Unable to Open Mailbox in Outlook After Successful 2010-2013 Move

I'm primed to move everybody over to Exchange 2013. I have two multi-role servers load balanced behind a Citrix Netscaler and all tests had gone off without a hitch. I successfully moved two test mailboxes from 2010 to 2013 (love the new move process btw) and moved my own mailbox on Friday.

After the move completed, I was unable to connect to it via Outlook 2013 or Outlook 2010 (different PCs). I receive the following error:

Cannot start Microsoft Outlook. Cannot open the Outlook window. The set of folders cannot be opened. Microsoft Exchange is not available. Either there are network problems or the Exchange server is down for maintenance.

I already removed the mail profile and created a new one from scratch. I also completely blew away my user profile on another PC and still had no success. Outlook setup seems to run without any problems. But once it attempts to actually open my folders, I get the error. This is true on Outlook 2010 and 2013.

The strangest part is that I can access my mailbox from one of the other migrated mailboxes that has "full control" over my mailbox. This account is enabled for Lync 2013 (unlike the test accounts) and was sometimes given full control over other mailboxes but other than that, I can't think of any differences.

It was suggested that auto-mapping may be causing my problem so I used the following PS to discover what mailboxes I had full control over and then removed my access.  I ran this against both the 2010 and 2013 mailboxes.

Get-Mailbox -Server Server | Get-MailboxPermission | where { ($_.AccessRights -eq 'FullAccess') -and ($_.IsInherited -eq $false) -and -not ($_.User -like 'NT AUTHORITY\SELF') }

It is possible that this account had some sort of Exchange 2010 admin roles at some point but we removed those a long time ago when we were tightening up responsibilities.

Any ideas?

April 3rd, 2015 11:27pm

Hi

As per the information and details provided by you, to solve this problem, please follow these steps: -

Solution 1: - I have seen that happen with Shared Mailboxes. Usually it's better to move the Shared Mailbox and the people that have access to it at the same time, or move the people first and the shared mailbox second.

Solution 2: - By default, you can't open any other mailbox on 2010 servers if the accessing user's mailbox is already on 2013.

The solution is to move the shared mailboxes back to 2010 and move them back right after all your other mailboxes are moved to 2013, or move all users that need the shared mailboxes to 2013.

I hope this information will be helpful for you.

Thanks and regards

Shweta@G

April 4th, 2015 1:56am

But this is a personal mailbox - not a shared mailbox.

I am trying to open a personal mailbox in Outlook after moving it to 2013.  A mailbox already migrated to 2013 can view the mailbox but when I, the user/owner of that mailbox try to open my own folders in Outlook, it fails.

April 4th, 2015 10:52pm

Hi,

Please refer to this KB to check this issue:

http://support.microsoft.com/en-us/kb/3032395

If it doesn't help, please try the following steps to check this issue:

  • Log on to the Client Access server (CAS) to which the users are connected, and then locate the following folder that stores the log file on Mailbox Server:  C:\Program Files\Microsoft\Exchange Server\V15\Logging\RPC Client Access
  • Open the RCA-YYYYMMDD-X.log file, and then search events that are related to the users in question. For example, you find the following information:

/O=Contoso/OU=First Administrative Group/cn=Recipients/cn=USERTest' ,,,12.0.6315.5000,,170.12.8.90,fe80::78dd:fc1:9cb8:2e72%11,ncacn_ip_tcp,Connect,0,,,RpcDispatch: Unable to map userDn '/O=Contoso/OU=First Administrative Group/cn=Recipients/cn=USERTest' to exchangePrincipal (StoreError=UnknownUser)

  • Copy the LegacyexchangeDn information of the user. For example, copy the following:

/O=Contoso/OU=First Administrative Group/cn=Recipients/cn=USERTest

  • In Active Directory Users and Computers (ADUC), right-click the domain object, and then click Find.
  • Click the list next to Find, and then select Custom search.
  • Click Advanced, type the following Lightweight Directory Access Protocol (LDAP) statement under Enter LDAP query, and then click Find Now:

(proxyaddresses=X500:/O=Contoso/OU=First Administrative Group/cn=Recipients/cn=USERTest)

  • Determine whether any duplicate users are returned
  • Remove the duplicate proxy address

Best Regards.

April 6th, 2015 10:48pm

Turning off encryption slightly changes the error message:

Cannot start Microsoft Outlook. Cannot open the Outlook window. The set of folders cannot be opened. The attempt to log on to Microsoft exchange has failed.

That particular query you wrote does not return any results for me.  I used the following query instead and only return my mailbox/AD account:

legacyExchangeDN=/o=MYDOMAIN/ou=First Administrative Group/cn=Recipients/cn=MYUSER

April 9th, 2015 1:34am

Hi JKM,

The user that is failing, does he/she have access to other mailboxes (user or shared) that have not been moved?

If so, please try to remove those permissions and see if the issue is still there. Think this was fixed in CU5 or 6 if I'm not wrong.

Cross permission does not work, which means that if shared mailbox is on 2010 server and user is on 2013 server, they will not be able to use send as permission.

Which CU are you currently on?

April 9th, 2015 2:46am

I don't believe he has access to others anymore.  I ran the command below to identify any access and don't see the user or any groups he's a part of show up:

Get-Mailbox -Server Server | Get-MailboxPermission | where { ($_.AccessRights -eq 'FullAccess') -and ($_.IsInherited -eq $false) -and -not ($_.User -like 'NT AUTHORITY\SELF') }

I updated to CU8 in an attempt to resolve this before posting here but no luck so far.

Also, running Get-MailboxPermission with the -Owner parameter against my mailbox throws an error that "some or all identity references could not be translated".

Tried following KB 2652193 but had no success.

April 9th, 2015 2:42pm


I took away and gave back ownership of the mailbox to my user account and also to "NT Authority\Self" but no success.

There is another account that was moved at the same time as mine that has the same first and last name but the login is different.  The X.400 address of this other account auto-appended a "2" at the end of the last name.  I removed this X.400 entry and made the last name part of the X.400 address different than my mailbox.  This had no impact.

I also moved another mailbox that was as old as mine and had no issues.  IE: it came from Exchange 2003 to 2010 and then 2013 just like mine.

April 13th, 2015 9:48pm

I just figured it out - big thanks to everybody who replied!

Solution: I opened up one of the logs in \V15\Logging\RPC Client Access and found entries for my username stating "ncacn_http is not allowed for this user. (StoreError=RpcHttpDisallowed)".  I ran get-casmailbox against my mailbox and saw that "MAPIBlockOutlookRpcHttp" was set to "True".

I then ran: set-CASMailbox username -MAPIBlockOutlookRpcHttp $false

Everything works now.

Post-mortem: not sure how or why that switch was set but will run these commands against all my mailboxes as I move them.  I may look into scripting it.


April 16th, 2015 10:21pm
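
The check described in the solution post above, scripted as an added example that is not part of the original thread or any participant's code: it tallies StoreError values per user DN from the RPC Client Access logs and, when the Exchange cmdlets are loaded, lists mailboxes where MAPIBlockOutlookRpcHttp is True. The sample log lines are constructed, and the function name Get-RcaStoreError and the RCA*.log file filter are assumptions; it only reports and changes nothing.

```powershell
# Constructed sample lines, modeled on the RCA entries quoted in this thread.
# Used only when the log folder does not exist on this machine.
$sampleLines = @(
    '#Fields: constructed header line, skipped by the parser'
    '/o=Contoso/ou=First Administrative Group/cn=Recipients/cn=USERTest,,,12.0.6315.5000,,192.0.2.10,192.0.2.20,ncacn_http,Connect,0,,,ncacn_http is not allowed for this user. (StoreError=RpcHttpDisallowed)'
    ",,,12.0.6315.5000,,192.0.2.11,192.0.2.20,ncacn_ip_tcp,Connect,0,,,RpcDispatch: Unable to map userDn '/O=Contoso/OU=First Administrative Group/cn=Recipients/cn=USERTest2' to exchangePrincipal (StoreError=UnknownUser)"
    '/o=Contoso/ou=First Administrative Group/cn=Recipients/cn=USEROk,,,12.0.6315.5000,,192.0.2.12,192.0.2.20,ncacn_http,Connect,0,,,'
)

# Hypothetical helper: emits one object per log line that carries a StoreError.
function Get-RcaStoreError {
    param([Parameter(Mandatory, ValueFromPipeline)][AllowEmptyString()][string]$Line)
    process {
        if ($Line.StartsWith('#')) { return }            # header/comment line
        $err = [regex]::Match($Line, '\(StoreError=(\w+)\)')
        if (-not $err.Success) { return }                # no store error logged
        # First legacyExchangeDN-style value on the line (stops at , or ')
        $dn = [regex]::Match($Line, '/o=[^,'']+/cn=Recipients/cn=[^,'']+', 'IgnoreCase')
        [pscustomobject]@{
            StoreError = $err.Groups[1].Value
            UserDn     = if ($dn.Success) { $dn.Value } else { '(none)' }
        }
    }
}

# Log folder as given in the thread; read only the five newest files.
$logDir = 'C:\Program Files\Microsoft\Exchange Server\V15\Logging\RPC Client Access'
$lines = if (Test-Path $logDir) {
    Get-ChildItem $logDir -Filter 'RCA*.log' |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 5 | Get-Content
} else { $sampleLines }

# Which users hit which StoreError, most frequent first.
$lines | Get-RcaStoreError |
    Group-Object StoreError, UserDn |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Only in the Exchange Management Shell: mailboxes with the block flag set.
if (Get-Command Get-CASMailbox -ErrorAction SilentlyContinue) {
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.MAPIBlockOutlookRpcHttp } |
        Format-Table Name, MAPIBlockOutlookRpcHttp -AutoSize
}
```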
