Re: Permission Wizard cant find mailstore

bigcappa1 · ‎11-27-2009

Hi,

Got a bit of an unusual one with one of my Unity servers. Got a call from Local IT that VM was not beign delivered, checked it out and all VM were still in MTA folder, tried to reset the MTA service but didnt make any difference, Tried to run Wizard but it could not see any mailstore so would not run. Checked the services and noticed a few of them that login with the message store login had stopped, tried to restart them but they kept failing, after some investigation the issue to the event errors I was getting suggested reboot or registry key changes, settled for the reboot. After reboot Unity would not start at all, I tried to then login to the Unity using the message store account and could not get in. So got our AD guys to confirm the password and reset it. Logged back in as the install account and I reset the services again and they still didnt work, so re applied the login details to the message store services and viola, all the VM in the MTA folder, so it would appear the message store password had either been changed or corrupted. Confirmation that the VM was being delivered to the mailbox was recieved but I still had a niggle all was not correct.

Ran the PW in report mode and it kept crashing (creating a Dr Watson) when it scanned the message store account permissions, previous to this when I got to the mailstore option it could not see it. I then tried to run it in normal mode but it stops before I get to the third screen saying that the install account (the one we have always used to run PW) could not find the mailstore, please correct this issue and run it again. I also tried the message store wizard which will not run either.

I checked the SQL database and the mailstore is there, the VM is being delivered to the mailbox when recieved so why cant the PW see the mailstore. COuld the PW be corrupt. Has anyone seen this sort of thing

Sorry about the length just want to give an udnerstanding of how I came about this.

Thanks

Paul

Ginger Dillon · ‎11-27-2009

Hi Paul -

Only voice messages from external callers come through the UnityMTA folder, and this is controlled by the Unity_servername mailbox. So you could see voice messages being delivered from subscriber to subscriber using just the Exchange server. The unity_servername mailbox is created when you run the Message Store config wizard and this could have a corrupted MAPI profile or had its password altered as well. Before doing the steps I've outlined below, you could try restarting the AvUMRSyncsvr service. Test sending a voice message from your cell phone to see if that gets to the subscriber. You would also see the remaining messages moved out of the UnityMTA folder to your subscribers inboxes.

Here are some steps you can take to correct the problem if voicemail is still not working:

1. It sounds like Exchange is working OK. But if you are running Exchange onbox (meaning voicemail only), make sure all of your Exchange services are running before continuing - especially the Exchange information store service and the MTA.

2. Make sure the unityinstall account is still a Domain Admin and Exchange Full Admin before running the permissions wizard. If group membership for this account needs to be adjusted, make sure you logoff/log back on the Unity server first. Another thing to check in AD is that all Unity accounts have the right permissions and have inheritance enabled - have your AD folks check the Security Tab - Advanced settings on each Unity account.

3. Run the Services configuration wizard from the Unity server logged on as unityinstall to reset the passwords of all accounts and make sure all of your Unity Services start.

4. You rerun the Message Store Configuration Wizard logged on as unityinstall by going into Control Panel, select Add/Remove programs. Select the program and select the Modify option. If you still don't see the Exchange information stores, either the Exchange services are not operational or you still have a permissions problem.

Hope this helps! I would definitely contact TAC on this to help get your Unity server back working again.

Ginger

bigcappa1 · ‎12-01-2009

Ginger,

I think its point 2 you make, I had a look at the AD accounts and the install account is missing the Domain Admin and Exchange membership. Running the wizard before has not been an issue, so I suspect something has dramatically changed. Once our AD services have re-applied the permissions I will try again and then mark you response accordingly. Thank you very much for the guidance

The server itself seems all of and as I say it can still see Exchange but for some reason the install account has lost some membership of specific groups. Hopefully get this sorted soon

Many thanks

Paul

bigcappa1 · ‎12-08-2009

Ginger,

Aplogies for the delay but just got it sorted out. Turned out our AD guys had removed the install account from the Domain Admin And Exchange Admin groupd as they felt it was too big a security hole. If we need to run any of the tools we need to get them to put them back into these groups. Bit of an inconvience I know but we have to live with it.

But you were spot with it being an account thing. So thanks onc eagain

Cheers

Paul

Ginger Dillon · ‎12-08-2009

Hi Paul -

Thanks for your nice status note - glad I was able to help :-) As you have found out, supporting Unity requires a relationship of trust with the AD and voice team. In a previous work environment, having AD experience helped me establish this relationship, but also I found a combination of Cisco documentation and established "Change policy" made it much easier. Every time I needed to run the Unity permissions wizard or install a Unity server, I submitted a change request that "enabled" the permissions Unity needed to do its thing. Once the change was completed, I removed in this case the Unity install account from the added permissions. Unity upgrades were always tested, including schema updates, in a test forest that mirrored the production environment. If your workplace has such a lab environment, I encourage you to get a Unity demo server installed there - can be a virtualized environment too. The Cisco doc I am referring to is in this link - http://www.cisco.com/en/US/docs/voice_ip_comm/unity/white/paper/5xcudatadirectory.html

If you haven't already, share this doc with your AD team. I'm sure they want your voice application to work well and this doc may help them understand how Unity works with Active Directory and its dependencies.

Happy Holidays! Ginger