Solved

Exchange Mailbox Restore Issue

  • February 19, 2026

mhakmd

I have run a backup of Microsoft Exchange, and now I am testing the restore. We have deleted an email from the inbox. I selected Restore application item, Microsoft Exchange mailbox, and Veeam Explorer for Microsoft Exchange opened. I went to the mailbox, selected the email and started the restore. Step by step, I added the target mailbox that I want to restore to, selected the on-prem Microsoft Exchange server, and specified the admin user that has access to the Exchange server. It didn't automatically populate, so I added the mailbox server manually and selected restore to original folder. Is that correct? It has been stuck at validating for a while.

I am following the guide step by step: https://helpcenter.veeam.com/docs/vbr/userguide/restore_to_onprem.html?ver=13

5 comments

mhakmd
  • Author
  • Comes here often
  • February 19, 2026

When I try to use the current account instead of the administrator accessing Exchange, it tells me: "The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'."


Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • February 19, 2026

Yeah, those are the right steps to follow, but if it does not progress, I would contact Support to open a ticket to get them to check the logs.


Link State
  • Veeam Legend
  • February 20, 2026

Hi @mhakmd

Check ports: Ports - Veeam Backup & Replication User Guide

Check permission requirements: Permissions - Veeam Backup & Replication User Guide

Check system prerequisites: System Requirements - Veeam Backup & Replication User Guide

  • Are the Veeam server and its connectivity with Active Directory and the Exchange server correct?
  • Check the delegation configuration
  • I hope the error comes from the Veeam MAPI/EWS proxy when it tries Kerberos first (SPNEGO Negotiate) and Exchange answers with NTLM only — so the security context cannot be established.

So authentication never reaches MAPI/EWS → Veeam cannot mount mailbox DB.

These are the possible causes of the error you encountered: Kerberos missing/wrong SPN, Delegation account not trusted for delegation, TLS wrong IIS binding/certificate, Exchange MAPI/EWS auth misconfigured, Veeam using hostname not matching SPN.

  • Are you using Veeam 12 or 13? Is the Veeam server up to date with the latest patch?
  • Which version of Exchange on-prem are you using, and which CU is installed?

In the Extended Protection version (Exchange 2019 CU12+ environments)

When enabled, recent Veeam versions < build do not pass authentication.

Temporarily disable to confirm:

Set-OrganizationConfig -ExtendedProtectionTokenChecking None
iisreset
  • Check DNS resolution “nslookup” from VBR of your CAS
  • Test connectivity from Veeam to CAS

Test-WebServicesConnectivity -ClientAccessServer <CAS>

  • Check SPN (this is used to list all Service Principal Names (SPNs) currently registered for that particular server)

setspn -L <ExchangeServerName>

  • If it does not return the correct SPN because it is not registered, proceed with its creation.

Example:

setspn -S HTTP/mail.domain.local EXCHANGE01

  • Reset IIS

iisreset

  • Check IIS authentication on Exchange
Get-MapiVirtualDirectory | fl Identity,IISAuthenticationMethods
Get-WebServicesVirtualDirectory | fl Identity,*auth*

The command must return IISAuthenticationMethods: {Negotiate, NTLM}


mhakmd
  • Author
  • Comes here often
  • Answer
  • March 18, 2026

I did the following:

Creating a new role veeam.restore, adding it to Organization Management, giving it the Veeam impersonation role.

This single command below:

  • creates AD user
  • creates Exchange mailbox
  • enables login

New-Mailbox -Name "Veeam Restore" -UserPrincipalName veeam.restore@<exchange_server> -Alias veeam.restore -OrganizationalUnit "Users" -Password (ConvertTo-SecureString "Test1234" -AsPlainText -Force)

Add-RoleGroupMember "Organization Management" -Member veeam.restore

New-ManagementRoleAssignment -Name "Veeam-Impersonation" -Role ApplicationImpersonation -User veeam.restore

Enable mailbox for veeam.restore

Enable-Mailbox -Identity veeam.restore

Add user as ApplicationImpersonation

New-ManagementRoleAssignment -Name "VeeamImpersonation" -Role "ApplicationImpersonation" -User Administrator

Check that user is added

Get-ManagementRoleAssignment -Role ApplicationImpersonation

Instead of a full IIS reset, you can restart only the EWS app pool:

Open IIS Manager → Application Pools → restart: MSExchangeServicesAppPool

Restart-WebAppPool MSExchangeServicesAppPool

Get-WebAppPoolState MSExchangeServicesAppPool

After that, the restore worked.
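
A least-privilege variant of the account setup in the answer above, as an added example that is not part of the original post or of Veeam's documentation: it prompts for the password instead of embedding it, scopes ApplicationImpersonation to tagged mailboxes, and audits who holds the role. The scope name, the CustomAttribute1 tag, the UPN suffix and the omission of the Organization Management membership are assumptions, so confirm that the restore still validates in your environment.

```powershell
# Added example: run in the Exchange Management Shell.
$svcAlias  = 'veeam.restore'          # account name taken from the answer above
$scopeName = 'VeeamRestoreTargets'    # hypothetical management scope name
$upnSuffix = 'example.local'          # placeholder: replace with your UPN suffix

# 1. Prompt for the password so it never appears in the command line,
#    shell history or a session transcript.
$pw = Read-Host -Prompt "Password for $svcAlias" -AsSecureString
New-Mailbox -Name 'Veeam Restore' -Alias $svcAlias `
    -UserPrincipalName "$svcAlias@$upnSuffix" -Password $pw

# 2. Restrict impersonation to mailboxes tagged as restore targets.
#    Assumption: those mailboxes have CustomAttribute1 set to 'VeeamRestore'.
New-ManagementScope -Name $scopeName `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'VeeamRestore'"

New-ManagementRoleAssignment -Name 'Veeam-Impersonation-Scoped' `
    -Role ApplicationImpersonation -User $svcAlias `
    -CustomRecipientWriteScope $scopeName

# 3. Audit: list every principal that can impersonate mailboxes and flag
#    assignments whose write scope is the whole organization.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object Name, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope,
        @{ Name = 'Unscoped'; Expression = { $_.RecipientWriteScope -eq 'Organization' } } |
    Sort-Object Unscoped -Descending |
    Format-Table -AutoSize
```

Rows with Unscoped set to True can act as any mailbox in the organization; assignments created only for a restore test can be removed afterwards with Remove-ManagementRoleAssignment.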


Chris.Childerhose

Glad to hear you got this one resolved and thanks for sharing the solution.