al3b3d3v
13 years ago

cross-domain vault archiving permissions issue

Hello, I have the following issue I am trying to work around.

I have two domains. Domain 1 has EV 8.5 sp5 and its own exchange org. (2007 exchange)

Domain 2 has its own 2003 exchange.

I want to set up a cross-domain archiving task to archive the mailboxes on domain2.

On DOMAIN2 I created a domain account called svc_evault; it's a part of Domain users. It has local admin perms. I gave it full access to the 2003 Exchange Organization. I created a mailbox for it. I've logged into that mailbox and sent myself an email.

In EV, I'm getting 3305 and 2256 errors, which tell me permissions are incorrect.

Here is a DTRACE sample of what's going on when I attempt to start the Mailbox Archiving task for my Domain2 exchange server:

--------------

CAgentTask::Initialise - Opening a MAPI session to verify privileged access to Exchange server [domain2exchange] using mailbox [SMTP:svc_EVault@blah.com]

CMailboxHelper::CreateProfileAndSession - Address [SMTP:svc_EVault@blah.com] not found in address book. Please ensure the mailbox has not been hidden, that the server is running and that the Vault account has sufficient permissions on the server

acc is not hidden, disabled or locked out

Event ID: 3305 The Task 'Mailbox Archiving Task for domain2exchange' failed to log on to Exchange server 'domain2exchange' using mailbox 'SMTP:svc_EVault@blah.com'. Please ensure the mailbox has not been hidden, that the server is running and that the Vault account has sufficient permissions on the server

--------------

Is it looking for an Outlook profile? Here is another interesting thing: on my local machine I can create a profile and point it to the domain2 exchange server, which finds the svc_evault mailbox. However, on the Vault server, I cannot. It tells me that it wants to use svc_evault from my exchange org. Could that be the issue? Thanks for any and all help!


7 Replies

  • so first and foremost....

    1. Make sure that the domains trust each other
    2. Make sure that your VSA / EVAdmin has Send As / Receive As permissions on Exchange servers in Domain 2
    3. For each exchange server in Domain 2, ensure you have a system mailbox created for each exchange server you are targeting, so if you target 5 exchange servers in domain 2, you need 5 mailboxes, each one residing on the exchange server you are targeting
    4. Determine a good valid Global Catalog server in Domain2 and run the following queries
     

    UPDATE Organization
    SET GCOverride = 'GC://yourGC.domain2.com'
    WHERE DomainName = 'domain2.com'

    UPDATE ExchangeServerEntry
    SET ExchangeGCOverride = 'GC://yourGC.domain2.com'
    WHERE OrganizationEntryId = (SELECT OrganizationEntryId FROM Organization WHERE DomainName = 'domain2.com')

     

    But ultimately, the EVAdmin on the EVServer in Domain1 needs to be able to open up mailboxes on an exchange server in Domain2 without being prompted for username or password
     

  • I resolved my issue by adding an SMTP address to the svc_evault account on my EV Exchange Org. to the target domain.

  • Thanks for the quick answer. I have all of those pre-reqs down; it was just looking for the SMTP address.

    However, now I am running into an issue with enabling mailboxes on that domain.

     

    Error

    Event Source: Enterprise Vault 
    Event Category: Agent Client Broker 
    Event ID: 3139
    Date: 8/22/2011
    Time: 2:08:17 PM
    User: N/A
    Computer: HQNYCVLT01
    Description:
    An non-specific error has occurred whilst enabling archiving for the mailbox /o=First Organization/ou=First Administrative Group/cn=Recipients/cn=UserName
     
    Error: The MAPI error MAPI_E_FAILONEPROVIDER (0x8004011D) occurred when opening the mailbox message store during a synchronisation. This generally occurs when the mailbox has been deleted.      [0xc0040ce6] 
     
    Any Ideas?
     
    For more information, see Help and Support Center at http://evevent.symantec.com/rosetta/showevent.asp
  • is this still an issue?
    If so could you get a dtrace of AgentClientBroker when attempting to enable the mailbox for archiving

  • I'll try the dtrace on AgentClientBroker while enabling the mailbox and post the results here, but the first part of the permissions is resolved.

  • these are some of the lines I see in the dtrace;

    [2804] (AgentClientBroker) <9088> EV:M CAgentExchSynch::SynchronizeMailboxEntryEx2 - Start to synchronize mailbox /o=First Organization/ou=First Administrative Group/cn=Recipients/cn=GMcDonald

    [2804] (AgentClientBroker) <9088> EV:M CMailboxHelper::CreateProfileAndSession(VaultMbxAgent-NJPAREXCH01-9088-1314040215-0-424-0) - Profile successfully created

    [2804] (AgentClientBroker) <9088> EV:M CMAPISession::GetExchangeServerDnFromSession - found exchange server dn: /o=NewmarkRE/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=HQNYCEXC0

    [2804] (AgentClientBroker) <9088> EV:M CAgentExchSynch::OpenUserAndStore() - Failed to open mailbox /o=First Organization/ou=First Administrative Group/cn=Recipients/cn=GMcDonald. Most probable cause is that the mailbox has been deleted or that it is new and does not fully exist within Exchange.

    [2804] (AgentClientBroker) <9088> EV~E Event ID: 3139 An non-specific error has occurred whilst enabling archiving for the mailbox /o=First Organization/ou=First Administrative Group/cn=Recipients/cn=GMcDonald |Error: The MAPI error MAPI_E_FAILONEPROVIDER (0x8004011D) occurred when opening the mailbox message store during a synchronisation. This generally occurs when the mailbox has been deleted.      [0xc0040ce6] |

  • JesusWept2, I solved it with the help of Symantec support.

    Looks like I had 2 reg keys which needed to be cleared. 1) DS Server was pointing to one of my domain controllers

    2) Closest GC set to 0

    As soon as I cleared those two keys I was able to create an Outlook profile for the other domain exchange server and successfully enable a mailbox / archive the mailbox.
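
A DTrace excerpt like the one posted earlier in the thread can be triaged mechanically. The following is an added example, not part of the original thread and not Symantec code: it splits records even when two have run together on one line, collects event IDs and MAPI errors, and applies an added heuristic that flags when the server DN reported by the session sits under a different `/o=` organisation than the mailbox DN. The sample trace is constructed, and `OrgA`, `OrgB`, `EXCH0` and `user1` are placeholders.

```python
import re

# Record header as seen in the thread: "[pid] (Process) <tid> EV:M " or "EV~E ".
# \s+ also spans line breaks, so a header wrapped onto the next line still matches.
HEADER = re.compile(r"\[(\d+)\]\s+\((\w+)\)\s+<(\d+)>\s+EV([:~])(\w)\s+")
METHOD = re.compile(r"^(\w+::\w+)")
EVENT_ID = re.compile(r"Event ID:\s*(\d+)")
MAPI_ERR = re.compile(r"(MAPI_E_\w+)\s*\((0x[0-9A-Fa-f]{8})\)")
MAILBOX_DN = re.compile(r"mailbox (/o=[^/]+)/", re.I)
SERVER_DN = re.compile(r"exchange server dn: (/o=[^/]+)/", re.I)

# Constructed sample; record 4's header is split across two lines on purpose.
SAMPLE = """\
[2804] (AgentClientBroker) <9088> EV:M CAgentExchSynch::SynchronizeMailboxEntryEx2 - Start to synchronize mailbox /o=OrgA/ou=AG1/cn=Recipients/cn=user1
[2804] (AgentClientBroker) <9088> EV:M CMailboxHelper::CreateProfileAndSession(VaultMbxAgent-EXCH0-9088-0-0-0) - Profile successfully created
[2804] (AgentClientBroker) <9088> EV:M CMAPISession::GetExchangeServerDnFromSession - found exchange server dn: /o=OrgB/ou=AG2/cn=Configuration/cn=Servers/cn=EXCH0[2804] (AgentClientBroker)
<9088> EV:M CAgentExchSynch::OpenUserAndStore() - Failed to open mailbox /o=OrgA/ou=AG1/cn=Recipients/cn=user1.
[2804] (AgentClientBroker) <9088> EV~E Event ID: 3139 An non-specific error has occurred whilst enabling archiving for the mailbox /o=OrgA/ou=AG1/cn=Recipients/cn=user1 |Error: The MAPI error MAPI_E_FAILONEPROVIDER (0x8004011D) occurred when opening the mailbox message store
"""

def split_records(text):
    """Return one dict per trace record, even when two records share a line."""
    heads = list(HEADER.finditer(text))
    records = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        msg = " ".join(text[h.end():end].split())  # collapse wraps and padding
        m = METHOD.match(msg)
        records.append({"tid": int(h.group(3)), "is_event": h.group(4) == "~",
                        "method": m.group(1) if m else None, "msg": msg})
    return records

def triage(text):
    """Summarise failures and flag a mailbox/server organisation mismatch."""
    out = {"event_ids": [], "mapi_errors": [], "failed_methods": [],
           "mailbox_orgs": set(), "server_orgs": set()}
    for rec in split_records(text):
        out["event_ids"] += EVENT_ID.findall(rec["msg"])
        out["mapi_errors"] += MAPI_ERR.findall(rec["msg"])
        if rec["method"] and "failed to" in rec["msg"].lower():
            out["failed_methods"].append(rec["method"])
        out["mailbox_orgs"].update(MAILBOX_DN.findall(rec["msg"]))
        out["server_orgs"].update(SERVER_DN.findall(rec["msg"]))
    # Added heuristic: the session's server belongs to no mailbox organisation.
    out["org_mismatch"] = bool(out["mailbox_orgs"] and out["server_orgs"]) \
        and out["server_orgs"].isdisjoint(out["mailbox_orgs"])
    return out
```

In the excerpt posted in the thread, the mailbox DN is under `/o=First Organization` while the reported server DN is under `/o=NewmarkRE`, so the mismatch check would fire on it.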