This post is more than 5 years old
9 Posts
0
4260
April 3rd, 2015 07:00
Exchange 2013 and NMM 8.2.1 RDB Data Recovery Fails
Since the EMC support folks for Networker seem to be off on vacation lately, I thought I'd try posting here.
I'm setting up a new Exchange 2013 mailbox server, working on migrating over from 2007. We have Networker server 8.2 and I installed Networker 8.2.1 and NMM 8.2.1 on the server. Backups work fine. I can run the NMM GUI and do a database restore to an RDB (and also create the RDB via NMM) without a problem. However, when I try to do an RDB Data Recovery, it sits there for a bit before finally giving me an error that says "Unable to query MAPI Interface". At the same time, the primary Administrator account for the domain gets locked out in AD. Note that I am NOT logged in as that Administrator account, and I am not running NMM as that Administrator account. Digging into the Event Log on the Exchange server, I see events at the time of the lock out where the nsrexchcscd.exe process, running as the backup user, is attempting to connect to the Client Access Server ( of all things), but using the credentials of the Administrator account (unsuccessfully).
Note that:
- MAPI/CDO tools 1.2.1, build 8353 are installed.
- I can log in to the Exchange Management Shell as the Exchange Backup user and use the various RDB cmdlets to restore mailbox items from the RDB so it seems like the process of NMM connecting to the RDB to provide a list of contents is what's failing. The exchange backup user definitely has the permissions to actually DO the data recovery.
- If I run NMM config checker as the exchange backup user, I get 1 "Fail" message saying that the exchange backup user does not have Send-As, Receive-As permissions. However, I have granted those permissions, and if I try to grant them again, I get a message saying the command ran successfully, but no items were updated. Further, if I run NMM config check as the domain administrator, I do *not* get that Fail message.
- libmapibrowse.raw has repeated messages of "The Exchange Information Store is busy. Please retry after 5 minutes. On Exchange 2013, check if the necessary ThrottlingPolicy is set. I couldn't find any "necessary ThrottlingPolicy" settings in the EMC documentation, but I did see a forum posting saying to change RcaMaxBurst to Unlimited for the exchange backup user, which I did to no affect.
AaronSmith1
9 Posts
0
April 15th, 2015 10:00
Ok, I wanted to come back and post here for posterity. I opened a ticket with EMC support and they sent a list of things to check. Just about all of them I had either checked or were fine. The one item that wasn't, that ended up being the issue, was I ended up having to uninstall *BOTH* the Networker Client software AND NMM. I then logged into the server as my Exchange Backup User (which was a local administrator) and re-installed the Networker Client and NMM. After that, RDB restores worked fine and the administrative account stopped getting locked out each time I initiated an RDB restore. Actually, that last bit is only partially true. The very first time I tried after re-installing, that domain admin account *did* lock, but subsequent restore sessions did NOT cause it to be locked. I'm chalking that one up to a fluke.
sddc_guy
159 Posts
0
April 3rd, 2015 09:00
looks to me like specified the wrong username/password Combination for RM_ExchangeInterface Service.
That is the one doing the Calls when talking to Exchange ....
You should see RMAgentPS at your Exchange Servers PS when trying to do a GLR
PS: On Vacation, too :-)
AaronSmith1
9 Posts
0
April 3rd, 2015 10:00
I checked and the "Replication Manager Exchange Interface" service is set to Log On as the backup user I created. This whole thing is just damned peculiar. What I can't seem to figure out is WHERE it's getting the idea to use those credentials. I've gone in to the client configuration for the mail server in Networker and set the Remote Access user/password to the Backup user, no change. I checked and discovered that I hadn't set the backup user as an Administrator in Networker so I fixed that, no change. I started thinking "Well, I install the Networker client software while logged in as the domain administrator (but entered the exchange backup user credentials during the install when asked) so I uninstalled NMM and then RE-installed it while logged in as the exchange backup user...STILL no change. There has been a great amount of cursing directed at Networker from my desk the past few days.
AaronSmith1
9 Posts
0
April 3rd, 2015 10:00
Yes to both.
I went through the NMM requirements in both the NMM 8.2.1 documentation and the Exchange NMM 8.2.1 documentation line by line and checked absolutely everything. I still find it odd that the backup *user* has to be in the Exchange Servers AD security group (because, you know, it's not a server...) but I did it anyway. I re-installed NMM while logged in as the exchange backup user, but I didn't re-install the Networker client itself on that server. I might give that a try next.
sddc_guy
159 Posts
0
April 3rd, 2015 10:00
Have you tried logging in to the BackupUsers Mailbox with OWA yet ?
If Mailbox is not initialized ( Login owa, send mail or similar ) tah might cause the issue as well ...
BTW: did you also set ms-exch-store-admin Extended right ?
sddc_guy
159 Posts
1
April 3rd, 2015 10:00
INSTALL BOTH AS ADMINISTRATOR OF THE MACHINE.
I normally Switch my install to the NMMBackupUser once EVERYTHING is installed,
last step as Admin: Turn off UAC, then Reboot and log in as NMMBackupUser
AaronSmith1
9 Posts
0
April 3rd, 2015 11:00
Yeah, I get where you're coming from, though I'm less concerned with admin (which is just me and one co-worker) mis clicking something than I am with a process seeking elevated privileges. But I'm not sure this applies though as it doesn't seem like the action is being blocked, just that a process running *as* the exchange backup user is stubbornly trying to instead use a different set of credentials for whatever it's attempting to do.
I don't believe we have any GPO's that would be unsetting Login as Service. I have set domain users with Log in As Service locally on other domain systems and not had a problem, and I did verify that the exchange backup user has that permission set locally. I know *I* haven't created any such GPO, and if my colleague has, he hasn't mentioned it.
I'd be interested in looking at those deployment scripts, maybe I missed something
sddc_guy
159 Posts
0
April 3rd, 2015 11:00
Just an Idea: Does a GPO unset login as Service for your user ?
AaronSmith1
9 Posts
1
April 3rd, 2015 11:00
The exchange backup user *is* a local administrator on the machine (the documentation states that it must be), and I *had* originally installed both Networker and NMM as a domain administrator and still had the problem. The only reason I was considering doing an install as the exchange backup user was in case the installation process somehow tagged the logged in, installing user as the user to use for various operations. That seems...silly...but I've been beating my head against this for so long that I'm starting to grasp at straws. I'm rather reluctant to disable UAC on a production system. I shouldn't have to make my server less secure in order to be able to run commercial software on it.
sddc_guy
159 Posts
0
April 3rd, 2015 11:00
not going to philosophical on this one, but having an admin right click before doing something, does not make him think more about what he is doing.
UAC IS NOT a security Feature, it is only helping to have People not do stuff accidentially.
having that said, we Need to log in as Administrator from Remote to the Exchange Server. Even that we are Admin, we get Prompt for Admin Approval.... that is blocking us sometimes from doing things ....
there is a good reason why the Exchange Team came with RBAC.
JITJEA is not deployed widely, but that might help to Close the Open Holes of a Windows box.
because even if UAC is turned on, once i Open Powershell as Admin, i have The Powers Hell
If you are interested you might want to look at my deployemnt scripts i use as Best Practice for Exchange with NMM . . .
sddc_guy
159 Posts
0
April 4th, 2015 02:00
Just download the labbuildr.zip from here https://community.emc.com/blogs/bottk/2014/06/16/announcement-labbuildr-released
if you look at the /scripts/exchange, you will find the Exchange Deployment scripts.
Tommyl1
3 Posts
0
January 13th, 2016 01:00
Hi.
We had close to same error and solution was Disabling UAC on server before installing
First step should be: Disable UAC , Thanx Karsten Boot
Running:
Windows server 2012 R2
Ms Exchange 2013 CU11 [15.00.01156.6] (Not supported ref config checker)
Messaging API and Collaboration Data Objects 1.2.1, Version: 6.5.8320.0
Networker client 8.2.2.1.939 x64
Networker module 8.2.2.1.939 x64