'Cannot get the security descriptor of mailbox while connecting the disconnected mailbox'

 

Hello Folks,

 

I have gone through few cases with Exchange 2010 SP3 recently where I got the issue with some mailboxes which administrator was trying to reconnect after the user account was accidently deleted. And while connecting the mailbox, they get the error.

Connect-Mailbox -Identity '13a25282-6936-4ffe-a27f-472d0e1a2605' -Database 'DB1' -User 'domain\user' -Alias 'alias'

Cannot get the security descriptor of mailbox '13a25282-6936-4ffe-a27f-472d0e1a2605' in Exchange mailbox database 'bf71

5924-42ef-4dd2-bac4-8ba27005aa75'.

+ CategoryInfo : NotSpecified: (0:Int32) [Connect-Mailbox], MapiOperationException

+ FullyQualifiedErrorId : 953112A0,Microsoft.Exchange.Management.MapiTasks.ConnectMailbox

 

Other symptoms are that we somehow after deleting the restored account from AD and creating a new account might be able to connect the disconnected mailbox successfully but it will not work and throw the same error as we try to access the mailbox permission or change the permission.

 

One more symptom is that you might also see the same mailbox in Disconnected mailboxes and Recipient configuration as well.

 

Cause:

In such cases the issue arises when an administrator had user objects deleted and then partially restored somehow, or may be residing as leftovers in some container. Those objects had mailboxes that became disconnected when the objects were deleted. New AD objects were created to connect the mailboxes to, and reconnecting was successful. Then we have two objects with conflicting msExchMailboxGUID. And that is the reason we get the error while connecting the mailbox or while looking at the mailbox properties.

 

Resolution:

 

  1. We need to find out the duplicate account with msExchMailboxGUID
  2. To do that we need to use LDP.exe
  3. Run ldp.exe to search via msExchMailboxGUID and let me know the results.
  4. Start the Active Directory Administration Tool
    (LDP.exe).
  5. On the Connection menu, click Connect.
  6. In the Server box, type the name of a domain controller. Leave the default port selection as 389, unless you have set up your LDAP port configurations differently on the domain controller, and then click OK.On the Connection menu, click Bind.
  7. Type the user name, password, and domain information for a user who has access to view the Active Directory root tree, and then click OK.
  8. On the View menu, click Tree.
  9. Leave the BaseDN box blank, and then click OK. By default, this switches the focus to the BaseDN of the root Active Directory tree
  10. Expand the domain container (DC=example,DC=com), right-click the user's container, and then click Search.
  11. Copy the new msExchMailboxGUID entry from the error, And modify it as \82\52\a2\13\36\69\fe\4f\a2\7f\47\2d\0e\1a\26\05 (for details how to modify the GUID to be able to search it in ldp.exe see example below)
  12. Now search with this GUID with brackets (msexchangeguid=\82\52\a2\13\36\69\fe\4f\a2\7f\47\2d\0e\1a\26\05).
  13. We must see our results with multiple user accounts.
  14. Now we need to remove one of the account completely as it has got the same msexchMailboxGUID.
  15. Once we do that we should be able to successfully add our disconnected mailbox or if we want to use a new account then we can remove both of them.

 

How to modify the MxexchMailboxguid:

Suppose a GUID that resembles the following sample GUID:

13a25282-6936-4ffe-a27f-472d0e1a2605

 

  • From the first section of the GUID (13a25282) in two-character portions separated by backslash characters in reverse order. For example, type \82\52\a2\13
  • From the second section of the GUID (6936) in two-character portions separated by backslash characters in reverse order. For example, type \36\69
  • From the third section of the GUID (4ffe) in two-character portions separated by backslash characters in reverse order. For example, type \fe\4f.

 

Note: These last two section needs to type as they are

 

  • From the fourth section of the GUID (a27f)in two-character portions separated by backslash characters. For example, type a2\7f\.
  • From the fifth section of the GUID (472d0e1a2605) in two-character portions separated by backslash characters. For example, type 47\2d\0e\1a\26\05.

 

  • Add each of the retyped GUID sections together to form the msExchMailbox value. For example, the final GUID sections should appear as:

\82\52\a2\13\36\69\fe\4f\a2\7f\47\2d\0e\1a\26\05

 

  • It should look like: (msexchangeguid=\82\52\a2\13\36\69\fe\4f\a2\7f\47\2d\0e\1a\26\05)

 

 Abhishek Pandey