A Subscription Delivery error has occured. (rsDeliveryError)
One of the extention parameters is not valid for the following reason: The name of the host specified in the e-mail address sandeep@messagingserversupport.com is not valid. (rsInvalidExtentionParameter)

Cause:
==========
Permittedhost section of rsreportserver.config is populated with specific domain names

Resolution”
=============

Add the external domain name or IP address to the permittedhost section of rsreportserver.config file to allow email delivery to that domain, if you do not want to restrict email delivery & want it to be recieved by all domains, leave the permittedhost section blank.

by default this value is not set,

Reference : http://msdn.microsoft.com/en-us/library/ms157273.aspx

What we found out is we should disable the Mysite Cleanup job prior to recreating the user profile sync connection.

This behaviour is by design if you want to not have Mysites deleted automatically.

Key point to remember here is that
1. Mysite Cleanup Job needs to be disabled prior to recreating user profile Sync
2. When you do the Initial sync you will see user profiles marked for deletion
3. successful completion of a full sync and at least one incremental sync so that the users are again marked as active.

While all this time, we could create a new profile for the moved mailbox using autodiscover & that would work, it could connect with the new Exchange Server 2010 just fine, however the old or existing profile will not automatically get updated.

After some research we found the following article on Microsoft knowledge base

http://support.microsoft.com/kb/2626707

This happens because of the store cache interval & In all practical scenario’s it may take upto 2 hours ( as seen in this case) for the profile to get updated as seen in this case. During this period, if you create a new profile for the user using autodiscover, it will correctly point to the new server, but in the real world the customers would want to have their existing outlook profile point to the new server.

The resolution is to reduce the store cache, but still some delay is expected. So practically the online move feature with E2K10 is not very useful here, so do not recommend move mailbox from E2K7 to E2K10 during work hours to make use of the Online move feature.

This caught us unaware this time, but hopefully not for future migrations.

Let’s start with Preparing server for installing Exchange 2013 RTM.

1- Install Remote Administration Server tool on the Server.
Install-WindowsFeature RSAT-ADDS

2- Install Windows Features on Windows Server 2012 required for Exchange 2013 RTM. It requires the same features for Mailbox server role and Client access server role.
Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation

Installation of these features may fail if you don’t have the internet connection on server because these features are not installed by default with windows server 2012 base installation and it tries to download from internet. In such case use below step to install these features.

Open up PowerShell as an administrator and run following commands.

Mkdir C:\mountdir
Dism /get-wiminfo /wimfile:D:\sources\install.wim (Here D:\ is DVD drive which has Windows Server 2012 setup disk)
Dism /mount-wim /WimFile:D:\sources\install.wim /Index:4 /MountDir:c:\mountdir /readonly (Choose the Index from the above command’s output based on your server version)

Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation -Source C:\mountdir\windows\winsxs

3- Post installing these features restart the server and install following software.
Unified Communications Managed API 4.0 Runtime – http://www.microsoft.com/en-us/download/details.aspx?id=34992
Office 2010 Filter Pack 2.0 – http://go.microsoft.com/fwlink/?LinkID=191548
Office 2010 Filter Pack 2.0 SP1 – http://go.microsoft.com/fwlink/?LinkId=262358

Now we are good to prepare active directory schema and domain.

Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
To run this command you must be a member of Schema admin and Enterprise admins group.
This command should be executed from the same domain and same active directory site as Schema Master server.
This imports 100 ldf files to update the schema with Exchange 2013 specific attributes.
Once its completed, Please check the attribute RangeUpper at following object.
CN=ms-Exch-Schema-Version-Pt,CN=Schema,CN=Configuration,DC=MSS,DC=Com
The value should be 15137. You can also look at the ExchangeSetup.log to see more information

Setup.exe /PrepareAD /OrganizationName:”organizationname” /IAcceptExchangeServerLicenseTerms
If you already have an existing exchange organization, You don’t need to specify organizationname switch.
You must be a member of Enterprise Admin group to run this command
Verifies the active directory schema is updated for Exchange 2013 RTM , If not it will prepare the active directory schema first.
Creates Microsoft Exchange container and it’s sub containers under configuration partition of the Active directory database.
Creates “Microsoft Exchange Security Groups” OU in the root domain tree within forest and set permissions on this OU.
Assign permission throughout the active directory configuration
Creates universal security groups under Microsoft Exchange Security Groups OU
It also prepares the local domain for Exchange server 2013

Setup.exe /Preparedomain /IAcceptExchangeServerLicenseTerms
You should be a member of Domain Admins group to run this command.
You need to run this command if you are planning to deploy exchange in child domain or any other domain within same forest.
If you want to prepare all domains within your forest so run below command and this would require Enterprise admin permission
Setup.exe /PrepareAlldomains /IAcceptExchangeServerLicenseTerms
Creates Microsoft Exchange System Object container under domain tree and sets permission on this container.
Creates “Exchange install domain servers” global group under MESO and updates its membership.

4- How to verify if my active directory is prepared successfully for Exchange Server 2013 RTM.
* Check and verify the value for RangeUpper attribute at “CN=ms-Exch-Schema-Version-Pt,CN=Schema,CN=Configuration,DC=MSS,DC=Com”. It should be 15137.
* Check and verify the value for objectVersion on Microsoft Exchange System object container under domain partition. It should be 13236.
* Check and verify the value for following attribute at ”cn=organization name,cn=Microsoft exchange,cn=services,cn=configuration,dc=mss,dc=com”
msExchProductId  – The value should be 15.00.516.032.
objectVersion  – The value should be 15449.

Now we are all set to install Exchange server 2013 RTM. You can install Exchange Server 2013 either using setup wizard or unattended mode. To install using setup wizard you just need to double click on setup.exe for exchange 2013 and follow the setup wizard. For unattended mode you will have to run following command.

Open up command prompt as an administrator and Navigate to Exchange Server 2013 RTM setup
Setup.exe /Mode:Install /Roles:CA,MB /IAcceptExchangeServerLicenseTerms
For more information on unattended setup options please check http://technet.microsoft.com/en-us/library/aa997281(v=exchg.150).aspx

It will install following roles on the server

Once the installation is completed, It will suggest you to restart the server once before putting into production.

Now we have installed Exchange Server  2013 RTM successfully. In the next article we will see how to verify the Exchange Server 2013 RTM installation.

Please write an email to us at mail@messagingserversupport.com for any queries or suggestions

Cheers,
Team MSS

Here is what I have tested in my lab.

Granted Read Access permission to user LCAdmin on Indiauser1 mailbox by running below command

Added Indiauser1 mailbox as an additional mailbox in LCAdmin outlook profile. Tried to expand the folder for Indiauser1 and got below error.

Here is the workaround that I have found to grant the Read Access permission on a mailbox in Exchange 2010.

1. Granted Reviewer permission to Lcadmin on Indiauser1 mailbox folder “Top of Information Store”. Reviewer access right grants ReadItems and Folder Visible permission. See http://technet.microsoft.com/en-us/library/dd298062(v=exchg.141).aspx for more details

2. As soon as I granted this permission, Lcadmin was able to expand the Indiauser1 mailbox but it does not show any default folders such as Inbox or Sent Items.

3. Now ran the below command to provide REVIEWER permissions over all the existing folders in the Mailbox

ForEach ($f in (Get-MailboxFolderStatistics Indiauser1 | Where {($_.folderpath -notlike “/Conversation Action Settings”) -and ($_.folderpath -notlike “/Quick Step Settings”) -and ($_.folderpath -notlike “/Recoverable Items”) -and ($_.folderpath -notlike “/Deletions”) -and ($_.folderpath -notlike “/Purges”) -and ($_.folderpath -notlike “/Versions”) -and ($_.Folderpath -notlike “/Top of Information Store”)})) {$fname = “Indiauser1:” + $f.FolderPath.Replace(“/”,”\”); Add-MailboxFolderPermission $fname -User Lcadmin -AccessRights Reviewer}

Note: I have excluded few folders in the above command because these folders are hidden except root folder “Top of Information Store”. If you don’t exclude these folders you will get the warning as below.

There are two reasons to exclude the root folder “Top of information store”.

1- Exchange does not recognize the root folder as “User@domain.com:\Top of Information store” though it’s not a hidden folder.

2- I have already granted the permission on root folder ;)

Please let us know if you  have any feedback at mail@messagingserversupport.com

Cheers,
Team MSS

Lets Start with operating system supported for Exchange 2013 RTM.

Supported Operating Systems:
Exchange 2013 has got only two roles. Mailbox and Client Access server role. These roles can be installed on following operating systems.
# Windows 2008 R2 Standard edition with Service Pack 1
# Windows 2008 R2 Enterprise edition with Service Pack 1
# Windows 2008 R2 RTM Datacenter edition or later version
# Windows 2012 Standard edition
# Windows 2012 Enterprise edition
# Windows 2008 R2 or Windows 2012 core edition is not supported.

Exchange 2013 management tools can be installed on following operating systems.
# Windows 2008 R2 Standard edition with Service Pack 1
# Windows 2008 R2 Enterprise edition with Service Pack 1
# Windows 2008 R2 RTM Datacenter edition or later version
# Windows 2012 Standard edition
# Windows 2012 Enterprise edition
# 64 bit edition Windows 8
# 64 bit edition Windows 7 with Service pack 1

Other Components:
# Microsoft .NET Framework 4.5
# Windows management framework 3.0
# 64 bit Microsoft office 2010 filter pack
# 64 bit Microsoft office 2010 filter pack Service pack 1
# 64 bit Unified Communications Managed API (UCMA) 4.0
# Remote Server Administration tools pack
# Desktop-Experience
# KB 974405, 2533623, 2619234 – These hotfixes are required only if we plan to install Exchange 2013 on Windows 2008 R2 SP1
# Some of the IIS components (Will discuss about that in the next article for installing exchange 2013)

Supported Outlook and Mac Clients:
In Exchange 2013 Outlook connectivity would be only available through RPC over HTTPs. Here are the list of minimum client requirements.
# Outlook clients  older than Outlook 2007 SP3 cannot connect to Exchange 2013
# Outlook 2013, Outlook 2011 for Mac
# Outlook 2010 SP1 with July 2012 cumulative update
# Outlook 2007 SP3 with April 2012 cumulative update
# Entourage 2008 Web services edition for Mac

IPv6 Support:
Exchange 2013 supports IPv6 however this requires IPv4 to be installed on every exchange 2013 servers. We can disable IPv4 if we are not using it but we should not uninstall IPv4 otherwise it will not be supported.

Minimum Hardware requirements for Exchange 2013:
This is a minimum hardware requirements for Exchange 2013, It may vary from the actual hardware requirement.

CPU:
# Intel processor that supports Intel 64 architecture (Known as Intel EM64T)
# Intel Itanium IA64 is not supported
# AMD processor that supports AMD64 platform

Memory:
It depends on what roles you install on the server, no. of mailbox and their type basis on Light, Medium, heavy and very heavy utilization.

Stand alone Mailbox Server role                               -  8GB Minimum
Stand alone Client Access Server role                     -  4GB Minimum
Multi Role                                                                   -  8GB Minimum

Disk Size:
Below mentioned minimum space requirement does not account disk space required for Exchange database file and transaction logs.

5 GB disk free space on the drive you will install Exchange server 2013 RTM.
An additional 500 MB free disk space for each UM language pack that you install.
500 MB free space to store the mail queue database on mailbox server.
200 MB free space on the system drive.
3.5 GB free space to extract setup files from Exchange 2013 RTM ISO

Supported Active Directory topology:
To install exchange 2013 RTM we must have following Active directory topology.
# Forest functional level and Domain functional level must be Windows Server 2003 or higher
# Schema Master role, Global catalog and Domain controller must run on one of the following domain controller.
   Windows Server 2012
   Windows Server 2008 R2 Standard/Enterprise edition
   Windows Server 2008 Standard/Enterprise
   Windows Server 2008 Datacenter RTM or later version
   Windows Server 2003 R2/SP2 Standard/Enterprise 32/64 bit
# RODC will not be supported to install Exchange 2013

Supported Coexistence:
Exchange 2013 will be supported under following coexistence between Exchange 2013 and previous version of Exchange.
# Exchange 2007 SP3 with Rollup update (Rollup update is not yet released. This RU should be installed on all exchange 2007 servers  in exchange organization).
# Exchange 2010 SP3. (Service pack 3 for Exchange 2010 is not yet released. SP3 for Exchange 2010 should be installed on all Exchange 2010 servers in exchange organization.
#  Exchange 2003 and earlier version of Exchange are not supported in coexistence.

Permissions required to install Exchange 2013:
The user account which you will be using to install exchange 2013 must have following permissions.
# To prepare Active directory for exchange 2013 will require Schema Admin and Enterprise admin permission.
# Domain controller which holds schema master role must be in the same domain and same AD site from where you prepare the active directory.
#To run the exchange installation setup post preparing active directory would need Enterprise admin permission and local built in administrator permission.

I hope this should be helpful while preparing to install exchange 2013. In the next article we will demonstrate how to install Exchange 2013 RTM and verify exchange 2013 RTM installation. For any queries or comments please write us an email at mail@messagingserversupport.com.

Stay Tuned !!!

Cheers,
Team MSS

1- Who has made the Change
2- What Changes have been made
3- When the changes have been made

In Exchange 2010 RTM, Admin audit log is disabled by default. You had to specify an audit mailbox when enabling administrator audit logging. The audit mailbox was used to store all of the audit logs and administrators could access this mailbox to review reports. We can change the admin audit log mailbox in RTM version.

In Exchange 2010 SP1, Admin audit log is enabled by default. Admin audit logs can be reviewed using Shell commands or ECP. No more specified Mailbox exists.In fact, the parameter AdminAuditLogMailbox has been removed.It now uses a hidden mailbox (an arbitration mailbox) and you cannot change or modify this.

What Gets Audited:
Any operation performed using Exchange management shell, Exchange management console or Exchange web management interface run cmdlets in the background. If those cmdlet are on the cmdlet auditing list and one or more parameters on that cmdlet are on the parameter auditing, It will be audited by admin Audit Log built-in cmdlet extension agent.

Get-, Search- cmdlets are not audited. Test-cmdlets are not audited by default however we can enable to log Test-cmdlets. The purpose of Admin audit log is to show the action that has been performed on any object within exchange organization rather than showing what has been viewed.

Set-AdministratorAuditLog cmdlet is always logged. No matter the cmdlet is listed under cmdlet auditing list or admin audit is enabled or disabled.

Admin Audit Logging configuration: By default admin audit logging is enabled, and admin Audit Log built-in cmdlet extension agent logs every cmdlet that has been run except Get-and Search-. You can also configure to log information for cmdlets you are interested in as well as you can exclude cmdlets to not get audited.

We can use following cmdlets to manage admin audit logging configuration.
Get-AdminAuditLogConfig
Set-AdminAuditLogConfig

Here is the output of Get-AdminAuditlogconfig cmdlet.

Few examples to set the admin audit log cmdlets and parameters
To Log any cmdlet parameter that has Server in their names
Set-AdminAuditLogConfig –AdminAuditLogParameters *Server*

To Log cmdlet Remove-Mailbox
Set-Adminauditlogconfig -AdminAuditlogcmdlets Remove-Mailbox

To Log cmdlet Remove-Mailbox and Disable-Mailbox
Set-Adminauditlogconfig -AdminAuditlogcmdlets Remove-Mailbox,Disable-Mailbox

As soon as you run Set-Adminauditlogconfig command you will see following warning in the Exchange management shell. WARNING: The admin audit log configuration change you specified could take up to 60 minutes to take effect. Changes to the audit log configuration are refreshed every 60 minutes on computers that have the Shell open at the time a configuration change is made. If you want to apply the changes immediately, close and then open the Shell again on each computer.

Admin Audit Log Agent: The Admin Audit Log agent is enabled by default, which is required for audit logging to function. It can’t be disabled, and its priority can’t be changed. This agent manages audit logging of cmdlet operations in Exchange 2010

Manual Admin Audit Log entry:
Exchange 2010 sp1 allow us to manually write log entries to the audit log. This can be helpful in following scenarios Custom script entry and exit Change control information Maintenance start and end times

Write-AdminAuditLog:
Using Write-AdminAuditLog we can specify alphanumeric string of text up to 500 characters under comment parameters. Here is the example

Audit Logs:
When any object is modified within exchange organization, Admin Audit Log built-in cmdlet extension agent performs following.

1-Checks the cmdlet that has been run
2-Tries to check if that cmdlet is listed under AdminAuditLogConfigCmdlets parameter, If yes
3-Tries to check if the parameter specified in the cmdlet is listed under AdminAuditLogConfigParameters
4-If any one or more parameter matches, It Logs the cmdlet in the dedicated arbitration mailbox

We can retrieve these logs using one of the following in Exchange 2010 SP1
1-ECP -Roles & Auditing Page
2-Search-AdminAuditLog (Result shows in Shell)
3-New-Adminauditlogsearch (Result sent to a recipient specified in the cmdlet as a XML attachment which can be 10MB max in size)

Exchange Control Panel – Auditing Page

 Search-AdminAuditLog output

Search-AdminAuditLog cmdlet returns a maximum of 1,000 log entries by default. We can use the ResultSize parameter to specify up to 250,000 log entries.

Search-AdminAuditLog Parameters
Cmdlets Specifies the cmdlets you want to search for in the administrator audit log. Parameters Specifies the parameters you want to search for in the administrator audit log. You can only search for parameters if you specify a cmdlet to search for.
End date Scopes the administrator audit log results to log entries that occurred on or before the specified date.
Start date Scopes the administrator audit log results to log entries that occurred on or after the specified date.
Object IDs Specifies that only administrator audit log entries that contain the specified changed objects should be returned.
User IDs Specifies that only the administrator audit log entries that contain the specified IDs of the user who ran the cmdlet should be returned.
Successful completion Specifies whether only administrator audit log entries that indicated a success or failure should be returned.

New-AdminAuditLogsearch uses the same parameters as Search-AdminAuditlog, In Addition we have
StatusMailRecipients Specifies the recipient email address to send the audit log.

Admin Audit Log Entry in the XML file

I hope this should be helpful to start with admin audit logs. If you have any queries or suggestion, Please contact us at mail@messagingserversupport.com

Thanks,
Team MSS

1. Users are unable to change password using owa. They get the following error.
   “The password supplied does not meet the minimum security requirements. Please contact technical support for your organization if you need help”
   Note: Admin is able to set the same password using active directory users and computers
   
2. Users are unable to login in owa if the User must change password at first logon is enabled. They get the following error.
   “The user name or password that you entered is not valid. Try entering it again.”

Before we jump to the resolution, Lets get the basic information about password change feature using owa in Exchange 2007.

The Change Password feature is provided from within Outlook Web Access and by Microsoft Internet Information Services (IIS) and enables the user to use a Web browser to change their domain password. The Change Password feature is not specific to Microsoft Exchange. Password policy settings under group policy directly affect Outlook Web Access users and will be enforced. Password policies include the following settings:

Password Complexity
Password History
Minimum Password Length
Maximum Password Age
Minimum Password Age

An Outlook Web Access user can use the Change Password feature in the following cases:

To change their password after they have logged on to their mailbox by using OWA
To change their password if their password will expire within a given time period
To change their password if their password has already expired
To change their password if the User must change password at first logon is enabled
To change their password if the User cannot change password option is enabled

Note: By default password change feature is enabled however it require additional configuration if you want to support changing passwords that have already expired or user accounts that are configured to change their password the next time the user logs on.

Exchange 2007 SP3 adds a new feature to the Client Access server role. This feature creates a new Internet Information Services (IIS) 7 module that detects expired passwords, and redirects users to a new change password page. By default, this feature is disabled. To enable the password reset feature, you must set following registry dword.

REG_DWORD – ChangeExpiredPasswordEnabled
Value – 1
Registry hive – HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA

Note: This registry only works with IIS 7.0, It does not work with IIS 6.0

Now lets take a look at the resolution for our issues. Fix for the first issue was pretty simple. We had to modify the domain group policy “Minimum Password Age” to 0 in the Account forest and that fixed the issue. By default Minimum password age is set to 1.

To fix our secondary issue we added the registry ‘ChangeExpiredPasswordEnabled‘ on windows 2008 server and it fixed the issue. Now any user whose password is expired or set to change password at next logon were redirected to the following page to change their password using owa.

Now here is the problem. As per my client topology we have two CAS servers. One is based on windows 2008 sp2 and another is based on Windows 2003 SP2. Now as we know ‘ChangeExpiredPasswordEnabled’ does not work with IIS 6.0, so whenever any user hit to client access server role which is based on windows 2003, It will not allow access to the user whose password is expired or set to change at the next logon.

To fix this problem we had to follow below steps.

Change PasswordChangeFlags setting.

Followings are possible values for password change flags in IIS.
0        An SSL connection is required to change passwords
1        An SSL connection is not required to change passwords
2        Password changing is disabled
4        Password expiration notification is disabled
6        Password changing and password expiration notification are disabled.

We can run following command to verify value for Password change flags. Open up command prompt and navigate to C:\Inetpub\Adminscripts
Cscript adsutil.vbs get w3svc\PasswordChangeFlags

As per my client topology load balancer does SSL offload so I set the value 1 for password change flags by running following command.
Cscript adsutil.vbs Set w3svc\PasswordChangeFlags 1

Create IISADMPWD virtual directory

1. Open up IIS manager.
2. Right click on Default web site and select New Virtual directory.
3. In the Virtual Directory Creation wizard, type IISADMPWD in the Alias box, and then click Next.
4. In the Directory box, type C:\winnt\system32\inetsrv\iisadmpwd (Path may change as per folder location)
5. Choose Read and Run scripts permissions only and then click Next and finish.
6. Check and make sure that the IISADMPWD virtual directory has only basic authentication set . Set default domain as per account forest domain name if you have resource forest topology.
7. Make sure the application pool is set to MSExchangeOWAAppPool.
8. Check and make sure that Active server pages is allowed under web service extension.
Change Password functionality has been modified to use Active Server Pages in IIS6.0. ASP technology also provides additional benefits, such as the ability to customize the change password functionality pages to include graphics or Web site designs.

Now any user whose password is expired or set to change password at next logon and if that user owa connection hits to CAS server which is based on Windows 2003 SP2 are redirected to following page to change their password using owa.

If you have any suggestion or queries, Please send us email at mail@messagingserversupport.com

Thanks,
Team MSS 

This post explains how to remove sIDHistory in bulk for multiple users.

First you will need to export the sIDHistory for users for backup purpose
Download ADMod & ADfind -> http://www.joeware.net/freetools/tools/admod/

from the location of ADfind & ADMod run the following command from command line
adfind -h -b “OU=Users,OU=Migrated,DC=TestDomain,DC=local” -f “(&(objectClass=user)(objectCategory=Person)(sidhistory=*)(msexchmasteraccountsid=*))” sidhistory msexch
masteraccountsid -adcsv > c:\sidhistory.csv

then run the following to clear sidhistory for users specified in the OU -> “OU=Users,OU=Migrated,DC=TestDomain,DC=local”

adfind -h -b “OU=Users,OU=Migrated,DC=TestDomain,DC=local” -f “(&(objectClass=user)(objectCategory=Person)(sidhistory=*)(msexchmasteraccountsid=*))” sidhistory -adcsv | admod -sc csh -upto 7000

you may want to further tweak this to remove sIDHistory of users in specific group, here is the modification

adfind -h -b “OU=Users,OU=Migrated,DC=TestDomain,DC=local” -f “(&(objectClass=user)(objectCategory=Person)(sidhistory=*)(msexchmasteraccountsid=*)(memberof=CN=SiDHistoryClear,CN=Users,DC=TestDomain,DC=local))” sidhistory -adcsv | admod -sc csh -upto 7000

Hope this helps, let us know if there are questions

-Team MSS
mail@messagingserversupport.com

Here is my environment details.
Account Forest – Wipro.com
Resource Forest – ATT.com.
Recipient type details – Linked Mailbox

I have user accounts in Wipro.com domain and linked mailboxes in ATT.com domain. When user tries to change his password, It shows to change the password for resource forest account which is in disabled state.

When we tried to check the associated linked master account with this mailbox, It shows as ATT\Bjoshi vs Wipro\Bjoshi.

The linked master account should show as Wipro\BJoshi as its showing below for another linked mailbox.

We tried to set the linked master account to Att\Bjoshi but got following error.

We took the sid value from MsexchMasteraccountsid attribute on Bjoshi mailbox and tried to find sid using ldp.exe on windows 2008 domain controller. We found it was resolving to ATT\Bjoshi

We took the ldp dump for user Bjoshi and found, This user has the same sid value in sIDHistory attribute as well. (Note: We had migrated this user using ADMT and it has copied the sIDHistory as well in past)

We tried to clear the sIDHistory using adsiedit but failed so we used ldp to modify sIDHistory attribute.

It deleted the value from sIDHistory attribute for Bjoshi user account and now when we checked the linked master account, It shows the correct linked master account. Now user was able to change his password successfully.

In the next post we will describe multiple ways to clean sIDHistory if have to do it for multiple users.

Please let us know if you have any suggestion or queries at mail@messagingserversupport.com

Cheers,
Team MSS