
Exchange backup permission problems



I've been fighting with Retrospect to get it properly connected to Exchange. It's been a long battle. I'll summarize here the articles that were useful; I spent way too much time digging through these groups.

 

Background on my setup

 

- Retrospect Multi Server 7.0.326 update 7.0.12.105 running on Windows 2003 Server Standard (SP1)

- Multi domain model, ROOT domain is the container for a number of CHILD domains all running within a single site

- Running Exchange 2003 Standard (in Native mode) with SP2. There is only one Exchange server

- Backup server is part of the ROOT domain, the RBU user was created on the ROOT domain (and needed to be in the Enterprise admin group to work properly)

- Retrospect is running as user RBU under preferences

- Logging in as a local administrator on the backup machine

 

Notes that might help others out

- http://kb.dantz.com/display/2n/kb/article.asp?aid=5305

- http://kb.dantz.com/display/2n/kb/article.asp?aid=9480

- http://forums.dantz.com/ubbthreads/showflat.php/Cat/0/Number/64377/an//page//vc/1

- http://forums.dantz.com/ubbthreads/showflat.php/Cat/0/Number/69655/an/page/page//vc/1 (I can't express how much time I wasted because of this... set up your permissions on the console if you're having problems)

 

Problem

 

I can now see my Exchange stores under the "Exchange Server" icon in the Volumes database. Seems to work fine. The individual mailboxes don't work, though.

 

When I release and assign the license to my volume, the following is written to the operation log.

 

Launched at 6/14/2006 10:53 AM in user account ROOT\RBU

Retrospect Update, version 7.0.12.105

Retrospect error code error -3402 (unknown)

Reported by function mbttkTestLogin

Access to mailboxes from the specified account has failed.

This user's mailbox may not be initialized. You may initialize it by

either starting Outlook as that user or by sending the user a mail message.

T-4: MapError: unknown Windows error -2,147,221,164

 

This is only in the operation log (no popup... shrug). Clicking on the Exchange mailboxes returns the error "Can't track volumes, error -3421 (Unknown)"; this one is in a popup, though. I'm short on ideas.

 

- The mailbox is initialized (I can see it has a message in there from the system manager)

- User isn't hidden from the global address list (I can see the user showing up in the preview on system manager). I even rebuilt the offline GAL in case something was getting cached.

- The permissions on the mailbox seem to be okay (Exchange Advanced -> Mailbox Rights in AD Users)

- I've released & re-applied the license several times

 

Does anyone have any suggestions? Does anyone have any experience as to what diagnostic logging I could turn on in Exchange to possibly get more useful error messages?


I had this problem with the 3421 error and it was because I was trying to back up mailboxes with a user who didn't have access to all of the mailboxes. The domain admin and administrator don't have these rights, so you have to go on the Exchange server itself and assign these rights to whatever account you want to be able to open the mailboxes to back them up.

 

There are Microsoft articles about how to do this, but if you have an account that you know can open up anyone else's mailbox, that is the one you should assign to do the backup. If you right click on the Exchange mailboxes icon in the volume selector you can select the 'login as...' and then put in the credentials:

 

Domain: domain.com

User: user1

Pass: password

 

Retrospect seems to be touchy about how you put in the credentials too. I had DOMAIN/user1 and it didn't like that, but when I switched it to just user1 it was happy.

 

Then you can also switch them in the preferences of Retrospect if you want to avoid this hassle in the future and you can just tell Retrospect to always use that account.


  • 4 weeks later...

Hello,

Use RBU but make sure you name your account the same and then you don't have to worry about username format again. Memberships of this account are crucial, as well as the fact that the account HAS to have an SMTP address. Send a test message to rbu@yourdomain.com and then you can hide this account in Exchange and prohibit mail delivery if you are worried about it showing up in the GAL.

All the best!


  • 2 months later...

Just to be of help, I have solved the above problem, in case anyone else encounters it.

 

My solution was:

 

- Delegate "Full Exchange Admin" permissions to the Enterprise Admins group on the ROOT DC.

- Create a universal group at the CHILD domain level. Make it a member of the Enterprise Admins group.

- Also make the new group a member of the enterprise backup operators group.

- Confirm that Enterprise Admins is included in the local administrator group on the Exchange server.

- Create a user at the CHILD domain level, add the user to the group I just created in the CHILD domain level.

- Authenticate Retrospect with this new account.

 

Hopefully that helps anyone else experiencing this problem.


Archived

This topic is now archived and is closed to further replies.
