01-11-2011 06:54 AM
Currently have Enterprise Vault 8 installed archiving email on Exchange 2003 server and journaling against another Exchange 2003 server. This has been running successfully for over 6 months.
A new Exchange 2007 server has been built so that we can utilize Managed folders (we are a state agency with old Outlook clients, so no 2010 Exchange). I have moved my mailbox to the 2007 Exchange server and am sending and receiving mail successfully.
I am attempting to set up an email archiving task against the 2007 Exchange server. I created the system mailbox, it is not hidden, and the account is not disabled. The system mailbox is a member of the Exchange View Only Administrators group. The service account has been created also.
I followed the instructions from the Installation Guide Chapter 6, pages 52 - 56. I set up the archiving task and used the system mailbox.
I get a total of 6 (There are actually 2, they repeat 3 times) errors in the Event Log and then the task fails.
The first is Event ID 3305 -
Event Type: Error
Event Source: Enterprise Vault
Event Category: Archive Task
Event ID: 3305
Date: 1/11/2011
Time: 9:06:17 AM
User: N/A
Computer: NREV1
Description:
The Task 'Exchange Mailbox Archiving Task for NRMX3' failed to log on to Exchange server 'NRMX3' using mailbox 'SMTP:vaultSAnrmx3@. Please ensure the mailbox has not been hidden, that the server is running and that the Vault account has sufficient permissions on the server.
The second is Event ID 2256
Event Type: Error
Event Source: Enterprise Vault
Event Category: Archive Task
Event ID: 2256
Date: 1/11/2011
Time: 9:38:10 AM
User: N/A
Computer: NREV1
Description:
The Archiving Task 'Exchange Mailbox Archiving Task for NRMX3' could not be started due to startup errors.
I came across this Technote just a minute ago while searching Forums.
http://www.symantec.com/business/support/index?page=content&id=TECH51293
I did not run this PowerShell script, is this what I am missing? What exactly does this script do? From what I can tell it is changing/applying permissions against Active Directory user accounts?
Chris
01-11-2011 07:31 AM
yup, if you don't have like the view only admin etc assigned to the EV System mailbox it will not work cos it doesn't have the permissions.
Most likely if you were to log on to the EV Server as the EVAdmin account and attempt to log in to the system mailbox on the new server, it would be prompted with a username and password. If it does prompt you then Send As/Receive As permissions have not been set up correctly.
Normally in big organizations because there are a few mailboxes that require the same kind of permissions (Blackberry Admins, Virus scan admins, backup admins, spam filters etc) they put them in a security group and assign that group the relevant permissions.
If you have BES in your environment, the VSA or EVAdmin would have the exact same setup procedures as the BESAdmin
01-11-2011 10:36 PM
Please refer to the following.
01-12-2011 07:42 AM
Reading this it sounds like what I may need to do. Is there another document that pertains to Exchange 2007?
Chris
01-12-2011 07:52 AM
Just run the following two powershell scripts on the exchange server
get-mailboxserver "<mail_server_name>" | add-exchangeadministrator "yourEVAdmin" -role ViewOnlyAdmin
get-mailboxserver "<mail_server_name>" | add-adpermission -user "yourEVAdmin" -accessrights ExtendedRight -extendedRights Send-As, Receive-As, ms-Exch-Store-Admin
01-13-2011 10:25 AM
I get an error when I run the first script. I ran it without and with the -Identity parameter with the same error. I did the same with the domain name for the user account, with the same error. I went ahead and ran the second script and it came back with warnings that the
WARNING: Appropriate ACE is already present on object.
[PS] C:\Windows\system32>get-mailboxserver -Identity NRMX3 | Add-ExchangeAdmini
trator NRDNR\nrvaultSAnrmx3 -Role ViewOnlyAdmin
Add-ExchangeAdministrator : The input object cannot be bound to any parameters
for the command either because the command does not take pipeline input or the
input and its properties do not match any of the parameters that take pipeline
input.
At line:1 char:62
+ get-mailboxserver -Identity NRMX3 | Add-ExchangeAdministrator <<<< NRDNR\nrv
aultSAnrmx3 -Role ViewOnlyAdmin
+ CategoryInfo : InvalidArgument: (NRMX3:PSObject) [Add-ExchangeA
dministrator], ParameterBindingException
+ FullyQualifiedErrorId : InputObjectNotBound,Microsoft.Exchange.Managemen
t.RecipientTasks.AddDelegate
01-13-2011 11:17 AM
Reading further, I re-read that the Vault Service Account should only be a member of the Domain Users group which it is. But I have the VSA as a member of the Exchange View-Only Administrators, should the VSA also be a member of this group? I have read so many Tech Notes, I am losing track of what I have done and what they have recommended to do.
Chris
01-14-2011 08:58 AM
Have you seen the following TechNote?
http://www.symantec.com/docs/TECH51293
At the bottom of this there's a link to another article that contains the PowerShell script for correctly setting permissions required which shipped originally in EV 9.0 but is suitable for an install with Exchange 2007 (or mixed mode).
If using this script you no longer need to worry about being a member of Exchange View-Only administrators. Although it shouldn't hurt - only groups such as Domain Admins that have explicit denies on certain permissions are harmful.
Thanks
Karl
01-14-2011 10:19 AM
I saw the technote before, but I didn't run it as I thought because I made the permissions changes through adsiedit, that's all I needed to do. I ran the script a few minutes ago (no errors), I can't restart the Exchange Information Store service right now. I will attempt to start the Mail Archiving Task later today.
To add more information on what I have been able to successfully do:
Using the VSA:
I can logon to the EV server and access the VAC
Logon to the email server
Send and Receive email using Outlook with VSA and corresponding email box.(v. 2010)
I deleted my email server and Task Service from EV and re-added earlier today (prior to running script), same issue.
After I restart the task service later, I will post if it failed or is running.
01-19-2011 05:01 AM
A few days off to clear the mind and the eyes. Sometimes you just want to find a wall and beat your head against it.
I set the permissions on the user account for my system mailbox on the Exchange 2007 server and not the Vault System Account for the EV Enterprise.
Email Archiving Task is running and email is being archived on my mailbox that I moved to the new server.
Thanks for the help as always.
Chris
01-19-2011 06:00 AM
wait hang on...what??
Are you saying that it wasn't working because you were giving permissions to the wrong account? or are you saying you got it working by giving the permissions to the VSA?
01-24-2011 07:43 AM
That was it. I think I had too many other things going on at the same time and I selected the wrong user account when adding permissions.
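Added example, not part of any post in this thread: an Exchange Management Shell check that reports, for each account you name, whether the three extended rights from the Add-ADPermission command above are granted or explicitly denied on the mailbox server object, which makes it visible when the rights went to the wrong account. The function name `Get-EvRightsReport` and the placeholder server and account names are assumptions.

```powershell
# Run in the Exchange Management Shell on the Exchange 2007 server.
# Placeholder values (assumptions): replace with your own server and accounts.
$Server   = '<mail_server_name>'
$Accounts = '<DOMAIN\VaultServiceAccount>', '<DOMAIN\SystemMailboxAccount>'

# Extended rights set by the Add-ADPermission command posted in the thread.
$Required = 'Send-As', 'Receive-As', 'ms-Exch-Store-Admin'

# Hypothetical helper name; reports one line per account and right.
function Get-EvRightsReport {
    param([string]$ServerName, [string[]]$AccountNames, [string[]]$Rights)

    foreach ($account in $AccountNames) {
        # Every ACE on the mailbox server object that names this account.
        $aces = @(Get-MailboxServer -Identity $ServerName |
                  Get-ADPermission -User $account)

        foreach ($right in $Rights) {
            # ACEs that carry this extended right (names compared as strings).
            $hits = @($aces | Where-Object {
                @($_.ExtendedRights | ForEach-Object { "$_" }) -contains $right
            })
            $allow = @($hits | Where-Object { -not $_.Deny })
            $deny  = @($hits | Where-Object { $_.Deny })

            if ($deny.Count -gt 0) {
                # An explicit or inherited Deny overrides any Allow ACE.
                $state = 'DENIED'
            } elseif ($allow.Count -gt 0) {
                $state = 'granted'
            } else {
                $state = 'MISSING'
            }
            "{0,-40} {1,-22} {2}" -f $account, $right, $state
        }
    }
}

Get-EvRightsReport -ServerName $Server -AccountNames $Accounts -Rights $Required
```

The account the archiving task runs as should show `granted` for all three rights; `MISSING` on that account with `granted` on another is the situation described in the final posts.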