New Mailboxes cannot login, cannot Get-MailboxPermission
I have a set of mailboxes that I created a few days ago, and they work fine. Users can access their mail through OWA and/or Outlook.

However, any new mailboxes I create have the following problems:

- Cannot log into the mailbox either through OWA (see bottom of this post for details), or Outlook ("The Microsoft Exchange Server computer is not available. Either there are network problems or the Microsoft Exchange Server computer is down for maintenance.")
- When I issue a Get-MailboxPermission for these (new) mailboxes, I get the following error: "WARNING: An unexpected error has occurred and a Watson dump is being generated: The Identity of the object is invalid."

No relevant error messages are appearing in the event logs for the client or server. Any thoughts?

The OWA error message is below:

RequestUrl: https://owatest.company.com:443/owa/default.aspx
User host address: 192.168.50.2

Exception
Exception type: Microsoft.Exchange.Data.Storage.StoragePermanentException
Exception message: Cannot open mailbox .

Call stack
Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString, Boolean secondTry)
Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString, Boolean secondTry)
Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString)
Microsoft.Exchange.Data.Storage.MailboxSession.Initialize(LogonType logonType, ExchangePrincipal owner, ADOrgPerson delegateUser, Object identity, OpenMailboxSessionFlags flags)
Microsoft.Exchange.Data.Storage.MailboxSession.CreateMailboxSession(LogonType logonType, ExchangePrincipal owner, ADOrgPerson delegateUser, Object identity, OpenMailboxSessionFlags flags, CultureInfo cultureInfo, String clientInfoString)
Microsoft.Exchange.Data.Storage.MailboxSession.Open(ExchangePrincipal mailboxOwner, WindowsPrincipal authenticatedUser, CultureInfo cultureInfo, String clientInfoString)
Microsoft.Exchange.Clients.Owa.Core.OwaWindowsIdentity.CreateMailboxSession(ExchangePrincipal exchangePrincipal, CultureInfo cultureInfo)
Microsoft.Exchange.Clients.Owa.Core.UserContext.Load(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.CreateUserContext(OwaContext owaContext, UserContextKey userContextKey, UserContext& userContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext)
System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Inner Exception
Exception type: Microsoft.Mapi.MapiExceptionInvalidParameter
Exception message: MapiExceptionInvalidParameter: Unable to open message store. (hr=0x80070057, ec=-2147024809)
Diagnostic context: Lid: 27833 Lid: 29881 StoreEc: 0x80070057

Call stack
Microsoft.Mapi.MapiExceptionHelper.ThrowIfError(String message, Int32 hresult, Int32 ec, DiagnosticContext diagCtx)
Microsoft.Mapi.ExRpcConnection.OpenMsgStore(OpenStoreFlag storeFlags, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, MapiStore msgStorePrivate, String& correctServerDn, ClientIdentityInfo clientIdentityAs, String userDnAs, String applicationId, CultureInfo cultureInfo)
Microsoft.Mapi.ConnectionCache.OpenMapiStore(String mailboxDn, Guid mailboxGuid, Guid mdbGuid, ClientIdentityInfo clientIdentity, String userDnAs, OpenStoreFlag openStoreFlags, CultureInfo cultureInfo, String applicationId)
Microsoft.Mapi.ConnectionCache.OpenMailbox(String mailboxDn, Guid mailboxGuid, Guid mdbGuid, WindowsIdentity windowsIdentityAs, String userDnAs, OpenStoreFlag openStoreFlags, CultureInfo cultureInfo, String applicationId)
Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString, Boolean secondTry)
April 13th, 2007 12:15am

For the benefit of anyone who may stumble across this post at a later time, I found my problem. Apparently, I had one domain in my environment which was not up to the Server 2003 domain functional level. Naturally, of all the GCs in the environment, the Exchange server chose to use a GC in that domain.
April 13th, 2007 10:14pm

Same problem, but only one domain. New mailboxes created on Exchange 2007 using Exchange Management Console appear to be created, but the mailboxes cannot be accessed using Outlook 2007 or OWA. New mailboxes created on Exchange 2003 using ADUC are not stamped with "msExchUserAccountControl", which should be "0" for an enabled account. Using ADSI Edit and setting it to "0" resolves the problem for that user. The event logs on EX07 do not indicate any problems and the Best Practice Analyzer does not either. The following errors are on the Exchange 2003 server for any new EX2003 users.

Logon Failure on database "First Storage Group\Mailbox Store (SG1)" - Windows 2000 account NT AUTHORITY\SYSTEM; mailbox /o=First Organization/ou=First Administrative Group/cn=Recipients/cn=eds. Error: -2147467259

Failed to read attribute msExchUserAccountControl from Active Directory for /o=First Organization/ou=First Administrative Group/cn=Recipients/cn=eds.
July 27th, 2007 8:48pm

Hi Jim,

I am actually stuck in a similar position, except we are in a spot where new users being created through Exchange 2007 tools (EMC or EMS) are missing several ADSI properties:

- legacyExchangeDN
- msExchALObjectVersion
- msExchMailboxGuid
- msExchMailboxSecurityDescriptor (set to "not set", all other accounts have a blank value here)
- msExchUserAccountControl
- msExchUserCulture (set on new accounts, not set on pre-existing accounts)

We are actually in the similar boat as these guys:

http://forums.msexchange.org/Can't_open_new_mailboxes/m_1800455217/tm.htm
http://episteme.arstechnica.com/eve/forums?a=tpc&s=50009562&f=12009443&m=362006418831&r=606003038831#606003038831

The last Exchange 2003 server is still around (until we can get this worked out), but RUS has been set to 'never run'. If we create new mailboxes using ADUC on the 2003 box, those properties do get stamped properly, but we then have to update the mailbox to 2007 (Set-Mailbox "new user" -ApplyMandatoryProperties).

Any thoughts?
October 30th, 2007 11:41pm
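
A read-only audit for the symptom described in the two posts above, added here as an example and not taken from any poster's script: it lists accounts that have a mailbox (homeMDB is set) but lack one or more of the attributes the posts report as unstamped. The function name and the SearchRoot parameter are assumptions made for the example.

```powershell
# Added example (not from the thread): find mailbox-enabled users that are
# missing Exchange attributes named in the posts above. Read-only LDAP query.
$required = 'legacyExchangeDN', 'msExchMailboxGuid', 'msExchUserAccountControl'

function Get-MissingExchangeAttributes {
    param(
        # Assumption: empty means "current domain"; otherwise an LDAP:// path.
        [string]$SearchRoot = ''
    )
    # homeMDB present = account has a mailbox; any required attribute absent = suspect.
    $absent = ($required | ForEach-Object { "(!($_=*))" }) -join ''
    $filter = "(&(objectCategory=person)(objectClass=user)(homeMDB=*)(|$absent))"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot) { $searcher.SearchRoot = [ADSI]$SearchRoot }
    $searcher.Filter   = $filter
    $searcher.PageSize = 500    # page results so large directories are fully enumerated
    $load = [string[]](@('distinguishedName', 'whenCreated') + $required)
    [void]$searcher.PropertiesToLoad.AddRange($load)

    $results = $searcher.FindAll()
    foreach ($result in $results) {
        $props = $result.Properties   # property names come back lower-cased
        New-Object PSObject -Property @{
            DistinguishedName = [string]$props['distinguishedname'][0]
            WhenCreated       = $props['whencreated'][0]
            Missing           = ($required |
                Where-Object { -not $props.Contains($_.ToLower()) }) -join ', '
        }
    }
    $results.Dispose()
}

# Newest accounts last: a cluster of recent creation dates points at the
# provisioning path rather than at individual damaged objects.
Get-MissingExchangeAttributes | Sort-Object WhenCreated |
    Format-Table WhenCreated, Missing, DistinguishedName -AutoSize
```
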

This sounds like the same problem I was trying to resolve with my post to the Admin forum: http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=2021296&SiteID=17 Since then I have been trying to find a solution, including re-running the setup process. Specifically I tried re-running "Setup /PrepareLegacyExchangePermissions" but it had no effect. Sorry it is not a positive message, but perhaps the cross-reference might help. --philip.
November 7th, 2007 7:33pm

We actually just got some help from PSS on this.

There is a bug with the Microsoft Exchange System Attendant service in Exchange 2007 at this point. The support tech will still be emailing me details, but for now the workaround is simple (at least in our case).

Restart the Microsoft Exchange System Attendant service (Restart-Service MSExchangeSA in PowerShell) on your mailbox server(s), and try again!

We are running Exchange 2007 with Update Roll-Up 4 and Update Roll-Up 5 installed, and this did the trick for us. We are using a script for mailbox provisioning at the moment, so it was easy enough to just restart the System Attendant on the new user's mailbox server prior to creating the mailbox with the new-mailbox command (used psservice.exe from PsTools/Sysinternals from http://www.microsoft.com/technet/sysinternals/Utilities/PsTools.mspx).

The bug is not documented at this point, but the MS support tech noted that there were about 5 or 6 cases other than our own that reported this issue recently. While there is no KB for it at the moment and the fix is not public, a bug fix will most likely be included with SP1 (due by the end of this month).

Let me know if this helps you in your experience.
November 7th, 2007 9:15pm

Thanks for your updated information. Unfortunately applying Update Roll-Up 5 and restarting the System Attendant hasn't fixed it for me. If SP1 is coming out by the end of the month, perhaps that will fix it for me. --philip.
November 7th, 2007 9:21pm

We had a similar issue and we tried a number of things to resolve it but I think the following resolved it:

- Restart System Attendant service on all Exch2007 servers
- Logon to Exchange Management Shell (EMS)
- Confirm the mailbox is corrupted by running "get-mailbox username"
- Run "set-mailbox username -applymandatoryproperties" on the faulty mailbox
- Wait 10-15 seconds and run "get-mailbox username" to confirm that the mailbox corruption has been resolved.
- Closing Outlook
- Deleting the username within the Mail ==> Email Accounts options in Control Panel.
- Re-typing the username and clicking on Check Name within the Mail ==> Email Accounts options in Control Panel.
- Starting Outlook

Also make sure you aren't using Cached account when trying to diagnose Outlook problems....
November 27th, 2007 8:09am

I posted an answer to a similar problem I have been having with not being able to create new mailboxes after removal of my last E2K3 server. http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=2687386&SiteID=17&mode=1 The problem was the "purportedSearch" attribute in the CN=Mailbox Enable User system policy. I had an ampersand in the mailnickname filter part instead of an asterisk and this prevented the Exchange 2007 tools from being able to create a new user or mailbox. On correcting the filter as per the KB903291 (actually aimed at solving a different problem on E2K3) I no longer have the problem and I can now create new users and mailboxes. Don't know if this might help in your case, but worth checking out if you still have the trouble. --philip.
January 16th, 2008 1:48am

That: http://technet.microsoft.com/en-us/library/bb885050.aspx did it for me.

Here's what I had to do:

Cause

This exception may occur if the Allow inheritable permissions check box is not selected on the user object or on the OU container in Active Directory Users and Computers. You should also verify that the Exchange Servers group appears on the Security tab of the top-level domain container. This security group is required on the top-level container and must be propagated to each organizational unit that includes users before users can successfully log on to Outlook Web Access.

Before You Begin

To perform this procedure, the account you use must be delegated membership in the Domain Administrators group. For more information about permissions, delegating roles, and the rights that are required to administer Microsoft Exchange Server 2007, see Permission Considerations.

Procedure

To use Active Directory Users and Computers to set permissions for users and organizational units

1. Open the Active Directory Users and Computers snap-in.
2. On the View menu, click Advanced Features.
3. Open the properties of a user who cannot log on to Outlook Web Access.
4. Click the Security tab, and then click Advanced.
5. Select the Allow inheritable permissions check box if it has not already been selected.
6. Repeat steps 3 through 5 for each organizational unit between the user object and the top-level container.
7. Allow time for replication to occur.

Hope this solves it.

Patrick Monfette
January 21st, 2008 6:59pm

And for me too, THANKS!!!!
February 17th, 2008 10:31pm

Ticking Inheritable permissions did the trick for me. Thank you so much, saved me a lot of hassle! (Although I don't know why 1 single account decided to not inherit permission.)
April 23rd, 2008 5:18pm

Worked for me too!!! I'm using Exchange 2007 SP1 with Roll-up #3 so apparently this is still a bug.
September 19th, 2008 6:05pm

I ran into this issue ...

Situation:

- Normal users are created in a part of the AD tree that DOES have the EXCHANGE SERVERS group permissions inheritable as created by the Exchange install
- New admin users are created in a separate part of the AD tree that DOES NOT have the EXCHANGE SERVERS group inheritable
- An admin account requires Exchange account to be able to send / receive messages
- We were able to create the mailbox but received the above error plus the AD exception error

Resolution: you have 2 options

1. Add the EXCHANGE SERVERS group with the same perms as the main user container to the container and ensure inheritance is enabled

or

2. Add the EXCHANGE SERVERS group with the same perms as the main user container to the individual user account
July 14th, 2009 2:30pm
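
The check behind the TechNet procedure quoted earlier and the container situation in the post above, scripted as an added example (not code from any poster or from Microsoft): it walks from a user object up to the top-level domain container and reports, for each level, whether inheritance is blocked and whether an ACE for the Exchange Servers group is present. The function names and the sample DN are constructed for the example, and it assumes the group name resolves in the current domain.

```powershell
# Added example (not from the thread). Read-only: reports ACL state, changes nothing.
function Get-InheritanceChain {
    param([Parameter(Mandatory = $true)][string]$UserDn)
    $entry = [ADSI]"LDAP://$UserDn"
    while ($entry -and $entry.distinguishedName) {
        $dn = [string]$entry.distinguishedName
        New-Object PSObject -Property @{
            DistinguishedName  = $dn
            # True = "Allow inheritable permissions" is NOT ticked on this object
            InheritanceBlocked = $entry.psbase.ObjectSecurity.AreAccessRulesProtected
        }
        if ($dn -match '^DC=') { break }   # reached the top-level domain container
        $entry = $entry.psbase.Parent
    }
}

function Test-GroupOnAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Dn,
        [string]$GroupName = 'Exchange Servers'   # assumption: resolvable as typed
    )
    # Compare by SID so unresolvable SIDs elsewhere in the ACL cannot break the lookup.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $sid     = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate($sidType)
    $acl     = ([ADSI]"LDAP://$Dn").psbase.ObjectSecurity
    $rules   = $acl.GetAccessRules($true, $true, $sidType)   # explicit + inherited ACEs
    [bool]($rules | Where-Object { $_.IdentityReference -eq $sid })
}

# Constructed sample DN; replace with a user who cannot open the mailbox.
$chain = @(Get-InheritanceChain -UserDn 'CN=New Admin,OU=Admins,DC=example,DC=com')
$chain | ForEach-Object {
    New-Object PSObject -Property @{
        DistinguishedName  = $_.DistinguishedName
        InheritanceBlocked = $_.InheritanceBlocked
        ExchangeServersAce = Test-GroupOnAcl -Dn $_.DistinguishedName
    }
} | Format-Table DistinguishedName, InheritanceBlocked, ExchangeServersAce -AutoSize
```

A level where InheritanceBlocked is True, followed below it by levels where ExchangeServersAce is False, marks the point where the group's permissions stop propagating.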

Hi, That helped, lucky day! Thanks for your instructions!
December 30th, 2009 6:07pm

This topic is archived. No further replies will be accepted.