VSA and Domain Admins (Event ID 3410)

Elio_C
Level 6

Hi,

I'm getting Event ID 3410 on my EV11.0.1 HF2 server.

The task failed to log on to the Exchange Server.

The task is running as a Windows user that is a member of the 'domain admins' group. Remove the user from this group to ensure that the task has sufficient access to the Exchange Server. 

I have 2 Exchange 2010 and an Exchange 2013 server Archiving tasks and the error only relates to the Exchange 2013 task, the 2 Exchange 2010 tasks work fine.

The VSA is a member of Domain Admins; the Domain Admins "Deny" permissions have been removed from the mailboxes. I can open the task/system mailbox in OWA using the VSA credentials.

The Deployment Scanner reports "green" for Exchange Server Permissions. I did not run the SetEVExchangePermissions.ps1 as I don't believe I need to.

Moving the mailbox back to 2010 produces the same 3410 error and the 3413 "The system mailbox is not on the same Exchange Server that the Mailbox archiving task processes. This may result in decreased archiving performance." but it still doesn't start.

I have Outlook 2007, with all the latest patches, installed on the server.

What am I missing here?

 

1 ACCEPTED SOLUTION


Elio_C
Level 6

Adding the VSA credentials to the task log on settings appears to work.

 

Regarding VSA and Domain Admins, (my excuse is) the systems were setup by consultants/partners during a period of massive and rapid change. It's near the top of my list now.

 


5 REPLIES

GertjanA
Moderator

Hello,

It is strongly advised not to have the VSA as a member of the Domain Admins group. I think that will be the first thing Support will ask you to change when logging a call (as a remark).

You basically have 2 errors. I believe the 1st one is a 'simple' check to see if the VSA is member of Domain Admin (or not). The 2nd indicates that the EVSystemMailbox you are using for that specific task is currently not on the Exchange server the task is targeting.

We have (in our environment) a separate database on each Exchange server which is not part of a DAG. The EVSystem mailbox is in this db. That makes sure the system mailbox is always on the Exchange server, and the task will only fail when the Exchange server itself is down.

You might want to check to see where the systemmailbox for the failing task currently lives, and if necessary move that one back to the exchange server the task is targeting. Deployment scanner (AFAIK) does not scan membership of VSA of domain admins, hence the 'all green'.

 

Regards. Gertjan

Elio_C
Level 6

Thanks Gertjan,

The mailbox location is easy to fix, I was just testing if a Ex2013 mailbox was the issue.

Regarding VSA and Domain Admins, from https://www.veritas.com/support/en_US/article.TECH76700#Vault_Service_Account "It is recommended that the VSA not be a member of the Enterprise Admins group, the Domain Admins group, or any other group that contains a default DENY permission on mailboxes. It is better to start with a standard domain user account and explicitly assign only the required permissions." The 2 Exchange 2010 archiving tasks work fine.

Any idea what I can change to make it work in this configuration? Can the domain admin check be bypassed in any way?

GertjanA
Moderator

You're welcome,

I am not sure it is possible to bypass. If so, I have no knowledge on how to do that. Perhaps Veritas Support can assist.

Is there perhaps something that 'resets' the Domain Admin's permission on the mailboxes? Did you remove the deny on the mailboxes manually? Using a PowerShell script of some sort? Perhaps you need to run that again, to make sure the permission is indeed removed. It might be something on Exchange 2013.

Have a read on this: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_28129175.html

 

Regards. Gertjan
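
A read-only check of the three things discussed in this thread (VSA membership of the privileged groups, leftover Deny entries on the system mailbox, and where that mailbox currently lives), added here as an example; it was not posted by any participant and is not taken from Veritas documentation. It assumes the ActiveDirectory module and the Exchange Management Shell are loaded and a single-domain forest; `svc-vault` and `EVSystemMailbox01` are placeholder names.

```powershell
# Added example: audit only, makes no changes.
# Placeholders: replace with your own VSA account and the failing task's system mailbox.
Import-Module ActiveDirectory

$VsaSam        = 'svc-vault'            # placeholder: sAMAccountName of the VSA
$SystemMailbox = 'EVSystemMailbox01'    # placeholder: system mailbox of the failing task
$RiskyGroups   = 'Domain Admins', 'Enterprise Admins'

# 1. Direct or nested membership in groups that carry a default Deny on mailboxes.
foreach ($group in $RiskyGroups) {
    $hit = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.SamAccountName -eq $VsaSam }
    [pscustomobject]@{
        Check  = "VSA is a member of '$group' (including nested groups)"
        Result = [bool]$hit
    }
}

# 2. Deny entries still present on the system mailbox, explicit or inherited.
#    An inherited Deny comes from a parent object (database, server, organization),
#    so removing it on the mailbox alone does not make it go away.
Get-MailboxPermission -Identity $SystemMailbox |
    Where-Object { $_.Deny } |
    Select-Object Identity, User, AccessRights, IsInherited, Deny

# 3. Server and database that currently host the system mailbox (relevant to Event ID 3413).
Get-Mailbox -Identity $SystemMailbox |
    Select-Object Name, ServerName, Database
```

An empty result from step 2 and `False` for both rows in step 1 is the state the Veritas article quoted above recommends.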

AndrewB
Moderator

Why do you need the VSA to be domain admin? Are all your other applications' service accounts domain admins?
