Solved

Exchange 2007 schema update prevents RUS working

Posted on 2009-07-02
Last Modified: 2012-05-07
Hi

We've recently started to build an Exchange 2007 deployment as part of a coexistence model with Exchange 2003. So far, we've done the necessary steps beforehand (i.e. preparedomain, legacypermissions, preparead), and it all seemed to go through ok and replicate.

Now however, we have a problem when still creating accounts day to day that have a mailbox on the Exchange 2003 server. It will create the mailbox, however it won't create an entry in the global address list, and the 'email addresses' tab is empty of all information.

I have been searching all day, and have come up to a dead end all the time, using permissions and ADSIEdit to make changes to no avail. There's not much in the event log, apart from a few of these messages:

Event Type:      Error
Event Source:      MSExchangeAL
Event Category:      LDAP Operations
Event ID:      8270
Date:            02/07/2009
Time:            14:58:11
User:            N/A
Computer:      Mailserver1
Description:
LDAP returned the error [32] Insufficient Rights when importing the transaction
dn: <GUID=F9978D4F3374194EA15D8B7B1484D251>
changetype: Modify
showInAddressBook:
:<>
msExchUserAccountControl:2
msExchALObjectVersion:328
objectGUID:F9978D4F3374194EA15D8B7B1484D251
-
 DC=xxxxxxx,DC=lan

For more information, click http://www.microsoft.com/contentredirect.asp.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




Event Type:      Error
Event Source:      MSExchangeAL
Event Category:      LDAP Operations
Event ID:      8022
Date:            02/07/2009
Time:            14:58:11
User:            N/A
Computer:      Mailserver1
Description:
LDAP Modify on directory DC01.xxxxxxxx.lan for entry '<GUID=F9978D4F3374194EA15D8B7B1484D251>' was unsuccessful with error:[0x32] Insufficient Rights [ 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
 ].  DC=xxxxxxx,DC=lan

For more information, click http://www.microsoft.com/contentredirect.asp.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I'm convinced it's a simple fix, but I can't for the life of me find it. I found this post at eventid:

"It turns out the exchange domain servers group did not have full control over the recipient update service even though in exchange system manager I could change it to full control (when I did change it, it would snap back to special access after a few hours). Exchange system manager and the actual schema were not in sync. Per M259221, I had to add a registry entry to the RUS schema via ADSI Edit, waited about an hour until it populated (and it only populated on one DC BTW) then within ADSI Edit granted the exchange domain servers full control of RUS and the errors disappeared"

But it doesn't make much sense. This means any new accounts cannot attach to their mailbox even though it exists. Please can anyone help?
Question by:cormack12

Expert Comment

by:sujmatp
ID: 24769624
Go to Start => Run
dsacls "dc=domain,DC=com"
Check for the following permissions
====================================
Allow AEGCHINA\Exchange Enterprise Servers        SPECIAL ACCESS for groupType
                                                  WRITE PROPERTY
Allow AEGCHINA\Exchange Enterprise Servers        SPECIAL ACCESS for displayName
                                                  WRITE PROPERTY
Allow AEGCHINA\Exchange Enterprise Servers        SPECIAL ACCESS for Public Information
                                                  WRITE PROPERTY
Allow AEGCHINA\Exchange Enterprise Servers        SPECIAL ACCESS for Personal Information
                                                  WRITE PROPERTY
Allow AEGCHINA\Exchange Enterprise Servers        SPECIAL ACCESS for Exchange Information
                                                  WRITE PROPERTY
Allow AEGCHINA\Exchange Enterprise Servers        SPECIAL ACCESS for displayName


Allow AEGCHINA\Exchange Enterprise Servers        Manage Replication Topology
==========================================================

*If you are missing any of these permissions, then try to update the permission using the following example. E.g. the Exchange Information permission is missing...
Go to Start => Run
Dsacls "dc=domain,dc=com" /I:T /G "AEGCHINA\Exchange Enterprise Servers:WP;Exchange Information;"
**************************
If you get the error

====================
No GUID Found for Exchange
The paramerter is incorrect
====================

Then run setup.com /preparelegacyexchangepermissions, /preparead using the Exchange 2007 installation files, and then run the following command from the Run prompt: Dsacls "dc=domain,dc=com" /I:T /G "AEGCHINA\Exchange Enterprise Servers:WP;Exchange Information;"

This should fix your RUS problem.

Accepted Solution

by:
sujmatp earned 500 total points
ID: 24769639
AEGCHINA was the domain for the lab on which I ran the command. So it should be your domain wherever it says AEGCHINA.
Apologies for the mistake!!!
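
The check-then-grant procedure from the answer above, as an added PowerShell example (not part of the original thread and not any poster's code): it parses dsacls output for the WRITE PROPERTY entries the answer lists and prints the grant command for each one that is missing, so the change can be reviewed before it is run. The domain DN, the DOMAIN\ prefix, the function name Get-MissingWriteProperty and the sample output are placeholders constructed for illustration.

```powershell
# Added example: audit the domain-root ACL for the entries listed in the answer.
# $DomainDn and $Principal are placeholders; substitute your own domain.
$DomainDn  = 'dc=domain,dc=com'
$Principal = 'DOMAIN\Exchange Enterprise Servers'

# Attributes / property sets the answer says must carry WRITE PROPERTY.
$Expected = 'groupType', 'displayName', 'Public Information',
            'Personal Information', 'Exchange Information'

# Constructed sample of dsacls output with only two of the entries present.
$Sample = @'
Allow DOMAIN\Exchange Enterprise Servers        SPECIAL ACCESS for groupType
                                                  WRITE PROPERTY
Allow DOMAIN\Exchange Enterprise Servers        SPECIAL ACCESS for displayName
                                                  WRITE PROPERTY
Allow DOMAIN\Exchange Enterprise Servers        Manage Replication Topology
'@ -split "`r?`n"

function Get-MissingWriteProperty {
    param([string[]]$DsaclsOutput, [string]$Principal, [string[]]$Expected)
    $found   = @{}   # case-insensitive keys, like dsacls names
    $pattern = '^Allow\s+' + [regex]::Escape($Principal) + '\s+SPECIAL ACCESS for\s+(.+?)\s*$'
    for ($i = 0; $i -lt $DsaclsOutput.Count; $i++) {
        if ($DsaclsOutput[$i] -match $pattern) {
            $target = $Matches[1]
            # The rights are printed on indented continuation lines below the ACE.
            $j = $i + 1
            while ($j -lt $DsaclsOutput.Count -and $DsaclsOutput[$j] -match '^\s+\S') {
                if ($DsaclsOutput[$j] -match 'WRITE PROPERTY') { $found[$target] = $true }
                $j++
            }
        }
    }
    $Expected | Where-Object { -not $found.ContainsKey($_) }
}

# Live use on a domain-joined host: $lines = & dsacls $DomainDn
$missing = Get-MissingWriteProperty -DsaclsOutput $Sample -Principal $Principal -Expected $Expected
foreach ($m in $missing) {
    # Print the grant command from the answer for review rather than running it.
    'dsacls "{0}" /I:T /G "{1}:WP;{2};"' -f $DomainDn, $Principal, $m
}
```

Run against the constructed sample, this prints one dsacls grant line each for Public Information, Personal Information and Exchange Information.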

Author Closing Comment

by:cormack12
ID: 31599205
Thanks - worked great, only had two special permissions in there :)