Bulletin ID A2E_216
Last Review 02/23/2011
Revision 1.1
Previous IDs None
Obsoletes None

Error: MAPI_E_LOGON_FAILED Location 5

Summary

This is a general error message that can have several causes.

Symptom

In the Add2Exchange Console, in the A2E Toolbox and in Add2Exchange Recovery and Migration Manager, when attempting to pick the mailbox for a relationship, an error similar to the following appears:

An error occurred while attempting to logon to:
Exchange Server: (server name)
Mailbox: (mailbox identifier)
Please verify that the account is valid and has the appropriate permissions.
Description: [Collaboration Data Objects - [MAPI_E_LOGON_FAILED (800401111)]]
Number: 2147221231
Location: 5
Build: (build number)

Description

Note: You must log in as the service account to run the Add2Exchange program; no other account is likely to have the permission level needed to run it correctly. You cannot run a shortcut to the exe as another user, since it is installed only for the Add2Exchange Service Account.

The location 5 logon failure message occurs for several reasons, and when the error occurs determines the fix.

The most common reason is that the service account is hidden from the global address list. If it is hidden, unhide it in Exchange Management Console, Exchange System Manager, or (in Exchange 2003) AD, then log off and on and try to open the Add2Exchange Console again.

If this is the first time the service account has been used, another possibility is that the service account mailbox has not been initialized. Open the mailbox in either OWA or Outlook and try again.

After these steps, try to get past the error. If that does not fix it, go to the next tip.

Incorrect permissions are another cause. Check the permissions for the service account. Instructions are available here: 

http://guides.diditbetter.com/a2e-guide/manual_exchange_2007_and_2010_configuration.htm

Try to get past the issue.  If not, continue.

Continuing on permissions: if the permissions are correct, the Exchange configuration itself may be incorrect. It is possible that the Exchange Organization Admin group (or Exchange Admin in 2007) or the Public Folder Admin group does not have rights to the Exchange server, which is not a standard Exchange configuration.

Making the A2E Service Account a member of one or more of those groups then takes away the rights the A2E Service Account had, as an express deny.

This can be tested by running the Logon Test located in the Zip file. If when running this test the logon test cannot evaluate to the Exchange Server, with an error such as "The name could not be matched to a name in the Address List" or "the Name can not be resolved" for the Add2Exchange Service account (or anyone else), normally you would just the Service account permissions.

On Exchange 2007 or Exchange 2010

Normally we have to run this first:

http://support.diditbetter.com/kb/A2E_214.aspx

But in this case Exchange is not set up with the default permissions for those groups.  You have two options:

You can remove the A2E Service Account from those groups (you still have to run the Preinstaller, and THEN remove them).

Then log off and back on and continue. This is not the ideal solution because the Exchange server is still set up incorrectly for management by any account which supposedly has the correct permissions.

It would be best to fix the underlying issue.  See this blog.

http://blogs.msdn.com/b/dgoldman/archive/2008/04/03/how-to-prepare-your-organization-for-exchange-2007-address-list-segregation.aspx

 

If the above tip still fails, ADD the groups back to the Add2Exchange Service Account, log off and back on, and try the next tip:

When MSExchangeSA (the Exchange System Attendant service) is stopped, the Directory Service Referral Interface is also stopped, and Exchange will not give the right response to redirect the client to the GC server for referral.

On the Exchange server, go to System Services and find the Exchange System Attendant service. Double-click it to open its properties and, on the Recovery tab, select Restart the Service for First failure. Then restart this service.

Try the test again.

Another common reason for failure to log on is that Exchange (2007 or 2010) has been updated recently and you have not rebooted the Exchange environment afterwards. This is essential, even if MS does not tell you to do this. See the next point before the reboot.

Recently there was an update to Exchange which required an update to CDO. CDO is the communication protocol we use to talk to Exchange, and the standalone version is needed ONLY on the replication server where Add2Exchange is installed. If you do not have the latest version of the standalone CDO installed there, you must obtain it, uninstall the older version and install the newer version to take advantage of the changes Microsoft has made. If Add2Exchange is installed on an Exchange 2003 server, this tip is not relevant, since it uses the built-in CDO of Exchange 2003.

If this is an Exchange 2007 or 2010 install, when you download the newer version, please make sure you update your installed version of CDO, or Collaboration Data Objects, which is located in the preinstaller directory in the zipped download of Add2Exchange.

To update CDO, stop the Add2Exchange Service and set the Add2Exchange Service to manual, uninstall the old version of Collaboration Data Objects from Add/Remove Programs and then install the newer version. It is best practice to reboot after the uninstall of CDO and before the reinstall for proper registration. If you have a pending reboot for Exchange after an update from the previous tip, do it now. The date of the current CDO.dll file is 10/7/2010 as of Feb 2011. All CDO is version 1.21; the date and time is the only true way you can tell the versions apart. The correct file as of this date is located here: ftp://ftp.diditbetter.com/Exchange/ExchangeMapiCdo.EXE

If this is an Exchange 2007 or 2010 install, make sure you have run the Preinstaller, located in the downloaded zip file, on the Exchange server as your administrator. If you do not have Add2Exchange on this box, you do not need to install CDO on this box when it tells you it is not installed. Also, if the Add2Exchange Service account already exists, please select the checkbox that the Account already exists. http://support.diditbetter.com/kb/A2E_214.aspx

Try the test again.

Finally, the version of Add2Exchange may not be current as is the case with the version in the message above. We guarantee the version of Add2Exchange from our WEBSITE works with the current Microsoft Critical Service packs in effect at the time. To make sure you have the latest version of Add2Exchange, please subscribe to our RSS feed: http://www.diditbetter.com/RSS.aspx

You can always look here to find the latest version: http://support.diditbetter.com/downloads.aspx.

Be sure to follow these guidelines to upgrade Add2Exchange: http://support.diditbetter.com/kb/A2E_194.aspx and be sure you have a valid software subscription so you get the current version for free.

Also be sure to pick the right (same) edition of Add2Exchange to download and use, either Standard or Enterprise. There are no downgrades available. Installing Enterprise over the Standard edition requires a crossgrade.

If you are getting this error when trying to make a relationship

These are the most common fixes. Try these first.

These are some other fixes:

Go to the Exchange 2010 Exchange Management Console and manually add the Add2Exchange Service account or A2E security group with full mailbox rights.

Make sure your Exchange organization allows for inheritance, or you will need to do this for every account you need to replicate to or from.

On Exchange 2010, in some environments, you must use the FQDN (fully qualified domain name) for the Exchange server name to avoid the error. Do this when prompted to change the Exchange server name. Be sure the service account is in the format service account, not domain\service account.

We can assist remotely if you want or need to escalate this to premium support, starting at $149, or a block of 4 hours for $399.

Finally, if none of the above work, the legacy exchange DN and home MTA resolutions:

In some cases, Exchange migrations may leave invalid Active Directory attributes on some mailboxes, preventing Add2Exchange from logging onto the affected mailboxes. The error above can be seen when you are choosing accounts during relationship creation, in the Toolbox or during Disaster Recovery.

Fixing this issue entails correcting the legacyExchangeDN attribute of the affected account(s) within Active Directory. We have created a utility to assist in correcting the invalid legacyExchangeDN. A manual solution is also discussed.

We are not sure of ALL of the circumstances which may cause this issue, but research indicates that this issue only appears on mailboxes which originated with Exchange 5.5 that have been migrated to Exchange 2007/2010.

This may be due to mailboxes which have had the owner identified as the primary account for more than one mailbox. The wrong mailbox information may have been copied to the legacyExchangeDN attribute because multiple mailboxes had their information specified there, overwriting the correct information.

In any case, the resolution is to correct the attribute in Active Directory.

In order to resolve this issue, the correct legacyExchangeDN must be set on the Active Directory record of the account that is experiencing the logon failure.

There may be multiple accounts with this issue. If you have determined the accounts which need to be fixed, this resolution details how to fix them by selecting them and correcting them singly or in batch. If you think you may have many accounts with the issue, determine the list of accounts beforehand so you may choose them and fix them at the same time. The utility can be run several times without any adverse effects.

There are three parts to the solution:

  1. Verify that the legacyExchangeDN attribute is wrong
  2. Determine the correct legacyExchangeDN attribute
  3. Set the legacyExchangeDN to the correct value

There is a manual method of doing this, as well as an automated tool we have provided to assist with bulk fixes. If you have several accounts experiencing this issue, it is recommended that you use the automated tool.

Automated Resolution

Verify legacyExchangeDN Issue

  1. Determine an account within the same Exchange Administrative Group which is functioning correctly for Add2Exchange
  2. Log onto one of your domain controllers
  3. Open ADSI Edit
     • On Windows Server 2008 and above, ADSI Edit is available under Start > Administrative Tools
     • On Windows Server 2003, ADSI Edit is available from the Run dialog as adsiedit.msc. If it is not available, download the Windows Server 2003 Service Pack 1 32-bit Support Tools from http://www.microsoft.com/en-us/download/details.aspx?id=7911.

  1. Navigate to the working user
  2. Right-click and select Properties
  3. Find the legacyExchangeDN attribute
  4. Double-click the attribute and copy the value to Notepad
  5. Navigate to the broken user
  6. Right-click and select Properties
  7. Find the legacyExchangeDN attribute
  8. Double-click the attribute and copy the value to Notepad

If the two values differ in the organization (the /o= part) or the administrative group (the /ou= part), then you need to fix the legacyExchangeDN.

Run the LegacyExchangeDN Tool

  1. Download the latest A2EDiags from ftp://ftp.diditbetter.com/a2ediags/a2ediags.exe
  2. Double-click the self-extracting exe
  3. Navigate to the extracted directory
  4. Double-click A2EDiags.bat
  5. From the list, double-click Fix Exchange Legacy DN
  6. Follow the instructions presented

The change should take effect immediately.

If the tool fails, then use the Manual Resolution method given next.

If you are fixing a large number of accounts, you may still need to use the ADModify.NET tool instead of ADSI Edit. ADModify.NET is available in the diags subdirectory of the A2EDiags folder.

Manual Resolution

Verify legacyExchangeDN Issue

  1. Determine an account within the same Exchange Administrative Group which is functioning correctly for Add2Exchange
  2. Log onto one of your domain controllers
  3. Open ADSI Edit
     • On Windows Server 2008 and above, ADSI Edit is available under Start > Administrative Tools
     • On Windows Server 2003, ADSI Edit is available from the Run dialog as adsiedit.msc. If it is not available, download the Windows Server 2003 Service Pack 1 32-bit Support Tools from http://www.microsoft.com/en-us/download/details.aspx?id=7911.

  1. Navigate to the working user
  2. Right-click and select Properties
  3. Find the legacyExchangeDN attribute
  4. Double-click the attribute and copy the value to Notepad
  5. Navigate to the broken user
  6. Right-click and select Properties
  7. Find the legacyExchangeDN attribute
  8. Double-click the attribute and copy the value to Notepad

If the two values differ in the organization (the /o= part) or the administrative group (the /ou= part), then you need to fix the legacyExchangeDN.

Determine the correct legacyExchangeDN attribute

You can copy the /o= (organization)/ou= (administrative group) parts from the functioning user to the non-functioning user, provided that they are in the same administrative group (as instructed above).

A correct legacyExchangeDN should look something like the following, with your own organization and administrative group substituted appropriately:

/o=First Organization/ou=First Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=username
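The comparison of the /o= and /ou= parts and the construction of the corrected value described above can be scripted. The following PowerShell is an added example, not part of the original bulletin or of the A2EDiags tool; the function names and the two sample values are hypothetical, and it only proposes a value without writing anything to Active Directory.

```powershell
# Added example. The sample DNs below are constructed, not from a real directory.

function Split-LegacyExchangeDN {
    param([Parameter(Mandatory=$true)][string]$Dn)
    # Expected shape: /o=<organization>/ou=<administrative group>/cn=Recipients/cn=<user>
    $pattern = '^/o=(?<o>[^/]+)/ou=(?<ou>[^/]+)(?<rest>(/cn=[^/]+)+)$'
    if ($Dn.Trim() -match $pattern) {
        return New-Object PSObject -Property @{
            Organization = $Matches['o']
            AdminGroup   = $Matches['ou']
            Remainder    = $Matches['rest']
        }
    }
    # Refuse to guess when the value does not have the expected structure
    throw "Unexpected legacyExchangeDN format: '$Dn'"
}

function Compare-LegacyExchangeDN {
    param(
        [Parameter(Mandatory=$true)][string]$WorkingDn,
        [Parameter(Mandatory=$true)][string]$BrokenDn
    )
    $good = Split-LegacyExchangeDN $WorkingDn
    $bad  = Split-LegacyExchangeDN $BrokenDn
    # -ne on strings is case-insensitive in PowerShell
    $orgDiffers = $good.Organization -ne $bad.Organization
    $ouDiffers  = $good.AdminGroup -ne $bad.AdminGroup
    New-Object PSObject -Property @{
        OrganizationDiffers = $orgDiffers
        AdminGroupDiffers   = $ouDiffers
        NeedsFix            = ($orgDiffers -or $ouDiffers)
        # /o= and /ou= taken from the working user, /cn= parts kept from the broken user
        ProposedDn          = "/o=$($good.Organization)/ou=$($good.AdminGroup)$($bad.Remainder)"
    }
}

# Constructed sample values, as they would be pasted from ADSI Edit into Notepad
$working = '/o=First Organization/ou=First Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=workinguser'
$broken  = '/o=Old Org/ou=Old Site/cn=Recipients/cn=brokenuser'

Compare-LegacyExchangeDN -WorkingDn $working -BrokenDn $broken |
    Select-Object NeedsFix, OrganizationDiffers, AdminGroupDiffers, ProposedDn |
    Format-List
```

Review the proposed value before pasting it into ADSI Edit, and confirm that both users are in the same administrative group as instructed above.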

Set the correct legacyExchangeDN attribute

If you still have ADSI Edit open, you may:

  1. Navigate to the problem user
  2. Right-click and select Properties
  3. Find the legacyExchangeDN attribute
  4. Double-click the attribute
  5. Paste the correct legacyExchangeDN
  6. Click OK

The change should take effect immediately.

Applies To

  • Add2Exchange Enterprise
  • Add2Exchange Standard
  • Exchange 2007
  • Exchange 2010