  • Status: Solved
Exchange 2007 schema update prevents RUS working

Hi

We've recently started to build an Exchange 2007 deployment as part of a coexistence model with Exchange 2003. So far, we've done the necessary steps beforehand (i.e. preparedomain, legacypermissions, preparead), and it all seemed to go through ok and replicate.

Now however, we have a problem when still creating accounts day to day that have a mailbox on the Exchange 2003 server. It will create the mailbox, however it won't create an entry in the global address list, and the 'email addresses' tab is empty of all information.

I have been searching all day, and have come up to a dead end all the time, using permissions and ADSIEdit to make changes to no avail. There's not much in the event log, apart from a few of these messages:

Event Type:      Error
Event Source:      MSExchangeAL
Event Category:      LDAP Operations
Event ID:      8270
Date:            02/07/2009
Time:            14:58:11
User:            N/A
Computer:      Mailserver1
Description:
LDAP returned the error [32] Insufficient Rights when importing the transaction
dn: <GUID=F9978D4F3374194EA15D8B7B1484D251>
changetype: Modify
showInAddressBook:
:<>
msExchUserAccountControl:2
msExchALObjectVersion:328
objectGUID:F9978D4F3374194EA15D8B7B1484D251
-
 DC=xxxxxxx,DC=lan

For more information, click http://www.microsoft.com/contentredirect.asp.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




Event Type:      Error
Event Source:      MSExchangeAL
Event Category:      LDAP Operations
Event ID:      8022
Date:            02/07/2009
Time:            14:58:11
User:            N/A
Computer:      Mailserver1
Description:
LDAP Modify on directory DC01.xxxxxxxx.lan for entry '<GUID=F9978D4F3374194EA15D8B7B1484D251>' was unsuccessful with error:[0x32] Insufficient Rights [ 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
 ].  DC=xxxxxxx,DC=lan

For more information, click http://www.microsoft.com/contentredirect.asp.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I'm convinced it's a simple fix, but I can't for the life of me find it. I found this post at eventid:

"It turns out the exchange domain servers group did not have full control over the recipient update service even though in exchange system manager I could change it to full control (when I did change it, it would snap back to special access after a few hours). Exchange system manager and the actual schema were not in sync. Per M259221, I had to add a registry entry to the RUS schema via ADSI Edit waited about an hour until it populated (and it only populated on one DC BTW) then within ADSI Edit granted the exchange domain servers full control of RUS and the errors disappeared"

But it doesn't make much sense. This means any new accounts cannot attach to their mailbox even though it exists. Please can anyone help??!
Asked by: cormack12

1 Solution

sujmatp Commented:
Go to Start => Run => dsacls "dc=domain,DC=com"
Check for the following permissions
====================================
Allow AEGCHINA\Exchange Enterprise Servers        SPECIAL ACCESS for groupType
                                                  WRITE PROPERTY
Allow AEGCHINA\Exchange Enterprise Servers        SPECIAL ACCESS for displayName
                                                  WRITE PROPERTY
Allow AEGCHINA\Exchange Enterprise Servers        SPECIAL ACCESS for Public Information
                                                  WRITE PROPERTY
Allow AEGCHINA\Exchange Enterprise Servers        SPECIAL ACCESS for Personal Information
                                                  WRITE PROPERTY
Allow AEGCHINA\Exchange Enterprise Servers        SPECIAL ACCESS for Exchange Information
                                                  WRITE PROPERTY
Allow AEGCHINA\Exchange Enterprise Servers        SPECIAL ACCESS for displayName


Allow AEGCHINA\Exchange Enterprise Servers        Manage Replication Topology
==========================================================

*If you are missing any of these permissions then try to update the permission using the following example. E.g. the Exchange Information permission is missing...
Go to Start => Run
Dsacls "dc=domain,dc=com" /I:T /G "AEGCHINA\Exchange Enterprise Servers:WP;Exchange Information;"
**************************
If you get the error

====================
No GUID Found for Exchange
The parameter is incorrect
====================

Then run setup.com /preparelegacyexchangepermissions and /preparead using the Exchange 2007 installation files, and then run the following command from the Run prompt: Dsacls "dc=domain,dc=com" /I:T /G "AEGCHINA\Exchange Enterprise Servers:WP;Exchange Information;"

This should fix your RUS problem.

sujmatp Commented:
AEGCHINA was the domain for the lab on which I ran the command. So it should be your domain wherever it says AEGCHINA.
Apologize for the mistake!!!

cormack12 Author Commented:
Thanks - worked great, only had two special permissions in there :)
Question has a verified solution.
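
The check described in the accepted answer, as an added example that is not part of the original thread: a PowerShell script that parses dsacls output and lists which of the entries named in the answer are absent for the trustee. The parameter names, the -Live switch and the sample output are assumptions constructed for illustration; the script only prints the grant command in the form the answer gives and changes no ACL.

```powershell
# Added example: audit dsacls output for the entries listed in the answer.
# Parameter names, the -Live switch and the sample text are constructed.
param(
    [string]$DomainDN = 'dc=domain,dc=com',
    [string]$Trustee  = 'DOMAIN\Exchange Enterprise Servers',
    [switch]$Live     # read the real ACL with dsacls instead of the sample
)

# Properties / property sets the answer expects to carry WRITE PROPERTY.
$requiredWrite = 'groupType', 'displayName', 'Public Information',
                 'Personal Information', 'Exchange Information'
$requiredRight = 'Manage Replication Topology'

# Constructed sample: only two special permissions exist for the trustee.
$sample = @'
Allow DOMAIN\Exchange Enterprise Servers        SPECIAL ACCESS for groupType
                                                  WRITE PROPERTY
Allow DOMAIN\Exchange Enterprise Servers        SPECIAL ACCESS for displayName
                                                  WRITE PROPERTY
Allow DOMAIN\Domain Admins                      FULL CONTROL
'@ -split '\r?\n'

$lines = if ($Live) { & dsacls.exe $DomainDN } else { $sample }

$prefix    = '^Allow ' + [regex]::Escape($Trustee) + '\s+'
$reSpecial = $prefix + 'SPECIAL ACCESS for (.+?)\s*$'
$reRight   = $prefix + '(.+?)\s*$'
$found     = @{}    # hashtable keys are case-insensitive
$pending   = $null  # property named on the last SPECIAL ACCESS line

foreach ($line in $lines) {
    if ($line -match $reSpecial)   { $pending = $Matches[1] }
    elseif ($line -match $reRight) { $found[$Matches[1]] = $true; $pending = $null }
    elseif ($line -match '^\s+(\S.*?)\s*$') {
        # Indented lines list the rights granted on the pending property.
        if ($pending -and $Matches[1] -eq 'WRITE PROPERTY') { $found[$pending] = $true }
    }
    else { $pending = $null }
}

$missing = @(($requiredWrite + $requiredRight) | Where-Object { -not $found.ContainsKey($_) })
foreach ($name in $missing) {
    if ($requiredWrite -contains $name) {
        # Same form as the command in the answer; printed, not executed.
        'MISSING {0}: dsacls "{1}" /I:T /G "{2}:WP;{0};"' -f $name, $DomainDN, $Trustee
    } else {
        "MISSING right: $name (the page gives no grant command for it)"
    }
}
if ($missing.Count -eq 0) { 'All entries listed in the answer are present.' }
```

Run against the constructed sample, it reports Public Information, Personal Information, Exchange Information and Manage Replication Topology as missing.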
