Link to home
Start Free TrialLog in
Avatar of padiap
padiap

asked on

Backing Up Exchange 2007 with Backup Exec 12.5; both on Windows Server 2008

Hi,

I'm finally past (most of) the hundreds of crazy errors thrown at me by Exchange 2007 SP1 running on Windows Server 2008. Now I'm running into difficulties while attempting to back it up with Backup Exec 12.5.

I originally had no troubles backing up or restoring our Exchange 2000 environment with Backup Exec 12.5 running on Server 2003. We then built a new backup server on a 2008 machine and have since been unable to make backups or restores at the mailbox level (cannot browse below the Storage Groups under the Information Store) for Exchange 2000 or 2007. When we do attempt to backup the Storage group we receive the following error:
'Cannot log on to MAPI with the specified credentials. Review the resource credentials for the job, and then run the job again'.

Here's my current setup (we have since decommissioned the Exchange 2000 box):

Server1:
Mailbox & Hub
Exchange Server 2007 SP1 - Rollup 7
Windows Server 2008 64-bit
Domain Controller - DNS/GC
Messaging API and Collaboration Data Objects 1.2.1

Server2:
Windows Server 2008 32-bit
Symantec Backup Exec 12.5
Exchange 2007 Management Tools - Rollup 7
Messaging API and Collaboration Data Objects 1.2.1

The account I am using is BENTSA and it is a member of the following groups;
* Administrators
* Domain Admins
* Domain Users
* Exchange Domain Servers
* Exchange Organization Administrators
* Exchange Services
* Schema Admins

I've been working with Symantec for the past 2 weeks on this and I'm pretty sure I've gone backwards. I now have troubles simply browsing to the Exchange server through Backup Exec and I'm prompted with; 'Logon Account: System Logon Account Access is denied'. Administrator however can browse fine, except to the mailboxes of course.
Obviously I can't backup using the admin account, as I'm prompted with; 'The Logon account you specified must correspond to a unique mailbox'. Neither account is hidden from the Exchange address lists.

I've read about IPv6 causing issues but I am unable to add the registry change (Disable Components) or disable IPv6 as when I do so Exchange starts filling the Event Log with errors; 'Process MSEXCHANGETOPOLOGYSERVICE.EXE (PID=2516). Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC).' I believe this is because it's attempting to use IPv6 for DSACCESS (or the 2007 equivalent), which essentially means it can't see itself!
Symantec had me change the hosts file as per http://seer.entsupport.symantec.com/docs/306689.htm but it didn't help.

They also had me install Microsoft Exchange Server MAPI Editor onto the Exchange Server. When connecting as the logged in user it connects fine, but for example if I am logged in as Administrator and connect as BENTSA I receive: 'MAPI_E_FAILONEPROVIDER == 0x8004011D'.
I can only assume this is normal, as it connects fine otherwise.

Any ideas experts? Would really appreciate the help.

Cheers,

padiap
Avatar of padiap
padiap

ASKER

Update:
Symantec had me disable UAC on the Backup Exec server (and reboot). No dice. Still receiving access denied when trying to expand it, as well as the MAPI error when trying to expand the Mailboxes.

Cheers,

padiap
Avatar of honmapog
honmapog
Flag of Ireland image
Have you enabled debug logging? What sort of debug logs do you have for Backup Exec. Do you have beremote debug logs? Do you have a remsvr debug log somewhere? Check both servers.

If you say "I now have troubles simply browsing to the Exchange server through Backup Exec and I'm prompted with; 'Logon Account: System Logon Account Access is denied", I would suggest creating a completely new account.
Make it Exchange Full Admin, add the account directly to the Local Admin group on the Exchange server. Create a mailbox for the account. Send email to it. Make sure its not hidden from the GAL. Make it a domain admin.


Use dependencywalker as described in http://seer.entsupport.symantec.com/docs/301181.htm to check which versions of mapi32.dll you're using.
What's the file size of the MAPI32.dll files you're using.
Avatar of padiap
padiap

ASKER

Hi honmapoq,

Thanks for the reply.

Symantec support had me create a log for them; see sgmon.log.
I disabled IPv6 on the Backup Server and it now connects to machines much quicker through the Selections List, however this just means I receive the Access Denied error quicker.
Attempted to connect to the Mail Server (usual error) with debug running, attatched log; authorization error.log.
I don't have any remote debug logs. If I should be running them and you could let me know what types of logs to run and how to do so that would be greatly appreciated.

I have created 2 other accounts with Symantec support, both of which have the same rights as the BENTSA account (listed above). They cannot be made local admins on the Exchange server however as it is also a Domain Controller. I have logged on to the machine as them and made changes without any problems. They also have mailboxes I have sent to/from that are visible in the GAL.

Last night I went through the following with Symantec Support (had done so before, this time with an 'advanced technician'):

* Host file change on MAIL, CAS, & BE servers.
* Disabled IPv6 on CAS server, added 'Disabled Components' registry key and rebooted. - Support mentioned that some requests could be forwarded to this which I did not realize, hence why I didn't mention this server in the question. I have not attempted to back-up this server as yet.
* Uninstalled and re-installed remote agent (from RAWSX64 directory).
* Re-started services on Backup server.
* Ran a backup job (couldn't expand the Mailbox Databases though)

Still the same Access Denied errors.

I can see the information store, ran the the tool you suggested but could not find the 3 files (bedsxchg.dll, bedsxese.dll and bedsmbox) to verify with on the Exchange Server.
The properties however of the mapi32.dlls are as follows:
File version: 1.0.2536.0
Description: Extended MAPI 1.0 for Windows NT
Size:       65.0KB (Windows\SysWOW64)
      84.0KB (Windows\System32)

Please let me know if you need any more info.

Cheers,

padiap
authoraization-error.txt
sgmon.log
Avatar of honmapog
honmapog
Flag of Ireland image
Check if you have a System Logon account. To do that check whether the "System Account" button in Figure 1 in http://seer.entsupport.symantec.com/docs/274012.htm is greyed out. If it's not greyed out, follow the steps in the article.

Are you backing up to disk or tape?

To enable the debug logs follow http://seer.entsupport.symantec.com/docs/275639.htm. For your purpose just checking the checkbox "Enable debug log for job engine and remote agent service" should be sufficient. None of the other checkboxes in Figure 1 need to be checked.
In addition to this, right-click on "All Remote Agent Computers" in the middle pane of beutility, and add your mail server as new remote agent computer. Then right-click this server and choose "Enable debug logs". Only check the topmost checkbox to gather logs.

Then run the backup again.

Afterwards, zip and post the all files that have been modified during the backup job from the "program files\symantec\backup exec\logs" folder on the media server and from the "program files\symantec\backup exec\raws\logs" folder on the mail server.

Avatar of padiap
padiap

ASKER

Hi honmapoq,

Yes, there is a System Logon account. It has been setup from scratch about 6 or 7 times now (through troubleshooting).

To tape. I haven't tried backing up to disk as I have errors popping up (as previously mentioned) when simply browsing in the selections list.

When attempting to enable debug logs on our mail server I received the following error:
Save the remote agent debug configuration.
Failed to access the registry keys of selected server PADIAP-MAIL to get the Backup Exec version numbers.
Operation to set the remote agent debug log configuration failed.

I ran the backup (which failed). The logs from both directories are attached.

Thanks again for your help,

padiap
Backup-Server-Log.zip
Exchange-Server-Backup-Logs.zip
Avatar of honmapog
honmapog
Flag of Ireland image
Is the "Remote Registry" service running on PADIAP-MAIL? I suggest you enable it. I'm not sure whether it is needed for the backup, but that's why you couldn't create the logs.
Avatar of padiap
padiap

ASKER

Hi honmapoq,

Damn, probably should have re-read that error and fixed it myself! :P
Remote registry was disabled. I've enabled & started it. Logs are attached.

I've also uninstalled and re-installed the MAPI/CDO client on the Mail server.

One thing I did notice; after installing the remote agent on our CAS server I could browse (click the plus next to it using system logon account) in the backup selections list and see its drives etc. Which isn't the case with the Mail server (access denied when using system logon account) when browsing.

Thanks again.

padiap
BE-Logs.zip
Exchange-Logs.zip
Avatar of honmapog
honmapog
Flag of Ireland image
You should sort out that Access Denied problem when browsig. You said that seemed to be introduced while troubleshooting with Symantec. Remember what was changed before? I suppose the "Remote Agent" service is started under the LocalSystem account on the Mail server?

Reviewing the remsvr log, you're getting error MAPI_E_AMBIGUOUS_RECIP. To me this sounds like your admininistrator account is not unique.

That is confirmed by what you see in the beremote debug log:
[8668] 04/07/09 15:11:27 Using Rem Provider for Browse/Backup.
[8668] 04/07/09 15:11:27 Logon: m_lpMAPISession->Logon returned 80040700
[8668] 04/07/09 15:11:27       NAME NOT UNIQUE: administrator
[8668] 04/07/09 15:11:27 MB2_Chgdir:Logon returned e000febd


So, check http://seer.entsupport.symantec.com/docs/256537.htm and make sure your administrator account is unique, or create a completely new account to do the backup with and make sure that account is completely unique.
Avatar of padiap
padiap

ASKER

Hi honmapog,

Access denied and MAPI errors have been sorted. Although we could access other DCs (pre-Server 2008) without the issue it seems that 2008 DCs have local policies that only allow a specific account to back them up. The System Logon Account was added to the following group policy items in the Default Domain Controllers Policy;

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > 
* Act as part of the operating system
* Back up files and directories
* Create a token object
* Log on as a batch job
* Log on as a service
* Manage auditing and security log
* Restore files and directories

It may be that only 1 or 2 of these needed to be altered but it seems to have fixed the access issues. Only problem now is we're getting the following error when running a backup:

 - AOFO: Initialization failure on: \\padiap-mail\Microsoft Information Store\Finance. Advanced Open File Option used: Microsoft Volume Shadow Copy Service (VSS). V-79-10000-11226  VSS Snapshot error. The Microsoft Volume Shadow Copy Service (VSS) snapshot provider selected returned: Unexpected provider error. Ensure that all provider services are enables and can be started. Check the Windows Event Viewer for details.

The Application Log on the Mail server has the following error:

Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {5fc845eb-f299-40f0-9725-34045f7ea8ba} [0x80070422].
Operation:
   Creating instance of hardware provider
   Obtain a callable interface for this provider
   Add a Volume to a Shadow Copy Set
Context:
   Provider ID: {f5dbcc43-b847-494e-8083-f030501da611}
   Provider ID: {f5dbcc43-b847-494e-8083-f030501da611}
   Class ID: {5fc845eb-f299-40f0-9725-34045f7ea8ba}
   Snapshot Context: 0
   Execution Context: Coordinator

Shadow Copies work fine on the server. Apparently it may be that Backup Exec can start the service but cannot release/stop it? Symantec Support will be troubleshooting this later today with me but if you have any input that would be greatly appreciated.

Thanks again.

padiap
ASKER CERTIFIED SOLUTION
Avatar of honmapog
honmapog
Flag of Ireland image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of padiap
padiap

ASKER

Hi honmapog,

Symantec support had me disable the 2 services associated with Acronis during troubleshooting. Didn't even think about enabling them again.

I uninstalled the application and ran a backup through Backup Exec which had no errors.

Thanks again for all your help mate. Really appreciate it.

Cheers,

padiap