Exchange 2012 create mailbox problem


Hi,

Have run into a problem with creating Exchange mailboxes. It works ok
for all accounts except when the user has a ' in the name part of the
DN. Obviously we create the AD account in the following form:

cn=Joanne d'Arc,ou=,ou=... etc. this works great.

when we later should mailbox enable this mailbox the cmdlet bombs out:


Code:
--------------------
DirXML Log Event -------------------
Driver: \IDV\res\DriverSet\AD-Org
Channel: Subscriber
Object: \IDV\Active\Users\chrdar
Status: Error
Message: Exchange 2010 Exception. code:0x00000380 Error completing exchange 2010 command. ERROR: The string starting:
At line:1 char:363
Enable-Mailbox
-Identity 'CN=Joanne D'Arc,OU=Employees,DC=blah,DC=domain,DC=com'
-Database 'CN=US-MDB7,CN=Databases,CN=Exchange Administrative Group ,
CN=Administrative Groups,CN=blah,CN=Microsoft Exchange,CN=Services,
CN=Configuration,DC=blah,DC=domain,DC=com'
-DomainController 'bigserver.blah.domain.com <<<< '
is missing the terminator: '.
--------------------


obviously due to the ' in the DN.
Question: Can the ' as string delimiter be replaced by " or is the
solution to actually strip out the ' from fullname (that we use in the
DN)?

br
//anders


--
abergvall
------------------------------------------------------------------------
abergvall's Profile: https://forums.netiq.com/member.php?userid=278
View this thread: https://forums.netiq.com/showthread.php?t=47935

  • Or escape it with a backslash.

    You could try the Escape Destination DN() token in the Argument Builder,
    verb section.

    Bet commas have the same issue for you as well.






  • Exchange 2010 it should state. Nothing else.


    --
    abergvall

  • On Tue, 11 Jun 2013 15:24:03 0000, abergvall wrote:

    > Have run into a problem with creating Exchange mailboxes. It works ok
    > for all accounts except when the user has a ' in the name part of the
    > DN.


    What happens if you escape the embedded single quote, like Joanne d\'Arc?


    --
    --------------------------------------------------------------------------
    David Gersic dgersic_@_niu.edu
    Knowledge Partner http://forums.netiq.com

    Please post questions in the forums. No support provided via email.

  • On 11/06/2013 17:24, abergvall wrote:
    > obviously due to the ' in the DN.
    > Question: Can the ' as string delimiter be replaced by " or is the
    > solution to actually strip out the ' from fullname (that we use in the
    > DN)?
    >
    > br
    > //anders
    >
    >

    There is no need to use the DN
    (http://technet.microsoft.com/en-us/library/jj614576.aspx).
    You can use the following instead:

    ADObjectID
    GUID
    Distinguished name (DN)
    Domain\SamAccountName
    User principal name (UPN)
    LegacyExchangeDN
    Email Address
    User alias
  • > On 11/06/2013 17:24, abergvall wrote:
    >> Have run into a problem with creating Exchange mailboxes. It works ok
    >> for all accounts except when the user has a ' in the name part of the
    >> DN. Obviously we create the AD account in the following form:
    >>
    >> cn=Joanne d'Arc,ou=,ou=... etc. this works great.
    >>
    >> when we later should mailbox enable this mailbox the cmdlet bombs out:
    >>


    As plenty of other people have said, you must escape the DN (see my
    reply to a near-identical problem last year which includes example code)
    forums.netiq.com/showthread.php

  • Hello,

    checked your link, and found that we are indeed using the fullNameMap
    setting on the driver, and the rule for escaping is in place.
    It's just not working :(
    engine and RL is 4.02 AD driver shim is... the one that came with 4.02.

    Time for testing.
    br
    /A


    --
    abergvall


  • Created a test user for the fun of it:


    Code:
    --------------------
    [06/12/13 09:56:57.190]:ad-org ST: Evaluating selection criteria for rule 'Use Full Name for naming user objects'.
    [06/12/13 09:56:57.190]:ad-org ST: (if-class-name equal "User") = TRUE.
    [06/12/13 09:56:57.191]:ad-org ST: (if-global-variable 'FullNameMap' equal "true") = TRUE.
    [06/12/13 09:56:57.191]:ad-org ST: Rule selected.
    [06/12/13 09:56:57.191]:ad-org ST: Applying rule 'Use Full Name for naming user objects'.
    [06/12/13 09:56:57.191]:ad-org ST: Action: do-set-op-dest-dn(arg-dn("CN=" token-escape-for-dest-dn(token-attr("Full Name")) "," token-dest-dn(length="-2"))).
    [06/12/13 09:56:57.191]:ad-org ST: arg-dn("CN=" token-escape-for-dest-dn(token-attr("Full Name")) "," token-dest-dn(length="-2"))
    [06/12/13 09:56:57.192]:ad-org ST: token-text("CN=")
    [06/12/13 09:56:57.192]:ad-org ST: token-escape-for-dest-dn(token-attr("Full Name"))
    [06/12/13 09:56:57.192]:ad-org ST: token-escape-for-dest-dn(token-attr("Full Name"))
    [06/12/13 09:56:57.192]:ad-org ST: token-attr("Full Name")
    [06/12/13 09:56:57.192]:ad-org ST: Token Value: "Jean O D'Arc".
    [06/12/13 09:56:57.192]:ad-org ST: Arg Value: "Jean O D'Arc".
    [06/12/13 09:56:57.192]:ad-org ST: Token Value: "Jean O D'Arc".
    [06/12/13 09:56:57.192]:ad-org ST: token-text(",")
    [06/12/13 09:56:57.193]:ad-org ST: token-dest-dn(length="-2")
    [06/12/13 09:56:57.193]:ad-org ST: Token Value: "OU=Consultants,OU=Users,OU=SE,OU=Corporate,DC=blah,DC=domain,DC=com".
    [06/12/13 09:56:57.193]:ad-org ST: Arg Value: "CN=Jean O D'Arc,OU=Consultants,OU=Users,OU=SE,OU=Corporate,DC=blah,DC=domain,DC=com".
    [06/12/13 09:56:57.193]:ad-org ST:Policy returned:
    [06/12/13 09:56:57.194]:ad-org ST:
    [06/12/13 09:56:57.194]:ad-org ST:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.0.2.1">DirXML</product>
    <contact>Novell, Inc.</contact>
    </source>
    <input>
    <add cached-time="20130612075656.919Z" class-name="User" dest-dn="CN=Jean O D'Arc,OU=Consultants,OU=Users,OU=SE,OU=Corporate,DC=Blah,DC=domain,DC=com" event-id="se10offedir01#20130612075656#6#1:20b029e9-c0bd-4a44-fe85-e929b020bdc0" qualified-src-dn="O=Active\OU=Users\CN=jeadar" src-dn="\IDV\Active\Users\jeadar" src-entry-id="164065" timestamp="1371023812#27">
    <add-attr attr-name="CN">
    <value naming="true" timestamp="1371023809#74" type="string">jeadar</value>


    --------------------


    Looks like the *token-escape-for-dest-dn* isn't really doing anything :(


    --
    abergvall

  • On 6/12/2013 4:14 AM, abergvall wrote:
    > Looks like the *token-escape-for-dest-dn* isn't really doing anything :(


    Ya, I have seen that happen as well.

    You can manually fix this with Replace All tokens, just remember the
    fields are Regex's, so it is replace all \' with \\\' or the like.
    Should also do commas while you are there, as \, with \\\, or somesuch.

    Simulator will let you test this quick.

  • On 12.06.2013 10:14, abergvall wrote:
    > Looks like the *token-escape-for-dest-dn* isn't really doing anything :(


    I apologise, I had thought this would be handled by the
    escape-for-dest-dn token but upon further investigation, it seems I was
    mistaken.

    According to both Microsoft and RFC 2253, the single quote character is
    not on the list of reserved characters for an LDAP DN.

    This has to be why the token-escape-for-dest-dn doesn't do anything with
    the single quote character.

    It's only PowerShell that chokes on the extra single quote. This really
    points to a bug in the AD driver shim code.

    --
    ----------------------------------------------------------------------
    Alex McHugh
    NetIQ Knowledge Partner http://forums.netiq.com

    Please post questions in the forums. No support is provided via email.
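
The two quoting layers discussed in this thread, as an added example that is not part of the original posts and is not the driver shim's code: RFC 2253 DN escaping leaves `'` untouched, while a PowerShell single-quoted literal needs each embedded quote doubled. All function names are hypothetical; the sample DN is the one from the first post's log.

```python
# Added illustration; names are hypothetical, not DirXML or Exchange APIs.
RFC2253_SPECIALS = set(',+"\\<>;')  # must be escaped inside a DN value
# PowerShell treats these typographic quotes as single-quote delimiters too.
PS_SINGLE_QUOTES = "'\u2018\u2019\u201a\u201b"
SAMPLE_CONTAINER = "OU=Employees,DC=blah,DC=domain,DC=com"  # from the log


def escape_rdn_value(value: str) -> str:
    """Layer 1: escape one RDN value per RFC 2253 (no rule for ')."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        lead = i == 0 and ch in " #"
        trail = i == last and ch == " "
        out.append("\\" + ch if ch in RFC2253_SPECIALS or lead or trail else ch)
    return "".join(out)


def ps_single_quoted(text: str) -> str:
    """Layer 2: PowerShell single-quoted literal; quotes are doubled."""
    body = "".join(ch * 2 if ch in PS_SINGLE_QUOTES else ch for ch in text)
    return "'" + body + "'"


def ps_literal_is_terminated(literal: str) -> bool:
    """True if the literal's only closing quote is its final character."""
    if len(literal) < 2 or literal[0] not in PS_SINGLE_QUOTES:
        return False
    i = 1
    while i < len(literal):
        if literal[i] in PS_SINGLE_QUOTES:
            if i + 1 < len(literal) and literal[i + 1] in PS_SINGLE_QUOTES:
                i += 2  # doubled quote stands for one literal quote
                continue
            return i == len(literal) - 1  # a lone quote closes the string
        i += 1
    return False


def build_identity_arg(full_name: str, container: str) -> str:
    """Apply DN escaping first, then PowerShell quoting, in that order."""
    dn = "CN=" + escape_rdn_value(full_name) + "," + container
    return "-Identity " + ps_single_quoted(dn)
```

A backslash before the quote does not help at the PowerShell layer, because backslash is not an escape character in a PowerShell string literal; the checker reports `'CN=Joanne D\'Arc'` as closing early for that reason.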
  • On 12.06.2013 11:51, Geoffrey Carman wrote:
    > On 6/12/2013 4:14 AM, abergvall wrote:
    >> Looks like the *token-escape-for-dest-dn* isn't really doing anything :(

    >
    > Ya, I have seen that happen as well.
    >
    > You can manually fix this with Replace All tokens, just remember the
    > fields are Regex's, so it is replace all \' with \\\' or the like.
    > Should also do commas while you are there, as \, with \\\, or somesuch.
    >
    > Simulator will let you test this quick.


    The RFC says that implementations MAY escape other characters, but this
    seems quite excessive. Also I'm not sure if it would work in all scenarios.

    --
    ----------------------------------------------------------------------
    Alex McHugh