Why did an AD Connect upgrade using like for like settings disconnect mailboxes?

TechUser2020-6505 251 Reputation points
2021-09-28T08:29:23.66+00:00

Hi,
We upgraded AD Connect from an older version 1.5.3.0 on 2012 R2 to the latest version on Windows 2019. The upgrade was done using a swing migration with a PowerShell script to migrate the AD Connect settings (https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-upgrade-previous-version).

On the day of AD Connect upgrade, everything seemed fine (objects synced and users were accessing O365 as normal). The next day, a number of shared mailboxes stopped working (they were just inaccessible from Outlook and OWA).

On further review, the AD Connect upgrade (post-sync) seemed to have updated the msExchRemoteRecipientType for several thousand users.
We also noticed thousands of accounts with missing on-premises AD attribute values for ms-Exch-Guid.

To fix the issue, we did the following:

  1. On our Exchange 2013 hybrid server, use the Exchange PS cmdlet to set the GUID on-premises to match O365.
  2. Set the remote mailbox property for shared mailboxes: `Set-RemoteMailbox -Type Shared`.

Why did this happen in the first place given we've deliberately exported the settings and kept a like for like configuration?

Thanks
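
The two-step fix above, written out as an added example (this is not code from the original post). It assumes an Exchange Management Shell session on the hybrid server (for `Get-RemoteMailbox` / `Set-RemoteMailbox`) and an Exchange Online PowerShell session (for `Get-Mailbox`); the function names `Get-HybridMailboxDrift` and `Repair-HybridMailboxDrift` are my own, and the `$onPrem` / `$cloud` objects are constructed sample data so the comparison runs offline. Note that `Set-RemoteMailbox -Type Shared` requires Exchange 2013 CU21 or later, as the article Andy links states.

```powershell
# Added example: audit on-premises remote mailboxes against Exchange Online for the two
# kinds of drift described in the question (missing/mismatched ExchangeGuid on-premises,
# and cloud shared mailboxes whose on-premises object is still RemoteUserMailbox), then fix them.
# Assumes Exchange Management Shell + Exchange Online PowerShell for the live run at the bottom.

function Get-HybridMailboxDrift {
    param(
        # Both inputs are objects carrying UserPrincipalName, ExchangeGuid, RecipientTypeDetails
        [Parameter(Mandatory)] $OnPrem,   # from Get-RemoteMailbox
        [Parameter(Mandatory)] $Cloud     # from Get-Mailbox (Exchange Online)
    )
    $cloudByUpn = @{}
    foreach ($m in $Cloud) { $cloudByUpn[$m.UserPrincipalName.ToLower()] = $m }
    $emptyGuid = [guid]::Empty

    foreach ($o in $OnPrem) {
        $c = $cloudByUpn[$o.UserPrincipalName.ToLower()]
        if (-not $c) { continue }   # not present in the tenant: out of scope for this check
        $issues = @()

        # Get-RemoteMailbox reports 00000000-0000-0000-0000-000000000000 when the GUID is unset
        if (-not $o.ExchangeGuid -or [guid]$o.ExchangeGuid -eq $emptyGuid) { $issues += 'MissingOnPremGuid' }
        elseif ([guid]$o.ExchangeGuid -ne [guid]$c.ExchangeGuid)          { $issues += 'GuidMismatch' }

        # Shared in the cloud but still a user mailbox on-premises: the state that a full sync reverts
        if ($c.RecipientTypeDetails -eq 'SharedMailbox' -and
            $o.RecipientTypeDetails -ne 'RemoteSharedMailbox') { $issues += 'SharedNotMarkedOnPrem' }

        if ($issues) {
            [pscustomobject]@{
                UserPrincipalName = $o.UserPrincipalName
                OnPremGuid        = $o.ExchangeGuid
                CloudGuid         = $c.ExchangeGuid
                OnPremType        = $o.RecipientTypeDetails
                CloudType         = $c.RecipientTypeDetails
                Issues            = ($issues -join ',')
            }
        }
    }
}

function Repair-HybridMailboxDrift {
    # Applies the two fixes from the question; supports -WhatIf so it can be dry-run first.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Finding)
    process {
        $upn = $Finding.UserPrincipalName
        if ($Finding.Issues -match 'MissingOnPremGuid|GuidMismatch') {
            if ($PSCmdlet.ShouldProcess($upn, "Set-RemoteMailbox -ExchangeGuid $($Finding.CloudGuid)")) {
                Set-RemoteMailbox -Identity $upn -ExchangeGuid $Finding.CloudGuid
            }
        }
        if ($Finding.Issues -match 'SharedNotMarkedOnPrem') {
            if ($PSCmdlet.ShouldProcess($upn, 'Set-RemoteMailbox -Type Shared')) {
                Set-RemoteMailbox -Identity $upn -Type Shared
            }
        }
    }
}

# Constructed sample data (hypothetical tenant) so the audit runs without an Exchange session.
$onPrem = @(
    [pscustomobject]@{ UserPrincipalName='sales@contoso.com';    ExchangeGuid='00000000-0000-0000-0000-000000000000'; RecipientTypeDetails='RemoteUserMailbox' }
    [pscustomobject]@{ UserPrincipalName='finance@contoso.com';  ExchangeGuid='3f2504e0-4f89-11d3-9a0c-0305e82c3301'; RecipientTypeDetails='RemoteUserMailbox' }
    [pscustomobject]@{ UserPrincipalName='alice@contoso.com';    ExchangeGuid='7c9e6679-7425-40de-944b-e07fc1f90ae7'; RecipientTypeDetails='RemoteUserMailbox' }
    [pscustomobject]@{ UserPrincipalName='helpdesk@contoso.com'; ExchangeGuid='9b2ccc1a-6c38-4a1e-8e0a-2b4f8c1d5e77'; RecipientTypeDetails='RemoteSharedMailbox' }
)
$cloud = @(
    [pscustomobject]@{ UserPrincipalName='sales@contoso.com';    ExchangeGuid='1b671a64-40d5-491e-99b0-da01ff1f3341'; RecipientTypeDetails='SharedMailbox' }
    [pscustomobject]@{ UserPrincipalName='finance@contoso.com';  ExchangeGuid='3f2504e0-4f89-11d3-9a0c-0305e82c3301'; RecipientTypeDetails='SharedMailbox' }
    [pscustomobject]@{ UserPrincipalName='alice@contoso.com';    ExchangeGuid='7c9e6679-7425-40de-944b-e07fc1f90ae7'; RecipientTypeDetails='UserMailbox' }
    [pscustomobject]@{ UserPrincipalName='helpdesk@contoso.com'; ExchangeGuid='9b2ccc1a-6c38-4a1e-8e0a-2b4f8c1d5e77'; RecipientTypeDetails='SharedMailbox' }
)

# Expected: sales -> MissingOnPremGuid,SharedNotMarkedOnPrem ; finance -> SharedNotMarkedOnPrem ; others clean
Get-HybridMailboxDrift -OnPrem $onPrem -Cloud $cloud | Format-Table -AutoSize

# Live run (hybrid server with both sessions open); review with -WhatIf before removing it:
# $onPrem = Get-RemoteMailbox -ResultSize Unlimited | Select-Object UserPrincipalName, ExchangeGuid, RecipientTypeDetails
# $cloud  = Get-Mailbox -ResultSize Unlimited       | Select-Object UserPrincipalName, ExchangeGuid, RecipientTypeDetails
# Get-HybridMailboxDrift -OnPrem $onPrem -Cloud $cloud | Repair-HybridMailboxDrift -WhatIf
```

Run the audit against a backup or a pre-upgrade export of the same attributes as well: a finding that appears in both shows the object was already inconsistent before the upgrade, and the full sync only surfaced it.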


4 answers

  1. Andy David - MVP 142.5K Reputation points MVP
    2021-09-28T11:50:04.193+00:00

    Are you sure the Exchange GUIDs weren't already missing on those mailboxes?
    How were the shared mailboxes created?

    Sounds like this issue:

    https://learn.microsoft.com/en-us/exchange/troubleshoot/user-and-shared-mailboxes/shared-mailboxes-unexpectedly-converted-to-user-mailboxes


  2. TechUser2020-6505 251 Reputation points
    2021-09-28T16:42:40.227+00:00

    Hi Andy,
    The shared mailboxes are created as follows:

    1. Create an account on-premises and allow it to sync.
    2. Convert the mailbox to a shared mailbox in Exchange online (this is done using Exchange online, rather than a task executed on our hybrid servers).

    Unfortunately, our service desk who create the accounts can be inconsistent, for example, some shared mailboxes may still be licensed or linked back to enabled AD accounts.

    I'm not 100% sure that the GUIDs were missing before the AD Connect upgrade (I'll need to check some older backups).

    I suspect the RemoteRecipientType was incorrectly set (as per your link), but what I'm not sure about is why didn't this issue occur with the old AD Connect which had been in place for a year or so? It only happened as soon as I upgraded to the latest version and did full sync.

    Thanks


  3. Andy David - MVP 142.5K Reputation points MVP
    2021-09-28T16:50:15.717+00:00

    Probably because a full sync was done and all the objects were re-evaluated.


  4. TechUser2020-6505 251 Reputation points
    2021-09-28T16:58:32.013+00:00

    So, if a shared mailbox was created incorrectly, delta syncs wouldn't necessarily change the mailboxes; however, a full sync would re-evaluate all objects and then cause the shared mailboxes to revert to user mailboxes, which would then cause the disconnect errors (as attached)?

    [attached image: 136021-ms-error.png]