XADM: Workarounds for Problems with Mbconn.exe (301585)

WORKAROUND

To work around the Mbconn problems that are listed in the "Symptoms" section of this article, use the workarounds in the following sections (as applicable):

Mbconn Sets Uppercase LegacyExchangeDN Delimiters

An Outlook client will not process free/busy information correctly if the legacyExchangeDN attribute of the owning user object has uppercase delimiters. For example, a typical legacyExchangeDN looks similar to this:

/o=Organization/ou=Site/cn=Recipients/cn=User

An MBCONN-generated legacyExchangeDN will look similar to this:

/O=Organization/OU=Site/CN=Recipients/CN=User

The Fbfix.exe tool can be used to automatically correct this problem. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

286783 XADM: Error Message Updating Free and Busy Data in Exchange 2000

Alternatively, you can export and import the affected objects by using Ldifde.exe, which is installed by default on Windows 2000 server.

Generate an LDIF format export file that contains all of the user objects that must be changed. You can do this on a per domain basis. If your Active Directory domain name is headquarters.mycompany.com, and a domain controller in that domain is called DC01, the following Ldifde command will export all objects in the domain that have a legacyExchangeDN value:
LDIFDE -F E:\LEGACY.LDF -D "DC=HEADQUARTERS,DC=MYCOMPANY,DC=COM" -R "(LEGACYEXCHANGEDN=*)"
In the preceding command, the -L parameter restricts the output for each object to only the legacyExchangeDN value, thus making it easy to edit the file for re-import.

This command should generate an export file that contains several entries similar to the following:
dn: CN=Doe\, John,OU=Corporate,DC=Headquarters,DC=Mycompany,DC=com
changetype: add
legacyExchangeDN: /O=Organization/OU=Corporate/CN=Recipients/CN=JohnD
dn: CN=Doe\, Jane,OU=Corporate,DC=Headquarters,DC=Mycompany,DC=com
changetype: add
legacyExchangeDN: /O=Organization/OU=Corporate/CN=Recipients/CN=JaneD
Edit the file for re-import.

It is much easier to change the export file into a proper import file if you have a text editor that supports search and replace across line breaks. Notepad does not support this capability, but Microsoft Word does. The instructions given here for editing the file are for Word, but may work in other editors.

The LDIF file syntax for making modifications to existing objects is quite different from the syntax for adding objects. The export is in the "add" format, and must be transformed to the "modify" format.

Each record must be changed from this format:
dn: CN=Doe\, John,OU=Corporate,DC=Headquarters,DC=Mycompany,DC=com
changetype: add
legacyExchangeDN: /O=Organization/OU=Corporate/CN=Recipients/CN=JohnD
to this format:
dn: CN=Doe\, John,OU=Corporate,DC=Headquarters,DC=Mycompany,DC=com
changetype: modify
replace: legacyExchangeDN
legacyExchangeDN: /o=Organization/ou=Corporate/cn=Recipients/cn=JohnD
Specifically, you must make the following changes:
- You must change the changetype value from add to modify.
- You must add a line beneath the changetype line that reads replace: legacyExchangeDN.
- You must change the /O=, /OU=, and /CN= characters in the legacyExchangeDN to lowercase.
- You must add a hyphen on a line by itself after each entry, and there must be an additional blank line separating entries.
NOTE: The LDIF import format must be strictly adhered to; even minor deviations cause errors when you try to import the file. There must be one space and only one space after each colon in each entry. If you need to break long lines, you must indent the continuation of each line exactly one space. At the end of the file, the last entry must also contain a hyphen, and a blank line under the hyphen, or the file does not import correctly.

Many text editors, including Word, use the characters ^p to represent line breaks. ("^p" does not stand for "CONTROL+P", but for the caret (^) character followed by a lower case p.) The following table uses the ^p convention to represent a line break, and defines each search and replace change needed in Word to transform the file:
```
Search for . . .              Replace with. . . 

/O=                           /o=

/OU=                          /ou=

/CN=                          /cn=

^p^p                          ^p-^p^p

changetype: add^p             changetype: modify^preplace: legacyExchangeDN^p
					
```
IMPORTANT: If you use Word or another word processing program to edit the file, be sure to save the file as plain text. Inspect the file in Notepad after you save the file to be sure that the file is readable and is formatted correctly as plain text.
Import EXPORT.LDF back into Active Directory by using the following command:

LDIFDE -I -F LEGACY.LDF

All objects should import successfully. If there are any problems, Ldifde reports the line on which a problem was encountered. Investigate such problems by carefully examining the affected record in the import file. For most errors, Ldifde stops the import procedure at the first error, even if records after the error are good. If the cause of an error is not immediately obvious, it may be more efficient to remove the problem record, finish the import, and then manually modify the object that did not import by using ADSIEdit or Ldp.

You can verify that all objects were modified by running the ldifde command that you used previously to export the objects. You should no longer be able to find uppercase /O, /OU or /CN values in the file.

After you modify the legacyExchangeDN values, you need to stop and restart all Exchange 2000 services, including the system attendant.

Mbconn Quits Suddenly After You Type a Log File Name in the Browse Dialog Box

Mbconn automatically generates a log file of Mbconn operations in the folder that Mbconn.exe resides in. If this location is not writeable (for example, if Mbconn.exe is on a read-only share), Mbconn prompts you to select a different log file location. A standard file selection dialog box is displayed. Regardless of the location or file name that you select, Mbconn quits unexpectedly.

To work around this problem, either copy Mbconn to a writeable location, or click Cancel in the file browse dialog box to use Mbconn without logging.

Mbconn Quits Suddenly After You Browse for an Export File Location

When you create an export file, if you click the file Browse button, Mbconn quits suddenly.

To work around this problem, type the file name, and then click Generate to create an export file.

Mbconn Does Not Enumerate Exchange Databases

After you define the domain controller and Exchange computer to which you want Mbconn to connect, you may receive either of the following error messages:

No private databases found on this Exchange Server

-or-

Mailbox Reconnect

Connection to server failed.
ExServer : Exchange1
DC : DC1

HRESULT : ERROR_DS_NO_SUCH_OBJECT
AD Error : 0000208D: NameErr: DSID-031001C9, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=domain,DC=domain,DC=com'

There is no such object on the server.

This problem can occur if the administrator is not logged on with a Microsoft Windows account that belongs to the parent domain of the Active Directory Configuration container. The Configuration container is created as a sub-container of the first domain that is installed in an Active Directory forest. If the forest contains multiple trees, it may not be obvious which tree holds the Configuration container. To discover which domain is the parent of the Configuration container:

Start the Active Directory Sites and Services administrative console.
Click the Sites object, and then open its properties.
Click the Object tab. If the parent domain is domain.com, it is listed on the tab in the following format:
domain.com/Configuration/Sites

To work around this problem and use Mbconn, you must log on to Windows with an account from this domain, regardless of the location of the domain controller or Exchange 2000 server with which you are working.

Mbconn Reports That Reconnection Does Not Work Even If Reconnection Succeeds

If Mbconn successfully reconnects a mailbox to a user, but Mbconn may still report that all reconnections did not work. If an administrator starts Exchange System Manager, and then runs the Cleanup Agent to verify the connection state of all of the mailboxes, the Cleanup Agent does not work, and you receive the following error message:

An internal processing error has occurred. Try restarting the Exchange System Manager or the Microsoft Exchange Information Store service, or both.

ID no: c1041724

The following error message is logged simultaneously in the Application event log:

Event Type: Error
Event Source: MSExchangeIS
Event Category: General
Event ID: 9562
Date: 6/14/2001
Time: 6:30:42 PM
User: N/A
Computer: EXCHANGE1
Description: Failed to read attribute msExchUserAccountControl from Active Directory for /O=MICROSOFT/OU=EXCHANGE/CN=RECIPIENTS/CN=COMMONNAME.

If you try to reconnect a single failed user in the Mailboxes window in Exchange System Manager, you may receive the following error message:

The operation cannot be performed because this mailbox was already reconnected to an existing user.

If you restart services or System Manager, it does not clear the error. In most cases, approximately 10 minutes pass before the mailboxes become accessible. (When you can run the Cleanup Agent again successfully, the reconnection process has completed.)

You can use Ldifde to examine the homeMDB and mailNickname attributes of a user. If these attributes exist, the Mbconn portion of the reconnection process actually succeeded. To use Ldifde to examine the homeMDB and mailNickname attributes of a user, you must know the distinguished name of the user account. In its preview mode, Mbconn displays the distinguished name of the user account that Mbconn intends to link with a mailbox. For example, if you run the following command

LDIFDE -F CON -D "CN=Common Name,OU=Container,DC=Domain,DC=COM" -L homeMDB,mailNickname

the following is a sample of the output that is generated:

E:\>LDIFDE -F CON -D "cn=Common Name,ou=Container,dc=domain,dc=com" -L homeMDB,mailNickname
Connecting to "dc1.domain.com"
Logging in as current user using SSPI
Exporting directory to file con
Searching for entries...
Writing out entries.dn: CN=Common Name,OU=Container,DC=domain,DC=com
changetype: add
homeMDB:
CN=Private Information Store (DC1),CN=First Storage Group,CN=InformationStore,CN=DC1,CN=Servers,
CN=Exchange,CN=Administrative Groups,CN=Microsoft,CN=Microsoft Exchange,CN=Services,CN=Configuration,
DC=domain,DC=com
mailNickname: CommonName
1 entries exported

The command has completed successfully

NOTE: Regardless of whether you find the homeMDB and mailNickname attributes for the user, Ldifde should report "1 entries exported." If Ldifde reports "No entries found," Ldifde was unable to read the user object from the directory. You may have typed the distinguished name incorrectly, you may not have sufficient permissions to view the object, or you may not have escaped characters that require escape. (For additional information about characters that require escape, see the "Export File Reports Errors During Active Directory Import" section of this article.)

If the homeMDB and mailNickname attributes are present, and you can run the Cleanup Agent successfully, it is possible that the Recipient Update Service cannot complete the reconnection process by stamping additional attributes on the user object. If user objects do not have a proxyAddresses attribute, the Recipient Update Service has not yet processed the object.

To work around this problem and avoid most apparent reconnection problems, add the following line to each record in the Mbconn export file:

msExchUserAccountControl: 0

For additional information about the msExchUserAccountControl value, see the "Export File Reports Errors During Active Directory Import" section.

Export File Reports Errors During Active Directory Import

The following is the general format of each LDIF record in the export file:

dn: CN=Common Name,OU=Container,DC=Domain,DC=com
changetype: add
UserAccountControl: 66048
displayName: Common Name
cn: Common Name
objectclass: user
samAccountName: CommonName
givenName: Common
sn: Name

The following is the typical command syntax for importing the file:

LDIFDE.EXE -I -K -F MBCONN.TXT

If syntax or formatting errors occur during import, Ldifde stops the import and reports the line in the file at which the problem record begins. (For example, an error in the first record is reported as an error at line 1.) If an entry already exists in Active Directory, the second attempt to import the file results in an error unless you use the -K switch. You cannot modify previously created entries by adding attributes to a record and re-importing the record. The LDIF standard does provide for modifications of existing directory objects, but the format and syntax are very different from the format for creating records.

In general, to troubleshoot an LDIF import, you need to locate the line that contains the record that is in error, and then examine the record for a specific problem.

The following are common problems that are encountered in Mbconn export files:

Characters in the distinguished name may not be escaped properly. The following characters must be escaped when used in a distinguished name:
- comma (,)
- equal sign (=)
- plus (+)
- backslash (\)
- semicolon (;)
- quotation marks (")
- angle brackets (< >)
This problem most commonly occurs because of commas in CN values (such as "CN=Last, First" instead of "CN=First Last"). The LDIF format uses a comma as a delimiter between the segments of a fully distinguished name. To use a comma within a segment, you must escape the comma with a backslash (for example, "Last\, First").
The sn (surname) field may be blank. The mailbox table in a database does not contain givenName and sn fields; therefore, Mbconn determines as best it can what the values should be, assuming that a space in the CN indicates a division. If there is no space in the CN, Mbconn treats the entire CN as the givenName, and leaves the sn blank. Because any attribute that is designated in an LDIF import file must have a value, the import does not work. To work around this problem, perform a search and replace to give all blank sn attributes a generic surname.
There may be illegal characters in the samAccountName. A samAccountName must contain no more than 20 characters and cannot include a space or any of the following characters:
- asterisk (*)
- equal sign (=)
- plus (+)
- brackets ([ ])
- backslash (\)
- vertical bar (|)
- semicolon (;)
- colon (:)
- quotation marks (")
- comma (,)
- angle brackets (< >)
- period (.)
- slash mark (/)
- question mark (?)
Mbconn constructs the samAccountName from the CN; therefore, most CNs that contain characters that require escape also contain illegal samAccountNames.

The following batch file can correct these three problems for most MBconn export files. The batch file is double spaced, with a blank line between each single line in the file. This formatting allows you to easily identify lines that may have wrapped improperly on your display.

This batch file does four things:

Adds the escape character to the DN value, as necessary.
Strips illegal characters from the samAccountName.
Adds the msExchUserAccountControl value to each record.
Removes the givenName, sn, and cn lines from each record. (If you want to keep these lines, you can edit the batch file to preserve them.)

This batch file runs on Microsoft Windows 2000 or Microsoft Windows NT 4.0, as long as the default command line extensions are enabled.

There are two mandatory parameters: the name of the Mbconn export file, and a new file name for the changes, for example:

E:\>MBCONNFIX.BAT MBCONN.TXT MBCONNFIX.TXT

Clip and paste the batch file into a plain text editor, and then save the batch file as Mbconnfix.bat.

:MBCONNFIX.BAT

@echo off

setlocal

set infile=%1

set outfile=%2

if exist %outfile% del %outfile%

echo Please Wait...

for /f "delims=" %%A in (%infile%) do call :DO_EACH_LINE "%%A"

start notepad %outfile%

goto :EOF

:DO_EACH_LINE

REM     Strip quotes from around the line

set line=%1

set line=%line:"=%

REM     Escape or remove illegal and odd characters

if "%line:~0,4%"=="dn: " GOTO :FIXDN

if "%line:~0,16%"=="samAccountName: " GOTO :FIXSAM

if "%line:~0,4%"=="sn: " GOTO :FIXSN

REM    The next two lines remove cn and givenName lines from the ldif file

if "%line:~0,4%"=="cn: " GOTO :EOF

if "%line:~0,11%"=="givenName: " GOTO :EOF

echo %line%>>%outfile%

goto :EOF

:FIXDN

set line=%line:+=\+%

set line=%line:\=\\%

set line=%line:;=\;%

set line=%line:"=\"%

set line=%line:<=\<%

set line=%line:>=\>%

set line=%line:,=\,%

set line=%line:\,OU=,OU%

set line=%line:\,DC=,DC%

set line=%line:\,CN=,CN%

echo %line%>>%outfile%

goto :EOF

:FIXSAM

set line=%line:samAccountName: =%

set line=%line:+=%

set line=%line:[=%

set line=%line:]=%

set line=%line:\=%

set line=%line:|=%

set line=%line:;=%

set line=%line::=%

set line=%line:"=%

set line=%line:,=%

set line=%line:<=%

set line=%line:.=%

set line=%line:>=%

set line=%line:/=%

set line=%line:?=%

set line=%line: =%

set line=samAccountName: %line%

echo %line%>>%outfile%

goto :EOF

:FIXSN

rem      To keep the sn line in the ldif file, un-rem the next two lines

rem if "%line%"=="sn: " set line=sn: Surname

rem echo %line%>>%outfile%

echo msExchUserAccountControl: ^0>>%outfile%

echo.>>%outfile%

goto :EOF

XADM: Workarounds for Problems with Mbconn.exe (301585)

SYMPTOMS

RESOLUTION