Microsoft Exchange common causes for Access Denied errors when backing up individual items to Tape or restoring individual items from Disk when using Granular Restore Technology (GRT).
Problem
Common causes of Access Denied errors with Microsoft Exchange when backing up individual items to Tape or restoring individual items from Disk using Granular Restore Technology (GRT).
DETAILS:
Granular Restore Technology (GRT) enables individual items to be backed up and restored across several Backup Exec for Windows Servers Remote Agents. Exchange GRT functionality involves using MAPI (Messaging API) to impersonate individual users from a single account in order to gain access to the individual mailboxes so that a catalog of the contents can be created.
In a GRT-to-Tape backup, or GRT-to-Disk restore, this process of cataloging the mailbox contents occurs after the Information Store (or individual Storage Groups depending on how the Selection List was created) has been completely backed up. The store is "staged" and the Exchange environment is simulated so that Backup Exec may effectively use GRT to access the mailboxes and create the catalogs in the case of a backup, or read the catalogs in the case of a restore.
Error Message
- V-79-57344-33928 - Access Denied. Cannot backup directory Storage_Group and its subdirectories.
0xe00002fe - Cannot log on to MAPI with the specified credentials. Review the resource credentials for the job, and then run the job again.
OR
- The Exchange Information Store backup fails with the error "Access is denied" and the Job Log shows the following error:
Completed status: Failed
Final error: 0xe0008488 - Access is denied.
Final error category: Security Errors - Access Denied. Cannot backup directory mailbox database and its subdirectories.
Cause
The above errors occur if the logon account used in the backup job has insufficient rights, or if one or more disabled Active Directory user accounts still have mailboxes in the mailbox store. Backup Exec uses the MAPI subsystem on the Exchange server to create the granular restore selections for Exchange Information Store database items, and MAPI in turn queries Active Directory. This only occurs when the backup job is directed to tape (as opposed to a Backup to Disk folder).
If a user's account has been disabled, Backup Exec is unable to get the information for that user's mailbox from Active Directory and an Access is Denied error is returned. This can also happen if the System Logon Account is not defined in the Backup Exec console.
Solution
- The account that is required for this process must have very specific permissions and attributes to allow this complex process to take place:
  - The account must be an Exchange Full Administrator (Exchange 2003), an Exchange Organization Administrator (Exchange 2007) at the top level of Exchange or a member of Exchange's Organization Management group (Exchange 2010 or later).
  - The account must be a member of the local Administrators group on the Exchange Server, that is, a Local Administrator on the Exchange Server.
  - The account must have an active mailbox on the Exchange Server.
  - The account must have received e-mail via the mailbox.
  - The account must have sent e-mail via the mailbox.
  - The account must be named so that it is unique within the first 5 characters.
  - The account must be visible to the Global Address List, not hidden from it.
- Make sure the System Logon Account in Backup Exec and the account assigned to the Backup Exec services are the same.
- Confirm that the Backup/Restore job is set to use the System Logon Account and that it is configured as DOMAIN\USER.
- Confirm that, in Active Directory, the "Account Name", "Logon Account Name" and "Display Name" of USER's account match each other (names and fields may vary according to AD version).
- The Exchange Management Console (Exchange 2010 or later) or Exchange Management Tools (Exchange 2007) must be installed on the Backup Exec media server as well as on the mail server, with the exact same version and upgrades running on each of them.
- Change the Backup Exec System Logon Account (SLA) to be the same ID that is used for the Exchange backup. The SLA should also match the ID used for the Backup Exec services.
- From the Backup Exec console, click Network -> Logon Account and ensure that a "System Logon Account" is present. If not, create a "System Logon Account" by clicking the System Account button.
- To resolve the failure when user accounts or mailboxes have been disabled and a GRT (Granular Restore Technology) backup to tape is being run, perform one or more of the following steps:
  - Assign "Full Mailbox Access" and "Associated External Account" rights to SELF for the disabled mailbox.
  - Reactivate the mailbox by reconnecting it to an active user account in the Active Directory.
  - Purge the mailbox from the Mailbox store.
  - Perform the backup to a Backup to Disk (B2D) Folder instead of a tape device.
- Ensure that the resource credentials for the Exchange Server and Information Store have sufficient privileges to back up Exchange resources.
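
Several of the account and mailbox conditions in the Solution list can be checked before the job runs. The PowerShell below is an added example, not code from this article or from Backup Exec; it assumes the Exchange Management Shell on Exchange 2010 or later, uses a placeholder account name, and treats the five-character uniqueness rule as applying to the mailbox Name attribute.

```powershell
# Added example, not vendor code. Run in the Exchange Management Shell
# (Exchange 2010 or later). 'DOMAIN\svc-backup' below is a placeholder.
function Test-GrtLogonAccount {
    param([Parameter(Mandatory = $true)][string]$Account)

    $findings = @()
    $sam = ($Account -split '\\')[-1]
    $all = @(Get-Mailbox -ResultSize Unlimited)

    # Active mailbox that is visible in the Global Address List.
    $mbx = Get-Mailbox -Identity $Account -ErrorAction SilentlyContinue
    if (-not $mbx) {
        $findings += "No mailbox found for $Account"
    } else {
        if ($mbx.HiddenFromAddressListsEnabled) {
            $findings += "$Account is hidden from the Global Address List"
        }
        # Assumption: "unique within the first 5 characters" is checked
        # against the Name attribute of every other mailbox.
        $prefix = $mbx.Name.Substring(0, [Math]::Min(5, $mbx.Name.Length))
        foreach ($m in $all) {
            if ($m.Guid -ne $mbx.Guid -and
                $m.Name.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
                $findings += "Name prefix '$prefix' is shared with mailbox '$($m.Name)'"
            }
        }
    }

    # Direct membership only; nested groups are not expanded here.
    $orgAdmins = Get-RoleGroupMember -Identity 'Organization Management' |
        ForEach-Object { $_.SamAccountName }
    if ($orgAdmins -notcontains $sam) {
        $findings += "$sam is not a direct member of Organization Management"
    }

    # Disabled accounts that still own a mailbox, and whether SELF
    # holds Full Mailbox Access (FullAccess) on each.
    foreach ($m in $all) {
        if ("$($m.ExchangeUserAccountControl)" -notmatch 'AccountDisabled') { continue }
        $self = Get-MailboxPermission -Identity $m.DistinguishedName -User 'NT AUTHORITY\SELF'
        $rights = ($self | ForEach-Object { $_.AccessRights }) -join ','
        if ($rights -notmatch 'FullAccess') {
            $findings += "Disabled account with mailbox, SELF lacks FullAccess: $($m.Name)"
        }
    }
    return $findings
}

Test-GrtLogonAccount -Account 'DOMAIN\svc-backup'
```

An empty result means none of the checked conditions failed; local Administrators membership on the Exchange Server and the sent and received mail requirements are not covered by this check.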