Solved

Exchange 2007 schema update prevents RUS working

Posted on 2009-07-02
Last Modified: 2012-05-07
Hi

We've recently started to build an Exchange 2007 deployment as part of a coexistence model with Exchange 2003. So far, we've done the necessary steps beforehand (i.e. preparedomain, legacypermissions, preparead), and it all seemed to go through ok and replicate.

Now however, we have a problem when still creating accounts day to day that have a mailbox on the Exchange 2003 server. It will create the mailbox, however it won't create an entry in the global address list, and the 'email addresses' tab is empty of all information.

I have been searching all day, and have come up to a dead end all the time, using permissions and ADSIEdit to make changes to no avail. There's not much in the event log, apart from a few of these messages:

Event Type:      Error
Event Source:      MSExchangeAL
Event Category:      LDAP Operations
Event ID:      8270
Date:            02/07/2009
Time:            14:58:11
User:            N/A
Computer:      Mailserver1
Description:
LDAP returned the error [32] Insufficient Rights when importing the transaction
dn: <GUID=F9978D4F3374194EA15D8B7B1484D251>
changetype: Modify
showInAddressBook:
:<>
msExchUserAccountControl:2
msExchALObjectVersion:328
objectGUID:F9978D4F3374194EA15D8B7B1484D251
-
 DC=xxxxxxx,DC=lan

For more information, click http://www.microsoft.com/contentredirect.asp.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




Event Type:      Error
Event Source:      MSExchangeAL
Event Category:      LDAP Operations
Event ID:      8022
Date:            02/07/2009
Time:            14:58:11
User:            N/A
Computer:      Mailserver1
Description:
LDAP Modify on directory DC01.xxxxxxxx.lan for entry '<GUID=F9978D4F3374194EA15D8B7B1484D251>' was unsuccessful with error:[0x32] Insufficient Rights [ 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
 ].  DC=xxxxxxx,DC=lan

For more information, click http://www.microsoft.com/contentredirect.asp.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I'm convinced it's a simple fix, but I can't for the life of me find it. I found this post at eventid:

"It turns out the Exchange Domain Servers group did not have full control over the Recipient Update Service even though in Exchange System Manager I could change it to full control (when I did change it, it would snap back to special access after a few hours). Exchange System Manager and the actual schema were not in sync. Per M259221, I had to add a registry entry to the RUS schema via ADSI Edit, waited about an hour until it populated (and it only populated on one DC BTW), then within ADSI Edit granted the Exchange Domain Servers full control of RUS and the errors disappeared"

But it doesn't make much sense. This means any new accounts cannot attach to their mailbox even though it exists. Please can anyone help??!
0
Question by:cormack12
3 Comments
 
LVL 1

Expert Comment

by:sujmatp
ID: 24769624
Go to Start => Run => dsacls "dc=domain,DC=com"
Check for the following permissions
====================================
Allow AEGCHINA\Exchange Enterprise Servers        SPECIAL ACCESS for groupType
                                                  WRITE PROPERTY
Allow AEGCHINA\Exchange Enterprise Servers        SPECIAL ACCESS for displayName
                                                  WRITE PROPERTY
Allow AEGCHINA\Exchange Enterprise Servers        SPECIAL ACCESS for Public Information
                                                  WRITE PROPERTY
Allow AEGCHINA\Exchange Enterprise Servers        SPECIAL ACCESS for Personal Information
                                                  WRITE PROPERTY
Allow AEGCHINA\Exchange Enterprise Servers        SPECIAL ACCESS for Exchange Information
                                                  WRITE PROPERTY
Allow AEGCHINA\Exchange Enterprise Servers        SPECIAL ACCESS for displayName


Allow AEGCHINA\Exchange Enterprise Servers        Manage Replication Topology
==========================================================

*If you are missing any of these permissions, then try to update the permission using the following example. E.g. the Exchange Information permission is missing...
Go to Start => Run
Dsacls "dc=domain,dc=com" /I:T /G "AEGCHINA\Exchange Enterprise Servers:WP;Exchange Information;"
**************************
If you get the error

====================
No GUID Found for Exchange
The parameter is incorrect
====================

Then run setup.com /preparelegacyexchangepermissions, /preparead using the Exchange 2007 installation files, and then run the following command from the Run prompt: Dsacls "dc=domain,dc=com" /I:T /G "AEGCHINA\Exchange Enterprise Servers:WP;Exchange Information;"

This should fix your RUS problem.
0
 
LVL 1

Accepted Solution

by:
sujmatp earned 500 total points
ID: 24769639
AEGCHINA was the domain for the lab on which I ran the command. So it should be your domain wherever it says AEGCHINA.
Apologies for the mistake!!!
0
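Added example (not part of the original thread and not the answerer's code): a Python script that reads saved dsacls output, finds which of the WRITE PROPERTY grants listed in the answer the Exchange Enterprise Servers group actually holds, and builds the answer's dsacls /G command for each missing one. The function names, the EXAMPLE domain, the sample output and the handling of a trailing "<...>" marker are assumptions made for illustration.

```python
import re

# Targets the answer's dsacls listing shows with WRITE PROPERTY for the group.
EXPECTED = ["groupType", "displayName", "Public Information",
            "Personal Information", "Exchange Information"]

# ACE header line: "Allow DOMAIN\Group   SPECIAL ACCESS for <target>".
# Assumption: a trailing "<...>" marker (e.g. inheritance) may follow the target.
ACE_RE = re.compile(
    r"^Allow\s+(?P<trustee>.+?)\s+SPECIAL ACCESS for (?P<target>.+?)(?:\s+<[^>]*>)?\s*$")

def write_property_targets(dsacls_text, group="Exchange Enterprise Servers"):
    """Return the targets on which `group` is allowed WRITE PROPERTY."""
    granted, pending = set(), None
    for line in dsacls_text.splitlines():
        m = ACE_RE.match(line)
        if m:
            # Rights for this ACE follow on indented continuation lines.
            name = m.group("trustee").rpartition("\\")[2]
            pending = m.group("target") if name.lower() == group.lower() else None
        elif line[:1].isspace() and line.strip():
            if pending and line.strip() == "WRITE PROPERTY":
                granted.add(pending)
        else:
            pending = None  # blank line or another entry type ends the ACE
    return granted

def missing_grants(dsacls_text, base_dn, domain, group="Exchange Enterprise Servers"):
    """Build the answer's dsacls /G command for each expected grant not found."""
    have = {t.lower() for t in write_property_targets(dsacls_text, group)}
    return ['dsacls "%s" /I:T /G "%s\\%s:WP;%s;"' % (base_dn, domain, group, t)
            for t in EXPECTED if t.lower() not in have]

# Constructed sample output (EXAMPLE is a placeholder domain, not from the thread).
SAMPLE = r"""
Allow EXAMPLE\Exchange Enterprise Servers        SPECIAL ACCESS for groupType
                                                  WRITE PROPERTY
Allow EXAMPLE\Exchange Enterprise Servers        SPECIAL ACCESS for displayName
                                                  WRITE PROPERTY
Allow EXAMPLE\Domain Admins                       SPECIAL ACCESS for Exchange Information
                                                  WRITE PROPERTY
Allow EXAMPLE\Exchange Enterprise Servers        SPECIAL ACCESS for Public Information
                                                  READ PROPERTY
Allow EXAMPLE\Exchange Enterprise Servers        Manage Replication Topology
"""

if __name__ == "__main__":
    for cmd in missing_grants(SAMPLE, "dc=example,dc=lan", "EXAMPLE"):
        print(cmd)
```

Review the generated commands before running them; they only restore the grants named in the answer and do not widen access beyond WRITE PROPERTY on those targets.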
 

Author Closing Comment

by:cormack12
ID: 31599205
Thanks - worked great, only had two special permissions in there :)
0
