Re: accessing saweb problem

pmsbony · ‎01-29-2003

I have inherited a version of unity (2.46 I beleive from what I can tell) but am unable to access the saweb utility to create some new subscribers.

I beleive it because the one user setup with admin right to access this has since had his exchange mailbox deleted, I tried recreating it and also tried pointing his Nt account at a different mailbox I knew was a subscriber. Neither of these worked.

I tried to create a new unity admin account from the configmgr utility as documented in a technote somewhere and kept getting errors in the log saying 'unable to logon to DOH' .

I would try the grantunityaccess tool to allow my user account to gain access but for some reason the executable does not seem to be present in the commserver folder and I have searched on the rest of the server and found nothing.

Our setup is that we have the unity server on one machine running W2k ansd Exchange 5.5. The actual mailboxes are held on a seperate exchange server running nt4 and exchange 5.5. the exchange on the unity box simply replicates with the main exchange server and has no actual mailboxes.

any help would be greatly appreciated

lindborg · ‎01-29-2003

Yeah, Unity 2.x did not have a SID History table and so the GrantUnityAccess tool was not present - that wasn't introduced until 3.0(1).

there's a couple ways to try and back-door into a 2.x system depending on what state it's in. If the Example Administrator account is still there and associated with an administrator Class of Service you can simply assign that account in Exchange to the NT account you're logging in as, wait for the resynch cycle (about 10 minutes give or take) and then try to get into the SA with that account - it'll associate the login accoutn with Example Admin who has rights in the SA and your in - at which point you can create some new accounts with admin rights.

If the Example admin account is gone or was stripped of it's admin rights then things get a bit trickier.

The instructions for the ConfigMgr thing only work if you're logged in as the account that's associated with the AvCsMgr service in the SCM - this is likely why you're getting the "failed to logon to the DOH" error messages - I'm guessing you weren't logged in as an account with rights to bind to the DOH running in the AvCsMgr process. You can try that route again logged in as that account.

If _that_ doesn't fly still then we have to go all old school on you and get into DOHPropTest with the super-secret password, pick a subscriber account and go manually map them to an admin COS - if someone toasted the admin COS (or removed SA access rights from it - I've seen unhappy departing emplyees pull this stunt before) we'll have to manually edit the COS definition itself to allow SA access. This would probably best be done with a remote connection if you can swing one... WTS or direct dial in to a modem via pcAnywhere would work.

That said, usually the first method works...

pmsbony · ‎01-29-2003

Okay, I think I am getting somewhere. I got the configmgr thingy to run, but what it did seems was create an NT account. My understanding from the technote was that it would create an exchange account/mailbox that I could then associate with a relevant network logon (the one used to install unity) to allow me to access the saweb pages.

I am probably getting something very wrong here but it is a little confusing, can you clarify?

cheers

pete

lindborg · ‎01-29-2003

I'm not sure which tech note you're looking at but the ConfigMgr will create the Example Administrator account I mentioned if it's not in Exchange already - if it's there you're good to go - map the NT account you're logged in as to it's Exchange account and try to access the SA.

pmsbony · ‎01-30-2003

I have tried it twice now and all it does is create an NT User account. Here is what I am doing.

1. log in as account with rights to connect to DOH

2. run configmgr.exe

3. select the file defaultdatabase.dcs from the defaultconfiguration/eng/ directort

4. select create subscriber

5. enter a name (I used unityadmin)

6. click run

after about 20-30 seconds it says it completed okay, and checking exchange there is no new account created but if I check the user lists then the name entered at step 5 has been created as a user.

To confirm what I need to put in at step 5, does the name I enter need to have an account already?

cheers

pete

lindborg · ‎01-30-2003

The create subscriber function is designed to make the installation account (that already has an NT account and an Exchange account) a Unity subscriber - it's intent is not to create a new Exchange account for you so I think perhaps your expectations are not correct there. This way the person doing the installation can access the SA at the end of the install process.

I assume you've already tried to bind to the Example Admin account if it's there as suggested in an earlier post. This really should be your first course of action before trying to use ConfigMgr.

pmsbony · ‎01-30-2003

I see what you mean, i have tried it again have tried it for three different existing accounts.

1. the account all the services are running under (exchadmin) it says it went okay, but a look at the log file says that the user/mail user is already a subscriber but when you try to run saweb you get the error saying that user domain/exchadmin is not a unity subscriber

2. the same happens when running it for another admin account and also for my own personal admin level account.

I am stumped, I wonder if for somereason the fact that the domain name is being included with the user details and the Nt user name stored in unity does not include that info and is therefore saying they do not match?

I am now v. confused. Just to clarify that the example administrator mailbox is been wiped, the actual user account still exists though. would it help if I recreated the mailbox and then ran configmgr?

sorry to be a pain

pete

lindborg · ‎01-30-2003

At this point I'd probably have to get into your system and see what's going on - without a 2.4.5 system here to bang on (I'd have to go deep into the archived CDs to get that going) I'm running a little blind.

With remote access via WTS or pcANYWHERE I can get into DOHPropTest and back door one of your exisitng subscriber accounts such that they have SA access (hopefully).

ping me directly at lindborg@cisco.com if I can get in there.

pmsbony · ‎02-04-2003

All very strange, i have done the mapping of admin COS to an existing subscriber account but am still having no joy, just getting the message saying the windows account is not associated with a unity subscriber.

Running the dbwalker tool on the system reveals no obvious errors on the accounts i have tried to do this to, i am assuming that there is some problem with the mapping of the domain account to the specific subscriber but I have no idea what it is. the exchange servers we have (one on the unity box replicating with one on our main mail server) appear to be in sync with one another so I cannot make much sense of it. I have fiddled with the IIS settings so that the UN/pw authentication is sent both with or without the domain name and neither makes a difference, I tried logging on locally to the unity box and using the local admin account to access the saweb stuff, but still no joy.

It is getting near to the point when I will need to start using the company hammer :-) to get to the root of the problem.

I know you have already been a very good help but if you have any further ideas I would be grateful.

peter