Solved

Exchange 2010 Unable to modify default receive connector

Posted on 2013-06-01
7
1,160 Views
Last Modified: 2015-05-21
Getting this error trying to make a change to the default receive connector

I am using an account with organization management and full domain and enterprise admin permissions. I have made sure that inheritable permissions are applied on the account.

Does anyone have any troubleshooting ideas. Tried various fixes so far but cant get anything to work

_______________________________________________________________________________________________

Failed to save admin audit log for this cmdlet invocation.
Organization:  
Log content:
Subject: Domain.com/Users/exch_adm : Set-ReceiveConnector
Body:
Cmdlet Name: Set-ReceiveConnector
Object Modified: SERVER-EX01\Default SERVER-EX01
Parameter: Identity = SERVER-EX01\Default SERVER-EX01
Parameter: PermissionGroups = AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
Property Modified: PermissionGroups = AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
Property Original: PermissionGroups = ExchangeUsers, ExchangeServers, ExchangeLegacyServers
Caller: Domain.com/Users/exch_adm
Succeeded: False
Error: Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on SERVER-DC01.Domain.com. This error is not retriable. Additional information: Access is denied.\r\nActive directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\n ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.\r\n   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)\r\n   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)\r\n   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout)\r\n   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)\r\n   --- End of inner exception stack trace ---\r\n   at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)\r\n   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)\r\n   at Microsoft.Exchange.Data.Directory.ADSession.SaveSecurityDescriptor(ADObject obj, RawSecurityDescriptor sd, Boolean modifyOwner)\r\n   at Microsoft.Exchange.Data.Directory.SystemConfiguration.ReceiveConnector.SaveNewSecurityDescriptor(Boolean isEdge)\r\n   at Microsoft.Exchange.Management.SystemConfigurationTasks.SetReceiveConnector.InternalProcessRecord()
Run Date: 2013-06-01T08:32:04
OriginatingServer: SERVER-EX01 (14.03.0123.002)
 
Error:
Exception thrown during AdminLogProvisioningHandler.Validate: Microsoft.Exchange.Data.Storage.ObjectNotFoundException: The discovery mailbox, a hidden default mailbox that is required to search mailboxes, can't be found. It may have been inadvertently deleted. This mailbox must be re-created before you can search mailboxes.
   at Microsoft.Exchange.Data.Storage.Infoworker.MailboxSearch.MailboxDataProvider.GetDiscoveryMailbox(ADRecipientSession session)
   at Microsoft.Exchange.Management.SystemConfigurationTasks.AdminAuditLogHelper.CheckArbitrationMailboxStatus(OrganizationId organizationId, ADUser& user, ExchangePrincipal& principal, String& errorMessage)
0
Comment
Question by:vmdude
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39212792
If you have tried things then you need to say what they are, because otherwise people may just repeat things that you have done.

You are getting an error about the Discover Mailbox missing. It should be recreated to begin with: http://technet.microsoft.com/en-us/library/gg588318.aspx

Simon.
0
 
LVL 6

Author Comment

by:vmdude
ID: 39213188
Things I have tried

- Made sure inheritance was set on user account
- Made sure AdminSDHolder has inheritable permissions
- Created a new Exchange Administrator account (with org management, domain admin etc)
- Re-run setup /PrepareAD

This is a single domain and forest with no child domains.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39214987
Have you tried with THE administrator account, or with the account used to originally install Exchange?
Are you still getting the error about the Discovery Mailbox being missing?

Simon.
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 6

Author Comment

by:vmdude
ID: 39215719
Hi,

Yes I have tried with the main administrator account used to install Exchange.
All Exchange 2010 servers have now successfully been upgraded to SP3 and the Discovery Mailbox and all arbitration mailboxes are now displaying.

Now when I try to perform the operation I no longer get the error in the logs however the pop-up comes up with the following message

--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
The following error(s) occurred while saving changes:

Set-ReceiveConnector
Failed
Error:
Active Directory operation failed on DC.DOMAIN.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


The user has insufficient access rights.




--------------------------------------------------------
OK
--------------------------------------------------------
0
 
LVL 6

Accepted Solution

by:
vmdude earned 0 total points
ID: 39215785
Found the answer

Needed to add inheritance at the following location via ADSI Edit

CN=Domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com

nstall ADSI Edit and then start ADSI Edit.
Click Start, click Run, type adsiedit.msc, and then click OK.
Locate the object in question, right-click the object, and then click Properties.
On the Security tab, click Advanced.
Click Allow inheritable permissions from the parent to propagate to this object and all child objects to re-enable permissions inheritance.
Click OK two times to apply the change.
Wait for Active Directory replication to propagate the changes, or force Active Directory replication if it is necessary.
0
 
LVL 6

Author Closing Comment

by:vmdude
ID: 39232780
Because this is the answer and it fixed the exact problem I was facing
0
 

Expert Comment

by:tvogunleye
ID: 40789256
we cannot find the following CN=Domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com
 in AD. how do we create it ?
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
Check out this step-by-step guide for using the newly updated Experts Exchange mobile app—released on May 30.
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question