If your environment employs a resource domain, or if you happen to have multiple user logon domains (as we do), you're probably familiar with the concept of linked mailboxes in Exchange. We currently have two domains that contain logon accounts, while all of our Exchange servers, and therefore the mailboxes, are in just one of those domains.
Side note: The biggest downside I see to this whole concept of linked accounts is that it's tougher to monitor for inactive accounts, since the resource account used to host the mailbox is never active and never used for an interactive logon. Sure, the user accounts in the linked domain are monitored, disabled when someone leaves, and then purged regularly, but the associated resource account and mailbox can hang around for months or even years. Security is more worried about interactive logons than about stale data, so there's really no one who sees this as a problem.
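One way to put a check on that blind spot is to audit linked mailboxes from the resource side and cross-reference each one against its master account in the logon domain. The script below is an added example, not something from the original post; the domain names are assumptions, and it assumes the ActiveDirectory PowerShell module and read access to both domains. It relies on the fact that a linked mailbox's resource account stores the master account's SID in msExchMasterAccountSid.

```powershell
# Added example (not from the original post): find linked mailboxes whose master
# logon account in the other domain is disabled or no longer exists.
Import-Module ActiveDirectory

$ResourceDomain = 'resource.example.com'   # assumption: domain holding Exchange and the mailboxes
$LogonDomain    = 'logon.example.com'      # assumption: domain holding the user logon accounts

function ConvertTo-Sid {
    # Get-ADUser may hand back msExchMasterAccountSid as a SecurityIdentifier or as raw bytes.
    param($Value)
    if ($Value -is [System.Security.Principal.SecurityIdentifier]) { return $Value }
    return New-Object System.Security.Principal.SecurityIdentifier(([byte[]]$Value), 0)
}

# Resource accounts of linked mailboxes carry the master account's SID. The SELF SID
# (S-1-5-10) marks a disabled-account mailbox that is not linked, so it is skipped.
$resources = Get-ADUser -Server $ResourceDomain `
    -LDAPFilter '(&(msExchMasterAccountSid=*)(homeMDB=*))' `
    -Properties msExchMasterAccountSid, homeMDB, whenChanged

$report = foreach ($resource in $resources) {
    $masterSid = ConvertTo-Sid $resource.msExchMasterAccountSid
    if ($masterSid.Value -eq 'S-1-5-10') { continue }

    $master = $null
    try {
        $master = Get-ADUser -Server $LogonDomain -Identity $masterSid.Value -ErrorAction Stop
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # The master account has already been purged from the logon domain.
    }

    $state = 'OK'
    if ($null -eq $master) { $state = 'MasterMissing' }
    elseif (-not $master.Enabled) { $state = 'MasterDisabled' }

    [pscustomobject]@{
        ResourceAccount = $resource.SamAccountName
        MasterSid       = $masterSid.Value
        MasterAccount   = if ($master) { $master.SamAccountName } else { $null }
        State           = $state
        MailboxDatabase = (($resource.homeMDB -split ',')[0] -replace '^CN=')
        LastChanged     = $resource.whenChanged
    }
}

# Anything not 'OK' is a mailbox still collecting mail for someone who can no longer log on.
$report | Where-Object State -ne 'OK' | Sort-Object State, ResourceAccount | Format-Table -AutoSize
```

Running this on a schedule and feeding the non-OK rows into the same offboarding process that already handles the logon accounts closes the gap the side note describes: the resource account never logs on, so the only signal that it is stale is the state of the account it is linked to.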
This morning I ran into a little problem with one of these old accounts, and a former employee that had come back again. When he left, sometime last year, his account was disabled and moved into a "Retired Users" OU. His mailbox account had been untouched, and was still collecting mail ever since he left. I decided to delete the old mailbox and create a new one, so he could start out fresh. Note that I only removed the Exchange attributes from his resource account. I didn't delete the account, just the old linked mailbox.
Using the mailbox wizard (I'm lazy), I repeatedly tried to create a new linked mailbox, using both of his old accounts, but ran into a snag - the wizard couldn't find his logon account. The resource account in the Exchange domain was just fine, but his logon account (which had been re-enabled and moved into a production OU) would not show up in the wizard when it listed the accounts available to be linked. I spent a couple of hours verifying settings and trying different things in an effort to make the account become visible, to no avail.
Finally, after breaking for lunch, I hit on an idea. On the assumption that the account wasn't visible because Exchange somehow believed that it was already mail-enabled, I looked up an old Exchange team blog article on removing Exchange attributes (http://blogs.technet.com/b/exchange/archive/2006/10/13/3395089.aspx), and then fired up ADSIEdit to see what I could find on the user's logon account. Sure enough, it had several Exchange attributes set. After clearing those attributes, the wizard was quickly able to locate the user's account, and the new linked mailbox was completed.
The underlying cause of the problem was interesting - the user's logon domain had once had its own Exchange organization. In fact, that domain had belonged to another company, which had merged with our company a few years back. When we deployed Exchange 2007 (a couple of years ago), we decommissioned the other domain's Exchange organization and moved them into ours via the linked mailbox model. That's also why we still have two logon domains, one with Exchange and one without. Even though we had migrated the other domain's mailboxes, at least some of the old Exchange attributes were left behind, unused, and one or more of those attributes prevented me from linking the account again because Exchange believed the account was already mail-enabled. How about that?
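For anyone who would rather not poke at attributes one at a time in ADSIEdit, the following is an added example (not from the original post) that reports which Exchange attributes are still populated on a logon account and, only when asked, clears them after writing a backup. The attribute list is an assumption drawn from general Exchange knowledge rather than from this post; compare it against the Exchange team article linked above before relying on it, and the server name is a placeholder.

```powershell
# Added example (not from the original post): report, and optionally clear, leftover
# Exchange attributes on a user object that is supposed to have no mailbox.
Import-Module ActiveDirectory

function Get-LeftoverExchangeAttribute {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $Server = 'logon.example.com',   # assumption: the user logon domain
        [switch] $Clear                           # without -Clear the function only reports
    )

    # Assumed list of attributes Exchange stamps on a mail-enabled user; verify against the
    # Exchange team article referenced in the post before clearing anything in production.
    $exchangeAttributes = @(
        'mail', 'mailNickname', 'legacyExchangeDN', 'proxyAddresses', 'showInAddressBook',
        'homeMDB', 'homeMTA', 'msExchHomeServerName', 'msExchMailboxGuid',
        'msExchMailboxSecurityDescriptor', 'msExchRecipientTypeDetails',
        'msExchRecipientDisplayType', 'msExchUserAccountControl', 'msExchVersion',
        'msExchPoliciesIncluded', 'msExchALObjectVersion', 'textEncodedORAddress'
    )

    $user = Get-ADUser -Server $Server -Identity $SamAccountName -Properties $exchangeAttributes

    # Keep only the attributes that actually hold a value on this object.
    $stale = @{}
    foreach ($name in $exchangeAttributes) {
        $value = $user.$name
        if ($null -ne $value -and @($value).Count -gt 0) { $stale[$name] = $value }
    }

    if ($stale.Count -eq 0) {
        Write-Output "No Exchange attributes set on $SamAccountName"
        return
    }

    Write-Output "Exchange attributes still present on $SamAccountName :"
    $stale.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

    if ($Clear) {
        # Save the values first so the change can be reversed if one of them turns out to matter.
        $backup = Join-Path $env:TEMP ('{0}-exchange-attrs-{1:yyyyMMdd-HHmmss}.xml' -f $SamAccountName, (Get-Date))
        $stale | Export-Clixml -Path $backup
        Write-Output "Backup written to $backup"

        # -Confirm prompts before the write; Set-ADUser -Clear removes every listed attribute.
        Set-ADUser -Server $Server -Identity $user -Clear ([string[]]$stale.Keys) -Confirm
    }
}

# Report first; add -Clear (and confirm the prompt) once the list looks right.
Get-LeftoverExchangeAttribute -SamAccountName 'jdoe'          # 'jdoe' is a placeholder
# Get-LeftoverExchangeAttribute -SamAccountName 'jdoe' -Clear
```

Reporting before clearing matters here because the same attributes legitimately exist on accounts that still have a mailbox in some other organization; the function is meant for an account that, like the one in this post, is known to have been migrated away and should carry none of them.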
Monday, November 26, 2012