Solved

"Send As" on an Exchange 2010 server in a different domain?

Posted on 2011-02-23
3,091 Views
Last Modified: 2012-05-11
I am in the middle of a domain migration.  I've used Quest Migration Manager for AD to migrate user accounts to my target domain.  The problem is when users login to the new target domain, they get an error when attempting to send email.  The NDR says "You can't send a message on behalf of this user unless you have permission to do so. Please make sure you're sending on behalf of the correct sender, or request the necessary permission. If the problem continues, please contact your helpdesk."

I've disabled SID filtering, I have a trust, and the cross forest users have rights to open their mailboxes, just not send.  I'm assuming it's a Send As permission issue, but when in the ESM (or whatever it's called from 2010), it doesn't appear like I can add permissions from another domain to the mailbox.  

How can I configure the newly migrated users to be able to send mail on their existing Exchange 2010 server?  Any help would be greatly appreciated.

-fedsig
0
Question by:fedsig
24 Comments
 
LVL 5

Expert Comment

by:ccns
By the sounds of it you need to create user accounts in AD for the users that are trying to send emails,
and also configure the Exchange Outlook settings to reflect the new Exchange server...
0
 
LVL 5

Expert Comment

by:ccns
On reading it again, have you moved the Exchange server to the new domain? Or is there one already in the new domain? It sounds like within ESM you need to move users from one mail server to the one that corresponds to the new domain.
0
 
LVL 2

Expert Comment

by:Gastrig
Just to be clear, you have migrated the user, but not the mailbox?  What type of trust?  You may have to do EnableSidHistory on the trust as well.

Did you disable the source account when you did the migration session in QMM?

Thanks,

Michael
0
 

Author Comment

by:fedsig
I only migrated the user. I enabled SIDHistory, disabled SID filtering, and the users can get to other resources in the domain. I know SID history works b/c they can open the mailbox, move, delete, and receive new mail. They just cannot send, which is why I'm thinking it's a Send As perm issue.

Any ideas?
0
 

Author Comment

by:fedsig
In order to move mail, I need to perform a quest migration for Exchange migration.

The users were migrated to a new domain.   Mailboxes are intact as they were in the source domain, and mail will be migrated later. I just want the users to be able to send mail during the coexistence period.

0
 
LVL 2

Expert Comment

by:Gastrig
Other question, did you use the QMM migration session to disable the source account?  It should set the SendAs permission for you, along with the Associated External Account, so that the mailbox is able to be used (though, again, only if you used QMM Migration Session to disable source account).

Michael
0
 

Author Comment

by:fedsig
Good thought, but the source account is still enabled.

I think on Exg 2k3 it set the Associated External Account perm, but 2010 is quite a bit different. I've performed about 16 migrations, but this is my first with Exg 2k10.

I imagine Sid history would be useless with a disabled source acct.

0
 
LVL 2

Expert Comment

by:Gastrig
I assumed the source was Exchange 2003 and the target was 2010.  Is that correct?
0
 

Author Comment

by:fedsig
Reverse. Target is 2k3, but will be 2k10 prior to the migration.  Source is 2k10 now. The perms in 2010 are managed via ESM, not AD.
0
 
LVL 2

Expert Comment

by:Gastrig
Oh!  Sorry about that!  Most people are migrating from 2k3 to 2010, not the other way around.  :-)

The point is the same, though.  The Migration Session will set the SendAs perms for you if you disable the account in the source while you are doing the migration session.  However, if you are insistent on keeping the source user account enabled, then you can always do the PowerShell command to add SendAs manually.  I'm not a PowerShell guru, but....

To do one user to test, you could follow this article:
http://technet.microsoft.com/en-us/library/bb676368.aspx

PowerShell example:  `Add-ADPermission "John Simpson" -User "Domain\User" -ExtendedRights "Send As"`

If that is the issue then it is just a matter of getting the command right to add each remote user the appropriate rights.
0
 
LVL 2

Expert Comment

by:Gastrig
And just in case...

In QMM terminology, the "Source" is the domain/org you are migrating from.  The "Target" is the domain/org you are migrating to.  

Also, you should certainly try doing the QMM Migration session with "disable source object" turned on.  It won't cost you a license to do it (as you have already migrated the user) and you can always "undo" the migration session if it doesn't help your situation.  It is not normal to leave the source AD account enabled during a migration.  In short you are attempting to set up a temporary "resource forest" configuration, which, as Microsoft will tell you, means that you have a disabled user that holds the mailbox, and an enabled user in a different forest.

We are talking inter-forest (e.g. different forests), not intra-forest (two domains in the same forest), right?
0
 

Author Comment

by:fedsig
Intra-forest. 2 separate forests. 2 separate schemas.  2 independent GCs. 2 different exg orgs.

What I want to be clear on is the migrated user cannot send mail. Source disabled or not. Target with Exchange or not, it should work. I have perms to do everything except Send As (or on behalf of). That is what I'm trying to get working.
0

 
LVL 2

Expert Comment

by:Gastrig
Shot in the dark then:

http://support.microsoft.com/kb/895949


Right, so you haven't started your Exchange migration.  You migrated a user.  You log in as that user, and he is accessing his "original" mailbox.  What do the permissions on the mailbox look like?  (I don't want to see them, but it would be good to note if SendAs is on for the target user).

In the migration session, did you select to "merge" the security descriptor?  You aren't skipping anything in your migration session (such as ntSecurityDescriptor) by chance?

On the "disabled" thing, it only matters if you let QMM do the disabling.  As QMM disables the source account it will set the permissions so that the target user has full access.  If you don't disable, it tends to leave the permissions alone.  Manually disabling the user doesn't do the same thing.

I'm out for the evening.  Sorry I wasn't able to help more!

Michael
0
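The thread leaves two gaps for anyone repeating this: Gastrig's one-off `Add-ADPermission` command (a few posts up) does not say how to apply it to a batch of migrated users, and the question just above ("it would be good to note if SendAs is on for the target user") does not say how to check. The script below is an added example, not code from the thread or from Quest; it runs in the Exchange 2010 Management Shell on the source org and, for each mailbox in a mapping, lists the explicit Send-As entries and grants the right to the target-forest account if it is missing. It assumes the trust lets the source org resolve the target accounts as `TARGET\samAccountName` (the GUI's inability to browse the other domain does not stop the cmdlet from accepting a resolvable trusted principal), and the mapping data is constructed inline in place of a QMM export.

```powershell
# Added example: grant and verify Send-As on source Exchange 2010 mailboxes
# for accounts in a trusted target forest. Run in the Exchange Management Shell.
# Assumption: target accounts resolve as TARGET\samAccountName over the trust.

# Constructed sample mapping (stand-in for an export of migrated users).
$mapping = @"
Mailbox,TargetUser
jsimpson,TARGET\jsimpson
adoe,TARGET\adoe
"@ | ConvertFrom-Csv

# Set to $false once the -WhatIf output has been reviewed.
$ReviewOnly = $true

function Get-ExplicitSendAs {
    param([string]$Identity)
    # Explicit (non-inherited) Send-As ACEs on the mailbox's AD object.
    # The NT AUTHORITY\SELF entry is excluded: it matches only the mailbox's
    # own object SID, so a migrated user whose token carries that SID only in
    # sidHistory is not covered by it and needs an explicit entry.
    Get-ADPermission -Identity $Identity |
        Where-Object {
            ($_.ExtendedRights -like '*Send-As*') -and
            (-not $_.IsInherited) -and
            ("$($_.User)" -ne 'NT AUTHORITY\SELF')
        } |
        ForEach-Object { "$($_.User)" }
}

foreach ($row in $mapping) {
    $mbx = Get-Mailbox -Identity $row.Mailbox -ErrorAction Stop
    $existing = @(Get-ExplicitSendAs -Identity $mbx.DistinguishedName)

    Write-Host ("{0}: explicit Send-As -> {1}" -f $row.Mailbox,
        ($(if ($existing) { $existing -join ', ' } else { '<none>' })))

    if ($existing -contains $row.TargetUser) {
        Write-Host "  already granted to $($row.TargetUser)"
        continue
    }

    # Same form as the TechNet article linked above, driven from the mapping.
    Add-ADPermission -Identity $mbx.DistinguishedName -User $row.TargetUser `
        -AccessRights ExtendedRight -ExtendedRights 'Send As' -WhatIf:$ReviewOnly
}
```

Run it once with `$ReviewOnly = $true` to see which mailboxes would change, then flip it to apply. The listing step is worth keeping even after the grant is done: it is the quickest way to tell whether the QMM security-descriptor merge actually carried the entries forward, since a merged descriptor should show the target-forest account here without the script having to add anything.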
 

Author Comment

by:fedsig
Inter-forest, I meant.
0
 

Author Comment

by:fedsig
Thanks very much for the effort. The scenario you set up is spot on. I did not select merge; I believe that has to do with objects that match email/SAM acct name/SID history.

The perms don't include any Send As for objects in another domain. That would have been what I would have chosen, but I cannot even browse for users in a different domain.

Regarding the disabling thing, I find a good migration requires a few sync sessions to populate all linked attributes.

Good night. If you think of something, hit me up in the morning.
0
 
LVL 2

Accepted Solution

by:
Gastrig earned 500 total points
On the "merge", I was referring to this screen (attached).

[Attached image: Migration Sessions Security Settings Screen]
But yes, there are other "merge" options as well.
0
 

Author Comment

by:fedsig
That option is only for merged accts.  I don't merge accts.  I rename duplicates prior to migration, so if a user is logging in as XYZ in the source, he will be logging in as XYZ in the target.  If the user has to be renamed in the target, I choose to manually rename him in the source.  He gets used to the renamed user acct and can easily transition into the new domain.  

Attached is the help file for the screen you just had up. QMM for AD - Merge
0
 
LVL 2

Assisted Solution

by:Gastrig
Gastrig earned 500 total points
No, the help file is wrong - that option is NOT only for merged accounts.  It is for how you set the Security Descriptor on the target.  You can set Skip, Merge or Replace.  If you set skip, then no security descriptor data will flow forward from the source.  If you select "merge" then the source security descriptor information will be copied forward or merged with existing (if present).  Skip will not bring source security descriptor information forward at all.
0
 

Author Comment

by:fedsig
Gastrig,

     Thank you for your help.  I submitted some of your suggestions to Quest support, and the support engineer heard of you?  He said that you've done plenty of Quest migration engagements and said that I should give your solutions a try.

     I did read through the quest documentation and found that the help file is indeed wrong regarding the security descriptor.

     I've since remigrated 4 users and merged their accounts (as to not have to undo the migration) and selected merge security descriptor.  I'll give it a shot on Monday.  Thanks again for your help.

Regards,

fedsig
0
 

Author Comment

by:fedsig
I didn't mean to close it w/o awarding points.  Gastrig should get 500 points for this
0
 

Author Comment

by:fedsig
Please assign Gastrig all 500 points
0
 

Author Closing Comment

by:fedsig
In addition to selecting "Merge" for the security descriptor, I needed to resource prep the source domain.
0
 
LVL 2

Expert Comment

by:Gastrig
Curious - I would not have thought that resource processing the source would have been required.  For clarification sake, did you process with ADPW (Active Directory Processing Wizard) or EPW (Exchange Processing Wizard)?  I would think you would have done ADPW.

Yes, fortunate or otherwise, support has heard of me.  I do these things for a living, though I have to say that it is always a challenge to "keep up" with all the changes in MS versions and hotfixes.


Thanks,

Michael
0
 

Author Comment

by:fedsig
To be honest, resource prep may not have been required.  Vlady suggested I do it.  That was his initial suggestion.  When I explained that you had suggestions, he suggested I follow those as well.

I did ADPW resource prepping, not EPW.  I imagine whether it was needed or not, it doesn't really hurt.  I'm gonna decommission the source domain anyhow and there are only a handful of admins in that domain.  They all do their domain administration via the Domain Admins group.  No delegated users have perms directly in AD except that which is default/standard.

Believe it or not, this is my 12th migration.  With a solid local admin team, I can get a domain of up to 200 users knocked out in a week (lunchtime migrations).  It's making sure the local admins account for any 3rd party apps (licensing, AD membership, LDAP paths, etc) that take the time.

This was my first migration in 2 1/2 years and my first with Exchange 2010, Windows Server 2008, and Windows 7.  I hate it when my little canned scripts and migration procedures have to be revisited.  

I'm with you - it's fun to keep up with the MS changes.  It is what it is though.

-fedsig
0
