Exchange 2010 restore job fails with the error "The resource credentials for the restore job were unable to create a role assignment for ApplicationImpersonation. Review the credentials to ensure that it has the rights that are required for ApplicationImpersonation."
0xe0000389 - The resource credentials for the restore job were unable to create a role assignment for ApplicationImpersonation. Review the credentials to ensure that it has the rights that are required for ApplicationImpersonation.
V-79-57344-905 - The resource credentials for the restore job were unable to create a role assignment for ApplicationImpersonation.
V-79-57344-905 - Unable to open the item Database - skipped
If the Backup Exec logon account does not have a mailbox associated with it.
If the Backup Exec mailbox is hidden from the GAL (Global Address List).
If the role assignment for ApplicationImpersonation is not set on the Backup Exec account (This role should automatically be created when the first restore job is performed).
If the Exchange Web Service (EWS) is not functioning properly.
If the Exchange installation is not fully patched to the latest version
During redirect restore mailbox, user's Alias name was used instead of Display name.
Part 1 : Permissions and Roles required for backing up Exchange 2010.
- Make sure that the BESA(Backup Exec Service Account, as opposed to the BE Logon Account) or the account used for Backup and Restore of Exchange 2010 has below permissions :
- Should be a member of (built in) Administrators (group) in Active Directory.
- Should be a member of Domain Admins in Active Directory.
- Should be a member of Backup Operators in Active Directory.
- Should be a member of Organization Management in RBAC(Role Based Access Control).
- Should be a member of Symantec EWS Impersonation Role in Exchange. Refer to Part 2 for details.
- Make sure the BESA (Backup Exec Service Account) or the account used for Backup and Restore of Exchange 2010 has a unique and active mailbox associated with it.
- Make sure that EWS (Exchange Web Service) is functioning properly.
- Restart all of the Backup Exec Services on the Media Server.
- Restart the Backup Exec Remote Agent Service on the Exchange Server.
If the Exchange Server is in a DAG make sure that the Backup Exec Remote Agent is installed on all the nodes in the DAG as well as all servers with the CAS (Client Access Server) Role.
Ensure that the Backup Exec Remote Agent Services is running on Local System Account on all the nodes in DAG.
Part 2: How to check if an account has the proper Role assignment.
- Run the following command from Exchange PowerShell to check whether the role exists or not :
Get-ManagementRoleAssignment -Role "SymantecEWSImpersonationRole".
This should return information on this role including the "RoleAssineeName" which should list Backup Exec account (See Figure 1). If the role does not exist or has not been set for the Backup Exec account, refer to below instruction.
- Command to create a new role called SymantecEWSImpersonationRole:
New-ManagementRole -Name SymantecEWSImpersonationRole -Parent ApplicationImpersonation.
- Command to assign a user to SymantecEWSImpersonationRoleAssignment:
New-ManagementRoleAssignment -Role SymantecEWSImpersonationRole -User Username "SymantecEWSImpersonationRoleAssignment".
The new SymantecEWSImpersonationRoleAssignment has been associated with the respective user. After configuring this Role, the restore job should now complete successfully.
Part 3: Confirm that EWS is functioning properly:
If the restore job still fails after confirming the steps above, run the following command to verify that EWS is functioning properly. Logon to the Exchange 2010 server that holds the Client Access (CAS) role, and run the following command from the Exchange PowerShell to test the EWS connectivity.
Command to test the EWS connectivity :
test-webservicesconnectivity -MailboxCredential $(get-credential) -TrustAnySSLCertificate | FL.
A PowerShell Credentials window will appear.. Please enter the credentials for the Backup Exec service account. Review the output for any failures. Microsoft will need to be contacted to help resolve issues with EWS.
Part 4: During redirect restore mailbox, user's Alias name was used instead of Display name:
Display name of the mailbox user name should be added in Microsoft Exchange Redirect restore window, i.e under Restore Job Properties, Microsoft Exchange redirection, Restore to mailbox name should be Display name instead of alias name under Redirect mailbox sets.
Microsoft Exchange 2010
Backup Exec 2010
Backup Exec 2012
Windows Server 2008 R2