Thursday, May 8, 2014

Linked Mailboxes disconnected after migration to Exchange 2013

One tactic to enable a user in one forest to access an Exchange mailbox in another forest is to link the mailbox to the foreign security principal via a disabled account in the Exchange forest. Problems arise if that disabled account is simply enabled after the user is migrated into the Exchange forest. I'll illustrate this as a sequence of events:

  • The company MagicBox Inc. gets purchased by a company called Lucius Inc.
  • Lucius Inc. would like the employees of MagicBox to have mailboxes in the corporate Lucius forest, which contains the Exchange servers.
  • For every user in MagicBox, a DISABLED Active Directory account is created in the Lucius forest and linked to the foreign security principal that represents the user in MagicBox. (Obviously this requires a forest trust between the two forests.)
  • (some time passes)
  • The users, workstations etc. at MagicBox are migrated over to the domain at Lucius; one of them is "Joe Smith".
  • The AD account for "Joe Smith" is enabled in the Lucius domain.
  • (some time passes)
  • The Exchange 2007 system at Lucius gets migrated to Exchange 2013, and as part of that initiative the mailbox for Joe Smith is migrated into an Exchange 2013 database.
  • The mistake here was simply enabling Joe's account in the Lucius domain; the correct process should include disconnecting and then reconnecting Joe's mailbox. What typically happens is that Joe's Outlook client cannot connect to his mail, nor can he access his mail via OWA. The correct process is performed by (for example) the Quest Migration Tools.

http://www.quest.com/migration-manager-for-active-directory/

The good news is that the disconnect/reconnect process should fix this, even after the migration. I'll use PowerShell.

Step One: Prep
You will need to preserve certain attributes that will be wiped by step two; these include the configured retention policy, secondary SMTP addresses, and the POP, IMAP, OWA, MAPI etc. protocol settings. The easiest way to do that is to dump the configuration thus:

For retention and secondary SMTP addresses:
Get-Mailbox smithj | FL DisplayName, RetentionPolicy, EmailAddresses

For ActiveSync, OWA, POP, IMAP, MAPI:
Get-CASMailbox smithj | FL DisplayName, ActiveSyncEnabled, OWAEnabled, PopEnabled, ImapEnabled, MAPIEnabled

Step Two: Disconnect the mailbox:

Disable-Mailbox "Joe Smith"

Step Three: Discover which database Joe's mailbox is in:

Get-MailboxDatabase | Get-MailboxStatistics | Where-Object {$_.DisplayName -like "*Joe Smith*"} | FL DisplayName, Database, DisconnectDate

Step Four: Use the database name to reconnect the mailbox

Let's assume step three supplied the database name DAG1-DB6. Connect-Mailbox takes the disconnected mailbox as -Identity and the (now enabled) AD account as -User:

Connect-Mailbox -Identity "Joe Smith" -Database DAG1-DB6 -User "Joe Smith"

I'll leave you to decide in these steps whether you use the display name, SMTP address or sAMAccountName to identify the correct user in the commands.
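The four steps above as one script, added here as an example rather than taken from the post: it snapshots the settings that Disable-Mailbox wipes, disconnects, locates the disconnected mailbox by its GUID instead of a display-name wildcard, reconnects, restores the settings and checks that the mailbox that came back is the original one. It assumes an Exchange 2013 Management Shell; "smithj" and the snapshot path are placeholders.

```powershell
# Added example (not from the post). Run in the Exchange Management Shell.
$Id   = "smithj"                                # placeholder user
$Snap = "C:\Temp\$Id-mailbox-snapshot.xml"      # placeholder path

# 1. Snapshot: retention policy, proxy addresses and CAS protocol settings.
$mbx = Get-Mailbox    -Identity $Id
$cas = Get-CASMailbox -Identity $Id
$state = [PSCustomObject]@{
    MailboxGuid       = $mbx.ExchangeGuid
    RetentionPolicy   = $mbx.RetentionPolicy
    EmailAddresses    = @($mbx.EmailAddresses | ForEach-Object { $_.ProxyAddressString })
    ActiveSyncEnabled = $cas.ActiveSyncEnabled
    OWAEnabled        = $cas.OWAEnabled
    PopEnabled        = $cas.PopEnabled
    ImapEnabled       = $cas.ImapEnabled
    MAPIEnabled       = $cas.MAPIEnabled
}
$state | Export-Clixml -Path $Snap              # keep this file until step 5 passes

# 2. Disconnect. The mailbox stays in its database as a disconnected mailbox.
Disable-Mailbox -Identity $Id -Confirm:$false

# 3. Find the disconnected mailbox by GUID, so a second "Joe Smith" cannot be
#    picked up by mistake. If the store has not registered the disconnect yet,
#    force the state update and re-read.
$disc = Get-MailboxDatabase | Get-MailboxStatistics |
        Where-Object { $_.MailboxGuid -eq $state.MailboxGuid }
if (-not $disc.DisconnectDate) {
    Update-StoreMailboxState -Database $disc.Database -Identity $state.MailboxGuid
    $disc = Get-MailboxStatistics -Database $disc.Database |
            Where-Object { $_.MailboxGuid -eq $state.MailboxGuid }
}
"Disconnected mailbox is in {0} (reason: {1})" -f $disc.Database, $disc.DisconnectReason

# 4. Reconnect to the now-enabled AD account in the same database, then
#    restore what Disable-Mailbox removed.
Connect-Mailbox -Identity $state.MailboxGuid -Database $disc.Database -User $Id
Set-Mailbox    -Identity $Id -RetentionPolicy $state.RetentionPolicy `
               -EmailAddresses $state.EmailAddresses
Set-CASMailbox -Identity $Id -ActiveSyncEnabled $state.ActiveSyncEnabled `
               -OWAEnabled $state.OWAEnabled -PopEnabled $state.PopEnabled `
               -ImapEnabled $state.ImapEnabled -MAPIEnabled $state.MAPIEnabled

# 5. Check: the reconnected mailbox must carry the original mailbox GUID.
$after = Get-Mailbox -Identity $Id
if ($after.ExchangeGuid -ne $state.MailboxGuid) { throw "Reconnected the wrong mailbox" }
"{0} reconnected in {1}" -f $after.DisplayName, $after.Database
```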

These processes are described here in more detail:

http://technet.microsoft.com/en-us/library/aa997210(v=exchg.150).aspx

http://technet.microsoft.com/en-us/library/jj863439(v=exchg.150).aspx


Cheers!
