Mailbox auto-mapping is lost for migrated users after cross-forest migration
We noticed that mailbox auto-mapping is missing after a cross-forest migration is completed.
When we look at the mailbox permissions (Send As, Send on Behalf and Full Access) in the Exchange admin center, the permission entries are still there, but the users have lost mailbox auto-mapping.
If we take one affected delegated user and remove and re-add the permission in the EAC, auto-mapping is fixed within a few minutes. So where is the real problem?
So we started digging into the ADMT logs and found the errors below, which were present in the first ADMT migration job.
https://exchangequery.files.wordpress.com/2017/10/untitled3.png?w=983&h=120
So what is this msExchDelegateListLink?
For auto-mapping to work for delegated users, msExchDelegateListLink needs to be populated for the delegated user with the DN of the shared mailbox.
We can see this attribute for the affected user in Active Directory Users and Computers via the Attribute Editor, and it is empty.
https://exchangequery.files.wordpress.com/2017/10/whatsapp-image-2017-07-30-at-16-31-41.jpeg?w=600
If we look at the same user account in the source forest, the value is populated with the DN of the shared mailbox.
Solution:
Export msExchDelegateListLink from the source forest.
To export msExchDelegateListLink from the source forest we can use either of the commands below:
Get-ADUser -Filter "mail -like '*'" -Properties mail,msExchDelegateListLink | Select-Object Name,mail,DistinguishedName,@{n='DelegatedMailboxes';e={$_.msExchDelegateListLink -join ';'}} | Export-Csv -Path C:\export\userDelegation_details.csv -NoTypeInformation -NoClobber
Get-ADUser -Properties mail,msExchDelegateListBL,msExchDelegateListLink -LDAPFilter "(msExchDelegateListBL=*)" | Select-Object Name,mail,@{n='Distinguishedname';e={$_.DistinguishedName}},@{n='alternate';e={$_.msExchDelegateListLink -join ';'}} | Export-Csv userlist.csv -NoTypeInformation -NoClobber
To limit this to a specific OU we can use the command below:
Get-ADUser -SearchBase 'OU=AsiaPacific,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM' -Properties mail,msExchDelegateListBL,msExchDelegateListLink -LDAPFilter "(msExchDelegateListBL=*)" | Select-Object Name,mail,@{n='Distinguishedname';e={$_.DistinguishedName}},@{n='alternate';e={$_.msExchDelegateListLink -join ';'}} | Export-Csv userlist.csv -NoTypeInformation -NoClobber
Later, after exporting the users' msExchDelegateListLink values, we can import them from the CSV to the affected target users with the command below:
Import-Csv "C:\test\delegate.csv" | ForEach-Object {Get-ADUser -Identity $_.distinguishedname | Set-ADUser -Add @{msExchDelegateListLink=$_.distinguishedname}}
After the AD attribute is updated with the DN of the shared mailbox on the target accounts, auto-mapping is forced during Autodiscover after the next refresh interval.
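A read-only check that the import took effect, as an added example that is not part of the original post: it reads msExchDelegateListLink back from each target account and reports the ones that are still empty or incomplete. The CSV path and the column names TargetUserDN and SharedMailboxDN are assumptions, and both columns are assumed to hold DNs that are valid in the target forest.

```powershell
# Added example: read-only verification of msExchDelegateListLink after the import.
# Assumed CSV layout (hypothetical, not from the original post):
#   TargetUserDN    - DN of the delegated user in the target forest
#   SharedMailboxDN - DN(s) the attribute is expected to hold, ';'-separated
param(
    [string]$CsvPath = 'C:\test\delegate_expected.csv',  # hypothetical path
    [string]$Server                                      # optional target-forest DC
)

Import-Module ActiveDirectory

$adArgs = @{ Properties = 'msExchDelegateListLink'; ErrorAction = 'Stop' }
if ($Server) { $adArgs.Server = $Server }

$report = foreach ($row in Import-Csv -Path $CsvPath) {
    # Split the expected values and drop blanks
    $expected = @($row.SharedMailboxDN -split ';' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
    try {
        $user   = Get-ADUser -Identity $row.TargetUserDN @adArgs
        # Normalise an unset attribute to an empty array
        $actual = @($user.msExchDelegateListLink | Where-Object { $_ })
        # -notcontains is case-insensitive, which matches how AD compares DNs
        $missing = @($expected | Where-Object { $actual -notcontains $_ })
        $status  = if ($missing.Count -eq 0) { 'OK' }
                   elseif ($actual.Count -eq 0) { 'Empty' }
                   else { 'Partial' }
    }
    catch {
        # Typically a DN that does not exist in the target forest
        $missing = $expected
        $status  = "LookupFailed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        User    = $row.TargetUserDN
        Status  = $status
        Missing = $missing -join ';'
    }
}

# Show only the accounts that still need attention
$report | Where-Object Status -ne 'OK' | Format-Table -AutoSize -Wrap
```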