?
Solved

Exchange 2010 Unable to modify default receive connector

Posted on 2013-06-01
7
Medium Priority
?
1,178 Views
Last Modified: 2015-05-21
Getting this error trying to make a change to the default receive connector

I am using an account with organization management and full domain and enterprise admin permissions. I have made sure that inheritable permissions are applied on the account.

Does anyone have any troubleshooting ideas. Tried various fixes so far but cant get anything to work

_______________________________________________________________________________________________

Failed to save admin audit log for this cmdlet invocation.
Organization:  
Log content:
Subject: Domain.com/Users/exch_adm : Set-ReceiveConnector
Body:
Cmdlet Name: Set-ReceiveConnector
Object Modified: SERVER-EX01\Default SERVER-EX01
Parameter: Identity = SERVER-EX01\Default SERVER-EX01
Parameter: PermissionGroups = AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
Property Modified: PermissionGroups = AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
Property Original: PermissionGroups = ExchangeUsers, ExchangeServers, ExchangeLegacyServers
Caller: Domain.com/Users/exch_adm
Succeeded: False
Error: Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on SERVER-DC01.Domain.com. This error is not retriable. Additional information: Access is denied.\r\nActive directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\n ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.\r\n   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)\r\n   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)\r\n   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout)\r\n   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)\r\n   --- End of inner exception stack trace ---\r\n   at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)\r\n   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)\r\n   at Microsoft.Exchange.Data.Directory.ADSession.SaveSecurityDescriptor(ADObject obj, RawSecurityDescriptor sd, Boolean modifyOwner)\r\n   at Microsoft.Exchange.Data.Directory.SystemConfiguration.ReceiveConnector.SaveNewSecurityDescriptor(Boolean isEdge)\r\n   at Microsoft.Exchange.Management.SystemConfigurationTasks.SetReceiveConnector.InternalProcessRecord()
Run Date: 2013-06-01T08:32:04
OriginatingServer: SERVER-EX01 (14.03.0123.002)
 
Error:
Exception thrown during AdminLogProvisioningHandler.Validate: Microsoft.Exchange.Data.Storage.ObjectNotFoundException: The discovery mailbox, a hidden default mailbox that is required to search mailboxes, can't be found. It may have been inadvertently deleted. This mailbox must be re-created before you can search mailboxes.
   at Microsoft.Exchange.Data.Storage.Infoworker.MailboxSearch.MailboxDataProvider.GetDiscoveryMailbox(ADRecipientSession session)
   at Microsoft.Exchange.Management.SystemConfigurationTasks.AdminAuditLogHelper.CheckArbitrationMailboxStatus(OrganizationId organizationId, ADUser& user, ExchangePrincipal& principal, String& errorMessage)
0
Comment
Question by:vmdude
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39212792
If you have tried things then you need to say what they are, because otherwise people may just repeat things that you have done.

You are getting an error about the Discover Mailbox missing. It should be recreated to begin with: http://technet.microsoft.com/en-us/library/gg588318.aspx

Simon.
0
 
LVL 6

Author Comment

by:vmdude
ID: 39213188
Things I have tried

- Made sure inheritance was set on user account
- Made sure AdminSDHolder has inheritable permissions
- Created a new Exchange Administrator account (with org management, domain admin etc)
- Re-run setup /PrepareAD

This is a single domain and forest with no child domains.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39214987
Have you tried with THE administrator account, or with the account used to originally install Exchange?
Are you still getting the error about the Discovery Mailbox being missing?

Simon.
0
Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

 
LVL 6

Author Comment

by:vmdude
ID: 39215719
Hi,

Yes I have tried with the main administrator account used to install Exchange.
All Exchange 2010 servers have now successfully been upgraded to SP3 and the Discovery Mailbox and all arbitration mailboxes are now displaying.

Now when I try to perform the operation I no longer get the error in the logs however the pop-up comes up with the following message

--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
The following error(s) occurred while saving changes:

Set-ReceiveConnector
Failed
Error:
Active Directory operation failed on DC.DOMAIN.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


The user has insufficient access rights.




--------------------------------------------------------
OK
--------------------------------------------------------
0
 
LVL 6

Accepted Solution

by:
vmdude earned 0 total points
ID: 39215785
Found the answer

Needed to add inheritance at the following location via ADSI Edit

CN=Domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com

nstall ADSI Edit and then start ADSI Edit.
Click Start, click Run, type adsiedit.msc, and then click OK.
Locate the object in question, right-click the object, and then click Properties.
On the Security tab, click Advanced.
Click Allow inheritable permissions from the parent to propagate to this object and all child objects to re-enable permissions inheritance.
Click OK two times to apply the change.
Wait for Active Directory replication to propagate the changes, or force Active Directory replication if it is necessary.
0
 
LVL 6

Author Closing Comment

by:vmdude
ID: 39232780
Because this is the answer and it fixed the exact problem I was facing
0
 

Expert Comment

by:tvogunleye
ID: 40789256
we cannot find the following CN=Domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com
 in AD. how do we create it ?
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
Unified and professional email signatures help maintain a consistent company brand image to the outside world. This article shows how to create an email signature in Exchange Server 2010 using a transport rule and how to overcome native limitations …
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
Suggested Courses

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question