Exchange 2010 GRT restore of individual emails fails with error: INF - Server status = 2810 (434238.xxx) INF - Status = MS-Exchange-Server policy restore error.

Article:TECH185312  |  Created: 2012-03-30  |  Updated: 2013-11-11  |  Article URL http://www.symantec.com/docs/TECH185312
Article Type
Technical Solution


Issue



Restore from an Exchange 2010 GRT backup image fails with error “unable to create a role assignment for ApplicationImpersonation” in the ncfgre log and INF - Server status = 2810 (434238.xxx) INF - Status = MS-Exchange-Server policy restore error in the Job Detail Summary log.


Error



Job Detail Summary log example:

09:03:31 (434238.001) (434238.001) INF - GRE EXITING WITH STATUS = 0
09:03:31 (434238.001) (434238.001) INF - GRE RESTORED 7 OF 8 FILES SUCCESSFULLY
09:03:31 (434238.001) (434238.001) INF - GRE KEPT 0 EXISTING FILES
09:03:31 (434238.001) (434238.001) INF - GRE PARTIALLY RESTORED 0 FILES

09:03:31 (434238.001) Status of restore from copy 1 of image created 28-3-2012 23:31:47 = the restore failed to recover the requested files

09:03:34 INF - Server status = 2810
09:03:36 (434238.xxx) INF - Status = MS-Exchange-Server policy restore error.

09:03:36 INF - Server status = 5

 

(NOTE! the following is an example of an error that can be resolved by following the steps in this document. The main error message to look out for is: "ERR - unable to create object for restore: \<path_to_object>")

 

Error seen in the ncfgre log:


27/03/2012 14:12:25.202 [Debug] NB 51216 ncfrai 158 PID:6828 TID:4840 File ID:352 [No context] 1 [[fsys\mb2] ] <FROM BEDS>Checking Permissions for EWS (../BEDSContext.cpp:124)
27/03/2012 14:12:25.280 [Debug] NB 51216 ncfrai 158 PID:6828 TID:4840 File ID:352 [No context] 1 [[fsys\shared] ] <FROM BEDS>EnsureEwsPermissions returned 80131501 (../BEDSContext.cpp:124)
27/03/2012 14:12:25.280 [Debug] NB 51216 ncfrai 158 PID:6828 TID:4840 File ID:352 [No context] 1 [[fsys\mb2] ] <FROM BEDS>FATAL: failed to aquire EWS ApplicationImpersonation rights (../BEDSContext.cpp:124)
....................................................................................................
27/03/2012 14:12:25.296 [Debug] NB 51216 ncfnbservercom 311 PID:6828 TID:4840 File ID:352 [No context] 1 [BRMObserverDepreciated::write] Sending to bpbrm: ERR - unable to create object for restore: \\dag01\Microsoft Information Store\H01-2048MB-01\Database, rai error = 6
(../BRMObserverDepreciated.cpp:475)


Cause



Cause A. If the NetBackup Service Account/Logon Account is having insufficient rights or does not have an active mailbox associated with it or it is hidden from the Global Address list.

Cause B. The role assignment for ApplicationImpersonation is not set on the NetBackup account. This role should automatically be created when the first restore job is performed. See the steps under "Solution" to confirm if the role has been set, and how to configure EWS impersonation if needed.

Cause C. Exchange Web Service (EWS) is not functioning properly.

Cause D. If there are different Exchange servers (i.e.: Exchange 2003 and Exchange 2010) in the environment and the migration has not been executed and the NetBackup Service Account/Logon Account is having an active mailbox in the Exchange 2003 server and not in Exchange 2010.

Cause E If there are issues with proxy setting on an Exchange 2010 CAS Server and if Local Bypass (check box) in Internet Explorer is not enabled.

Cause F If the NetBackup Service Account/Logon Account is formed as Domain\User rather than Domain@User.


Solution



Solution A:
1. Use a logon account in NetBackup or create a new account that is a Unique account in Active Directory with an activated mailbox on the Exchange server. A unique name is one that does not exist in the organization as a subset of characters in another mailbox name.
2. Ensure that the NetBackup logon account is added to  Administrators, Domain Admin, and Exchange Organization Admin group on all Exchange servers in the DAG.
3. The NetBackup logon account should be assigned the Exchange Full Administrators\Organization Management role in Exchange System Manager\ Exchange Management Console -> Tools/Role Based Access Control. Under Organizational Management, make sure the user account is found in the list of users.
4. Verify that the mailbox for NetBackup logon account is not hidden in the Global Address list.
6. Make sure the NetBackup Service Account (BESA) and the System Logon account are same.
7. Give the new user the relevant rights and also activate the mailbox by sending and receiving mail.
8. Restart all NetBackup services on the media server and the remote server.
9. Re-run the restore job
 

Solution B:

1.How to check if an account has the proper Role assignment

Run the following command from Exchange Management PowerShell to see if the role has been set:
Get-ManagementRoleAssignment -Role "SymantecEWSImpersonationRole"

This should return information on this role including the "RoleAssigneeName" which should list the NetBackup account (See Figure 1). If the role has not been set for the NetBackup account, EWS impersonation can be configured with the following sample PowerShell commands

Figure 1


This command will create a new role called SymantecEWSImpersonationRole:
New-ManagementRole -Name SymantecEWSImpersonationRole -Parent ApplicationImpersonation

After running this command, a new SymantecEWSImpersonationRoleAssignment will be assigned to user Administrator:
New-ManagementRoleAssignment -Role SymantecEWSImpersonationRole -User Administrator SymantecEWSImpersonationRoleAssignment

The new SymantecEWSImpersonationRoleAssignment has been associated with the user Administrator. After configuring this Role, re-run the restore job.
 

SOLUTION C:


Confirm that EWS is functioning properly:

If the restore job still fails after confirming the steps above, run the following command to verify that EWS is functioning properly. Logon to the Exchange 2010 that holds the Client Access server (CAS) role using the same account that is used in NetBackup and run the following command from a PowerShell prompt:
 test-webservicesconnectivity -MailboxCredential $(get-credential) -TrustAnySSLCertificate  | FL

To see the output in a text file run the following command 

Test-webservicesconnectivity -MailboxCredential $(get-credential) -TrustAnySSLCertificate | FL >C:\EWStest.txt

A PowerShell Credentials window will appear if the command is entered properly. Please enter the credentials for the NetBackup service account. Review the output for any failures. Microsoft will need to be contacted to help resolve issues with EWS.
 

Solution D:
1.Migrate the NetBackup Logon Account to Exchange 2010 server.
2.Re-run the restore job.

 

Solution E:

1. Reset proxy on Exchange 2010 CAS server(s) and Media server using following command:

NETSH WINHTTP RESET PROXY

2. Now attempt the restore job again.

3. If the job still fails then follow the steps below:

a. On Exchange 2010 CAS server(s) go to Tools - Internet Options - Connections - LAN settings window.
b. Enable the "Use a Proxy server for LAN and add the IP address and Port.
c. Click "Advanced" Tab on same window and set the Proxy address and Port in HTTP box.
d. Under "Exceptions" add the *.domain name and click OK on "Proxy Settings" window.
e. Enable "Bypass proxy server for local addresses" under LAN settings window.
 f. Run the following command using Windows PowerShell:
   NETSH WINHTTP IMPORT PROXY SOURCE=IE

This results in the following:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\Windows\system32>netsh winhttp show proxy
Current WinHTTP proxy settings:
    Proxy Server(s) : IP ADDRESS:PORT
    Bypass List     :  *.DOMAIN;<local>

g. Now re-run the restore job. 

h. If the issue persists, disable proxy settings on the Exchange 2010 CAS server(s), restart the NetBackup services and then re-run the job.

i. If the restore works with proxy disabled then the issue is with network configuration which has to be investigated by the customer.

 

Solution F:

Change the NetBackup Service Account/Logon Account from Domain\User Name to Domain@User Name or FQDN@User Name.

FQDN-Fully Qualified Domain Name.




Article URL http://www.symantec.com/docs/TECH185312


Terms of use for this information are found in Legal Notices