How to Generate Active Directory Accounts By Using the Mailbox Information in the Mailbox Database

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

Exchange mailboxes consist of two components:

  • Active Directory directory service user account

  • Mailbox data that is stored in the Exchange mailbox database

The data that is stored in the mailbox database includes a limited amount of information about the user account with which the mailbox is associated. In a disaster scenario where the Active Directory database is lost and no Active Directory backups or system state backups from your domain controllers are available, you may be able to re-create the user accounts by using the information that was stored in the mailbox database. In Microsoft Exchange Server 2003 and Exchange 2000 Server, this task was accomplished by using the Mailbox Reconnect tool (Mbconn.exe). For more information about Mbconn.exe, see Microsoft Knowledge Base article 271886, How to use the Mbconn utility to generate Active Directory accounts for information store mailboxes.

Because you cannot use Mbconn.exe with Exchange Server 2007, you must use Exchange Management Shell scripts to gather the necessary data from the disconnected mailboxes. You can then save the data to a Lightweight Directory Access Protocol (LDAP) Data Interchange Format (LDIF) file, which can then be imported into Active Directory. To import the LDIF file to Active Directory, you must use the LDAP Data Interchange Format Data Exchange (LDIFDE) tool. LDIFDE is installed by default on a computer running Microsoft Windows Server 2003.

This topic explains how to use Exchange Management Shell scripts and the LDIFDE tool to generate lost Active Directory user accounts by using the mailbox information that is stored in the mailbox databases.

Important

The script in this procedure is a sample. Although you can use the script as it is written, you can also modify it to meet the needs of your organization.

Before You Begin

To perform this procedure, the account you use must be delegated the following:

  • Exchange Recipient Administrator role

  • Account Operator role for the applicable Active Directory containers

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

Also, before you perform this procedure, confirm the following:

  • An Exchange 2007 server with the Mailbox server role has been installed.

  • Exchange 2007 mailbox databases have been restored and mounted on this server.

  • A new Active Directory forest has been created.

  • No user accounts that match the mailboxes in the restored mailbox databases exist in the new Active Directory forest.

Procedure

The procedure for generating the user accounts from mailbox data consists of the following steps:

  1. Use Exchange Management Shell scripts to gather the necessary data from the disconnected mailboxes, and then save the data to an LDIF file. This step is described in the first procedure.

  2. Use the LDIFDE tool to import the LDIF file to Active Directory, which generates the user accounts in Active Directory. This step is described in the second procedure.

  3. Use the Exchange Management Shell to connect all the mailboxes to the user accounts that were generated by importing the LDIF file to Active Directory. This step is described in the third procedure.

    Note

    All of the steps in this topic must be performed on the Exchange server that hosts the restored mailbox databases.

To use Exchange Management Shell scripts to gather the necessary data from the disconnected mailboxes and save the data to an LDIF file for import to Active Directory

  1. Use the following script to gather the necessary data from the disconnected mailboxes and save it to an LDIF file. Copy the following code into a text file called CreateLdifFromDisconnectedMailboxes.ps1, and then save the file to the Scripts folder that exists under the folder in which Exchange is installed. In a typical installation, this would be C:\Program Files\Microsoft\Exchange Server\Scripts.

    Param(
    [string] $ContainerDN,
    [string] $Database = "",
    [bool] $append = $false
    )
    
    #function to validate input parameters
    function ValidateParams
    {
    $validInputs = $true
    $errorString = ""
    
    if ($ContainerDN -eq "")
    {
    $validInputs = $false
    $errorString += "`nMissing Parameter:  The -ContainerDN parameter is required. Please pass in a valid container in which to create the user accounts."
    }
    
    if (!$ContainerDN.Contains(","))
    {
    $validInputs = $false
    $errorString += "`nInvalid Container DN.  Make sure to enclose the entire DN in double quotes or it will not be parsed properly."
    }
    
    if (!$validInputs)
    {
    Write-error "$errorString"
    }
    
    return $validInputs
    }
    
    #function to get the display name and alias from mailbox data in the Exchange store
    function ExtractDisplayNameAndAlias($obj)
    {
    #the last component of the legacyExchangeDN is "cn=<alias>"; strip the "cn=" prefix to get the alias
    [string[]]$legacyDNSplit = $obj.LegacyDN.Split('/')
    $alias = $legacyDNSplit[$legacyDNSplit.Length-1].Remove(0,3).ToLower()
    #escape DN special characters in the display name so a value such as "Smith, John" does not break the RDN
    $cn = $obj.DisplayName -replace '([,+"\\<>;=])', '\$1'
    #userAccountControl 544 = NORMAL_ACCOUNT (512) + PASSWD_NOTREQD (32): the accounts are created enabled
    #with no password requirement, so assign passwords to the re-created accounts after the import
    $output = "dn: CN=" + $cn + "," + $ContainerDN + "`r`nchangetype: add`r`nuserAccountControl: 544`r`nmsExchUserAccountControl: 0`r`npwdLastSet: -1`r`ndisplayName: " + $obj.DisplayName + "`r`nobjectClass: user`r`nsAMAccountName: " + $alias + "`r`n"
    write-output $output | out-file -filePath "c:\ldifout.ldf" -append -noClobber
    }
    
    # Function that returns true if the incoming argument is a help request
    function IsHelpRequest
    {
    param($argument)
    return ($argument -eq "-?" -or $argument -eq "-help");
    }
    
    # Function that displays the help related to this script following
    # the same format provided by get-help or <cmdletcall> -?
    function Usage
    {
    @"
    
    NAME:
    CreateLdifFromDisconnectedMailboxes.ps1
    
    SYNOPSIS:
    Finds all disconnected mailboxes on the local server and creates an LDIF file 
    with an entry for each disconnected mailbox user. Use the LDIFDE utility to import this LDIF file to Active Directory, which generates the user accounts. You can then reconnect Mailboxes 
    to these accounts by using the Connect-Mailbox cmdlet. You can
    specify a particular database, or specify no database to search all databases
    on the local server.
    
    This script is mainly used for disaster recovery scenarios where all data except  
    the mailbox databases have been lost.  In these scenarios, without a backup of Active
    Directory, you must re-create the user accounts so they can be 
    connected to existing mailboxes. This is the main objective of this script.
    
    SYNTAX:
    CreateLdifFromDisconnectedMailboxes -ContainerDN <AD Container DN> 
    -Database <Identity of Database> -Append `$false|`$true
    
    AD Container DN is a valid Active Directory container in distinguished name format. This value
    must be enclosed in quotes. Database is the Identity parameter of the 
    database. You can retrieve the Identity value for all databases on the local 
    server by running the following cmdlet:
    
    get-mailboxdatabase -server Server01 | fl Identity
    
    Setting -append to `$true tells the script to append data to the current 
    c:\ldifout.ldf file instead of overwriting it. This is the recommended
    setting if you are piping output from other cmdlets to this script. If the
    -append switch is not included, the script runs automatically in overwrite mode.
    
    EXAMPLES:
    
    "Specifying Database ID"
    CreateLdifFromDisconnectedMailboxes -ContainerDN "CN=Users,DC=Domain,DC=com" 
    -Database "SERVER\Storage Group\Database"
    
    "Run Against All Stores on Local Server"
    CreateLdifFromDisconnectedMailboxes -ContainerDN "CN=Users,DC=Domain,DC=com" 
    
    "Pipe output of another cmdlet into this script"
    get-mailboxdatabase -server SERVER | foreach {CreateLdifFromDisconnectedMailboxes -ContainerDN 
    "CN=Users,DC=domain,DC=com" -Database `$_.Identity -append `$true}
    "@
    }
    
    ################################################################
    ##########################BEGIN SCRIPT##########################
    ################################################################
    
    #Check if this is a help request
    $args | foreach { if (IsHelpRequest $_) { Usage; exit; } }
    
    #Delete existing LDIF file if it is there and append is set to false
    if(!$append){$a = remove-item c:\ldifout.ldf -ea SilentlyContinue}
    
    #Validate all input parameters
    $ifValidParams = ValidateParams;
    if (!$ifValidParams) { exit; }
    
    #find all disconnected mailboxes and get required information
    if ($Database -ne "")
    {
    write "Getting disconnected mailboxes for database $Database"
    $getmbxcmd = get-mailboxstatistics -Database $Database | where {$_.DisconnectDate -ne $null}
    }
    else
    {
    write "Getting disconnected mailboxes for all databases on local server."
       $getmbxcmd = get-mailboxstatistics | where {$_.DisconnectDate -ne $null}
    }
    
    #Make sure at least one disconnected mailbox is found; if not, exit script
    if ($getmbxcmd -eq $null) {write "No disconnected mailboxes found.";exit}
    
    #loop through each disconnected mailbox and write entries to the output file
    foreach ($entry in $getmbxcmd)
    {
    ExtractDisplayNameAndAlias $entry
    }
    
    write "LDIF file successfully written to C:\ldifout.ldf."
    
  2. Start the Exchange Management Shell, and then run the following command:

    CreateLdifFromDisconnectedMailboxes -ContainerDN "<DN of container to place users>"
    

    Important

    The <DN of container to place users> value passed to the ContainerDN parameter must be the distinguished name (DN) of a valid Active Directory container, and it must be included inside double quotes. For example, to place the new user accounts in the Users organizational unit (OU) in the contoso.com domain, you should use the value "CN=Users,DC=contoso,DC=com".

    The preceding command processes all mailbox databases on the server on which it is run. If you prefer to run the script against a specific mailbox database, you can use the Database parameter to specify the database you want.

    The output of the script is saved in the ldifout.ldf file in the root of drive C. By default, the script overwrites this file if one already exists. You can also have the script append to an existing file by setting the Append parameter to $true.

    For more information about the syntax that is used in the script, run the following command:

    CreateLdifFromDisconnectedMailboxes -?
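Before importing the file in the next procedure, it is worth checking what the script wrote. The Python checker below is an added example, not part of this topic or of the Exchange scripts: it parses an LDIF file in the shape ExtractDisplayNameAndAlias emits (a constructed two-entry sample is embedded), and flags CN values with an unescaped comma, sAMAccountName values that are empty, duplicated or longer than 20 characters, and enabled accounts whose userAccountControl has the PASSWD_NOTREQD bit (0x20) set, which is what the script's value 544 (512 + 32) produces.

```python
import re
from collections import Counter

# userAccountControl bits from the AD schema; the script writes 544 = 0x200 (NORMAL_ACCOUNT) | 0x20
PASSWD_NOTREQD, ACCOUNTDISABLE = 0x20, 0x2

# Constructed sample in the shape ExtractDisplayNameAndAlias emits; the second entry has a
# comma in DisplayName and a duplicate sAMAccountName so that the checks below fire.
SAMPLE_LDIF = """dn: CN=John Smith,CN=Users,DC=contoso,DC=com
changetype: add
userAccountControl: 544
msExchUserAccountControl: 0
pwdLastSet: -1
displayName: John Smith
objectClass: user
sAMAccountName: jsmith

dn: CN=Smith, Jane,CN=Users,DC=contoso,DC=com
changetype: add
userAccountControl: 544
msExchUserAccountControl: 0
pwdLastSet: -1
displayName: Smith, Jane
objectClass: user
sAMAccountName: jsmith
"""

def parse_ldif(text):
    """Split LDIF text on blank lines; return one {attribute: value} dict per entry."""
    return [dict(line.partition(": ")[::2] for line in block.splitlines())
            for block in re.split(r"(?:\r?\n){2,}", text.strip())]

def check_ldif(text, container_dn):
    """Return (sAMAccountName, problem) pairs for entries that should not be imported as-is."""
    entries = parse_ldif(text)
    seen = Counter(e.get("sAMAccountName", "") for e in entries)
    findings = []
    for e in entries:
        sam, dn = e.get("sAMAccountName", ""), e.get("dn", "")
        # isolate the CN= relative DN by stripping the container DN the script appended
        rdn = dn[: -len(container_dn) - 1] if dn.endswith("," + container_dn) else dn
        if re.search(r"(?<!\\),", rdn):  # comma in the CN that is not backslash-escaped
            findings.append((sam, "unescaped comma in CN; LDIFDE will misparse the DN"))
        if not sam or len(sam) > 20 or seen[sam] > 1:  # sAMAccountName must be unique, max 20 chars
            findings.append((sam, "sAMAccountName empty, duplicate or over 20 chars"))
        uac = int(e.get("userAccountControl", "0"))
        if uac & PASSWD_NOTREQD and not uac & ACCOUNTDISABLE:
            findings.append((sam, "enabled account with PASSWD_NOTREQD; set a password after import"))
    return findings
```

Run check_ldif over the contents of the real C:\ldifout.ldf with your container DN; every finding is an entry to correct before running ldifde -i.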
    

To use the LDIFDE tool to import the LDIF file to Active Directory

  1. At the command prompt, type ldifde.exe -i -f C:\ldifout.ldf, and then press ENTER.

  2. Start Active Directory Users and Computers.

  3. If the import is successful, the users should appear in the container that you specified when you ran the script. If the user accounts are present, proceed to the next procedure.

To use the Exchange Management Shell to connect the mailboxes

  1. Start the Exchange Management Shell.

  2. Run the following command to connect all mailboxes on a specific mailbox database. This command example assumes that you are connecting all mailboxes that are stored in the mailbox database MBX1 in the storage group SG1 on the server Server01:

    Get-MailboxStatistics | Where {$_.DisconnectDate -ne $null} | Connect-Mailbox -Database "Server01\SG1\MBX1"
    
  3. Repeat Step 2 for any additional mailbox databases that are located on the server.

  4. Restart the Internet Information Services (IIS) Admin Service (IISAdmin).

    Note

    If the Client Access server role is installed on a server other than the server for which you are performing the recovery operation, restart the IIS Admin Service on that server instead.

  5. Restart the Microsoft Exchange Information Store service (MSExchangeIS).

  6. Verify that the users can now log on to their mailboxes.

If you are having difficulty resolving this issue, contact Microsoft Product Support. For information about contacting support, visit the Contact Us page of the Microsoft Help and Support Web site.

For More Information

To learn more about disaster recovery in Exchange 2007, see Disaster Recovery.

To learn more about what you can do to prepare for a disaster, see Best Practices for Minimizing the Impact of a Disaster.

For detailed steps about how you can use the Mbconn.exe tool to achieve the same result in Exchange 2003 or Exchange 2000, see Microsoft Knowledge Base article 271886, How to use the Mbconn utility to generate Active Directory accounts for information store mailboxes.