jssb-bgruett

asked on

Exmerge Generates 8007203a And 0x8004011d Errors And Fails

I have used EXMERGE numerous times over the years in various Exchange 2003 (w/ Server 2003) environments to both import and export data to and from mail stores, both as user terminations as well as during mail migrations.  Never had a problem.

Well, never had a REAL problem, that is (ie: something that wasn't easily fixed).

Recently I inherited an Exchange 2003, Windows 2003 (AD2000) server which handles a sizable user community within one of my corporation's divisions, and was surprised to learn that when users leave the company their mailboxes are simply deleted instead of exmerg'ed to PST files and archived to disc (or something equivalent).

I have RDP access to the server (it's located out-of-state) and so I remoted in and took a look around.  I immediately determined that EXMERGE was never copied onto it, so my first order of business was to copy the EXMERGE setup files from another Exchange 2003 system in my environment over to the server in question.

I am able to run EXMERGE, punch in the mail server name and a local DC/DNS box, and from there access the various mail stores and select individual mailboxes for exporting, but three things consistently happen every time I attempt to export any mailbox:

=============================================

 - It takes the server a VERY LONG time to generate a list of all the mailboxes present in the mail store on the mail server.  We're talking in upwards of 5 minutes here.  On my other mail servers this process takes a few seconds at most.

 - If I take a look at the EXMERGE.LOG file during this 'enumeration' process I see an 'Error 80072303a opening an LDAP connection' error message.

 - After selecting the mailbox in question and initiating the export, the EXMERGE.LOG file records the following error: 'Error opening message store (MSEMS). Verify that the Microsoft Exchange Information Store service is running and that you have the correct permissions to log on. (0x8004011d)'.  At this point, the export fails.

=============================================

I have been through numerous MS support articles and online forums to troubleshoot this, but so far nothing has worked.  The account I am using to perform the EXMERGE is the Domain Admin account (I know, not the preferable way of doing this but my creation of a dedicated EXMERGE account didn't work and I wanted to rule out permissions being the problem).  I have checked the mailbox's security tab and its permissions and verified that the account has all the access it requires to complete the EXMERGE.  I have run ADSIEDIT and verified that permissions globally are set properly.  I have tried exporting to numerous locations, both local and remote, both on the volume hosting the mail store files and off the volume, but so far all results are the same.

I should note that I have attempted to perform EXMERGE processes on this server using various mailboxes as test subjects, and various local DC/DNS servers.  Again, all attempts failed.

A copy of the full EXMERGE log for one such attempt follows.

Thanks for the help.

-Bob
****************************************************************
Microsoft Exchange Mailbox Merge Program, v6.5.7529.0
Start Logging:May 09, 2011   15:58:34
****************************************************************
[15:58:34] Logging Level: None
[15:58:34] Reading settings from file 'E:\Program Files\Exchsrvr\bin\EXMERGE.INI'.
[15:58:35] Error 8007203a opening an LDAP connection. ('LDAP://[SERVER NAME REMOVED]/rootDSE')  (CADRoutines::GetNamingContextData)
[15:58:35] Accessing Domain Controller 'LGDC3'
[15:58:35] '[SERVER NAME REMOVED]' is running Exchange Server 2000 or later
[15:58:35] Source server read from settings file is '[SERVER NAME REMOVED]'.
[15:58:35] Reading list of subjects for messages to be selected from file ''
[15:58:35] Reading list of attachment names for messages to be selected from file ''
[15:58:35] List of folders to be ignored has been read. 0 folders in the list.
[15:58:35] Current machine locale ID is 0x409
[15:58:35] Operating System Version 5.2 (Build 3790)
[15:58:43] Error 8007203a opening an LDAP connection. ('LDAP://[SERVER NAME REMOVED]/rootDSE')  (CADRoutines::GetNamingContextData)
[15:58:43] Accessing Domain Controller '[DOMAIN CONTROLLER NAME REMOVED]'
[15:58:45] '[SERVER NAME REMOVED]' is running Exchange Server 2000 or later
[15:58:54] Mailbox '/O=[BUSINESS NAME REMOVED]/OU=[SHORT BUSINESS NAME REMOVED]/cn=Configuration/cn=Connections/cn=SMTP ([SERVER NAME REMOVED])/cn={E2660A53-2C41-45AE-88AD-1F07164BC01E}' will be ignored as its DN contains strings in the ignore list
[15:58:55] Mailbox '/O=[BUSINESS NAME REMOVED]/OU=[SHORT BUSINESS NAME REMOVED]/cn=Configuration/cn=Servers/cn=[SERVER NAME REMOVED]/cn=Microsoft System Attendant' will be ignored as its DN contains strings in the ignore list
[16:05:43] Found 186 mailbox(es) homed on database 'FIRST STORAGE GROUP/MAILBOX STORE ([SERVER NAME REMOVED])'.
[16:05:43] Ignored 2 mailbox(es) homed on database 'FIRST STORAGE GROUP/MAILBOX STORE ([SERVER NAME REMOVED])'.
[16:05:43] Found 186 mailbox(es) homed on the specified databases.
[16:05:43] Ignored 2 mailbox(es) homed on the specified databases.
[16:37:45] Using attribute 'PR_MESSAGE_DELIVERY_TIME' for date operations.
[16:37:45] Merging data into target store. The program will copy only those messages that do not exist in the target store.
[16:37:45] Associated folder data will NOT be copied to the target store.
[16:37:45] Using 'English (US)' (0x409) as the default locale (Code page 1252)
[16:37:45] All mailboxes will be processed, regardless of locale
[16:37:45] Using default locale for all mailboxes
[16:37:45] Initializing worker thread (Thread0)
[16:37:45] Copying data from mailbox 'Shannon Elliott' ('SCARBAJAL') on Server '[SERVER NAME REMOVED]' to file 'E:\MAILBOX EXPORTS\SCARBAJAL.PST'.
[16:37:45] Error opening message store (MSEMS). Verify that the Microsoft Exchange Information Store service is running and that you have the correct permissions to log on. (0x8004011d)
[16:37:45] Errors encountered. Copy process aborted for mailbox 'Shannon Elliott' ('SCARBAJAL').
[16:37:45] Number of items copied from the source store for all mailboxes processed: 0
[16:37:45] Total number of folders processed in the source store: 0
[16:37:45] 0 mailboxes successfully processed. 1 mailboxes were not successfully processed. 0 non-fatal errors encountered.
[16:37:45] Process completion time: 00:00:00

Postmaster

-Error opening message store (MSEMS). Verify that the Microsoft Exchange Information Store service is running and that you have the correct permissions to log on. (0x8004011d)

This line in the log shows that you do not have rights to the mailbox - Is your login a domain admin acct?
If so, it will be denied access by default.
If you have another acct that does have rights to the mailbox, try running EXMERGE under that login.

Also try putting the FQDN for the DC you are using for LDAP. This may speed it up.
jssb-bgruett

ASKER

Thanks for the quick reply!

If you wouldn't mind, could you clarify one point for me, please?  You're saying that if I'm using an account that is a member of the Domain Admins group, it will be denied access by default?

If this is correct then I should go back to my original attempt, which was to create a dedicated EXMERGE account, grant it the appropriate rights against the mailbox, and run the EXMERGE process as it.

Thanks again,
Bob
OK - by default - the Domain Admin Group will have rights to the mailbox showing (in grey) DENY on the permissions.
See mailbox properties / Exchange Advanced / Mailbox Rights.

This is by design to protect mailbox content from Domain admin processes.

Try this link for creating an access account:
http://support.microsoft.com/kb/821897


"If your logon account is the Administrator account or is a member of the Domain Admins or Enterprise Admins groups, then you are explicitly denied access to all mailboxes other than your own, even if you otherwise have full administrative rights over the Exchange system. All Exchange Server 2003 administrative tasks can be performed without having to grant an administrator sufficient rights to read other people's mail."

Hmmm....  Okay, I'll give this a shot today and post back with the results.  Thanks again!
I would definitely set up an account for ExMerge use only and don't add it to any administrative group or you will get hit with explicit deny rights.  I would suggest that you create an account called ExAdmin so that there is no mistake as to the purpose of the account and then follow the instructions on this link to assign the appropriate rights http://support.microsoft.com/kb/292509

Once you have created a new account and validated the permissions etc if you still have this issue check this article out http://technet.microsoft.com/en-us/library/bb124178(EXCHG.65).aspx
Sorry, didn't work.  Still getting the 8007230a during LDAP connection and 0x8004011d during message store open.

This is what I did:

 - Created a new domain user account, called exmerge2 (there was already an exmerge with Domain Admin rights that I didn't want to mess with).  I did NOT give this new account any special access.  It is a Domain User and that is all.

 - Used ADUAC to access the mailbox in question.  Under Mailbox Rights I added exmerge2 and gave it Allow access to everything except Associated external account and Special permissions.  Under Security I gave it Allow access to everything except Special permissions.

 - Waited about 15 minutes to see if the rights would undo themselves.

 - Logged on to the mail server using exmerge2 and attempted an export.  Just as before, I got an error during the export process, and the exmerge.log file indicates a permissions issue when trying to open the mail store.

 - Checked the permissions of the mailbox in question and discovered that the new rights I granted the exmerge2 account were all still in place.

Really not sure where to go from here.  So far I have stayed away from making any changes within ESM (I wanted to get things working on a single mailbox before expanding any access changes), but perhaps there's something I'm missing.

Thanks,
Bob
ASKER CERTIFIED SOLUTION
lucid8
Thanks for the suggestion, Lucid.  Unfortunately, still a no-go.

In fact, not only did I follow your instructions step-by-step, but after the subsequent failure with the same permissions error I went back and granted the EXMERGE2 account full access across the board to the mail stores in ESM and tried again.  Same result.

Here's one more detail to muddy the waters a bit: I have another Exchange environment (different domain) in which my EXMERGE account works perfectly.  No problems whatsoever.  However, in that environment the EXMERGE account is a member of both DOMAIN USERS and DOMAIN ADMINS, and DOMAIN ADMINS has been explicitly denied access to SEND AS and RECEIVE AS on the mail store (as expected).  Nevertheless, even with this explicit denial in place, EXMERGE works just fine in that environment.

So that's strange: the environment in which EXMERGE2 has all the rights it should have doesn't work at all, but the environment in which EXMERGE has explicit deny access to the mail stores (and mailboxes, through inheritance), works fine.

To be honest, I care much less about this second anomaly than I do about getting EXMERGE2 to work in the first environment, but I thought I'd mention that just in case it stirs any thoughts.

Thanks,
Bob
Are you doing this on the Exchange Server or on a client/workstation?
Lucid8,

Thanks again for the suggestions.

To clarify, I'm doing everything directly on the Exchange server itself via an RDP session from my desktop PC (the way I conduct EXMERGE operations on the other mail systems in my environment).

I took a look at the Microsoft article you linked and followed all the steps.  I should point out that when I navigated to the mailbox store in ADSIEDIT, the EXMERGE2 account which I created earlier was already present and had Allow access to everything.

I just ran the EXMERGE attempt against the mailbox in question again and I'm still getting the same permissions error code that I got before (I was hoping that perhaps the permissions change would take some time to take effect).

Thanks,
Bob
Have you tried bypassing RDP and going directly to the console to ensure the RDP is not causing a problem?  Wayyyyy back when I had this happen to me one time, never figured out why but when using RDP it would puke vs direct at the console was fine.   I know it's a long shot, but will only take a few minutes to validate.


Other issue is LDAP, i.e. has this server by chance been configured to run on an alternate LDAP port?

Lastly are any databases offline currently?  On my way out to a meeting right now but there was another issue when the DB with a system mailbox was offline then ExMerge would puke.

Will check back upon my return
The ONLY rights needed is "Full Mailbox Access" - nothing else is needed for Exmerge to work.
Got sidetracked troubleshooting a BES issue there for a couple days, but now I'm back and working on this again.  Thanks to the suggestions since my last post.

Lucid8 - In answer to your questions, I have taken your advice and tried performing an EXMERGE from the console.  Unfortunately this produced the same results as my other attempts.  Good idea, though - didn't think of that.  Also, I have scanned port 389 on the DC and it's definitely listening, so I think LDAP is good.

Here's something interesting, though: up until today whenever EXMERGE attempted to enumerate the mailbox list in the mail store it took about 5 minutes for me to get anything back.  Now, for whatever magical reason (and yes, I'm rather certain magic *IS* involved), I can see the list of mailboxes within a few seconds.

Ultimately I'm still getting the same permissions errors as before, but this one item has changed.

An updated copy of my most recent EXMERGE attempt's log dump follows.

Thanks again, guys.

-Bob
****************************************************************
Microsoft Exchange Mailbox Merge Program, v6.5.7529.0
Start Logging:May 12, 2011   17:19:42
****************************************************************
[17:19:42] Logging Level: None
[17:19:42] Reading settings from file 'E:\Program Files\Exchsrvr\bin\EXMERGE.INI'.
[17:19:43] Error 8007203a opening an LDAP connection. ('LDAP://[EXCHANGE SERVER]/rootDSE')  (CADRoutines::GetNamingContextData)
[17:19:43] Accessing Domain Controller '[DOMAIN CONTROLLER]'
[17:19:43] '[EXCHANGE SERVER]' is running Exchange Server 2000 or later
[17:19:43] Source server read from settings file is '[EXCHANGE SERVER]'.
[17:19:43] Reading list of subjects for messages to be selected from file ''
[17:19:43] Reading list of attachment names for messages to be selected from file ''
[17:19:43] List of folders to be ignored has been read. 0 folders in the list.
[17:19:43] Current machine locale ID is 0x409
[17:19:43] Operating System Version 5.2 (Build 3790)
[17:19:49] Error 8007203a opening an LDAP connection. ('LDAP://[EXCHANGE SERVER]/rootDSE')  (CADRoutines::GetNamingContextData)
[17:19:49] Accessing Domain Controller '[DOMAIN CONTROLLER]'
[17:19:49] '[EXCHANGE SERVER]' is running Exchange Server 2000 or later
[17:19:51] Mailbox '/O=[LONG COMPANY NAME]/OU=[SHORT COMPANY NAME]/cn=Configuration/cn=Connections/cn=SMTP ([EXCHANGE SERVER])/cn={E2660A53-2C41-45AE-88AD-1F07164BC01E}' will be ignored as its DN contains strings in the ignore list
[17:19:51] Mailbox '/O=[LONG COMPANY NAME]/OU=[SHORT COMPANY NAME]/cn=Configuration/cn=Servers/cn=[EXCHANGE SERVER]/cn=Microsoft System Attendant' will be ignored as its DN contains strings in the ignore list
[17:19:55] Found 187 mailbox(es) homed on database 'FIRST STORAGE GROUP/MAILBOX STORE ([EXCHANGE SERVER])'.
[17:19:55] Ignored 2 mailbox(es) homed on database 'FIRST STORAGE GROUP/MAILBOX STORE ([EXCHANGE SERVER])'.
[17:19:55] Found 187 mailbox(es) homed on the specified databases.
[17:19:55] Ignored 2 mailbox(es) homed on the specified databases.
[17:20:03] Using attribute 'PR_MESSAGE_DELIVERY_TIME' for date operations.
[17:20:03] Merging data into target store. The program will copy only those messages that do not exist in the target store.
[17:20:03] Associated folder data will NOT be copied to the target store.
[17:20:03] Using 'English (US)' (0x409) as the default locale (Code page 1252)
[17:20:03] All mailboxes will be processed, regardless of locale
[17:20:03] Using default locale for all mailboxes
[17:20:03] Initializing worker thread (Thread0)
[17:20:03] Copying data from mailbox '[USER NAME]' ('[USERID]') on Server '[EXCHANGE SERVER]' to file 'E:\MAILBOX EXPORTS\[USERID].PST'.
[17:20:03] Error opening message store (MSEMS). Verify that the Microsoft Exchange Information Store service is running and that you have the correct permissions to log on. (0x8004011d)
[17:20:03] Errors encountered. Copy process aborted for mailbox '[USER NAME]' ('[USERID]').
[17:20:04] Number of items copied from the source store for all mailboxes processed: 0
[17:20:04] Total number of folders processed in the source store: 0
[17:20:04] 0 mailboxes successfully processed. 1 mailboxes were not successfully processed. 0 non-fatal errors encountered.
[17:20:04] Process completion time: 00:00:00


Try moving/renaming your ExMerge.ini file and then try again.
Thanks so much for the help!  I took a fresh look at the accounts and security this morning, stripped all the EXMERGE and EXMERGE2 security from the mail store and the mail server in ESM, then re-added EXMERGE with the proper security rights to the mail server in ESM, verified those rights propagated down to the individual mailboxes, re-ran the export and everything worked.

Not sure what was wrong, but maybe I fat-fingered the security somewhere along the way.  In any case, thanks again for all the help!

-Bob
Excellent, thanks for the update and the points!
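
Added example, not part of the thread and not EXMERGE's own code: a Python triage of the EXMERGE.LOG format posted above that separates the LDAP-stage error from the store-logon error, decodes both HRESULTs, and times mailbox enumeration. The sample log is constructed from the posted lines; the symbolic names are the standard Windows/MAPI names for these two codes, and the stage labels and function names are this example's own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the EXMERGE.LOG excerpts posted in the thread.
SAMPLE_LOG = r"""
[15:58:35] Error 8007203a opening an LDAP connection. ('LDAP://[SERVER]/rootDSE')  (CADRoutines::GetNamingContextData)
[15:58:35] Accessing Domain Controller '[DC]'
[15:58:43] Error 8007203a opening an LDAP connection. ('LDAP://[SERVER]/rootDSE')  (CADRoutines::GetNamingContextData)
[15:58:43] Accessing Domain Controller '[DC]'
[15:58:54] Mailbox '/O=[ORG]/cn=SMTP ([SERVER])/cn={E2660A53-2C41-45AE-88AD-1F07164BC01E}' will be ignored as its DN contains strings in the ignore list
[16:05:43] Found 186 mailbox(es) homed on database 'FIRST STORAGE GROUP/MAILBOX STORE ([SERVER])'.
[16:37:45] Error opening message store (MSEMS). Verify that the Microsoft Exchange Information Store service is running and that you have the correct permissions to log on. (0x8004011d)
[16:37:45] Errors encountered. Copy process aborted for mailbox '[USER NAME]' ('[USERID]').
"""

# Symbolic names are the standard Windows/MAPI ones; stage labels are this example's.
KNOWN = {
    0x8007203A: ("ERROR_DS_SERVER_DOWN", "directory lookup (LDAP)"),
    0x8004011D: ("MAPI_E_FAILONEPROVIDER", "mailbox store logon (MAPI)"),
}
LINE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] (.*)$")
HRES = re.compile(r"\b(?:0x)?([89a-f][0-9a-f]{7})\b", re.I)
ABORT = re.compile(r"Copy process aborted for mailbox '.*' \('([^']*)'\)")

def decode_hresult(hr):
    """Split a 32-bit HRESULT into severity bit, facility and 16-bit code."""
    return {"failure": bool(hr >> 31), "facility": (hr >> 16) & 0x7FF, "code": hr & 0xFFFF}

def triage(text):
    errors, failed, dc_seen, enum_secs, prev = [], [], None, None, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        t = datetime.strptime(m.group(1), "%H:%M:%S")
        while prev and t < prev:          # log lines carry no date: assume midnight rollover
            t += timedelta(days=1)
        prev, msg = t, m.group(2)
        if msg.startswith("Accessing Domain Controller"):
            dc_seen = t
        elif msg.startswith("Found") and dc_seen and enum_secs is None:
            enum_secs = int((t - dc_seen).total_seconds())
        elif msg.startswith("Error"):     # only error lines: DNs elsewhere contain GUID hex
            for h in HRES.findall(msg):
                name, stage = KNOWN.get(int(h, 16), ("unknown", "unknown"))
                errors.append((m.group(1), "0x" + h.lower(), name, stage))
            hit = ABORT.search(msg)
            if hit:
                failed.append(hit.group(1))
    return {"errors": errors, "enumeration_seconds": enum_secs, "failed_mailboxes": failed}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(decode_hresult(0x8007203A), decode_hresult(0x8004011D))
```

Enumeration time is measured from the last "Accessing Domain Controller" line to the first "Found N mailbox(es)" line, so it excludes time the wizard spends waiting on the operator.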