Exchange 2010 Unable to modify default receive connector

Getting this error trying to make a change to the default receive connector

I am using an account with organization management and full domain and enterprise admin permissions. I have made sure that inheritable permissions are applied on the account.

Does anyone have any troubleshooting ideas. Tried various fixes so far but cant get anything to work

_______________________________________________________________________________________________

Failed to save admin audit log for this cmdlet invocation.
Organization:  
Log content:
Subject: Domain.com/Users/exch_adm : Set-ReceiveConnector
Body:
Cmdlet Name: Set-ReceiveConnector
Object Modified: SERVER-EX01\Default SERVER-EX01
Parameter: Identity = SERVER-EX01\Default SERVER-EX01
Parameter: PermissionGroups = AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
Property Modified: PermissionGroups = AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
Property Original: PermissionGroups = ExchangeUsers, ExchangeServers, ExchangeLegacyServers
Caller: Domain.com/Users/exch_adm
Succeeded: False
Error: Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on SERVER-DC01.Domain.com. This error is not retriable. Additional information: Access is denied.\r\nActive directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\n ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.\r\n   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)\r\n   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)\r\n   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout)\r\n   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)\r\n   --- End of inner exception stack trace ---\r\n   at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)\r\n   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)\r\n   at Microsoft.Exchange.Data.Directory.ADSession.SaveSecurityDescriptor(ADObject obj, RawSecurityDescriptor sd, Boolean modifyOwner)\r\n   at Microsoft.Exchange.Data.Directory.SystemConfiguration.ReceiveConnector.SaveNewSecurityDescriptor(Boolean isEdge)\r\n   at Microsoft.Exchange.Management.SystemConfigurationTasks.SetReceiveConnector.InternalProcessRecord()
Run Date: 2013-06-01T08:32:04
OriginatingServer: SERVER-EX01 (14.03.0123.002)
 
Error:
Exception thrown during AdminLogProvisioningHandler.Validate: Microsoft.Exchange.Data.Storage.ObjectNotFoundException: The discovery mailbox, a hidden default mailbox that is required to search mailboxes, can't be found. It may have been inadvertently deleted. This mailbox must be re-created before you can search mailboxes.
   at Microsoft.Exchange.Data.Storage.Infoworker.MailboxSearch.MailboxDataProvider.GetDiscoveryMailbox(ADRecipientSession session)
   at Microsoft.Exchange.Management.SystemConfigurationTasks.AdminAuditLogHelper.CheckArbitrationMailboxStatus(OrganizationId organizationId, ADUser& user, ExchangePrincipal& principal, String& errorMessage)
LVL 6
vmdudeAsked:
Who is Participating?
 
vmdudeConnect With a Mentor Author Commented:
Found the answer

Needed to add inheritance at the following location via ADSI Edit

CN=Domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com

nstall ADSI Edit and then start ADSI Edit.
Click Start, click Run, type adsiedit.msc, and then click OK.
Locate the object in question, right-click the object, and then click Properties.
On the Security tab, click Advanced.
Click Allow inheritable permissions from the parent to propagate to this object and all child objects to re-enable permissions inheritance.
Click OK two times to apply the change.
Wait for Active Directory replication to propagate the changes, or force Active Directory replication if it is necessary.
0
 
Simon Butler (Sembee)ConsultantCommented:
If you have tried things then you need to say what they are, because otherwise people may just repeat things that you have done.

You are getting an error about the Discover Mailbox missing. It should be recreated to begin with: http://technet.microsoft.com/en-us/library/gg588318.aspx

Simon.
0
 
vmdudeAuthor Commented:
Things I have tried

- Made sure inheritance was set on user account
- Made sure AdminSDHolder has inheritable permissions
- Created a new Exchange Administrator account (with org management, domain admin etc)
- Re-run setup /PrepareAD

This is a single domain and forest with no child domains.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
Simon Butler (Sembee)ConsultantCommented:
Have you tried with THE administrator account, or with the account used to originally install Exchange?
Are you still getting the error about the Discovery Mailbox being missing?

Simon.
0
 
vmdudeAuthor Commented:
Hi,

Yes I have tried with the main administrator account used to install Exchange.
All Exchange 2010 servers have now successfully been upgraded to SP3 and the Discovery Mailbox and all arbitration mailboxes are now displaying.

Now when I try to perform the operation I no longer get the error in the logs however the pop-up comes up with the following message

--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
The following error(s) occurred while saving changes:

Set-ReceiveConnector
Failed
Error:
Active Directory operation failed on DC.DOMAIN.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


The user has insufficient access rights.




--------------------------------------------------------
OK
--------------------------------------------------------
0
 
vmdudeAuthor Commented:
Because this is the answer and it fixed the exact problem I was facing
0
 
tvogunleyeCommented:
we cannot find the following CN=Domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com
 in AD. how do we create it ?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.