Windows – Exchange 2003: Mailboxes and address book entries not being created

exchangeexchange-2003windows

First up, we don't change staff or accounts much where I work, so this problem may have started any time in the last 3 or 4 months.

We're running an AD domain using Server 2003R2 and Exchange 2003. The Exchange server is also a DC and a GC server.

Yesterday I create 3 new AD accounts, complete with mailboxes. Or so I thought. When I tried to send test messages to those accounts I discovered that the mailboxes were not created at all.

Using ADSIedit to compare one of the new accounts to an existing one I found that the msExchUserAccountControl setting was "". Setting that value to 0, as the existing account has, resulted in the corresponding mailbox being created. The only other settings that I could see which were not set in the new accounts but set in the existing one related to the address books. I expected those to be updated automatically. However, The GAL is not updating either and attempting to enter those address book settings directly with ADSIedit resulted in a "User not found".

Perhaps coincidentally, although I suspect not, starting yesterday using Message Tracking Center on my XP workstation is now ending with an "Access denied" error, ID 80070005. There is nothing in the event logs on either workstation or server to shed any light on this. The Message Tracking Center on the server works just fine with the same user logon account. All this leads me to suspect something security related is broken, but what?

Googling has turned up very little. The only entries I could find with similar descriptions all related to moving mailboxes between versions. We have never moved a mailbox and this is in fact the company's first and only Exchange server.

Right now we can use those new accounts with OWA but cannot use them with Outlook (2002/XP, sorry to say) as the names will not resolve because they are not in the address book. Any suggestions I can check out before resorting to a full server rebuild?

Best Answer

The msExchUserAccountControl attribute should be set automatically by the Recipient Update Service (RUS). It is also responsible for setting the necessary attributes on the mailbox to make it appear in the GAL. Probably the reason those new mailboxes aren't appearing in the GAL (and thus not MAPi-accessible) is that the showInAddressBook either isn't set or is set incorrectly. Trying comparing that attribute on a good user to one of the new ones. The other possibility is that the permissions issue you described is somehow also preventing the RUS from modifying these new mailboxes. The RUS is complicated and I can't do much troubleshooting this way but it's at least a lead for you. Review the application logs on the Exchange server in detail and take a look at this as a start: http://msexchangeteam.com/archive/2004/07/07/175444.aspx. Good luck.

Related Solutions

Exchange 2010 – Offline Address Book Not Updating for One User

Investigating this issue required me to use a bit of Active Directory know how, as well as some Exchange-2010-Management-Shell-fu.

The first thing I checked is if my 2 domain controllers are replicating properly. My initial thought was when I updated the Hide from Exchange address lists checkbox in Active Directory Users and Computers that I had changed this on one Domain Controller, which was not replicating to the other Domain Controller that the Offline Address Book generation process happened to pick. As it turns out, the Domain Controllers are replicating properly and this is not the issue.

The next thing to do is to check out some Active Directory attributes and their current values. My preferred tool for doing low level things with Active Directory is ADExplorer from Sysinternals, however ADSI Edit will do an equally good job if you prefer that.

The first attribute I looked at on the user is the msExchHideFromAddressLists attribute. This should be FALSE if the user should appear in address lists and TRUE if they shouldn't. This is really just a sense check as it's what Active Directory Users and Computers updates when you (un)tick the Hide from Exchange address lists checkbox. This was correctly showing TRUE.

The next attribute to check is showInAddressBook. This is a multi value attribute that contains all address lists that this user should appear in. Ordinarily, this should contain at least one address list the user should appear in, but for anybody who has the msExchHideFromAddressLists attribute set to TRUE this attribute should not be set at all. This was the biggest clue, as this user still had values in this attribute which should have been removed when the Hide from Exchange address lists checkbox was checked.

The Recipient Update Service on the Exchange 2003 server is responsible for updating the value of the showInAddressBook attribute (among others) in Active Directory so I determined that for some reason the Recipient Update Service was malfunctioning here.

When I initially installed Exchange 2010, I had to run setup.com /PrepareLegacyExchangePermissions to grant the Recipient Update Service some permissions it needs because Exchange 2010 moves things around a little bit.

To check out the permissions, I opened up Active Directory Users and Computers and selected View => Advanced Features to enable me to view the security attributes for the user account in Active Directory. I then opened the offending user and checked on the security tab, and compared this to another user who should be included in the Offline Address Book. While I didn't check each permission, it was immediately obvious that the user who should be in the Offline Address Book had many more permissions granted than the user who had just left. Checking a few other users, they also had many more permissions granted than the offending user did.

Something I happened to notice purely by chance is that the offending user was not inheriting permissions from parent objects, whereas all the other users I checked were. I know from experience that this usually only happens when the user is (or once was) a member of an Active Directory privileged group. After verifying they are no longer a member of a privileged group, I went back to ADExplorer and changed the adminCount attribute on this user to 0 from 1. I then went back into Active Directory Users and Computers and enabled this user profile to inherit permissions from parent objects.

After I did that, I went into the users properties and unchecked the Hide from Exchange address lists checkbox and then checked it again. I waited a few minutes for the Recipient Update Service to do its thing, and sure enough 5 minutes later when I looked at the user object in ADExplorer the Recipient Update Service had removed the showInAddressBook attributes that it had no permission to do earlier. A quick manual rebuild of the Offline Address Book and everybody is happy.

Exchange Server Address List Service Failure When Creating Mailboxes

I don't if this is related or not to your problem, by I'd start by fixing those obviously address-book-related errors.

For the first one: go to the properties of the Mailbox Database, in the "Client Settings" tab, and configure the Offline Address Book this database's users should use (if you only have the default one, just select it).

For the other ones: force a full Offline Address Book rebuild using

Get-OfflineAddressBook | Update-OfflineAddressBook

Best Answer

Related Solutions

Exchange 2010 – Offline Address Book Not Updating for One User

Exchange Server Address List Service Failure When Creating Mailboxes

Related Topic