Exchange 2007 schema update prevents RUS working

Hi

We've recently started to build an Exchange 2007 deployment as part of a coexistence model with Exchange 2003. So far, we've done the necessary steps beforehand (i.e. preparedomain, legacypermissions, preparead), and it all seemed to go through ok and replicate.

Now however, we have a problem when still creating accounts day to day that have a mailbox on the Exchange 2003 server. It will create the mailbox, however it won't create an entry in the global address list, and the 'email addresses' tab is empty of all information.

I have been searching all day and have come to a dead end every time, using permissions and ADSIEdit to make changes to no avail. There's not much in the event log, apart from a few of these messages:

Event Type:      Error
Event Source:      MSExchangeAL
Event Category:      LDAP Operations
Event ID:      8270
Date:            02/07/2009
Time:            14:58:11
User:            N/A
Computer:      Mailserver1
Description:
LDAP returned the error [32] Insufficient Rights when importing the transaction
dn: <GUID=F9978D4F3374194EA15D8B7B1484D251>
changetype: Modify
showInAddressBook:
:<>
msExchUserAccountControl:2
msExchALObjectVersion:328
objectGUID:F9978D4F3374194EA15D8B7B1484D251
-
 DC=xxxxxxx,DC=lan

For more information, click http://www.microsoft.com/contentredirect.asp.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




Event Type:      Error
Event Source:      MSExchangeAL
Event Category:      LDAP Operations
Event ID:      8022
Date:            02/07/2009
Time:            14:58:11
User:            N/A
Computer:      Mailserver1
Description:
LDAP Modify on directory DC01.xxxxxxxx.lan for entry '<GUID=F9978D4F3374194EA15D8B7B1484D251>' was unsuccessful with error:[0x32] Insufficient Rights [ 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
 ].  DC=xxxxxxx,DC=lan

For more information, click http://www.microsoft.com/contentredirect.asp.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I'm convinced it's a simple fix, but I can't for the life of me find it. I found this post at eventid:

"It turns out the exchange domain servers group did not have full control over the recipient update service even though in exchange system manager I could change it to full control (when I did change it, it would snap back to special access after a few hours). Exchange system manager and the actual schema were not in sync. Per M259221, I had to add a registry entry to the RUS schema via ADSI Edit, waited about an hour until it populated (and it only populated on one DC BTW) then within ADSI Edit granted the exchange domain servers full control of RUS and the errors disappeared"

But it doesn't make much sense. This means any new accounts cannot attach to their mailbox even though it exists. Please can anyone help?
cormack12 Asked:

sujmatp Commented:
Go to Start => Run
dsacls "dc=domain,DC=com"
Check for the following permissions:
====================================
Allow AEGCHINA\Exchange Enterprise Servers        SPECIAL ACCESS for groupType
                                                  WRITE PROPERTY
Allow AEGCHINA\Exchange Enterprise Servers        SPECIAL ACCESS for displayName
                                                  WRITE PROPERTY
Allow AEGCHINA\Exchange Enterprise Servers        SPECIAL ACCESS for Public Information
                                                  WRITE PROPERTY
Allow AEGCHINA\Exchange Enterprise Servers        SPECIAL ACCESS for Personal Information
                                                  WRITE PROPERTY
Allow AEGCHINA\Exchange Enterprise Servers        SPECIAL ACCESS for Exchange Information
                                                  WRITE PROPERTY
Allow AEGCHINA\Exchange Enterprise Servers        SPECIAL ACCESS for displayName


Allow AEGCHINA\Exchange Enterprise Servers        Manage Replication Topology
==========================================================

*If you are missing any of these permissions, then try to update the permission using the following example. E.g. the Exchange Information permission is missing...
Go to Start => Run
Dsacls "dc=domain,dc=com" /I:T /G "AEGCHINA\Exchange Enterprise Servers:WP;Exchange Information;"
**************************
If you get this error

====================
No GUID Found for Exchange
The parameter is incorrect
====================

Then run setup.com /preparelegacyexchangepermissions and /preparead using the Exchange 2007 installation files, and then run the following command from the Run prompt:
Dsacls "dc=domain,dc=com" /I:T /G "AEGCHINA\Exchange Enterprise Servers:WP;Exchange Information;"

This should fix your RUS problem.
sujmatp Commented:
AEGCHINA was the domain for the lab on which I ran the command. So it should be your domain wherever it says AEGCHINA.
I apologize for the mistake!!!
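
The permission check described in the answer above, as an added example that is not part of the original posts: a PowerShell function that scans dsacls output for the entries the answer lists and builds the grant command, in the answer's own form, for each missing write-property entry. The function name, the EXAMPLE domain and the sample output are constructed for illustration.

```powershell
# Added example. Checks dsacls output for the entries listed in the answer.
function Get-MissingExchangeAce {
    param([string[]]$DsaclsLines, [string]$Trustee, [string]$DomainDn)

    # Write-property targets and the extended right named in the answer.
    $wpTargets = 'groupType', 'displayName', 'Public Information',
                 'Personal Information', 'Exchange Information'
    $extended  = 'Manage Replication Topology'

    $prefix  = '^Allow\s+' + [regex]::Escape($Trustee) + '\s{2,}'
    $found   = @{}
    $pending = $null   # target of the SPECIAL ACCESS entry being read

    foreach ($line in $DsaclsLines) {
        if ($line -match ($prefix + 'SPECIAL ACCESS for (.+?)\s*$')) {
            $pending = $Matches[1]
        } elseif ($line -match ($prefix + [regex]::Escape($extended) + '\s*$')) {
            $found[$extended] = $true; $pending = $null
        } elseif ($line -match '^(Allow|Deny)\s') {
            $pending = $null               # another trustee's entry starts
        } elseif ($pending -and $line -match '^\s+WRITE PROPERTY\s*$') {
            $found[$pending] = $true       # right listed on a continuation line
        }
    }

    foreach ($name in ($wpTargets + $extended)) {
        if ($found.ContainsKey($name)) { continue }
        # Grant command in the form the answer gives; it covers WP entries only.
        $fix = $null
        if ($wpTargets -contains $name) {
            $fix = 'dsacls "{0}" /I:T /G "{1}:WP;{2};"' -f $DomainDn, $Trustee, $name
        }
        New-Object psobject -Property @{ Missing = $name; Fix = $fix }
    }
}

# Constructed sample: only two of the expected entries are present.
$sample = @'
Allow EXAMPLE\Exchange Enterprise Servers        SPECIAL ACCESS for groupType
                                                  WRITE PROPERTY
Allow EXAMPLE\Exchange Enterprise Servers        SPECIAL ACCESS for displayName
                                                  WRITE PROPERTY
Allow EXAMPLE\Domain Admins                       FULL CONTROL
'@ -split "`r?`n"

Get-MissingExchangeAce -DsaclsLines $sample -DomainDn 'dc=example,dc=lan' `
    -Trustee 'EXAMPLE\Exchange Enterprise Servers' | Format-List Missing, Fix
```

Against a live domain, pass the lines returned by dsacls "dc=domain,dc=com" instead of the sample, and review each generated command before running it so that only the missing entries are granted.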
cormack12 Author Commented:
Thanks - worked great, only had two special permissions in there :)