Hi,
think I've already found the issue, but I wanted to document it here anyways, as my searches on the internet weren't really fruitful in finding this. Also if people have stuff to add - that would be more than welcome.
The issue is quite simple, there are a lot of shared mailboxes the customer can no longer open from Outlook. They currently use Outlook 2016 from the 365 program. Opening the same shared mailboxes in OWA works just fine. Guessing it might work just fine with Outlook 2013, but don't have one handy. Not sure when this issue started. The root cause seems to have existed for quite some time. Probably an upgrade of Outlook (2013->2016) or office patches.
Error Outlook throws: the set of folders cannot be opened the attempt to log on to microsoft exchange has failed
Created some new shared mailboxes, they open just fine in Outlook. Compared AD attributes and found the issue to be the legacyExchangeDN. On the shared mailboxes with issues these contain and old administrative group. The group still exists in AD (can be seen through adsiedit.msc) and contains, amongst a few other things, links to the public folders (they still run an exchange 2010 server for this and a 2012 R2 DC because of this as the exchange 2010 is still on an old CU for SP3). The new administrative group used by 2010 and higher doesn't contain links to the public folders.
Don't know if it matters (it probably does) but the old group has no servers in it.
Anyways if we change the legacyExchangeDN from say:
"/o=customer-name/ou=old_administrative_group/cn=recipients/cn=_shared_mailbox_name " (this one oddly had an additional space at the end -- don't ask -- I don't know ;)).
"/o=CUSTOMER-NAME/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=_shared_mailbox_name"
(I removed the additional space at the end as well, others don't have it and I don't like it).
Don't know why, but on the new mailboxes the customer name is in caps, I just copied the first part from a new one to the old one.
To ensure stuff remained working I added to proxyAddresses a line:
"X500:/o=customer-name/ou=old_administrative_group/cn=recipients/cn=_shared_mailbox_name " as Outlook uses these addresses below the surface and I know from O365 migrations that might hurt replying and people using auto-complete (old NK2) addresses.
We inherited this customer, their Exchange seems (well is) a mess. Previous attempts to migrate the public folders have failed. This is our next project to look at. Might have to do with this as well, ran a search in AD with:
Get-ADObject -Filter 'legacyExchangeDN -like "/o=customer-name/ou=old_administrative_group/*"' -Properties Name, legacyExchangeDN, ProxyAddresses | Select-Object -Property Name, CN,legacyExchangeDN, proxyAddresses | Export-Csv 'C:\20210224-Exchange-legacyDN-Export.csv'
It resulted in a 500kB CSV file, which seems to contain all the public folders more or less too.
Simple things like get-mailbox result in errors of a few old mailboxes pointing to exchange servers that as far as we can determine have been removed 8 years ago. Probably removed them by using adsiedit as I have never been able to cleanly remove an exchange server whilst it still contained mailboxes and have migrated quite a few environments.
Been fixing quite some stuff the last couple of weeks including home databases, OAB pointers and some other stuff that wasn't right.
Anyways, I'm now writing a script to find all the legacyExchangeDNs pointing to the old one, altering them like above, adding it as X500 and logging it so we can revert if necesary. Not sure yet if I'll just do the (shared) mailboxes only for now or just take the leap and alter all the public folders too. Something tells me it might solve some of the public folder migration issues as well as the exchange 2010 actually is part of the "Exchange Administrative Group (FYDIBOHF23SPDLT)" and not the old administrative group.
Any thoughts / advise would be more than welcome. Otherwise just hope this will help someone.
