take?  We have just over 150 accounts, so not a large site.  Does the verify button become immediately available?  If so am I clicking it too soon?  Also, the Connection Agreement Wizard buttons are still greyed out.  Do they only become active once the Resource Mailbox wizard has run successfully?

    I almost see light at the end of this migration tunnel :)

    Thanks again,

    Neil.
    0
     
    LVL 21

    Expert Comment

    by:marc_nivens
    You will have to run the Resource Mailbox Wizard first, then the verify will pass.  It shouldn't take long at all with 150 users.  After that the buttons for the connection agreements will be available.
    0
     

    Author Comment

    by:NeilLoffhagen
    I ran the Resource Mailbox Wizard again and when I run the Verify it still fails with the same error:

    Current user is 'Administrator\TEST' on computer 'BRA-SERV2'

    Resource Mailbox verify 10/22/2004 16:51:50
          Warning: The Exchange 5.5 directory still contains objects that need to be marked as resource mailboxes before they can be replicated to Active Directory. If you have just run the Resource Mailbox Wizard, or have just imported the CSV file Generated by Resource Mailbox Wizard, allow time for the changes to replicate throughout the Exchange 5.5 directory. Then rerun the verification task in Step 3. Otherwise, rerun the Resource Mailbox Wizard.

    Is there anything else to try, or is it a case of just keeping on running the Resource Mailbox Wizard and the Verify until the error goes away?  Though without changing anything not sure if the error would ever disappear?

    Neil.
    0
     
    LVL 21

    Expert Comment

    by:marc_nivens
    You will need to make changes.  The Wizard should be telling you the accounts that need changes.  Is the wizard giving you the opportunity to fix them?
    0
     
    LVL 21

    Expert Comment

    by:marc_nivens
    Also, check out this step by step guide:

    http://www.winnetmag.com/Article/ArticleID/41444/41444.html
    0
     

    Author Comment

    by:NeilLoffhagen
    Hi Marc,

    Your comments and link have been very helpful, but still not quite there yet.

    It seems the NT account that is probably causing the problem is one called "Hilary Ward".  When running wizard it is this account that is shown as having 4 mailboxes associated with it.  But can only see one of them on the Exchange 5.5 Server, which is the good mailbox.  One of the other three redundant mailboxes is shown in the Global Address Book, but not in the Private Information Store.  So can't see where to delete these redundant mailboxes and they are redundant.  For example, one is called "Fred Bloggs" and must have been set up as a test by some previous Admin and then associated with this user's NT account.  Out of these 4 mailboxes have tried setting each one as Primary in the ADC wizard, but nothing seems to change, the Verify still fails.  Am I stuck here or is there a way of getting rid of the other un-needed mailboxes attached to the NT account?

    Thanks again,

    Neil.
    0
     
    LVL 21

    Expert Comment

    by:marc_nivens
    If the ADC wizard isn't doing it you will need to find the mailboxes using the 5.5 admin program and change the primary NT account that way.  The easiest way I can think to do this if you can't find them in the admin program is to export the directory to CSV file, open it in Excel, and sort by the Primary NT Account column.  Here you can see all mailboxes that are tied to that account and fix them manually.
    0
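The CSV sort described in the comment above, as an added example that is not part of the original thread: it groups a directory export by Primary Windows NT Account and lists accounts that still own more than one mailbox not marked `NTDSNoMatch`. The sample rows and function names are constructed, and the script assumes the site is the `ou=` part of Obj-Container and that `NTDSNoMatch` in Extension-Attribute-10 is the resource marker, as in the exports quoted on this page.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout of the exports quoted in this thread;
# every value below is made up for the example.
SAMPLE_EXPORT = """\
Obj-Class,Extension-Attribute-10,Display Name,Primary Windows NT Account,Alias Name,Directory Name,Home-Server,Obj-Container
Mailbox,,Jane Doe,EXAMPLE\\jdoe,jdoe,JDoe,SRV-A,/o=Example/ou=SOUTH/cn=Recipients
Mailbox,,Jane Doe old,EXAMPLE\\jdoe,doej,DoeJ,SRV-B,/o=Example/ou=NORTH/cn=Recipients
Mailbox,,Test Box,example\\JDoe,testb,TestB,SRV-B,/o=Example/ou=NORTH/cn=Recipients
Mailbox,NTDSNoMatch,Board Room,\\Everyone,boardroom,BOARDROOM,SRV-A,/o=Example/ou=SOUTH/cn=Recipients
Mailbox,NTDSNoMatch,Quiet Room,\\Everyone,quietroom,QUIETROOM,SRV-A,/o=Example/ou=SOUTH/cn=Recipients
Mailbox,,John Roe,EXAMPLE\\jroe,jroe,JRoe,SRV-A,/o=Example/ou=SOUTH/cn=Recipients
"""


def site_of(container):
    """Return the ou= component (assumed to be the site) of an Obj-Container."""
    for part in container.split("/"):
        if part.lower().startswith("ou="):
            return part[3:]
    return ""


def unresolved_accounts(export_text, local_site):
    """Map each NT account with more than one unmarked mailbox to those rows.

    Account names are compared case-insensitively. Each row records whether it
    lives in local_site; rows from another site are the ones an import from
    this site cannot modify.
    """
    unmarked = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Obj-Class"] != "Mailbox":
            continue
        if row["Extension-Attribute-10"].strip() == "NTDSNoMatch":
            continue  # already marked as a resource mailbox
        site = site_of(row["Obj-Container"])
        unmarked[row["Primary Windows NT Account"].strip().lower()].append({
            "display": row["Display Name"],
            "directory_name": row["Directory Name"],
            "site": site,
            "writable_here": site.lower() == local_site.lower(),
        })
    return {acct: rows for acct, rows in unmarked.items() if len(rows) > 1}


if __name__ == "__main__":
    for account, rows in unresolved_accounts(SAMPLE_EXPORT, "SOUTH").items():
        print(account)
        for r in rows:
            where = "fix here" if r["writable_here"] else "other site, read-only from here"
            print(f"  {r['display']} ({r['site']}): {where}")
```
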
     

    Author Comment

    by:NeilLoffhagen
    Marc,

    The contents of the csv file is below.  This is got from running the ADC wizard.  Not sure how I alter this file correctly?  Or is this the wrong file?  Once this is sorted all should be okay to run the Verify and then the Connection Agreement wizard?

    Thanks again,

    Neil.

    Obj-Class,Extension-Attribute-10,Display Name,Primary Windows NT Account,Alias Name,Directory Name,Home-Server,Obj-Container
    Mailbox,NTDSNoMatch,Small Board Room,\Everyone,smallboardroom,SMALLBOARDROOM,BRA-SERV-2,/o=Keltec Ltd./ou=KELTEC/cn=Recipients
    Mailbox,NTDSNoMatch,Large Board Room,\Everyone,largeboardroom,LARGEBOARDROOM,BRA-SERV-2,/o=Keltec Ltd./ou=KELTEC/cn=Recipients
    Mailbox,NTDSNoMatch,Quiet Room,\Everyone,quietroom,QUIETROOM,BRA-SERV-2,/o=Keltec Ltd./ou=KELTEC/cn=Recipients
    Mailbox,NTDSNoMatch,Thin Client,\Everyone,Thinclient,Thinclient,BRA-SERV-2,/o=Keltec Ltd./ou=KELTEC/cn=Recipients
    Mailbox,NTDSNoMatch,Birmingham Board Room,\Everyone,Birmingham.B,Birmingham.B,BRA-SERV-2,/o=Keltec Ltd./ou=KELTEC/cn=Recipients
    Mailbox,NTDSNoMatch,Hilary Ward,KELTEC\Hilary Ward,HilaryW,HilaryW,BRA-SERV-2,/o=Keltec Ltd./ou=KELTEC/cn=Recipients
    0
     

    Author Comment

    by:NeilLoffhagen
    Okay, tried the following:

    Changed the Extension-Attribute-10 to NTDSNoMatch as per instructions in the ADC help file.  Tried importing this to the Exchange 5.5 Server, but got an error.  I'd left the Container as Recipients.  Selected the "Use selected container.." button.  Left Recipient Template blank.  Pointed Import File to the altered csv file.  Left Create Windows NT account and Deleted Windows NT account blank.  Left Multivalued Properties as Append.  Error is "The attribute NTDSNoMatch is unknown"

    So should this NTDSNoMatch attribute be known?  If not do you know how I add it in?

    Thanks,

    Neil.
    0
     
    LVL 21

    Expert Comment

    by:marc_nivens
    It sounds like the file is misformatted as it thinks that NTDSNoMatch is an attribute, not an attribute value.  Can you open the file in notepad, copy it out, and give us the results?  You can change your private information if needed.
    0
     

    Author Comment

    by:NeilLoffhagen
    This is how the csv is:

    Obj-Class,Extension-Attribute-10,Display Name,Primary Windows NT Account,Alias Name,Directory Name,Home-Server,Obj-Container
    Mailbox,NTDSNoMatch,Hilary Ward,KELTEC\Hilary Ward,HilaryW,HilaryW,BRA-SERV-2,/o=Keltec Ltd./ou=KELTEC/cn=Recipients

    This is how it is after I've edited it:

    Obj-Class,NTDSNoMatch,Display Name,Primary Windows NT Account,Alias Name,Directory Name,Home-Server,Obj-Container
    Mailbox,NTDSNoMatch,Hilary Ward,KELTEC\Hilary Ward,HilaryW,HilaryW,BRA-SERV-2,/o=Keltec Ltd./ou=KELTEC/cn=Recipients

    Am I changing the wrong bit?

    Neil.
    0
     
    LVL 21

    Expert Comment

    by:marc_nivens
    Yes, the top line contains attribute names.  Do not change Extension-Attribute-10, leave it as is.  You could also just go to that mailbox and remove the primary NT account.
    0
     

    Author Comment

    by:NeilLoffhagen
    Okay - was being a bit off track.  I guess I don't need to edit it?  But should just import it, the way it was exported?  Though having imported it as it was exported, and the import seems to work okay.  Get a bar chart moving across the screen and it says import was successful, but the verify still does not work.

    Now, I think I'm understanding this better.  There is also another csv file that is being created, for an old site that no longer exists.  We have an old Server called Birmingham (that was in Birmingham, other server based elsewhere), that was taken out of service several years ago.  But the connector is still present on the current Exchange server.  I've been told that if the connector is removed then users in Birmingham stop receiving mail?  So looking at the other csv file this is related to old Birmingham users?

    Obj-Class,Extension-Attribute-10,Display Name,Primary Windows NT Account,Alias Name,Directory Name,Home-Server,Obj-Container
    Mailbox,NTDSNoMatch,Hilary Ward old,KELTEC\Hilary Ward,WardH,ScamblerH,BIRMAILGATE,/o=Keltec Ltd./ou=KELTEC BIRMINGHAM/cn=Recipients
    Mailbox,NTDSNoMatch,fred bloggs,KELTEC\Hilary Ward,fredb,HilaryW,BIRMAILGATE,/o=Keltec Ltd./ou=KELTEC BIRMINGHAM/cn=Recipients
    Mailbox,NTDSNoMatch,Hilary Ward old,KELTEC\Hilary Ward,HilaryW,Hilary Ward,BIR-SERV-2,/o=Keltec Ltd./ou=KELTEC BIRMINGHAM/cn=Recipients

    When I try to import this file I get error:

    Could not modify object Hilary Ward because the directory service reported the following error: Changes cannot be written to this directory object. Try connecting to a Microsoft Exchange Server computer in the same site as this object.

    Any ideas?

    Thanks,

    Neil.
    0
     
    LVL 21

    Expert Comment

    by:marc_nivens
    Ah now it's making sense.  If the server is no longer up in Birmingham then users aren't receiving mail anyway.  It sounds like this site no longer exists at all.  If this is the case you will need to remove the dirrep connector and the users from that site will go away.

    Were the Birmingham users moved to this site or something?  
    0
     

    Author Comment

    by:NeilLoffhagen
    From my understanding there were two sites based in the UK.  One in the midlands (Birmingham), the other in the south.  Originally both had Exchange Servers.  The South was the main one, with a connector to the midlands one.  Then the one in the midlands was taken out of service and all mail was then accessed on the Exchange Server in the south.  But users in the midlands do still get mail from the south Exchange Server.  They connect over a leased line.  It seems that this Hilary Ward user has an active account on the South Exchange Server and also some left over stuff on the Birmingham Exchange Server, where the import it is trying to update her account, but can't as the Server is no longer there?

    Would taking the Connector out help?  Or would the accounts still point there?

    Neil
    0
     
    LVL 21

    Expert Comment

    by:marc_nivens
    If you remove the dirrep connector the users will disappear completely for that site.  I'll need a bit more info:

    - How many directory replication connectors does this site have?
    - Which sites are they pointing to?
    - When south makes an update, does your site receive the update?

    It almost sounds like this site had a dirrep connector to both sites.  If that is the case, you can safely remove the dirrep connector to the old site and then the bad account information should disappear.
    0
     

    Author Comment

    by:NeilLoffhagen
    Looking at the site we have one dir repl on the South Server pointing to the old Birmingham Server.  Noted that the Schedule is set to "Never"?  So presumably it will never seek any new info from the Birmingham server?  So I guess we could take out and delete this dir repl?  What about the Site Connector that is also pointing to the old Birmingham server?  What worries me about removing that one is the claim by an older guy here who said they took the Site Connector out a while back and all the users who are in Birmingham could no longer get mail, even though their Outlook is pointing to the South Exchange Server, over a leased line.  To me that doesn't make sense?

    If we remove the dir repl, does it take long for the changes to be seen on the South Exchange box?

    Neil.
    0
     
    LVL 21

    Expert Comment

    by:marc_nivens
    If there is another dirrep connector in place already for the correct site, you can just remove the one for the incorrect site.  If there is only 1 dirrep connector you will still have to remove it, but you will need to create another one afterwards to point to the correct site.
    0
     

    Author Comment

    by:NeilLoffhagen
    Not quite following this.  If we have only the one active site here in the south, do we still need a dir repl pointing to itself?

    Do we need to worry about the connector pointing to a non-existent site?

    Neil.
    0
     
    LVL 21

    Expert Comment

    by:marc_nivens
    Sorry, I thought there were 3 sites.  If the only site you have is this one, you can safely delete any dirrep/site connectors.
    0
     

    Author Comment

    by:NeilLoffhagen
    Okay - done that and all users still okay.  But still when running the ADC get the errors that:

    The Data Collection tool found objects that must be marked as resource mailboxes before they can be replicated to Active Directory. Running the Resource Mailbox Wizard in Step 3 will resolve these issues.
    Finished Data Collection.
    Pass 1 of 1: Resource Mailbox Scan validation (objects processed: 159)
    Warning: The Exchange 5.5 directory still contains objects that need to be marked as resource mailboxes before they can be replicated to Active Directory. If you have just run the Resource Mailbox Wizard, or have just imported the CSV file Generated by Resource Mailbox Wizard, allow time for the changes to replicate throughout the Exchange 5.5 directory. Then rerun the verification task in Step 3. Otherwise, rerun the Resource Mailbox Wizard.
    Finished verifying the results of the Resource Mailbox Wizard.

    When I do the export to csv file and import it to Exchange 5.5 still get the error that:

    Could not modify object HilaryW because the directory service reported the following error: Changes cannot be written to this directory object. Try connecting to a Microsoft Exchange Server computer in the same site as this object.

    This gives me the impression that there is still something hanging over from the old Exchange Server?

    Neil.
    0
     
    LVL 21

    Accepted Solution

    by:
    Yeah, sounds like the KCC hasn't run yet.  You will know it has and it worked when the other site disappears from the admin program.  To run a KCC, do this:

    - Open Exchange admin program
    - Drill down to your server and highlight the server object
    - On the right, double click directory service
    - Hit the "check now" button

    If it made changes it will tell you so.  Once this completes the other site should be completely gone, along with the mailboxes that no longer exist.
    0
     

    Author Comment

    by:NeilLoffhagen
    Sorry for not getting back to you sooner on this.  Appreciate all your help and give you all the points.  As you say just needed time for the KCC to do its stuff.

    Thanks again,

    Neil.
    0
