I have been asked this question a fair bit recently by members of my team, or indeed by staff who have delegated rights in the ESM and who worry when they don't see the new mailbox they have just created appear in the Exchange System Manager.
The most recent related question I have been asked is "why is the only permission on the mailbox the self permission?", which prompted me to have a look around the web for some information. Although I understand why the mailbox does not appear in the ESM and why the self permission is the sole permission upon creation, I was hoping to find some resources on the web to distribute to my team.
I was very surprised to find that, although I tracked down a very good explanation for the "self" permission, I could not find anything that really explains what happens when you go through the mailbox creation process. I have therefore decided to write my own explanation (and await the flogging from people who know better!).
OK, a common misconception about creating a mailbox is that, when you have completed the Mailbox creation wizard, there is a nice shiny mailbox created in the store that you have chosen.
This is not the case. At this stage the Mailbox wizard only updates the following attributes in Active Directory with the values that are specific to your Exchange organisation:
- homeMDB – home location of your mailbox (the Exchange database it belongs to)
- homeMTA – your native Message Transfer Agent
- legacyExchangeDN – used for compatibility with Exchange 5.5 systems
- mail – your primary e-mail address
- mailNickname – your mailbox alias
- msExchHomeServerName – the server on which your mailbox is located
- msExchMailboxGuid – GUID of the primary samAccount for the mailbox
- msExchMailboxSecurityDescriptor – defines the mailbox rights
- proxyAddresses – additional addresses
What then happens is that the Recipient Update Service runs (usually every 15 minutes) and stamps the mail and proxy addresses onto the account in Active Directory. At this stage there is still no physical mailbox in the Exchange store, which you can verify by checking the mailbox list in the ESM.
In addition, if you open the "Exchange Advanced" tab and click "Mailbox Rights" (you will need to turn on Advanced Features in ADUC), you will see that the only permission on the mailbox at this point is the "self" permission.
This happens because the security descriptor (msExchMailboxSecurityDescriptor) is not read from Active Directory until the user first logs on to the mailbox or the mailbox receives an item of mail.
A common misconception is that the Recipient Update Service plays a part both in creating the mailbox and in configuring the security permissions on it. The RUS does not work out any permissions, as that is not its job. It is the store service that works these out when the user logs on or mail is received, and that is coincidentally the point at which the store process creates the mailbox in the database, based on the data held in Active Directory for the account.
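As an added example (not from the original post), the PowerShell script below reads the attributes listed above from Active Directory for a given user and decodes msExchMailboxSecurityDescriptor so you can see which trustees currently hold mailbox rights, i.e. whether only SELF is present before the store has created the mailbox. It assumes a domain-joined machine and that DirectorySearcher returns the descriptor as a byte array.

```powershell
# Added example, not from the original post: list the attributes the mailbox
# wizard stamps on a user and decode msExchMailboxSecurityDescriptor to show
# who currently holds mailbox rights. Assumes a domain-joined machine and that
# DirectorySearcher returns the descriptor as a byte[] (NT-Sec-Desc syntax).
param([Parameter(Mandatory = $true)][string]$SamAccountName)

$attrs = @('homeMDB', 'homeMTA', 'legacyExchangeDN', 'mail', 'mailNickname',
           'msExchHomeServerName', 'msExchMailboxGuid',
           'msExchMailboxSecurityDescriptor', 'proxyAddresses')

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$searcher.PropertiesToLoad.AddRange([string[]]$attrs)
$result = $searcher.FindOne()
if (-not $result) { throw "User '$SamAccountName' not found in Active Directory." }

# The wizard only writes these; homeMDB/homeMTA being set means the account is
# mailbox-enabled in AD, not that a mailbox exists in the store yet.
foreach ($a in $attrs) {
    if ($a -eq 'msExchMailboxSecurityDescriptor') { continue }
    $v = @($result.Properties[$a])
    if ($a -eq 'msExchMailboxGuid' -and $v.Count -gt 0) {
        $v = @(New-Object System.Guid -ArgumentList (, [byte[]]$v[0]))
    }
    '{0,-32} {1}' -f $a, ($v -join '; ')
}

# Decode the mailbox rights. Until first logon or first delivery the only ACE
# expected is for SELF (S-1-5-10), which ADUC shows as the "self" permission.
$sdBytes = @($result.Properties['msExchMailboxSecurityDescriptor'])
if ($sdBytes.Count -eq 0) { Write-Warning 'msExchMailboxSecurityDescriptor is not set.'; return }
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList ([byte[]]$sdBytes[0]), 0
$aces = @(foreach ($ace in $sd.DiscretionaryAcl) {
    $sid = $ace.SecurityIdentifier
    try { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $who = $sid.Value }
    [pscustomobject]@{ Trustee = $who; Sid = $sid.Value; Type = $ace.AceType
                       Mask = ('0x{0:X8}' -f $ace.AccessMask) }
})
$aces | Format-Table -AutoSize
if ($aces.Count -eq 1 -and $aces[0].Sid -eq 'S-1-5-10') {
    'Only SELF holds mailbox rights: the store has not yet processed this descriptor.'
}
```

Run it as `.\Check-MailboxAttributes.ps1 -SamAccountName jsmith` (script name is your choice); the attribute listing confirms what the wizard wrote, and the ACE table shows whether the store has yet evaluated the descriptor.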

Hey, I just tried importing a .pst file to a newly created mailbox on Exchange 2007 and was unable to do that. I found out that was because the mailbox did not exist in the store yet. So what is the fastest and most simple way to make the mailbox appear in the store asap after mailbox creation?
By: complexxL9 on June 22, 2009 at 8:57 pm
You mentioned that you were able to find a "very good explanation for the 'self' permission".
Could you post that too, or post the URL?
Thanks!!
By: rez on October 13, 2009 at 1:45 pm