Exchange 2016 error “A valid migration mailbox could not be found for this organization”

Introduction

Microsoft Exchange Server system mailboxes are also known as “Arbitration” mailboxes. Exchange Server uses these arbitration mailboxes for various tasks such as eDiscovery search metadata, admin audit logs, OAB, mailbox migration, and UM data like menus and dial plans. The accounts behind these mailboxes are created automatically in the root domain of your Active Directory forest when you prepare Active Directory while setting up your first Exchange server. You can list these mailboxes from the Exchange Management Shell (EMS) by running the following cmdlet.

C:\>Get-Mailbox -Arbitration

Below are the arbitration mailboxes created by Exchange Server during installation. Each one is backed by a disabled AD account in the Users OU of the root Active Directory domain.

  • SystemMailbox{1f05a927-eac1-46e7-9a47-611e1a81bb50}
  • SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}
  • SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}
  • Migration.8f3e7716-2011-43e4-96b1-aba62d229136

Today I was working on an Exchange Server 2010 to Exchange Server 2016 upgrade and got the following error message with a user mailbox migration batch.

Exchange 2016 error "A valid migration mailbox could not be found for this organization"

Microsoft has the solution documented in KB article 2812509. The reason for the error is that the migration mailbox is either not enabled or was deleted. When you use the New-MigrationBatch cmdlet, the migration mailbox must exist and be enabled, or else you won’t be able to migrate the mailboxes.

Although the migration arbitration mailbox is created during the initial installation of Exchange Server 2016, the account can become corrupted or be deleted by mistake. You can easily re-create it by running the following EMS cmdlets.

How to Fix It?

  • The first step is to confirm that the account Migration.8f3e7716-2011-43e4-96b1-aba62d229136 does not exist

Get-Mailbox -Arbitration | fl name, alias

  • Prepare Active Directory by running the following command in Windows PowerShell

.\Setup /PrepareAD /IAcceptExchangeServerLicenseTerms

  • Once the AD preparation is complete, verify that the account exists under the default Users OU in the root Active Directory domain
  • Enable the arbitration mailbox used for migration

Enable-Mailbox -Arbitration -Identity "Migration.8f3e7716-2011-43e4-96b1-aba62d229136"

  • Configure the migration arbitration mailbox as below

Set-Mailbox "Migration.8f3e7716-2011-43e4-96b1-aba62d229136" -Arbitration -Management:$true

Once the arbitration mailbox is enabled and configured properly, create the migration batch to migrate user mailboxes from one database to another.

Exchange Server 2013 CU14 and Exchange Server 2016 CU3 Issues

Microsoft released Exchange Server 2013 CU14 in September, and the issues addressed by Exchange 2013 CU14 are listed here. Along with Exchange Server 2013 CU14, Microsoft also released CU3 of Exchange 2016. Implementing these updates in production has caused database content index failures. Both updates were released in September of this year.

I have experienced this issue with an Exchange 2016 CU3 implementation, and a lot of customers have reported the same issue on the Microsoft TechNet forum for Exchange Server 2013 CU14 as well. Working through a Microsoft support ticket, it has been reported back that a bug has already been acknowledged and, for now, the solution is to deploy a new Exchange Server 2013 CU13 or Exchange Server 2016 CU2 server and move all user mailboxes to the new server. It’s an ugly workaround, but for now we have to do this or, I would say, we shouldn’t upgrade our Exchange implementation to the current CU until a fix is released by Microsoft.

As a consultant, I do not recommend deploying Exchange Server 2013 CU14 or Exchange Server 2013 CU3 in your production environment until we have a fix for this bug.

If you are experiencing the same issue in your Exchange organization, I would highly recommend opening a support ticket with Microsoft and letting them know that you are also impacted by the issue. With content indexing failing on a database, you’ll also see the following event on your server.

Watson report about to be sent for process id: 28160, with parameters: E12IIS, c-RTL-AMD64, 15.00.1236.003, M.E.Search.Service, M.E.Data.Directory, M.E.D.D.ScopeSet.GetOrgWideDefaultScopeSet, System.ArgumentNullException, 301, 15.00.1236.000.
ErrorReportingEnabled: False

This issue has been widely reported by many organizations, and I highly recommend testing Exchange updates thoroughly in a dev environment before rolling out the changes to your production Exchange servers.

Distribution List owner is unable to manage DL membership after mailbox migration to Exchange 2013

Introduction

Recently, I did an Exchange 2007 to Exchange 2013 upgrade for one of my customers, and we noticed a change in the behavior of distribution list management via the Outlook client. In our scenario, we have delegated the management of distribution lists to the end users who own them. After we had deployed Exchange 2013 in coexistence with Exchange 2007, we migrated user mailboxes from Exchange 2007 to Exchange 2013 and came across an issue managing distribution lists in the Outlook client. Distribution list owners were able to modify the membership of a distribution list prior to the mailbox migration to Exchange 2013, but now when they tried to update the membership, they were getting the following error.

Changes to the distribution list membership could not be saved. You do not have sufficient permission to perform this operation on this object

How to fix it?

As the error message shows, the issue is related to permissions, so we need to look at the permissions setup to fix it. Perform the following steps to fix distribution list management from the Outlook client.

  • Log in to the Exchange Admin Center using administrative credentials
  • Navigate to Recipients > Groups, open the properties of the distribution list, and verify that the user is still an owner of the distribution list
  • Once you have verified the ownership of the distribution list, navigate to Recipients > Mailboxes and open the properties of the user who owns the distribution list

Note that we have this issue after the mailbox migration to Exchange 2013 from Exchange 2007, and nothing was modified before or after the mailbox migration to Exchange 2013.

  • Click on Mailbox features to verify the “Role Assignment Policy”

  • As you can see, the “Default Role Assignment Policy” is applied to the user mailbox after the mailbox is migrated to Exchange 2013, and this is by design
  • The Default Role Assignment Policy does not allow users to update the membership of distribution lists by default
  • You can either modify the “Default Role Assignment Policy” or create a new “Role Assignment Policy” to fix this issue
  • To modify the “Default Role Assignment Policy”, navigate to Permissions > User Role, select the policy and click on Edit

  • Select the checkbox for “My Distribution Groups” to allow DL owners to manage distribution list membership from the Outlook client, and click on Save

Once you modify the “Default Role Assignment Policy”, users will again be able to manage, from the Outlook client, the membership of the distribution lists they own.
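The built-in MyDistributionGroups role also lets users create and remove distribution groups, which is more than membership management needs. The following Exchange Management Shell sketch is an added example, not part of the original post: it grants a trimmed-down child role instead. The role name and the sample mailbox address are assumptions.

```powershell
# Added example; run in the Exchange Management Shell with rights to manage roles.
$Policy     = 'Default Role Assignment Policy'
$CustomRole = 'MyDistributionGroups-MembershipOnly'   # hypothetical role name
$Owner      = 'dl.owner@example.com'                  # placeholder mailbox

# 1. Confirm which role assignment policy the migrated mailbox received.
Get-Mailbox -Identity $Owner | Format-List Name, RoleAssignmentPolicy

# 2. Review the end-user roles already assigned through that policy.
Get-ManagementRoleAssignment -RoleAssignee $Policy |
    Format-Table Name, Role -AutoSize

# 3. Create a child of MyDistributionGroups if it does not exist yet.
if (-not (Get-ManagementRole | Where-Object Name -eq $CustomRole)) {
    New-ManagementRole -Name $CustomRole -Parent 'MyDistributionGroups'
}

# 4. Remove the entries that allow creating or deleting groups, so owners
#    can change membership only.
foreach ($cmdlet in 'New-DistributionGroup', 'Remove-DistributionGroup') {
    if (Get-ManagementRoleEntry "$CustomRole\*" | Where-Object Name -eq $cmdlet) {
        Remove-ManagementRoleEntry -Identity "$CustomRole\$cmdlet" -Confirm:$false
    }
}

# 5. Assign the trimmed role to the policy (skip if already assigned).
if (-not (Get-ManagementRoleAssignment -RoleAssignee $Policy |
          Where-Object Role -eq $CustomRole)) {
    New-ManagementRoleAssignment -Role $CustomRole -Policy $Policy
}

# 6. List what the role still permits, for the change record.
Get-ManagementRoleEntry "$CustomRole\*" | Format-Table Name, Parameters -AutoSize
```

If the unmodified MyDistributionGroups role was already ticked in the policy, remove that assignment so the trimmed role is the only one in effect.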

Troubleshoot Free/Busy in Exchange 2013 Hybrid

Introduction

When working with an Exchange hybrid implementation, Free/Busy sharing is one of the most important and required features for organizations to support long-term coexistence between on-premises Exchange and Exchange Online. As an IT consultant, I have seen different issues that are hard to find on the internet and have limited or no information available to help you fix them.

Last week, I faced an issue with Free/Busy in an Exchange 2013 hybrid deployment with Exchange Online. I was troubleshooting the exchange of Free/Busy information in the hybrid deployment because Free/Busy information was not working. An on-premises user was able to see the Free/Busy information of a migrated user in Office 365, but an Office 365 user wasn’t able to see the Free/Busy information of an on-premises mailbox.
I started my troubleshooting with the basic configuration of Exchange hybrid, such as:

  • EWS Virtual Directory Authentication and URL Settings
  • Autodiscover Virtual Directory Authentication Settings
  • IIS Handler
  • Organization Relationship Configuration
  • Verified all the configurations as per Microsoft support tool

After performing all the basic tests, I moved on to advanced troubleshooting and found an issue with the federation trust test while running the Test-FederationTrust cmdlet.

Begin testing for organization relationship CN=O365 to On-premises – 961960e2-8cbd-46e7-8442-a860ec05f4dc,CN=Federation,CN=Configuration,CN=msexperttalk.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR04A001,DC=prod,DC=outlook,DC=com,enabled state True.

Exchange D-Auth Federation Authentication STS Client Identities are uri:WindowsLiveID/outlook.com;urn:federation:MicrosoftOnline/outlook.com;

STEP 1: Validating user configuration
WARNING: The federated domain ‘msexperttalk.com’ of the user is in the local organizational relationship which normally only contains the domains of external organizations.
RESULT: Success.

STEP 2: Getting federation information from remote organization…
RESULT: Success.

STEP 3: Validating consistency in returned federation information
RESULT: Success.

STEP 4: Requesting delegation token from the STS…
RESULT: Error.

LAST STEP: Writing results…

RunspaceId  : 5c91e911-f482-4fef-9d49-ae39eec1dd81
Identity    :
Id          : FailureToGetDelegationToken
Status      : Error
Description : Failed to get delegation token:

How to Fix It?

This issue can be caused by many factors related to the hybrid implementation. Run the commands below in a CMD window on your on-premises server to resolve the “delegation token from the STS” issue.

  1. bitsadmin /Util /SetIEProxy LOCALSYSTEM NO_Proxy
  2. bitsadmin /Util /SetIEProxy NETWORKSERVICE NO_Proxy
  3. bitsadmin /Util /SetIEProxy LOCALSERVICE NO_Proxy

After changing the value from AutoDetect to NO_Proxy, I was able to fix the issue by running the cmdlet that refreshes the metadata for the federation trust. After running the cmdlet, you have to wait about 1 hour for the changes to replicate.

Get-FederationTrust | Set-FederationTrust -RefreshMetadata

After running the command, I re-ran the Test-FederationTrust command which completed successfully.

Exchange 2013: Event ID 2937 MSExchange ADAccess after Exchange decommissioning

I was performing a health check for one of my Exchange 2013 organizations and noticed a few warning messages in the Application log related to MSExchange ADAccess. The warnings were about a property of a user object pointing to a database that no longer exists in the Exchange organization. Below is the detailed warning message.

Process w3wp.exe (ECP) (PID=11448). Object [CN=Riaz Butt,OU=Test,DC=mscloudtalks,DC=com]. Property [PreviousDatabase] is set to value [mscloudtalks.com/Configuration/Deleted Objects/DB01
DEL:30e71668-0813-4277-b9dd-4513a506c10a], it is pointing to the Deleted Objects container in Active Directory. This property should be fixed as soon as possible.

The event captured in the Application log on the Exchange server was MSExchange ADAccess Event ID 2937.

This issue needs to be fixed ASAP, as it can cause service interruption for the user named in the warning. A quick check of the user’s attributes in Active Directory confirmed the warning and showed why I was getting it.

How to fix Event ID 2937 MSExchange ADAccess Warning?

  • Log in to a domain controller and launch Active Directory Users and Computers
  • Make sure you have “Advanced Features” enabled from the View menu.

  • Browse to the OU where the user account resides and open the properties of the user account

  • Click on Attribute Editor and search for the attribute “msExchPreviousHomeMDB”
  • Clear the value and click OK
  • Click on Apply to save the changes, then wait for Active Directory replication or replicate the AD changes manually using the following command

C:\> Repadmin /Syncall /Force

Once Active Directory replication has completed, you will no longer see warnings about the user’s database property pointing to the Deleted Objects container. This will fix a lot of end-user issues as well.
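When a database has been decommissioned, more than one account is usually affected. The following script is an added example, not part of the original post: it finds every user whose msExchPreviousHomeMDB still points into the Deleted Objects container, records the old values, and clears them. It assumes the ActiveDirectory RSAT module is available and that the stale value is a distinguished name containing “CN=Deleted Objects”; the CSV file name is arbitrary.

```powershell
# Added example; requires the ActiveDirectory module (RSAT) and rights to
# modify the affected user objects.
Import-Module ActiveDirectory

# Find users whose previous-database pointer references a deleted object.
$affected = Get-ADUser -LDAPFilter '(msExchPreviousHomeMDB=*)' `
                       -Properties msExchPreviousHomeMDB |
    Where-Object { $_.msExchPreviousHomeMDB -match 'CN=Deleted Objects,' }

"Accounts with a stale msExchPreviousHomeMDB value: $(@($affected).Count)"

# Keep a record of the old values before changing anything.
$affected |
    Select-Object SamAccountName, DistinguishedName, msExchPreviousHomeMDB |
    Export-Csv -Path .\msExchPreviousHomeMDB-before.csv -NoTypeInformation

# Dry run first: -WhatIf prints what would be cleared without writing to AD.
foreach ($user in $affected) {
    Set-ADUser -Identity $user -Clear msExchPreviousHomeMDB -WhatIf
}

# After reviewing the dry-run output, remove -WhatIf above and re-run, then
# confirm that the query no longer returns any objects.
```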