  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 19008

Exchange 2007 OWA: There was a problem accessing Active Directory

I'm having the following issue when attempting to access OWA for Exchange 2007. I have attempted the fixes that have previously been posted for this issue. The accounts are set to allow inheritable permissions, and the setup.com /preparead command has been executed. I've also created a new account and user mailbox that was originally set up in the Exchange 2k7 environment, and I still have this issue with that account. Any suggestions?

Url: https://<servername>:443/owa/lang.owa
User host address: <client IP address>

Exception
Exception type: Microsoft.Exchange.Data.Storage.StoragePermanentException
Exception message: There was a problem accessing Active Directory.

Call stack

Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostLocally(OwaContext owaContext, OwaIdentity logonIdentity, CultureInfo culture, String timeZoneKeyName, Boolean isOptimized)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext)
System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Inner Exception
Exception type: Microsoft.Exchange.Data.Directory.ADOperationException
Exception message: Active Directory operation failed on et3kdc01.FKNC.local. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Call stack

Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32& retries, Int32 maxRetries)
Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)
Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties)
Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()

Inner Exception
Exception type: System.DirectoryServices.Protocols.DirectoryOperationException
Exception message: The user has insufficient access rights.

Call stack

System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation)
Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)
Asked: johnnyhk1
1 Solution
kristinawCommented:
Do you still have a server around with the 2003 ESM on it? Take a look at ADUC, at both the Security tab and the mailbox permissions tab. Make sure the NT AUTHORITY\Self right is present.

Kris.
johnnyhk1Author Commented:
Those permissions are present.
ATIGCommented:
Can your CAS server talk to your GC? Are you having DNS problems?
johnnyhk1Author Commented:
Yes it can talk to the catalog and there are no name resolution issues.
kristinawCommented:
Has setup /preparedomain been run? Is this a single domain, or is there a root/child domain type setup?

kris.
johnnyhk1Author Commented:
This is a single domain, and the setup.com /preparedomain command has been executed.
johnnyhk1Author Commented:
Obviously some permission(s) is missing and I'm having quite a bit of trouble tracking it down. Of course Outlook and Blackberry are able to connect to the mailbox cluster without any issues. It is only OWA that is problematic.
kristinawCommented:
I would try running setup /preparedomain again.

kris.
johnnyhk1Author Commented:
I have run it 3 times so far out of desperation.
ATIGCommented:
This usually occurs when "Allow inheritable permissions..." is not checked on either an OU or a user object in AD Users and Computers.

To confirm, open ADUC and click Advanced Features on the View menu. Open the properties of an affected user and go to the Security tab. Click the Advanced button and confirm whether this setting is checked or not. If it is, then repeat the process for each OU container between the user object and the top-level container.

Be sure that the top-level container includes the Exchange Servers group. This is required and must propagate down to the users for them to successfully access OWA.
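The manual ADUC walk described above can be scripted. The following PowerShell is an added example, not code from the thread: it walks from a user object up to the domain root and reports, for each container, whether inheritance is blocked and whether an Exchange server group holds an explicit WriteProperty ACE there. The user DN and group names are assumed placeholders, and it assumes a domain-joined machine with read access to the directory.

```powershell
# Added example, not code from the thread. Walks from a mailbox user's object up to the
# domain root and reports, per container, whether "Allow inheritable permissions" is off
# and whether an Exchange server group holds an explicit WriteProperty ACE there.
# Assumes a domain-joined machine with directory read access; the DN is a placeholder.
param(
    [string]$UserDn = 'CN=Jane Doe,OU=Users,OU=Branch,DC=example,DC=local',   # placeholder
    [string[]]$ExchangeGroups = @('Exchange Servers', 'Exchange Enterprise Servers')
)

function Get-ParentDn([string]$Dn) {
    # Strip the leading RDN; stop once the domain root (DN starting with DC=) is reached.
    # Assumes no escaped commas (e.g. "CN=Doe\, Jane") in the RDNs.
    if ($Dn -match '^DC=') { return $null }
    return $Dn.Substring($Dn.IndexOf(',') + 1)
}

function Test-ContainerAcl([string]$Dn) {
    $entry     = [ADSI]"LDAP://$Dn"
    $acl       = $entry.ObjectSecurity   # System.DirectoryServices.ActiveDirectorySecurity
    $rules     = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $exchangeWrite = $rules | Where-Object {
        $id = $_.IdentityReference.Value                  # e.g. EXAMPLE\Exchange Servers
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
        (@($ExchangeGroups | Where-Object { $id -like "*\$_" }).Count -gt 0)
    }
    [pscustomobject]@{
        Container          = $Dn
        InheritanceBlocked = $acl.AreAccessRulesProtected
        ExchangeWriteAces  = @($exchangeWrite).Count
    }
}

# Collect one row per container, user object first, domain root last.
$dn = $UserDn
$report = while ($dn) {
    Test-ContainerAcl $dn
    $dn = Get-ParentDn $dn
}
$report | Format-Table -AutoSize

# A row with InheritanceBlocked = True and ExchangeWriteAces = 0 is where the rights granted
# at the domain root by setup /PrepareDomain stop flowing down; OWA's first-logon save
# (ExchangePrincipal.Save in the stack trace above) then fails with INSUFF_ACCESS_RIGHTS
# for every user beneath it. Either re-enable inheritance there or grant the group explicitly.
```

This check covers the inheritance cause only; the Set-Mailbox -ApplyMandatoryProperties cmdlet suggested later in the thread is a separate fix for mailbox objects that are missing mandatory Exchange 2007 attributes.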
johnnyhk1Author Commented:
The issue was with one of the base OUs. It was not inheriting permissions, but due to the needs of the environment it cannot inherit the permissions. I had to go into ADSI Edit and give the Enterprise Exchange Servers group the rights to Write Exchange Information.
bjohnson_MNCommented:
One other solution, as I discovered at 2am this morning, is that if you have a forest root domain with child domains, it is possible that the child domains were not properly prepped for the Exchange schema changes. I ran setup.com /preparedomain on one DC in each child domain (the Exchange server in my domain is a member of the forest root) and voila!
Once again, here's the step by step...
1. Log into a DC in the domain with the offending account
2. Insert your EXC07 media in the system (or expand the 32-bit installer in an easy to locate location on the C drive)
3. Navigate to the setup.com file and run it from the command line as such:
<path to file>\setup.com /preparedomain
4. All good. But remember to log in with domain admin privs on the DC you are running this on.

Cheers!
B
ATIGCommented:
Glad we got you going :)
ATIGCommented:
B, man you are tough.... you would have had to go to PSS to get that and I got a B :(
bjohnson_MNCommented:
I guess I may be new to posting here so if I did something wrong, let me know!!!
Cheers,
B
BTW... PSS and a B???  Explain???
ATIGCommented:
B- is the point award you gave me :)
PSS is microsoft support

I was saying I should have got an A point award for this one :P
bjohnson_MNCommented:
OOOO... ATIG... I will actually take it as a compliment then!
I actually figured that one out myself (I say it was the Cheddar Pringles). No help from PSS or anyone! Also, I am not the original poster, just wanted to tack on my fix to the thread.

Cheers!
B
ATIGCommented:
Oh, so my post telling you what rights need to be on what (OU inheritance), which happened to be the answer, did not help... ok enjoy
bjohnson_MNCommented:
Well not really, all of the rights inheritance was set up correctly; in fact it did look at first like the domain was prepped correctly (after really digging into the permissions, which is what was posted everywhere else I looked). I believe we had two different issues with the same set of symptoms and errors...
B
kristinawCommented:
Lol, ok. ATIG, we'll just mark his name down in the 'book' ;)

kris.
bjohnson_MNCommented:
So Much Drama...  
mubhcaeb78Commented:
Also, this can be a result of the security settings for SELF.

Check what is in the Allow column for a user that can connect.
Also compare the advanced security settings of SELF.
MotechincCommented:
I ran into the same problem a few minutes ago and ran this cmdlet (set-mailbox "name" -ApplyMandatoryProperties) and I was able to get into OWA. Here is the article that clued me in: http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/exchange-2007-issues-mailbox-management.html
Regards
ontariosystemsCommented:
Motechinc:  Your solution worked great for me.  This should be the accepted solution.  Thanks!!!
uaeabudhabi77Commented:
Set-Mailbox "username" -ApplyMandatoryProperties

Just run the command; I had the same issue and now it's okay.
realmanageCommented:
I agree with Ontario. Motechinc should be the accepted solution.
His link and solution helped to both explain the problem and fix the problem.

Thanks Motechinc!
sfeder11554Commented:
The inheritance checkbox solved the problem that I was experiencing with one user.  Good catch
Aaron_DentonCommented:
I first tried set-mailbox "user" -ApplyMandatoryProperties but no settings were changed.

When I enabled Advanced View and took a look at the Security tab for the user object, I found that it was not inheriting permissions so the Exchange Enterprise Servers group did not have any write permissions as well as some others that appeared when I enabled inheritance.

One more point for the inheritance checkbox :-)
MCHCPAnalystCommented:
I've had this issue happen more than once, and have had to use both the cmdlet and the checkbox, so it seems to me that both solutions are valid. If one doesn't work for you, try the other!