johnnyhk1
Exchange 2007 OWA: There was a problem accessing Active Directory
I'm having the following issue when attempting to access OWA for Exchange 2007. I have attempted the fixes that have previously been posted for this issue. The accounts are set to allow inheritable permissions, and the setup.com /preparead command has been executed. I've also created a new account and user mailbox that was originally setup in the Exchange 2k7 environment, and I still have this issue with that account. Any suggestions?
Url: https://<servername>:443/owa/lang.owa
User host address: <client IP address>
Exception
Exception type: Microsoft.Exchange.Data.Storage.StoragePermanentException
Exception message: There was a problem accessing Active Directory.
Call stack
Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostLocally(OwaContext owaContext, OwaIdentity logonIdentity, CultureInfo culture, String timeZoneKeyName, Boolean isOptimized)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext)
System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Inner Exception
Exception type: Microsoft.Exchange.Data.Directory.ADOperationException
Exception message: Active Directory operation failed on et3kdc01.FKNC.local. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Call stack
Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32& retries, Int32 maxRetries)
Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)
Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties)
Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()
Inner Exception
Exception type: System.DirectoryServices.Protocols.DirectoryOperationException
Exception message: The user has insufficient access rights.
Call stack
System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation)
Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)
ASKER
Those permissions are present.
Can your CAS server talk to your GC? Are you having DNS problems?
ASKER
Yes it can talk to the catalog and there are no name resolution issues.
Has setup /preparedomain been run? Is this a single domain, or is there a root/child domain type setup?
kris.
ASKER
This is a single domain, and the setup.com /preparedomain command has been executed.
ASKER
Obviously some permission(s) is missing and I'm having quite a bit of trouble tracking it down. Of course Outlook and Blackberry are able to connect to the mailbox cluster without any issues. It is only OWA that is problematic.
I would try running setup /preparedomain again.
kris.
ASKER
I have run it 3 times so far out of desperation.
ASKER
The issue was with one of the base OUs. It was not inheriting permissions, but due to the needs of the environment it cannot inherit the permissions. I had to go into ADSI edit and give the Enterprise Exchange Servers group the rights to Write Exchange Information.
One other solution, as I discovered at 2am this morning, is that if you have a forest root domain with child domains, it is possible that the child domains were not properly prepped for the Exchange Schema changes. I ran setup.com /preparedomain on one DC in each child domain (the Exchange server in my domain is a member of the Forest Root) and voilà!
Once again, here's the step by step...
1. Log into a DC in the domain with the offending account
2. Insert your EXC07 media in the system (or expand the 32bit installer in an easy to locate location in the C Drive)
3. Navigate to the setup.com file and run it from the command line as such:
<path to file>\setup.com /preparedomain
4. All good. But remember to log in with domain admin priv's on the DC you are running this on.
Cheers!
B
Glad we got you going :)
B, man you are tough.... you would have had to go to PSS to get that and I got a B :(
I guess I may be new to posting here so if I did something wrong, let me know!!!
Cheers,
B
BTW... PSS and a B??? Explain???
Cheers,
B
B- is the point award you gave me :)
PSS is Microsoft support
I was saying I should have got an A point award for this one :P
OOOO... AITG... I will actually take it as a compliment then!
I actually figured that one out myself (I say it was the Cheddar Pringles). No help from the PSS or anyone! Also, I am not the original poster, just wanted to tack on my fix to the thread.
Cheers!
B
Oh, so my post telling you what rights need to be on what (OU inheritance), which happened to be the answer, did not help... ok, enjoy
Well, not really, all of the rights inheritance was set up correctly, in fact it did look at first like the domain was prepped correctly (after really digging into the permissions which is what was posted everywhere else I looked). I believe we had two different issues with the same set of symptoms and errors...
B
lol, ok. atig, we'll just mark his name down in the 'book' ;)
kris.
So Much Drama...
Also this can be a result of Security settings for SELF.
Check a user that can connect what is in the allow column.
Also compare the adv security of SELF.
I ran into the same problem a few minutes ago and ran this cmdlet Set-Mailbox "name" -ApplyMandatoryProperties and I was able to get into OWA. Here is the article that clued me in: http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/exchange-2007-issues-mailbox-management.html
Regards
Motechinc: Your solution worked great for me. This should be the accepted solution. Thanks!!!
Set-Mailbox "username" -ApplyMandatoryProperties
Just run the command, I had the same issue and now it's okay
I agree with Ontario. Motechinc should be the accepted solution.
His link and solution helped to both explain the problem and fix the problem.
Thanks Motechinc!
The inheritance checkbox solved the problem that I was experiencing with one user. Good catch
I first tried set-mailbox "user" -ApplyMandatoryProperties but no settings were changed.
When I enabled Advanced View and took a look at the Security tab for the user object, I found that it was not inheriting permissions so the Exchange Enterprise Servers group did not have any write permissions as well as some others that appeared when I enabled inheritance.
One more point for the inheritance checkbox :-)
I've had this issue happen more than once, and have had to use both the cmdlet and the checkbox, so it seems to me that both solutions are valid. If one doesn't work for you, try the other!
Kris.
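The inheritance checks described in the posts above (a base OU or a user object that does not inherit permissions, so the Exchange servers group has no write ACEs on it) can be read out in one pass instead of clicking through each Security tab. This is an added example, not code from the thread; `Get-AclSummary` is a hypothetical helper name and the `-GroupName` default is an assumption to be replaced with the group used in your forest.

```powershell
# Added example (not from the thread). Assumes PowerShell 2.0+ on a domain-joined host.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserDN,                          # DN of the affected mailbox user
    [string]$GroupName = 'Exchange Servers'   # assumption: set to the Exchange servers group in your forest
)
$ErrorActionPreference = 'Stop'               # a bad DN aborts the run instead of looping

function Get-AclSummary {
    param($Entry, [string]$Group)

    $sd   = $Entry.psbase.ObjectSecurity
    # Explicit and inherited ACEs, identities translated to DOMAIN\name where possible
    $aces = @($sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
              Where-Object { $_.IdentityReference.Value -like "*\$Group" })

    New-Object PSObject -Property @{
        DN                 = [string]$Entry.psbase.Properties['distinguishedName'].Value
        Class              = $Entry.psbase.SchemaClassName
        InheritanceBlocked = $sd.AreAccessRulesProtected   # True = "inherit" checkbox is cleared
        GroupAces          = $aces.Count
        InheritedAces      = @($aces | Where-Object { $_.IsInherited }).Count
        AllowedRights      = (@($aces | Where-Object { $_.AccessControlType -eq 'Allow' } |
                               ForEach-Object { $_.ActiveDirectoryRights.ToString() } |
                               Select-Object -Unique) -join ' | ')
    }
}

# Walk from the user object up to the domain head, one row per level.
$entry  = [ADSI]"LDAP://$UserDN"
$report = @()
do {
    $report += Get-AclSummary -Entry $entry -Group $GroupName
    $atTop   = $entry.psbase.SchemaClassName -eq 'domainDNS'
    if (-not $atTop) { $entry = $entry.psbase.Parent }
} until ($atTop)

$report | Select-Object DN, Class, InheritanceBlocked, GroupAces, InheritedAces, AllowedRights |
    Format-Table -AutoSize -Wrap
```

A row with InheritanceBlocked set to True and no allow ACEs for the group marks the level where the rights have to be granted explicitly or inheritance re-enabled.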