Solved

Exchange 2010 Unable to modify default receive connector

Posted on 2013-06-01
7
1,111 Views
Last Modified: 2015-05-21
Getting this error trying to make a change to the default receive connector

I am using an account with organization management and full domain and enterprise admin permissions. I have made sure that inheritable permissions are applied on the account.

Does anyone have any troubleshooting ideas. Tried various fixes so far but cant get anything to work

_______________________________________________________________________________________________

Failed to save admin audit log for this cmdlet invocation.
Organization:  
Log content:
Subject: Domain.com/Users/exch_adm : Set-ReceiveConnector
Body:
Cmdlet Name: Set-ReceiveConnector
Object Modified: SERVER-EX01\Default SERVER-EX01
Parameter: Identity = SERVER-EX01\Default SERVER-EX01
Parameter: PermissionGroups = AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
Property Modified: PermissionGroups = AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
Property Original: PermissionGroups = ExchangeUsers, ExchangeServers, ExchangeLegacyServers
Caller: Domain.com/Users/exch_adm
Succeeded: False
Error: Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on SERVER-DC01.Domain.com. This error is not retriable. Additional information: Access is denied.\r\nActive directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\n ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.\r\n   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)\r\n   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)\r\n   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout)\r\n   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)\r\n   --- End of inner exception stack trace ---\r\n   at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)\r\n   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)\r\n   at Microsoft.Exchange.Data.Directory.ADSession.SaveSecurityDescriptor(ADObject obj, RawSecurityDescriptor sd, Boolean modifyOwner)\r\n   at Microsoft.Exchange.Data.Directory.SystemConfiguration.ReceiveConnector.SaveNewSecurityDescriptor(Boolean isEdge)\r\n   at Microsoft.Exchange.Management.SystemConfigurationTasks.SetReceiveConnector.InternalProcessRecord()
Run Date: 2013-06-01T08:32:04
OriginatingServer: SERVER-EX01 (14.03.0123.002)
 
Error:
Exception thrown during AdminLogProvisioningHandler.Validate: Microsoft.Exchange.Data.Storage.ObjectNotFoundException: The discovery mailbox, a hidden default mailbox that is required to search mailboxes, can't be found. It may have been inadvertently deleted. This mailbox must be re-created before you can search mailboxes.
   at Microsoft.Exchange.Data.Storage.Infoworker.MailboxSearch.MailboxDataProvider.GetDiscoveryMailbox(ADRecipientSession session)
   at Microsoft.Exchange.Management.SystemConfigurationTasks.AdminAuditLogHelper.CheckArbitrationMailboxStatus(OrganizationId organizationId, ADUser& user, ExchangePrincipal& principal, String& errorMessage)
0
Comment
Question by:vmdude
  • 4
  • 2
7 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
Comment Utility
If you have tried things then you need to say what they are, because otherwise people may just repeat things that you have done.

You are getting an error about the Discover Mailbox missing. It should be recreated to begin with: http://technet.microsoft.com/en-us/library/gg588318.aspx

Simon.
0
 
LVL 6

Author Comment

by:vmdude
Comment Utility
Things I have tried

- Made sure inheritance was set on user account
- Made sure AdminSDHolder has inheritable permissions
- Created a new Exchange Administrator account (with org management, domain admin etc)
- Re-run setup /PrepareAD

This is a single domain and forest with no child domains.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
Comment Utility
Have you tried with THE administrator account, or with the account used to originally install Exchange?
Are you still getting the error about the Discovery Mailbox being missing?

Simon.
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 6

Author Comment

by:vmdude
Comment Utility
Hi,

Yes I have tried with the main administrator account used to install Exchange.
All Exchange 2010 servers have now successfully been upgraded to SP3 and the Discovery Mailbox and all arbitration mailboxes are now displaying.

Now when I try to perform the operation I no longer get the error in the logs however the pop-up comes up with the following message

--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
The following error(s) occurred while saving changes:

Set-ReceiveConnector
Failed
Error:
Active Directory operation failed on DC.DOMAIN.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


The user has insufficient access rights.




--------------------------------------------------------
OK
--------------------------------------------------------
0
 
LVL 6

Accepted Solution

by:
vmdude earned 0 total points
Comment Utility
Found the answer

Needed to add inheritance at the following location via ADSI Edit

CN=Domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com

nstall ADSI Edit and then start ADSI Edit.
Click Start, click Run, type adsiedit.msc, and then click OK.
Locate the object in question, right-click the object, and then click Properties.
On the Security tab, click Advanced.
Click Allow inheritable permissions from the parent to propagate to this object and all child objects to re-enable permissions inheritance.
Click OK two times to apply the change.
Wait for Active Directory replication to propagate the changes, or force Active Directory replication if it is necessary.
0
 
LVL 6

Author Closing Comment

by:vmdude
Comment Utility
Because this is the answer and it fixed the exact problem I was facing
0
 

Expert Comment

by:tvogunleye
Comment Utility
we cannot find the following CN=Domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com
 in AD. how do we create it ?
0

Featured Post

Do email signature updates give you a headache?

Do you feel like you are constantly making changes to email signatures? Are the images not formatting how you want them to? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today.

Join & Write a Comment

We are happy to announce a brand new addition to our line of acclaimed email signature management products – CodeTwo Email Signatures for Office 365.
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
This video discusses moving either the default database or any database to a new volume.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now