johnnyhk1 asked:

Exchange 2007 OWA: There was a problem accessing Active Directory

I'm having the following issue when attempting to access OWA for Exchange 2007. I have attempted the fixes that have previously been posted for this issue. The accounts are set to allow inheritable permissions, and the setup.com /preparead command has been executed. I've also created a new account and user mailbox that was originally set up in the Exchange 2k7 environment, and I still have this issue with that account. Any suggestions?

Url: https://<servername>:443/owa/lang.owa
User host address: <client IP address>

Exception
Exception type: Microsoft.Exchange.Data.Storage.StoragePermanentException
Exception message: There was a problem accessing Active Directory.

Call stack

Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostLocally(OwaContext owaContext, OwaIdentity logonIdentity, CultureInfo culture, String timeZoneKeyName, Boolean isOptimized)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext)
System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Inner Exception
Exception type: Microsoft.Exchange.Data.Directory.ADOperationException
Exception message: Active Directory operation failed on et3kdc01.FKNC.local. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Call stack

Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32& retries, Int32 maxRetries)
Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)
Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties)
Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()

Inner Exception
Exception type: System.DirectoryServices.Protocols.DirectoryOperationException
Exception message: The user has insufficient access rights.

Call stack

System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation)
Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)

kristinaw:

Do you still have a server around with the 2003 ESM on it? Take a look at ADUC, for both the Security tab and the Mailbox Permissions tab. Make sure the NT AUTHORITY\SELF right is present.

Kris.
johnnyhk1 (asker):

Those permissions are present.

kristinaw:
Can your CAS server talk to your GC? Are you having DNS problems?

johnnyhk1:
Yes, it can talk to the catalog and there are no name resolution issues.

kristinaw:
Has setup /preparedomain been run? Is this a single domain, or is there a root/child domain type setup?

kris.

johnnyhk1:
This is a single domain, and the setup.com /preparedomain command has been executed.
Obviously some permission(s) is missing and I'm having quite a bit of trouble tracking it down. Of course Outlook and BlackBerry are able to connect to the mailbox cluster without any issues. It is only OWA that is problematic.

kristinaw:
I would try running setup /preparedomain again.

kris.

johnnyhk1:
I have run it 3 times so far out of desperation.
ASKER CERTIFIED SOLUTION
ATIG:
This solution is only available to members of Experts Exchange.

johnnyhk1 (asker):
The issue was with one of the base OUs. It was not inheriting permissions, but due to the needs of the environment it cannot inherit the permissions. I had to go into ADSI Edit and give the Enterprise Exchange Servers group the rights to Write Exchange Information.
bjohnson_MN:
One other solution, as I discovered at 2am this morning, is that if you have a forest root domain with child domains, it is possible that the child domains were not properly prepped for the Exchange schema changes. I ran setup.com /preparedomain on one DC in each child domain (the Exchange server in my domain is a member of the forest root) and voila!
Once again, here's the step by step...
1. Log into a DC in the domain with the offending account
2. Insert your EXC07 media in the system (or expand the 32-bit installer in an easy to locate location on the C drive)
3. Navigate to the setup.com file and run it from the command line as such:
<path to file>\setup.com /preparedomain
4. All good. But remember to log in with domain admin privs on the DC you are running this on.

Cheers!
B
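The multi-domain case above is easy to miss because the Exchange server's own domain looks fine. The following PowerShell script is an added example, not code from the thread or from Microsoft: it walks every domain in the forest and checks for the "Microsoft Exchange System Objects" container that setup.com /PrepareDomain creates in each domain partition, and reports that container's objectVersion so it can be compared with the value Microsoft documents for your Exchange 2007 service pack. It assumes it runs on a domain-joined machine as an account that can read every domain partition (a forest-root Domain Admin is enough), and that a DC in each child domain is reachable over LDAP; the output wording is mine.

```powershell
# Added example (not from the thread): report Exchange 2007 domain-prep state
# for every domain in the forest. Requires read access to each domain partition.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

foreach ($domain in $forest.Domains) {
    # Build the domain's DN from its DNS name: child.corp.local -> DC=child,DC=corp,DC=local
    $domainDn    = 'DC=' + [string]::Join(',DC=', $domain.Name.Split('.'))
    $containerDn = "CN=Microsoft Exchange System Objects,$domainDn"

    # Bind to a DC in that domain explicitly. Asking the root-domain GC would
    # only show the partial-attribute-set copy and can give a misleading answer.
    $dc   = $domain.FindDomainController().Name
    $path = "LDAP://$dc/$containerDn"

    if ([System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        $entry   = New-Object System.DirectoryServices.DirectoryEntry($path)
        # objectVersion on this container is what setup stamps during /PrepareDomain;
        # compare it with the value Microsoft publishes for your service pack.
        $version = $entry.Properties['objectVersion'].Value
        '{0,-30} prepared (objectVersion {1}) via {2}' -f $domain.Name, $version, $dc
    } else {
        '{0,-30} NOT prepared: run setup.com /PrepareDomain in this domain' -f $domain.Name
    }
}
```

A domain listed as not prepared is exactly the case bjohnson_MN describes: its user objects never received the ACEs that let the Exchange server group write Exchange attributes, so OWA's first-logon write fails with INSUFF_ACCESS_RIGHTS even though the server's own domain is correct.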
ATIG:
Glad we got you going :)

B, man you are tough.... you would have had to go to PSS to get that and I got a B :(

bjohnson_MN:
I guess I may be new to posting here so if I did something wrong, let me know!!!
Cheers,
B

BTW... PSS and a B??? Explain???

ATIG:
B- is the point award you gave me :)
PSS is Microsoft support

I was saying I should have got an A point award for this one :P

bjohnson_MN:
OOOO... ATIG... I will actually take it as a compliment then!
I actually figured that one out myself (I say it was the Cheddar Pringles). No help from the PSS or anyone! Also, I am not the original poster, just wanted to tack on my fix to the thread.

Cheers!
B

ATIG:
Oh, so my post telling you what rights need to be on what (OU inheritance), which happened to be the answer, did not help... ok, enjoy

bjohnson_MN:
Well not really, all of the rights inheritance was set up correctly; in fact it did look at first like the domain was prepped correctly (after really digging into the permissions, which is what was posted everywhere else I looked). I believe we had two different issues with the same set of symptoms and errors...
B

kristinaw:
lol, ok. ATIG, we'll just mark his name down in the 'book' ;)

kris.
So much drama...
Also this can be a result of security settings for SELF.

Check a user that can connect and see what is in the Allow column.
Also compare the advanced security of SELF.
Motechinc:
I ran into the same problem a few minutes ago and ran this cmdlet: set-mailbox "name" -ApplyMandatoryProperties, and I was able to get into OWA. Here is the article that clued me in.... http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/exchange-2007-issues-mailbox-management.html
Regards
Ontario:
Motechinc: Your solution worked great for me. This should be the accepted solution. Thanks!!!

Set-Mailbox "username" -ApplyMandatoryProperties

Just run the command; I had the same issue and now it's okay.
I agree with Ontario. Motechinc should be the accepted solution.
His link and solution helped to both explain the problem and fix the problem.

Thanks Motechinc!
The inheritance checkbox solved the problem that I was experiencing with one user.  Good catch
I first tried set-mailbox "user" -ApplyMandatoryProperties but no settings were changed.

When I enabled Advanced View and took a look at the Security tab for the user object, I found that it was not inheriting permissions so the Exchange Enterprise Servers group did not have any write permissions as well as some others that appeared when I enabled inheritance.

One more point for the inheritance checkbox :-)
I've had this issue happen more than once, and have had to use both the cmdlet and the checkbox, so it seems to me that both solutions are valid. If one doesn't work for you, try the other!
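The thread ends with two fixes that address the same symptom: Set-Mailbox -ApplyMandatoryProperties stamps the mailbox attributes the server expects, and the inheritance checkbox restores the ACEs that let the Exchange server group write to the user object. The stack trace at the top shows why the ACEs matter: the failing call is ExchangePrincipal.Save() inside DispatchLanguagePostLocally, so OWA is writing the user's language and time zone back to Active Directory on the first logon, and it does so with the server's own identity, not the user's. The PowerShell script below is an added example, not code from the thread or from Microsoft. It enumerates mailbox-enabled users whose AD object has inheritance switched off (the "unticked checkbox" state) and, with an assumed -Fix switch of my own naming, re-enables inheritance. It assumes it runs on a domain-joined machine as an account that can read security descriptors in the domain (and write them when -Fix is used), and that mailbox-enabled users can be identified by a populated homeMDB attribute. One caveat the thread does not state: if the user is in a protected group (adminCount=1), the SDProp process re-applies the AdminSDHolder ACL and turns inheritance off again roughly every hour, so the checkbox fix does not stick for those accounts; the script reports them instead of changing them.

```powershell
# Added example (not from the thread): list mailbox-enabled users whose AD
# object blocks ACL inheritance, optionally re-enable inheritance with -Fix.
# -Fix is my own switch name; it is not an Exchange or AD cmdlet parameter.
param([switch]$Fix)

$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
# Assumption: mailbox-enabled users carry homeMDB. Bit 2 of userAccountControl
# (0x2) is ACCOUNTDISABLE, excluded via the LDAP bitwise AND matching rule.
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(homeMDB=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'adminCount', 'distinguishedName'))

foreach ($result in $searcher.FindAll()) {
    $entry = $result.GetDirectoryEntry()

    # AreAccessRulesProtected is $true exactly when "Allow inheritable
    # permissions from the parent to propagate" is unticked on the object.
    if (-not $entry.ObjectSecurity.AreAccessRulesProtected) { continue }

    $name       = $result.Properties['samaccountname'][0]
    $adminCount = $result.Properties['admincount']
    $isProtectedAccount = ($adminCount.Count -gt 0 -and $adminCount[0] -eq 1)

    if ($isProtectedAccount) {
        # SDProp will reset this object from AdminSDHolder within the hour, so
        # re-enabling inheritance here is pointless; fix group membership instead.
        "$name : inheritance blocked, adminCount=1 (protected account; the checkbox fix will be reverted by SDProp)"
    } elseif ($Fix) {
        # First argument $false = stop protecting the DACL, i.e. inherit again.
        # The second argument (preserve inherited rules) is ignored when the
        # first is $false, so the parent's ACEs flow down on the next read.
        $entry.ObjectSecurity.SetAccessRuleProtection($false, $true)
        $entry.CommitChanges()
        "$name : inheritance re-enabled"
    } else {
        "$name : inheritance blocked (re-run with -Fix to re-enable)"
    }
}
```

Run it once without -Fix to see which users would be touched, and run it as an account that is not itself a Domain Admin session on an untrusted workstation, since it writes security descriptors. For an OU that must legitimately block inheritance, as in the asker's environment, the alternative is the one the asker used: grant the Exchange server group its rights explicitly on that OU rather than re-enabling inheritance per user.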