  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 7543

OWA Access Denied/AD Error

Lately I cannot link AD accounts to mailboxes. I get the below error:

       Access is denied.
The Active Directory resource couldn't be accessed. This may be because the Active Directory object doesn't exist or the object has become corrupted, or because you don't have the correct permissions.

I searched your forum and ran this test, but I am not sure what it is telling me. Is there anything else I can check?

[PS] C:\Windows>test-owaconnectivity -URL:https://mail.kalmancoionc.com/owa -mailboxcredential:(get-credential kalmanconc\jon.swan) -trustanysslcertificate
WARNING: [23:57:01.034] : The server didn't challenge for authentication or return the forms-based authentication page.
WARNING: [23:57:01.034] : The test received an unexpected response to an Outlook Web App request.
WARNING: [23:57:01.034] : Test failed for URL 'https://mail.kalmancoionc.com/owa/'.
Asked by: dassr23

dassr23 (Author) commented:
to add, existing users are fine.

Manpreet SIngh Khatra (Solutions Architect, Project Lead) commented:
Are you getting this error while trying to access OWA for new users ?

- Rancy

dassr23 (Author) commented:
Yes just for new users.

Manpreet SIngh Khatra (Solutions Architect, Project Lead) commented:
Try this and see if this helps and user can work with Outlook or other devices ?

Set-Mailbox "User Name" -ApplyMandatorySettings

- Rancy

jeorge commented:
I'm not sure about the error message but I can say just refer these links..

At least in Exchange 2010, you can use the disable-mailbox cmdlet in the exchange shell:

Disable-Mailbox -Identity account-to-detach-from@yourdomain.com

The mailbox will immediately show up as a disconnected mailbox and can be connected to any account that does not have a mailbox associated with it. The AD account is not affected (other than to have its exchange properties removed, of course).

http://exchangeserverpro.com/exchange-2010-faq-manage-mailboxes-ad-users-computers

http://social.technet.microsoft.com/Forums/en-US/exchangesvradminlegacy/thread/d455d5ca-a936-484f-9247-8f6316a094cb/

http://technet.microsoft.com/en-us/library/bb123524(EXCHG.80).aspx

Well, these links will allow you to check your setup from the beginning.. you can then re-run the status again. Hope it helps for you.

dassr23 (Author) commented:
I tried Set-Mailbox and it says the user is not found on my PDC when I can see it in AD.

Here is some more info. Whoever installed Exchange also made the Exchange server a DC, which I read is a "no-no". But it's been working fine for two years.

If I create the mailbox on the Exchange AD, I can add the mailbox via existing users but the mailbox won't work. I can't email the user, log in via OWA (initial problem) or set it up in Outlook.

If I create the account in the PDC, it doesn't see the user in AD when I try to add it as an existing mailbox even though the account is there.

Manpreet SIngh Khatra (Solutions Architect, Project Lead) commented:
Is the same Exchange Box a GC as well ??
Is there another DC\GC ? Who holds the FSMO roles ?

- Rancy

dassr23 (Author) commented:
My PDC and Exchange servers are GCs, but only the PDC holds the FSMO roles.

Manpreet SIngh Khatra (Solutions Architect, Project Lead) commented:
So all should be fine ideally ... I know it's not a recommended way but as it is it should be fine

- Rancy

dassr23 (Author) commented:
That's what I think but it just started all of a sudden. It was not an update because I was able to create accounts after my last round of updates. I restarted the Exchange IS service then restarted the server, even updated SP1 to rollup 8 but still no luck.

Manpreet SIngh Khatra (Solutions Architect, Project Lead) commented:
I would suggest you to go to SP2 RU4

- Rancy

dassr23 (Author) commented:
Do I need to install all prior updates to that or can I just go for that one?

Manpreet SIngh Khatra (Solutions Architect, Project Lead) commented:
You can simply install SP2 and then RU4

- Rancy

dassr23 (Author) commented:
Thanks, I'll be doing this on Friday and will update the forum after.

dassr23 (Author) commented:
Here is an update. I keep failing to upgrade to SP2 because of the following error:

Connecting to "KalmanPDC01.kalmancoinc.com"
Logging in as current user using SSPI
Importing directory from file "C:\Windows\Temp\ExchangeSetup\Setup\Data\PostExchange2003_schema0.ldf"
Loading entries
1: CN=ms-Exch-ELC-Expiry-Action,CN=Schema,CN=Configuration,DC=kalmancoinc,DC=com
Entry DN: CN=ms-Exch-ELC-Expiry-Action,CN=Schema,CN=Configuration,DC=kalmancoinc,DC=com
Add error on entry starting on line 1: Busy
The server side error is: 0x21a2 The FSMO role ownership could not be verified because its directory partition has not replicated successfully with atleast one replication partner.
The extended server error is:
000021A2: SvcErr: DSID-030A0AF2, problem 5001 (BUSY), data 0
0 entries modified successfully.
An error has occurred in the program

I ran the fix in the article and verified it successful but the same error keeps popping up.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27572768.html

I ran a DCDIAG on my DC and it shows the below replication errors. Could this be why the mailbox is not linking with the AD account?

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = KalmanPDC01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\KALMANPDC01
      Starting test: Connectivity
         ......................... KALMANPDC01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\KALMANPDC01
      Starting test: Advertising
         ......................... KALMANPDC01 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... KALMANPDC01 passed test FrsEvent
      Starting test: DFSREvent
         ......................... KALMANPDC01 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... KALMANPDC01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... KALMANPDC01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... KALMANPDC01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... KALMANPDC01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... KALMANPDC01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... KALMANPDC01 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... KALMANPDC01 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,KALMANPDC01] A recent replication attempt failed:
            From KALMANEXG01 to KALMANPDC01
            Naming Context: DC=ForestDnsZones,DC=kalmancoinc,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.

            The failure occurred at 2012-12-28 20:51:08.
            The last success occurred at 2012-12-06 15:58:34.
            541 failures have occurred since the last success.
         [KALMANEXG01] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         [Replications Check,KALMANPDC01] A recent replication attempt failed:
            From KALMANEXG01 to KALMANPDC01
            Naming Context: DC=DomainDnsZones,DC=kalmancoinc,DC=com
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2012-12-28 21:02:28.
            The last success occurred at 2012-12-06 16:46:08.
            777 failures have occurred since the last success.
            The source remains down. Please check the machine.
         [Replications Check,KALMANPDC01] A recent replication attempt failed:
            From KALMANEXG01 to KALMANPDC01
            Naming Context: CN=Schema,CN=Configuration,DC=kalmancoinc,DC=com
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2012-12-28 20:51:10.
            The last success occurred at 2012-12-06 15:58:33.
            536 failures have occurred since the last success.
            The source remains down. Please check the machine.
         [Replications Check,KALMANPDC01] A recent replication attempt failed:
            From KALMANEXG01 to KALMANPDC01
            Naming Context: CN=Configuration,DC=kalmancoinc,DC=com
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2012-12-28 21:02:25.
            The last success occurred at 2012-12-06 15:58:32.
            603 failures have occurred since the last success.
            The source remains down. Please check the machine.
         [Replications Check,KALMANPDC01] A recent replication attempt failed:
            From KALMANEXG01 to KALMANPDC01
            Naming Context: DC=kalmancoinc,DC=com
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2012-12-28 21:14:58.
            The last success occurred at 2012-12-06 16:54:18.
            35016 failures have occurred since the last success.
            The source remains down. Please check the machine.
         ......................... KALMANPDC01 failed test Replications
      Starting test: RidManager
         ......................... KALMANPDC01 passed test RidManager
      Starting test: Services
         ......................... KALMANPDC01 passed test Services
      Starting test: SystemLog
         An Warning Event occurred.  EventID: 0x80060005
            Time Generated: 12/28/2012   20:35:10
            Event String:
            The Virtual Storage Filter Driver is disabled through the registry. It is inactive for all disk drives.
         An Warning Event occurred.  EventID: 0x80000001
            Time Generated: 12/28/2012   20:35:17
            Event String:
            Failed to open handle to switch list configuration store key due to error C0000034. Persistent Virtual Switches and Ports are not restored.
         An Error Event occurred.  EventID: 0x00000029
            Time Generated: 12/28/2012   20:35:21
            Event String:
            Hyper-V launch failed; Either VMX not present or not enabled in BIOS.
         An Error Event occurred.  EventID: 0x00000020
            Time Generated: 12/28/2012   20:35:21
            Event String:
            Hyper-V launch failed; at least one of the processors in the system does not appear to provide a virtualization platform supported by Hyper-V.
         An Warning Event occurred.  EventID: 0x80040020
            Time Generated: 12/28/2012   20:35:51
            Event String:
            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
         An Warning Event occurred.  EventID: 0x80040020
            Time Generated: 12/28/2012   20:35:51
            Event String:
            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
         An Warning Event occurred.  EventID: 0x80040020
            Time Generated: 12/28/2012   20:35:51
            Event String:
            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
         An Error Event occurred.  EventID: 0xC0003AAD
            Time Generated: 12/28/2012   20:36:08
            Event String:
            An error occured while using SSL configuration for socket address 0.0.0.0:443.  The error status code is contained within the returned data.
         An Error Event occurred.  EventID: 0xC0003AAD
            Time Generated: 12/28/2012   20:36:08
            Event String:
            An error occured while using SSL configuration for socket address [::]:443.  The error status code is contained within the returned data.
         An Warning Event occurred.  EventID: 0x8000A000
            Time Generated: 12/28/2012   20:36:13
            Event String:
            The Security System detected an authentication error for the server ldap/KalmanPDC01.kalmancoinc.com. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
         An Warning Event occurred.  EventID: 0x8000A000
            Time Generated: 12/28/2012   20:36:36
            Event String:
            The Security System detected an authentication error for the server LDAP/KALMANPDC01. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
         An Warning Event occurred.  EventID: 0x00001696
            Time Generated: 12/28/2012   20:36:36
            Event String:
            Dynamic registration or deregistration of one or more DNS records failed with the following error:
         An Warning Event occurred.  EventID: 0x000003FC
            Time Generated: 12/28/2012   20:36:53
            Event String:
            The Session Directory Computers group is empty. For the Terminal Services Session Broker service to work correctly, you must add the computer accounts of terminal servers to this group.
         An Error Event occurred.  EventID: 0xC00003EE
            Time Generated: 12/28/2012   20:37:31
            Event String:
            Server for NFS is not configured for either Active Directory Lookup or User Name Mapping.
         An Warning Event occurred.  EventID: 0x80003BC4
            Time Generated: 12/28/2012   20:38:29
            Event String:
            SSL Certificate Settings deleted for Port : 0.0.0.0:50106 .
         An Warning Event occurred.  EventID: 0x80003BC5
            Time Generated: 12/28/2012   20:38:29
            Event String:
            SSL Certificate Settings created by an admin process for Port : 0.0.0.0:50106 .
         An Warning Event occurred.  EventID: 0x000727AA
            Time Generated: 12/28/2012   20:41:11
            Event String:
            The WinRM service failed to create the following SPNs: WSMAN/KalmanPDC01.kalmancoinc.com; WSMAN/KalmanPDC01.
         An Error Event occurred.  EventID: 0x00004E8A
            Time Generated: 12/28/2012   20:41:15
            Event String:
            Unable to add the interface {E68B6187-DF8D-4E6C-8B8D-E6FBBCFF7280} with the Router Manager for the IPV6 protocol. The following error occurred: Cannot complete this function.
         An Warning Event occurred.  EventID: 0x825A002F
            Time Generated: 12/28/2012   20:41:18
            Event String:
            Time Provider NtpClient: No valid response has been received from manually configured peer 0x1 after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name. The error was: The peer is unreachable.
         An Warning Event occurred.  EventID: 0x80003BC4
            Time Generated: 12/28/2012   20:43:30
            Event String:
            SSL Certificate Settings deleted for Port : 0.0.0.0:50106 .
         An Warning Event occurred.  EventID: 0x80003BC5
            Time Generated: 12/28/2012   20:43:30
            Event String:
            SSL Certificate Settings created by an admin process for Port : 0.0.0.0:50106 .
         ......................... KALMANPDC01 failed test SystemLog
      Starting test: VerifyReferences
         ......................... KALMANPDC01 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : kalmancoinc
      Starting test: CheckSDRefDom
         ......................... kalmancoinc passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... kalmancoinc passed test CrossRefValidation

   Running enterprise tests on : kalmancoinc.com
      Starting test: LocatorCheck
         ......................... kalmancoinc.com passed test LocatorCheck
      Starting test: Intersite
         ......................... kalmancoinc.com passed test Intersite

C:\Users\Administrator>dcdiag
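
The Replications section of the dcdiag output above, reduced to one row per failing link, as an added example that is not part of the original post. The function name and the DaysBroken column are assumptions of this example, the sample lines are excerpted from the output posted in the thread, and it needs PowerShell 3.0 or later.

```powershell
# Added example, not from the thread. Needs PowerShell 3.0+ for [pscustomobject].
function Get-DcdiagReplicationFailure {
    param([Parameter(Mandatory)][string[]]$Line)   # dcdiag text, one line per element
    $stamp  = '(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)'
    $inv    = [cultureinfo]::InvariantCulture
    $toDate = { param($s) [datetime]::ParseExact($s, 'yyyy-MM-dd HH:mm:ss', $inv) }
    $link   = $null
    switch -Regex ($Line) {
        'A recent replication attempt failed' {
            if ($link) { $link }                   # emit the previous record
            $link = [pscustomobject]@{
                Source = $null; Destination = $null; NamingContext = $null
                ErrorCode = $null; Failures = $null
                LastFailure = $null; LastSuccess = $null; DaysBroken = $null
            }
            continue
        }
        # A "passed test"/"failed test" line closes the current dcdiag test section.
        '(passed|failed) test ' { if ($link) { $link; $link = $null }; continue }
        { -not $link } { continue }                # line is outside a failure record
        '^\s*From (\S+) to (\S+)\s*$' {
            $link.Source = $Matches[1]; $link.Destination = $Matches[2]; continue
        }
        'Naming Context: (.+?)\s*$'    { $link.NamingContext = $Matches[1]; continue }
        'generated an error \((\d+)\)' { $link.ErrorCode = [int]$Matches[1]; continue }
        "The failure occurred at $stamp" {
            $link.LastFailure = & $toDate $Matches[1]; continue
        }
        "The last success occurred at $stamp" {
            $link.LastSuccess = & $toDate $Matches[1]
            if ($link.LastFailure) {               # whole days without a good sync
                $span = $link.LastFailure - $link.LastSuccess
                $link.DaysBroken = [int][math]::Floor($span.TotalDays)
            }
            continue
        }
        '(\d+) failures have occurred' { $link.Failures = [int]$Matches[1]; continue }
    }
    if ($link) { $link }                           # emit the last open record
}
# Sample input: excerpt of the dcdiag output posted in the thread.
$sample = @'
   [Replications Check,KALMANPDC01] A recent replication attempt failed:
      From KALMANEXG01 to KALMANPDC01
      Naming Context: CN=Schema,CN=Configuration,DC=kalmancoinc,DC=com
      The replication generated an error (1722):
      The failure occurred at 2012-12-28 20:51:10.
      The last success occurred at 2012-12-06 15:58:33.
      536 failures have occurred since the last success.
   [Replications Check,KALMANPDC01] A recent replication attempt failed:
      From KALMANEXG01 to KALMANPDC01
      Naming Context: DC=kalmancoinc,DC=com
      The replication generated an error (1722):
      The failure occurred at 2012-12-28 21:14:58.
      The last success occurred at 2012-12-06 16:54:18.
      35016 failures have occurred since the last success.
   ......................... KALMANPDC01 failed test Replications
'@ -split '\r?\n'
Get-DcdiagReplicationFailure -Line $sample | Sort-Object Failures -Descending |
    Format-Table NamingContext, Source, ErrorCode, Failures, DaysBroken -AutoSize
```

On a domain controller, the output of `dcdiag /test:replications` can be passed as `-Line` in place of the sample.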

dassr23 (Author) commented:
What an effort!! I resolved this error, which ended up being a DNS issue. I changed the DNS server to point to itself and did a flush. Then it was able to begin replication to the Exchange server.

 The replication generated an error (1722):
            The RPC server is unavailable

http://www.experts-exchange.com/Storage/Misc/Q_25369185.html

But after I fixed that, Exchange would not start due to a WinRM error. I uninstalled/reinstalled that and did a WinRM quickconfig, and now all is well.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_27847374.html


In the end I did not upgrade to SP2. I will do that another day.

Case Closed.

dassr23 (Author) commented:
I did research on my own through this forum and the internet to correct the problem.