Exchnage 2010 Installation Error

I am trying to transition from exchange 2003 to 2010

I have a Windows 2003 sp2 domain
Exchange 2003 is in native mode and my forest and domain are at 2003 level
from my new Exchange 2010 box (Windows 2008 R2)
I ran setup /prepareAD   no problem

however When I come to actuall iinstall Exchange 2010  I get an AD permissions error

I am logged in as the domain administrator

He is the error from the exchange setup log file:

The following 1 error(s) occurred during task execution:
[04/16/2010 13:39:32.0440] [1] 0.  ErrorRecord: Active Directory operation failed on lanier01.laniertech.edu. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

[04/16/2010 13:39:32.0440] [1] 0.  ErrorRecord: Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on lanier01.laniertech.edu. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
 ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   at Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties)
   at Microsoft.Exchange.Management.Tasks.InitializeAdminGroupPermissions.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()
[04/16/2010 13:39:32.0440] [1] [ERROR] The following error was generated when "$error.Clear(); initialize-AdminGroupPermissions -DomainController $RoleDomainController" was run: "Active Directory operation failed on lanier01.laniertech.edu. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
".
[04/16/2010 13:39:32.0440] [1] [ERROR] Active Directory operation failed on lanier01.laniertech.edu. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

[04/16/2010 13:39:32.0440] [1] [ERROR] The user has insufficient access rights.


Any ideas would be helpful

Steve
sdawe70Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
You are getting....

Insufficient access rights to perform the operation and (INSUFF_ACCESS_RIGHTS)

So you might want to try resetting the Active Directory security settings...then run prepare AD and prepare domain again

http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/exchange-2007-issues-mailbox-management.html
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sdawe70Author Commented:
I followed the advice and checked the allow inheriable permissions on the administrator account

Now when i try tp run set /preparead     I get the same error:



Configuring Microsoft Exchange Server

    Organization Preparation         ......................... FAILED
     The following error was generated when "$error.Clear(); initialize-AdminGro
upPermissions -DomainController $RoleDomainController" was run: "Active Director
y operation failed on lanier01.laniertech.edu. This error is not retriable. Addi
tional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF
_ACCESS_RIGHTS), data 0
".


The Exchange Server setup operation did not complete. Visit http://support.micro
soft.com and enter the Error ID to find more information.

Exchange Server setup encountered an error.

E:\e2k10install>
0
Antonio VargasMicrosoft Senior Cloud ConsultantCommented:
Is your user member of schema admins? Also make sure that your user be member of Exchange Organization Administration group.
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

sdawe70Author Commented:
I am using the domain administrator account to do the install

I checked and it is a member of the exchange org admin group and the schema admin group

i am still getting the same error


0
Antonio VargasMicrosoft Senior Cloud ConsultantCommented:
go to the domain controller computer account, security tab, and give enterprise and domain admins full control (if they already have it post the result)
0
sdawe70Author Commented:
they already have access to the domain controller computer account
0
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
Someone might of mucked with the AD permissions...you might want to run a reset to set back to default then run perpare again
http://www.windowsitpro.com/article/permissions/q-how-can-i-reset-the-default-permissions-on-an-active-directory-ad-object-100913.aspx
 
0
abhiyCommented:
It seems that the Authenticated Users have deny on "All Address Lists"

Use ADSIEDIT.MSC > CONFIGURATION > SERVICES > MICROSOFT EXCHANGE > Exchagne Org Name > Address List Container >All Address Lists > Properties > Security Tab > Advance Button

In advance permissions window verify that "Authenticated Users" and "Everyone" groups do not have deny for permissions, "Delete, Create All Child Object, Create Address List Objects".
If Deny is there for the security groups then remove Deny and apply changes.

now run the setup or /PrepareAD

let me know if this helps....
0
sdawe70Author Commented:
I have tried all this and it still did not work.

I have called MS tech support.  The Exchange team went t hrough AD and nothhing has worked at this point. THey transfered me to the AD team and we are still working on it.

We have done everything from rebuilding the Exchange 2010 box to manual adding all permission throughout AD to creatong a new user with the installation permission.

setup /preparead still failing at 26%
0
Antonio VargasMicrosoft Senior Cloud ConsultantCommented:
keep us posted! :)
0
sdawe70Author Commented:
The Solution:

  Apparently inthe actual public folders themseleves, a deny access had been placed on the administrator account.  Becuase the public folder could not be read PrepareAD failed, even though the permissions in ADSI edit looked correct the explicit deny on the public folder itself stopped the process from working.
0
sdawe70Author Commented:
THis solution was not complete but the permissions issue while not in AD was in the public folders.

A B was given because I want to award credit were due but none where fully correct because we were looking at permissions in the wrong place.  See my last post for the solution from MS tech support.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.