Solved

OWA Access Denied/AD Error

Posted on 2012-12-20
Last Modified: 2013-01-03
As of late, I cannot link AD accounts to mailboxes. I get the error below:

       Access is denied.
The Active Directory resource couldn't be accessed. This may be because the Active Directory object doesn't exist or the object has become corrupted, or because you don't have the correct permissions.

I searched your forum and ran this test, but I am not sure what it is telling me. Is there anything else I can check?

[PS] C:\Windows>test-owaconnectivity -URL:https://mail.kalmancoionc.com/owa -mailboxcredential:(get-credential kalmanconc\jon.swan) -trustanysslcertificate
WARNING: [23:57:01.034] : The server didn't challenge for authentication or return the forms-based authentication page.
WARNING: [23:57:01.034] : The test received an unexpected response to an Outlook Web App request.
WARNING: [23:57:01.034] : Test failed for URL 'https://mail.kalmancoionc.com/owa/'.
Question by:dassr23
17 Comments
 

Author Comment

by:dassr23
ID: 38711986
To add, existing users are fine.
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38712011
Are you getting this error while trying to access OWA for new users ?

- Rancy
0
 

Author Comment

by:dassr23
ID: 38712314
Yes just for new users.
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38712490
Try this and see if it helps and the user can work with Outlook or other devices?

Set-Mailbox "User Name" -ApplyMandatorySettings

- Rancy
0
 
LVL 3

Expert Comment

by:jeorge
ID: 38712521
I'm not sure about the error message, but I can say just refer to these links.

At least in Exchange 2010, you can use the disable-mailbox cmdlet in the exchange shell:

Disable-Mailbox -Identity account-to-detach-from@yourdomain.com

The mailbox will immediately show up as a disconnected mailbox and can be connected to any account that does not have a mailbox associated with it. The AD account is not affected (other than to have its exchange properties removed, of course).

http://exchangeserverpro.com/exchange-2010-faq-manage-mailboxes-ad-users-computers

http://social.technet.microsoft.com/Forums/en-US/exchangesvradminlegacy/thread/d455d5ca-a936-484f-9247-8f6316a094cb/

http://technet.microsoft.com/en-us/library/bb123524(EXCHG.80).aspx

Well, these links will allow you to check your setup from the beginning. You can then re-run the status again. Hope it helps.
0
 

Author Comment

by:dassr23
ID: 38713692
I tried Set-Mailbox and it says the user is not found on my PDC, when I can see it in AD.

Here is some more info. Whoever installed Exchange also made the Exchange server a DC, which I read is a "no-no". But it's been working fine for two years.

If I create the mailbox on the Exchange AD, I can add the mailbox via existing users, but the mailbox won't work. I can't email the user, log in via OWA (the initial problem), or set it up in Outlook.

If I create the account on the PDC, it doesn't see the user in AD when I try to add it as an existing mailbox, even though the account is there.
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38715199
Is the same Exchange Box a GC as well ??
Is there another DC\GC ? Who holds the FSMO roles ?

- Rancy
0
 

Author Comment

by:dassr23
ID: 38715903
My PDC and Exchange servers are GCs, but only the PDC holds the FSMO roles.
0

 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38715956
So all should be fine ideally ... I know it is not a recommended way, but as it is it should be fine.

- Rancy
0
 

Author Comment

by:dassr23
ID: 38719578
That's what I think, but it just started all of a sudden. It was not an update, because I was able to create accounts after my last round of updates. I restarted the Exchange IS service, then restarted the server, and even updated SP1 to rollup 8, but still no luck.
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38719802
I would suggest you to go to SP2 RU4

- Rancy
0
 

Author Comment

by:dassr23
ID: 38720082
Do I need to install all prior updates to that or can I just go for that one?
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38720146
You can simply install SP2 and then RU4

- Rancy
0
 

Author Comment

by:dassr23
ID: 38720270
Thanks, I'll be doing this on Friday and will update the forum after.
0
 

Author Comment

by:dassr23
ID: 38728610
Here is an update. I keep failing to upgrade to SP2 because of the following error:

Connecting to "KalmanPDC01.kalmancoinc.com"
Logging in as current user using SSPI
Importing directory from file "C:\Windows\Temp\ExchangeSetup\Setup\Data\PostExchange2003_schema0.ldf"
Loading entries
1: CN=ms-Exch-ELC-Expiry-Action,CN=Schema,CN=Configuration,DC=kalmancoinc,DC=com
Entry DN: CN=ms-Exch-ELC-Expiry-Action,CN=Schema,CN=Configuration,DC=kalmancoinc,DC=com
Add error on entry starting on line 1: Busy
The server side error is: 0x21a2 The FSMO role ownership could not be verified because its directory partition has not replicated successfully with atleast one replication partner.
The extended server error is:
000021A2: SvcErr: DSID-030A0AF2, problem 5001 (BUSY), data 0
0 entries modified successfully.
An error has occurred in the program

I ran the fix in the article and verified it successful but the same error keeps popping up.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27572768.html

I ran a DCDIAG on my DC and it shows the below replication errors. Could this be why the mailbox is not linking with the AD account?

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = KalmanPDC01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\KALMANPDC01
      Starting test: Connectivity
         ......................... KALMANPDC01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\KALMANPDC01
      Starting test: Advertising
         ......................... KALMANPDC01 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... KALMANPDC01 passed test FrsEvent
      Starting test: DFSREvent
         ......................... KALMANPDC01 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... KALMANPDC01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... KALMANPDC01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... KALMANPDC01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... KALMANPDC01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... KALMANPDC01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... KALMANPDC01 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... KALMANPDC01 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,KALMANPDC01] A recent replication attempt failed:
            From KALMANEXG01 to KALMANPDC01
            Naming Context: DC=ForestDnsZones,DC=kalmancoinc,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.

            The failure occurred at 2012-12-28 20:51:08.
            The last success occurred at 2012-12-06 15:58:34.
            541 failures have occurred since the last success.
         [KALMANEXG01] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         [Replications Check,KALMANPDC01] A recent replication attempt failed:
            From KALMANEXG01 to KALMANPDC01
            Naming Context: DC=DomainDnsZones,DC=kalmancoinc,DC=com
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2012-12-28 21:02:28.
            The last success occurred at 2012-12-06 16:46:08.
            777 failures have occurred since the last success.
            The source remains down. Please check the machine.
         [Replications Check,KALMANPDC01] A recent replication attempt failed:
            From KALMANEXG01 to KALMANPDC01
            Naming Context: CN=Schema,CN=Configuration,DC=kalmancoinc,DC=com
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2012-12-28 20:51:10.
            The last success occurred at 2012-12-06 15:58:33.
            536 failures have occurred since the last success.
            The source remains down. Please check the machine.
         [Replications Check,KALMANPDC01] A recent replication attempt failed:
            From KALMANEXG01 to KALMANPDC01
            Naming Context: CN=Configuration,DC=kalmancoinc,DC=com
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2012-12-28 21:02:25.
            The last success occurred at 2012-12-06 15:58:32.
            603 failures have occurred since the last success.
            The source remains down. Please check the machine.
         [Replications Check,KALMANPDC01] A recent replication attempt failed:
            From KALMANEXG01 to KALMANPDC01
            Naming Context: DC=kalmancoinc,DC=com
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2012-12-28 21:14:58.
            The last success occurred at 2012-12-06 16:54:18.
            35016 failures have occurred since the last success.
            The source remains down. Please check the machine.
         ......................... KALMANPDC01 failed test Replications
      Starting test: RidManager
         ......................... KALMANPDC01 passed test RidManager
      Starting test: Services
         ......................... KALMANPDC01 passed test Services
      Starting test: SystemLog
         An Warning Event occurred.  EventID: 0x80060005
            Time Generated: 12/28/2012   20:35:10
            Event String:
            The Virtual Storage Filter Driver is disabled through the registry.
It is inactive for all disk drives.
         An Warning Event occurred.  EventID: 0x80000001
            Time Generated: 12/28/2012   20:35:17
            Event String:
            Failed to open handle to switch list configuration store key due to
error C0000034. Persistent Virtual Switches and Ports are not restored.
         An Error Event occurred.  EventID: 0x00000029
            Time Generated: 12/28/2012   20:35:21
            Event String:
            Hyper-V launch failed; Either VMX not present or not enabled in BIOS
.
         An Error Event occurred.  EventID: 0x00000020
            Time Generated: 12/28/2012   20:35:21
            Event String:
            Hyper-V launch failed; at least one of the processors in the system
does not appear to provide a virtualization platform supported by Hyper-V.
         An Warning Event occurred.  EventID: 0x80040020
            Time Generated: 12/28/2012   20:35:51
            Event String:
            The driver detected that the device \Device\Harddisk0\DR0 has its wr
ite cache enabled. Data corruption may occur.
         An Warning Event occurred.  EventID: 0x80040020
            Time Generated: 12/28/2012   20:35:51
            Event String:
            The driver detected that the device \Device\Harddisk0\DR0 has its wr
ite cache enabled. Data corruption may occur.
         An Warning Event occurred.  EventID: 0x80040020
            Time Generated: 12/28/2012   20:35:51
            Event String:
            The driver detected that the device \Device\Harddisk0\DR0 has its wr
ite cache enabled. Data corruption may occur.
         An Error Event occurred.  EventID: 0xC0003AAD
            Time Generated: 12/28/2012   20:36:08
            Event String:
            An error occured while using SSL configuration for socket address 0.
0.0.0:443.  The error status code is contained within the returned data.
         An Error Event occurred.  EventID: 0xC0003AAD
            Time Generated: 12/28/2012   20:36:08
            Event String:
            An error occured while using SSL configuration for socket address [:
:]:443.  The error status code is contained within the returned data.
         An Warning Event occurred.  EventID: 0x8000A000
            Time Generated: 12/28/2012   20:36:13
            Event String:
            The Security System detected an authentication error for the server
ldap/KalmanPDC01.kalmancoinc.com. The failure code from authentication protocol
Kerberos was "There are currently no logon servers available to service the logo
n request.
         An Warning Event occurred.  EventID: 0x8000A000
            Time Generated: 12/28/2012   20:36:36
            Event String:
            The Security System detected an authentication error for the server
LDAP/KALMANPDC01. The failure code from authentication protocol Kerberos was "Th
ere are currently no logon servers available to service the logon request.
         An Warning Event occurred.  EventID: 0x00001696
            Time Generated: 12/28/2012   20:36:36
            Event String:
            Dynamic registration or deregistration of one or more DNS records fa
iled with the following error:
         An Warning Event occurred.  EventID: 0x000003FC
            Time Generated: 12/28/2012   20:36:53
            Event String:
            The Session Directory Computers group is empty. For the Terminal Ser
vices Session Broker service to work correctly, you must add the computer accoun
ts of terminal servers to this group.
         An Error Event occurred.  EventID: 0xC00003EE
            Time Generated: 12/28/2012   20:37:31
            Event String:
            Server for NFS is not configured for either Active Directory Lookup
or User Name Mapping.
         An Warning Event occurred.  EventID: 0x80003BC4
            Time Generated: 12/28/2012   20:38:29
            Event String:
            SSL Certificate Settings deleted for Port : 0.0.0.0:50106 .
         An Warning Event occurred.  EventID: 0x80003BC5
            Time Generated: 12/28/2012   20:38:29
            Event String:
            SSL Certificate Settings created by an admin process for Port : 0.0.
0.0:50106 .
         An Warning Event occurred.  EventID: 0x000727AA
            Time Generated: 12/28/2012   20:41:11
            Event String:
            The WinRM service failed to create the following SPNs: WSMAN/KalmanP
DC01.kalmancoinc.com; WSMAN/KalmanPDC01.
         An Error Event occurred.  EventID: 0x00004E8A
            Time Generated: 12/28/2012   20:41:15
            Event String:
            Unable to add the interface {E68B6187-DF8D-4E6C-8B8D-E6FBBCFF7280} w
ith the Router Manager for the IPV6 protocol. The following error occurred: Cann
ot complete this function.
         An Warning Event occurred.  EventID: 0x825A002F
            Time Generated: 12/28/2012   20:41:18
            Event String:
            Time Provider NtpClient: No valid response has been received from ma
nually configured peer 0x1 after 8 attempts to contact it. This peer will be dis
carded as a time source and NtpClient will attempt to discover a new peer with t
his DNS name. The error was: The peer is unreachable.
         An Warning Event occurred.  EventID: 0x80003BC4
            Time Generated: 12/28/2012   20:43:30
            Event String:
            SSL Certificate Settings deleted for Port : 0.0.0.0:50106 .
         An Warning Event occurred.  EventID: 0x80003BC5
            Time Generated: 12/28/2012   20:43:30
            Event String:
            SSL Certificate Settings created by an admin process for Port : 0.0.
0.0:50106 .
         ......................... KALMANPDC01 failed test SystemLog
      Starting test: VerifyReferences
         ......................... KALMANPDC01 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : kalmancoinc
      Starting test: CheckSDRefDom
         ......................... kalmancoinc passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... kalmancoinc passed test CrossRefValidation

   Running enterprise tests on : kalmancoinc.com
      Starting test: LocatorCheck
         ......................... kalmancoinc.com passed test LocatorCheck
      Starting test: Intersite
         ......................... kalmancoinc.com passed test Intersite

C:\Users\Administrator>dcdiag
0
 

Accepted Solution

by:
dassr23 earned 0 total points
ID: 38729476
What an effort!! I resolved this error, which ended up being a DNS issue. I changed the DNS server to point to itself and did a flush. Then it was able to begin replication to the Exchange server.

 The replication generated an error (1722):
            The RPC server is unavailable

http://www.experts-exchange.com/Storage/Misc/Q_25369185.html

But after I fixed that, Exchange would not start due to a WinRM error. I uninstalled/reinstalled that and did a WinRM quickconfig, and now all is well.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_27847374.html


In the end I did not upgrade to SP2. I will do that another day.

Case Closed.
0
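The triage done by eye on the dcdiag output in this thread, as an added example that is not part of the original posts: it parses the Replications failures from saved dcdiag text and reports, per naming context, the source DC, the error code and the days since the last success. The function names and the 7-day threshold are assumptions; the sample is an excerpt of the output posted above.

```python
import re
from datetime import datetime

# Excerpt (two of the five records) of the dcdiag output posted in the thread.
SAMPLE = """\
         [Replications Check,KALMANPDC01] A recent replication attempt failed:
            From KALMANEXG01 to KALMANPDC01
            Naming Context: DC=ForestDnsZones,DC=kalmancoinc,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
            The failure occurred at 2012-12-28 20:51:08.
            The last success occurred at 2012-12-06 15:58:34.
            541 failures have occurred since the last success.
         [Replications Check,KALMANPDC01] A recent replication attempt failed:
            From KALMANEXG01 to KALMANPDC01
            Naming Context: CN=Schema,CN=Configuration,DC=kalmancoinc,DC=com
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2012-12-28 20:51:10.
            The last success occurred at 2012-12-06 15:58:33.
            536 failures have occurred since the last success.
         ......................... KALMANPDC01 failed test Replications
"""

def _timestamp(value):
    try:  # anything that is not a timestamp (no success on record) becomes None
        return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None

FIELDS = {
    "source": (r"From (\S+) to \S+$", str),
    "nc": (r"Naming Context: (.+)$", str),
    "error": (r"The replication generated an error \((\d+)\):", int),
    "failed_at": (r"The failure occurred at (.+?)\.$", _timestamp),
    "last_success": (r"The last success occurred at (.+?)\.$", _timestamp),
    "failures": (r"(\d+) failures have occurred", int),
}

def parse_replication_failures(text):
    """Return one dict per 'A recent replication attempt failed' record."""
    records, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if "A recent replication attempt failed" in line:
            records.append(cur := {})
        elif line.startswith("....."):  # test result line ends the section
            cur = None
        elif cur is not None:
            for key, (pattern, convert) in FIELDS.items():
                m = re.match(pattern, line)
                if m:
                    cur[key] = convert(m.group(1))
    return records

def stale_partitions(records, max_gap_days=7):
    """Records whose last success is absent or max_gap_days+ before the failure."""
    report = []
    for r in records:
        last, failed = r.get("last_success"), r.get("failed_at")
        gap = (failed - last).days if last and failed else None
        if gap is None or gap >= max_gap_days:
            schema = r.get("nc", "").startswith("CN=Schema,")
            report.append({**r, "gap_days": gap, "schema": schema})
    return report
```

Both sample records come back with a 22-day gap from the same source DC, and the row flagged `schema` is the partition the failed SP2 schema import in the thread was writing to.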
 

Author Closing Comment

by:dassr23
ID: 38739486
I did research on my own through this forum and the internet to correct the problem.
0
