Solved

"Send As" on an Exchange 2010 server in a different domain?

Posted on 2011-02-23
Medium Priority
3,354 Views
Last Modified: 2012-05-11
I am in the middle of a domain migration.  I've used Quest Migration Manager for AD to migrate user accounts to my target domain.  The problem is when users login to the new target domain, they get an error when attempting to send email.  The NDR says "You can't send a message on behalf of this user unless you have permission to do so. Please make sure you're sending on behalf of the correct sender, or request the necessary permission. If the problem continues, please contact your helpdesk."

I've disabled SID filtering, I have a trust, and the cross forest users have rights to open their mailboxes, just not send.  I'm assuming it's a Send As permission issue, but when in the ESM (or whatever it's called from 2010), it doesn't appear like I can add permissions from another domain to the mailbox.

How can I configure the newly migrated users to be able to send mail on their existing Exchange 2010 server?  Any help would be greatly appreciated.

-fedsig
Question by:fedsig
24 Comments
 
LVL 5

Expert Comment

by:ccns
ID: 34966404
By the sounds of it, you need to create user accounts in AD for the users that are trying to send emails.
And also configure the Exchange Outlook settings to reflect the new Exchange server...
0
 
LVL 5

Expert Comment

by:ccns
ID: 34966414
On reading it again, have you moved the Exchange server to the new domain? Or is there one already in the new domain? Sounds like within ESM you need to move users from one mail server to the one that corresponds to the new domain.
0
 
LVL 2

Expert Comment

by:Gastrig
ID: 34966813
Just to be clear, you have migrated the user, but not the mailbox?  What type of trust?  You may have to do EnableSidHistory on the trust as well.

Did you disable the source account when you did the migration session in QMM?

Thanks,

Michael
0
 

Author Comment

by:fedsig
ID: 34966943
I only migrated the user. I enabled SIDHistory, disabled SID filtering, and the users can get to other resources in the domain. I know SID history works b/c they can open the mailbox, move, delete, and receive new mail. They just cannot send, which is why I'm thinking it's a Send As perm issue.

Any ideas?
0
 

Author Comment

by:fedsig
ID: 34966971
In order to move mail, I need to perform a quest migration for Exchange migration.

The users were migrated to a new domain.   Mailboxes are intact as they were in the source domain, and mail will be migrated later. I just want the users to be able to send mail during the coexistence period.

0
 
LVL 2

Expert Comment

by:Gastrig
ID: 34967064
Other question, did you use the QMM migration session to disable the source account?  It should set the SendAs permission for you, along with the Associated External Account, so that the mailbox is able to be used (though, again, only if you used QMM Migration Session to disable source account).

Michael
0
 

Author Comment

by:fedsig
ID: 34967090
Good thought, but the source account is still enabled.

I think on exg 2k3 it set the associated external acct perm, but 2010 is quite a bit different. I've performed about 16 migrations, but this is my first with exg 2k10.

I imagine Sid history would be useless with a disabled source acct.

0
 
LVL 2

Expert Comment

by:Gastrig
ID: 34967097
I assumed the source was Exchange 2003 and the target was 2010.  Is that correct?
0
 

Author Comment

by:fedsig
ID: 34967122
Reverse. Target is 2k3, but will be 2k10 prior to the migration.  Source is 2k10 now. The perms in 2010 are managed via ESM, not AD.
0
 
LVL 2

Expert Comment

by:Gastrig
ID: 34967135
Oh!  Sorry about that!  Most people are migrating from 2k3 to 2010, not the other way around.  :-)

The point is the same, though.  The Migration Session will set the SendAs perms for you if you disable the account in the source while you are doing the migration session.  However, if you are insistent on keeping the source user account enabled, then you can always use the PowerShell command to add SendAs manually.  I'm not a PowerShell guru, but....

To do one user to test, you could follow this article:
http://technet.microsoft.com/en-us/library/bb676368.aspx 

PowerShell example:  Add-ADPermission -Identity "John Simpson" -User "Domain\User" -ExtendedRights "Send As"

If that is the issue then it is just a matter of getting the command right to add each remote user the appropriate rights.
0
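An added example (not from this thread, Quest or Microsoft) that applies the Add-ADPermission approach above to a list of mailboxes from the Exchange 2010 Management Shell in the source forest, checks for an existing or Deny ACE first, and verifies the grant afterwards. The domain name, aliases and the -Apply switch are assumptions; it assumes sAMAccountNames match across the two forests, as they do in this thread.

```powershell
# Added example; placeholder names throughout. Run in the Exchange 2010 Management Shell
# in the SOURCE forest (where the mailboxes live), with a trust to the target forest.
param(
    [string]   $TargetDomain = "TARGET",            # NetBIOS name of the migrated users' domain (placeholder)
    [string[]] $Aliases      = @("jsmith", "adoe"), # source mailbox aliases (constructed sample)
    [switch]   $Apply                               # without -Apply the script only reports
)

function Get-ExplicitSendAs {
    # Explicit (non-inherited) Send-As ACEs for one trustee on one mailbox object.
    param([string]$MailboxDN, [string]$Trustee)
    Get-ADPermission -Identity $MailboxDN -User $Trustee -ErrorAction SilentlyContinue |
        Where-Object { -not $_.IsInherited -and ($_.ExtendedRights -like "*Send-As*") }
}

foreach ($alias in $Aliases) {
    $mbx     = Get-Mailbox -Identity $alias -ErrorAction Stop
    $trustee = "$TargetDomain\$alias"   # assumes the same account name in both forests
    $aces    = @(Get-ExplicitSendAs -MailboxDN $mbx.DistinguishedName -Trustee $trustee)

    # A Deny ACE wins over any Allow; adding another Allow would not fix sending.
    if ($aces | Where-Object { $_.Deny }) {
        Write-Warning "$trustee has an explicit DENY Send-As on $alias; remove it before granting."
        continue
    }
    if ($aces) {
        Write-Host "OK: $trustee already has Send As on $alias"
        continue
    }
    if (-not $Apply) {
        Write-Host "WOULD GRANT: Send As on $alias to $trustee (re-run with -Apply)"
        continue
    }

    # Grant only the one extended right needed; Full Access is not required to send.
    Add-ADPermission -Identity $mbx.DistinguishedName -User $trustee -ExtendedRights "Send As" | Out-Null

    # Verify the ACE actually landed; the NDR quoted in the question is what users see when it has not.
    if (Get-ExplicitSendAs -MailboxDN $mbx.DistinguishedName -Trustee $trustee) {
        Write-Host "GRANTED: Send As on $alias to $trustee"
    } else {
        Write-Warning "Grant on $alias did not verify; check the trust and SID resolution of $trustee."
    }
}
```

Run it once without -Apply to see what would change, then with -Apply to make and verify the grants.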
 
LVL 2

Expert Comment

by:Gastrig
ID: 34967147
And just in case...

In QMM terminology, the "Source" is the domain/org you are migrating from.  The "Target" is the domain/org you are migrating to.  

Also, you should certainly try doing the QMM Migration session with "disable source object" turned on.  It won't cost you a license to do it (as you have already migrated the user) and you can always "undo" the migrations session if it doesn't help your situation.  It is not normal to leave the source ad account enabled during a migration.  In short you are attempting to setup a temporary "resource forest" configuration, which, as Microsoft will tell you, means that you have a disabled user that holds the mailbox, and an enabled user in a different forest.

We are talking inter-forest (e.g. different forests), not intra-forest (two domains in the same forest), right?
0
 

Author Comment

by:fedsig
ID: 34967173
Intra-forest. 2 separate forests. 2 separate schemas.  2 independent GCs. 2 different exg orgs.

What I want to be clear on is the migrated user cannot send mail. Source disabled or not. Target with Exchange or not, it should work. I have perms to do everything except Send As (or on behalf of). That is what I'm trying to get working.
0
 
LVL 2

Expert Comment

by:Gastrig
ID: 34967208
Shot in the dark then:

http://support.microsoft.com/kb/895949 


Right, so you haven't started your Exchange migration.  You migrated a user.  You log in as that user, and he is accessing his "original" mailbox.  What do the permissions on the mailbox look like?  (I don't want to see them, but it would be good to note if SendAs is on for the target user).

In the migration session, did you select to "merge" the security descriptor?  You aren't skipping anything in your migration session (such as ntSecurityDescriptor) by chance?

On the "disabled" thing, it only matters if you let QMM do the disabling.  As QMM disables the source account it will set the permissions so that the target user has full access.  If you don't disable, it tends to leave the permissions alone.  Manually disabling the user doesn't do the same thing.

I'm out for the evening.  Sorry I wasn't able to help more!

Michael
0
 

Author Comment

by:fedsig
ID: 34967210
Inter-forest, I meant.
0
 

Author Comment

by:fedsig
ID: 34967257
Thanks very much for the effort. The scenario you set up is spot on. I did not select merge, I believe that has to do with objects that match email/Sam acct name/Sid history.

The perms don't include any Send As for objects in another domain. That would have been what I would have chosen, but I cannot even browse for users in a different domain.

Regarding the disabling thing, I find a good migration requires a few sync sessions to populate all linked attributes.

Good night. If you think of something, hit me up in the morning.
0
 
LVL 2

Accepted Solution

by:
Gastrig earned 2000 total points
ID: 34967364
On the "merge", I was referring to this screen (attached).

[Attached image: Migration Sessions Security Settings Screen]

But yes, there are other "merge" options as well.
0
 

Author Comment

by:fedsig
ID: 34967398
That option is only for merged accts.  I don't merge accts.  I rename duplicates prior to migration, so a user is logging in as XYZ in the source, he will be logging in as XYZ in the target.  If the user has to be renamed in the target, I choose to manually rename him in the source.  He gets used to the renamed user acct and can easily transition into the new domain.

Attached is the help file for the screen you just had up. QMM for AD - Merge
0
 
LVL 2

Assisted Solution

by:Gastrig
Gastrig earned 2000 total points
ID: 34970256
No, the help file is wrong - that option is NOT only for merged accounts.  It is for how you set the Security Descriptor on the target.  You can set Skip, Merge or Replace.  If you set skip, then no security descriptor data will flow forward from the source.  If you select "merge" then the source security descriptor information will be copied forward or merged with existing (if present).  Skip will not bring source security descriptor information forward at all.
0
 

Author Comment

by:fedsig
ID: 34992561
Gastrig,

     Thank you for your help.  I submitted some of your suggestions to Quest support, and the support engineer heard of you?  He said that you've done plenty of Quest migration engagements and said that I should give your solutions a try.

     I did read through the quest documentation and found that the help file is indeed wrong regarding the security descriptor.

     I've since remigrated 4 users and merged their accounts (as to not have to undo the migration) and selected merge security descriptor.  I'll give it a shot on Monday.  Thanks again for your help.

Regards,

fedsig
0
 

Author Comment

by:fedsig
ID: 35001383
I didn't mean to close it w/o awarding points.  Gastrig should get 500 points for this
0
 

Author Comment

by:fedsig
ID: 35001789
Please assign Gastrig all 500 points
0
 

Author Closing Comment

by:fedsig
ID: 35001833
In addition to selecting "Merge" for the security descriptor, I needed to resource prep the source domain.
0
 
LVL 2

Expert Comment

by:Gastrig
ID: 35001856
Curious - I would not have thought that resource processing the source would have been required.  For clarification's sake, did you process with ADPW (Active Directory Processing Wizard) or EPW (Exchange Processing Wizard)?  I would think you would have done ADPW.

Yes, fortunate or otherwise, support has heard of me.  I do these things for a living, though I have to say that it is always a challenge to "keep up" with all the changes in MS versions and hotfixes.


Thanks,

Michael
0
 

Author Comment

by:fedsig
ID: 35002456
To be honest, resource prep may not have been required.  Vlady suggested I do it.  That was his initial suggestion.  When I explained that you had suggestions, he suggested I follow those as well.

I did ADPW resource prepping, not EPW.  I imagine whether it was needed or not, it doesn't really hurt.  I'm gonna decommission the source domain anyhow and there are only a handful of admins in that domain.  They all do their domain administration via the Domain Admins group.  No delegated users have perms directly in AD except that which is default/standard.

Believe it or not, this is my 12th migration.  With a solid local admin team, I can get a domain of up to 200 users knocked out in a week (lunchtime migrations).  It's making sure the local admins account for any 3rd party apps (licensing, AD membership, LDAP paths, etc) that take the time.

This was my first migration in 2 1/2 years and my first with Exchange 2010, Windows Server 2008, and Windows 7.  I hate it when my little canned scripts and migration procedures have to be revisited.  

I'm with you - it's fun to keep up with the MS changes.  It is what it is though.

-fedsig
0