Exmerge\Export error with a Recovery Storage Group
I am having trouble exmerging a mbx from a recovery storage group on one of my Exchange 2003 clusters. Everything I have found regarding the error points to permissions. Yet, I have full control on the RSG. I have no issues doing online exports, so it has to be something with the RSG itself.
Error:
[08:26:31] Copying data from mailbox USER('JJJ') on Server 'SERVERNAME' to file 'C:\DOCUMENTS AND SETTINGS\ME\DESKTOP\JJJ.PS
[08:26:32] Error opening message store (MSEMS). Verify that the Microsoft Exchange Information Store service is running and that you have the correct permissions to log on. (0x8004011d)
Any ideas?
Error:
[08:26:31] Copying data from mailbox USER('JJJ') on Server 'SERVERNAME' to file 'C:\DOCUMENTS AND SETTINGS\ME\DESKTOP\JJJ.PS
[08:26:32] Error opening message store (MSEMS). Verify that the Microsoft Exchange Information Store service is running and that you have the correct permissions to log on. (0x8004011d)
Any ideas?
ASKER
I check the DB under the RSG... no denys anywhere.
Are you sure that full mailbox access is granted? Being a Full Exchange Administrator and domain or enterprise admin is not enough. From Technet: "If your logon account is the Administrator account or is a member of the Domain Admins or Enterprise Admins groups, then you are explicitly denied access to all mailboxes other than your own, even if you otherwise have full administrative rights over the Exchange system."
The denies can probably be found using ADSI Edit. Check this article to grant the necessary permissions to a non-administrator account: http://www.infinitec.de/articles/exchange/grantmailboxaccess.aspx
Hope this helps
Peter
The denies can probably be found using ADSI Edit. Check this article to grant the necessary permissions to a non-administrator account: http://www.infinitec.de/articles/exchange/grantmailboxaccess.aspx
Hope this helps
Peter
ASKER
yep... I have full access.
-Manually added my account and granted “sent\receive as” on DB (same error)
-Created a new generic account and granted “sent\receive as” on DB (ruled out default deny for admins)
-Removed inherited permissions and granted all users\groups listed “send\receive as” (eliminating all denys)
-Attempted an export via a non-RSG DB (worked, and permissions between online and non-RSG DB are identical)
-Tried another restore of the DB (ruled out issue with the NetBackup restore)
-Tried exporting other mailboxes (ruled out any issue with the one mailbox)
-Tried running ExMerge from a workstation (ruled out potential problems running export from Exchange servers)
-Tried via our “God” Exchange KVS account (should definitely work without any permissions error)
Any idea what else to try?
-Manually added my account and granted “sent\receive as” on DB (same error)
-Created a new generic account and granted “sent\receive as” on DB (ruled out default deny for admins)
-Removed inherited permissions and granted all users\groups listed “send\receive as” (eliminating all denys)
-Attempted an export via a non-RSG DB (worked, and permissions between online and non-RSG DB are identical)
-Tried another restore of the DB (ruled out issue with the NetBackup restore)
-Tried exporting other mailboxes (ruled out any issue with the one mailbox)
-Tried running ExMerge from a workstation (ruled out potential problems running export from Exchange servers)
-Tried via our “God” Exchange KVS account (should definitely work without any permissions error)
Any idea what else to try?
ASKER
Here was the fix guys:
he mailbox that you are trying to recover, has that been moved? Meaning does it reside on a new store? I want you to check the following for me and see if it helps:
How the Recovery Storage Group Links Back to the Original Database A Recovery Storage Group uses the following two Active Directory attributes to link a copy of the database with its original database:
• The msExchMailboxGUID attribute: The first test that a mailbox must pass before you can recover data from the mailbox by using a Recovery Storage Group is that the mailbox GUID must correspond to a user in Active Directory. The mailbox GUID is a unique value that distinguishes a mailbox from all others. The mailbox GUID is created in the mailbox store when the mailbox is created, and the value remains the same for the lifetime of the mailbox. The msExchMailboxGUID attribute uses the mailbox GUID value from the mailbox store. The msExchMailboxGUID attribute is set on the user who owns the mailbox when you link a mailbox to a user account in Active Directory. The Exmerge.exe tool uses the msExchMailboxGUID attribute to match the mailbox in the Recovery Storage Group with the original mailbox. When you delete a mailbox, mailbox attributes are removed from the user object in Active Directory that previously owned the mailbox. As a result, you cannot use a Recovery Storage Group to recover a deleted mailbox.
• The msExchOrigMDB attribute: The second test that a mailbox must pass before you can recover data from the mailbox by using a Recovery Storage Group is that the mailbox must exist in the original mailbox store where the Recovery Storage Group was created. The msExchOrigMDB attribute is set on each database object in the Recovery Storage Group and it specifies the distinguished name of the original database where the Recovery Storage Group was created. If you move the mailbox to a different mailbox store, you cannot use the Exmerge.exe tool to extract data from the mailbox. To resolve this issue, do one of the following:
• Move the mailbox back to the original mailbox store.
• Modify the msExchOrigMDB attribute on the Recovery Storage Group database to point to the mailbox store that you moved the mailbox to. When you use this option, you cannot use the Exmerge.exe tool to access any mailboxes that you did not move to a different mailbox store. If you want to access the mailboxes that remain in the original mailbox store, you must change the msExchOrigMDB attribute back to its original value. To modify the msExchOrigMDB attribute by using ADSI Edit, follow these steps. Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
1. Start ADSI Edit.
2. Locate the mailbox store that you moved the mailbox to. To do so, expand Configuration Container [ YourServerName . YourDomainName . YourTopLevelDomain ], expand CN=Configuration,DC= YourDomainName ,DC= YourTopLevelDomain , expand CN=Services, expand CN=Microsoft Exchange, expand CN= YourOrganizationName , expand CN=Administrative Groups, expand CN= Your Administrative Group , where Your Administrative Group is the administrative group that contains the storage group that you want to modify), expand CN=Servers, expand CN= YourServerName , expand CN=InformationStore, and then click CN= YourStorageGroup .
3. In the right pane, right-click the database object, and then click Properties.
4. In the Select which properties to view list, click Both.
5. In the Select a property to view list, click distinguishedName.
6. Right-click the value that is in the Value(s) box, and then click Copy.
7. Click Cancel.
8. Locate and then click the Recovery Storage Group database object in the CN=Configuration,DC= YourDomainName ,DC= YourTopLevelDomain container.
9. In the right pane, right-click the Recovery Storage Group database object, and then click Properties.
10. In the Select which properties to view list, click Both.
11. In the Select a property to view list, click msExchOrigMDB.
12. Click Clear.
13. Right-click an empty area of the Edit Attributes box, and then click Paste.
14. Click Set, and then click OK.
15. Quit ADSI Edit.
he mailbox that you are trying to recover, has that been moved? Meaning does it reside on a new store? I want you to check the following for me and see if it helps:
How the Recovery Storage Group Links Back to the Original Database A Recovery Storage Group uses the following two Active Directory attributes to link a copy of the database with its original database:
• The msExchMailboxGUID attribute: The first test that a mailbox must pass before you can recover data from the mailbox by using a Recovery Storage Group is that the mailbox GUID must correspond to a user in Active Directory. The mailbox GUID is a unique value that distinguishes a mailbox from all others. The mailbox GUID is created in the mailbox store when the mailbox is created, and the value remains the same for the lifetime of the mailbox. The msExchMailboxGUID attribute uses the mailbox GUID value from the mailbox store. The msExchMailboxGUID attribute is set on the user who owns the mailbox when you link a mailbox to a user account in Active Directory. The Exmerge.exe tool uses the msExchMailboxGUID attribute to match the mailbox in the Recovery Storage Group with the original mailbox. When you delete a mailbox, mailbox attributes are removed from the user object in Active Directory that previously owned the mailbox. As a result, you cannot use a Recovery Storage Group to recover a deleted mailbox.
• The msExchOrigMDB attribute: The second test that a mailbox must pass before you can recover data from the mailbox by using a Recovery Storage Group is that the mailbox must exist in the original mailbox store where the Recovery Storage Group was created. The msExchOrigMDB attribute is set on each database object in the Recovery Storage Group and it specifies the distinguished name of the original database where the Recovery Storage Group was created. If you move the mailbox to a different mailbox store, you cannot use the Exmerge.exe tool to extract data from the mailbox. To resolve this issue, do one of the following:
• Move the mailbox back to the original mailbox store.
• Modify the msExchOrigMDB attribute on the Recovery Storage Group database to point to the mailbox store that you moved the mailbox to. When you use this option, you cannot use the Exmerge.exe tool to access any mailboxes that you did not move to a different mailbox store. If you want to access the mailboxes that remain in the original mailbox store, you must change the msExchOrigMDB attribute back to its original value. To modify the msExchOrigMDB attribute by using ADSI Edit, follow these steps. Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
1. Start ADSI Edit.
2. Locate the mailbox store that you moved the mailbox to. To do so, expand Configuration Container [ YourServerName . YourDomainName . YourTopLevelDomain ], expand CN=Configuration,DC= YourDomainName ,DC= YourTopLevelDomain , expand CN=Services, expand CN=Microsoft Exchange, expand CN= YourOrganizationName , expand CN=Administrative Groups, expand CN= Your Administrative Group , where Your Administrative Group is the administrative group that contains the storage group that you want to modify), expand CN=Servers, expand CN= YourServerName , expand CN=InformationStore, and then click CN= YourStorageGroup .
3. In the right pane, right-click the database object, and then click Properties.
4. In the Select which properties to view list, click Both.
5. In the Select a property to view list, click distinguishedName.
6. Right-click the value that is in the Value(s) box, and then click Copy.
7. Click Cancel.
8. Locate and then click the Recovery Storage Group database object in the CN=Configuration,DC= YourDomainName ,DC= YourTopLevelDomain container.
9. In the right pane, right-click the Recovery Storage Group database object, and then click Properties.
10. In the Select which properties to view list, click Both.
11. In the Select a property to view list, click msExchOrigMDB.
12. Click Clear.
13. Right-click an empty area of the Edit Attributes box, and then click Paste.
14. Click Set, and then click OK.
15. Quit ADSI Edit.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Have a look at the Exmerge log file for more details.
From Technet: "This behavior occurs because the account you are logged on as does not have Receive As and Send As permissions to the mailboxes on which ExMerge is exporting and importing messages. Even the Full Exchange administrator account does not have Receive As and Send As permissions by default." - http://support.microsoft.com/default.aspx?scid=kb;en-us;273642
related article: http://support.microsoft.com/kb/174197
Hope this helps.
Peter