1 of 2 Exchange 2010 R2 is having Access Denied Errors - INSUFF_ACCESS_RIGHTS on most operations. How do I resolve this?

I am in the middle of an Exchange upgrade migration. Currently we have the following...

Two Exchange 2003 running on Server 2003 in a cluster - ( ex01, ex02, excluster)
Two Server 2003 Domain Controllers
Two New Server 2008 R2 Domain Controllers
Two New Exchange 2010 mail servers running on Server 2008 R2 - ( exch01 and exch02)

Both Exchange 2010  mail servers have a DAG setup.

PROBLEM:
I am getting Access Denied Errors for every operation I try on exch01. BUT, all operations work on exch02. <- Knowing this, what can we safely rule out?

------------------------------------------------------------------------------------------------------------------------------------
EXAMPLE OPERATIONS FAILING:
------------------------------------------------------------------------------------------------------------------------------------
1.) MAILBOX CREATION...

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:06

Jumping Jack
Failed

Error:
Active Directory operation failed on bc-phx-dc01.company.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


The user has insufficient access rights.
Click here for help... http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.1.218.11&t=exchgf1&e=ms.exch.err.Ex6AE46B

Exchange Management Shell command attempted:
New-Mailbox -Name 'Jumping Jack' -Alias 'jjack' -OrganizationalUnit 'company.com/Users' -UserPrincipalName 'jjack@company.com' -SamAccountName 'jjack' -FirstName 'Jumping' -Initials '' -LastName 'Jack' -Password 'System.Security.SecureString' -ResetPasswordOnNextLogon $false

Elapsed Time: 00:00:00

------------------------------------------------------------------------------------------------------------------------------------
2.) NOT ABLE TO DELETE OR CREATE SEND CONNECTOR...

Action 'Remove' could not be performed on object 'SendConnector'.

SendConnector
Failed
Error:
Active Directory operation failed on bc-phx-dc01.company.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-0315202A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

The user has insufficient access rights.
------------------------------------------------------------------------------------------------------------------------------------

3.) CREATING A NEW DATABASE...

TEST2DB
Failed

Error:
Active Directory operation failed on bc-phx-dc01.company.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


The user has insufficient access rights.
Click here for help... http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.1.218.11&t=exchgf1&e=ms.exch.err.Ex6AE46B

Warning:
Mailbox database "TEST2DB" was not deleted because the following error occurred: Active Directory operation failed on bc-phx-dc01.company.com. The object 'CN=TEST2DB,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Company Communications Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com' does not exist. .

Exchange Management Shell command attempted:
new-mailboxdatabase -Server 'BC-PHX-EXCH01' -Name 'TEST2DB' -EdbFilePath 'C:\Program Files\Microsoft\Exchange Server\V14\Mailbox\TEST2DB\TEST2DB.edb' -LogFolderPath 'C:\Program Files\Microsoft\Exchange Server\V14\Mailbox\TEST2DB'

Elapsed Time: 00:00:00
------------------------------------------------------------------------------------------------------------------------------------

HERE IS A LOG ENTRY FROM exch01...

Log Name:      Application
Source:        MSExchangeRepl
Date:          8/1/2014 11:53:31 AM
Event ID:      4113
Task Category: Service
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      bc-phx-exch01.company.com
Description:
Database redundancy health check failed.
Database copy: mail_store_exch01_01
Redundancy count: 1

Error: The number of configured copies for database 'mail_store_exch01_01' (1) is less than the required redundancy count (2).

Name                 Status RealCopyQueu InspectorQue  ReplayQueue      CIState
                                       e           ue                          
----                 ------ ------------ ------------  -----------      -------
mail_store_ex       Mounted            0            0            0      Healthy
ch01_01\BC-PH                                                                  
X-EXCH01

===============
 Full Status
===============
Identity                         : mail_store_exch01_01\BC-PHX-EXCH01
Name                             : mail_store_exch01_01\BC-PHX-EXCH01
DatabaseName                     : mail_store_exch01_01
Status                           : Mounted
MailboxServer                    : BC-PHX-EXCH01
ActiveDatabaseCopy               : bc-phx-exch01
ActivationSuspended              : False
ActionInitiator                  : Unknown
ErrorMessage                     :
ErrorEventId                     :
ExtendedErrorInfo                :
SuspendComment                   :
SinglePageRestore                : 0
ContentIndexState                : Healthy
ContentIndexErrorMessage         :
CopyQueueLength                  : 0
ReplayQueueLength                : 0
LatestAvailableLogTime           :
LastCopyNotificationedLogTime    :
LastCopiedLogTime                :
LastInspectedLogTime             :
LastReplayedLogTime              :
LastLogGenerated                 : 0
LastLogCopyNotified              : 0
LastLogCopied                    : 0
LastLogInspected                 : 0
LastLogReplayed                  : 0
LogsReplayedSinceInstanceStart   : 0
LogsCopiedSinceInstanceStart     : 0
LatestFullBackupTime             :
LatestIncrementalBackupTime      :
LatestDifferentialBackupTime     :
LatestCopyBackupTime             :
SnapshotBackup                   :
SnapshotLatestFullBackup         :
SnapshotLatestIncrementalBackup  :
SnapshotLatestDifferentialBackup :
SnapshotLatestCopyBackup         :
LogReplayQueueIncreasing         : False
LogCopyQueueIncreasing           : False
OutstandingDumpsterRequests      : {}
OutgoingConnections              :
IncomingLogCopyingNetwork        :
SeedingNetwork                   :
ActiveCopy                       : True

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchangeRepl" />
    <EventID Qualifiers="49156">4113</EventID>
    <Level>2</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-08-01T18:53:31.000000000Z" />
    <EventRecordID>5599</EventRecordID>
    <Channel>Application</Channel>
    <Computer>bc-phx-exch01.company.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>mail_store_exch01_01</Data>
    <Data>1</Data>
    <Data>The number of configured copies for database 'mail_store_exch01_01' (1) is less than the required redundancy count (2).

Name                 Status RealCopyQueu InspectorQue  ReplayQueue      CIState
                                       e           ue                          
----                 ------ ------------ ------------  -----------      -------
mail_store_ex       Mounted            0            0            0      Healthy
ch01_01\BC-PH                                                                  
X-EXCH01

==============
 Full Status
===============
Identity                         : mail_store_exch01_01\BC-PHX-EXCH01
Name                             : mail_store_exch01_01\BC-PHX-EXCH01
DatabaseName                     : mail_store_exch01_01
Status                           : Mounted
MailboxServer                    : BC-PHX-EXCH01
ActiveDatabaseCopy               : bc-phx-exch01
ActivationSuspended              : False
ActionInitiator                  : Unknown
ErrorMessage                     :
ErrorEventId                     :
ExtendedErrorInfo                :
SuspendComment                   :
SinglePageRestore                : 0
ContentIndexState                : Healthy
ContentIndexErrorMessage         :
CopyQueueLength                  : 0
ReplayQueueLength                : 0
LatestAvailableLogTime           :
LastCopyNotificationedLogTime    :
LastCopiedLogTime                :
LastInspectedLogTime             :
LastReplayedLogTime              :
LastLogGenerated                 : 0
LastLogCopyNotified              : 0
LastLogCopied                    : 0
LastLogInspected                 : 0
LastLogReplayed                  : 0
LogsReplayedSinceInstanceStart   : 0
LogsCopiedSinceInstanceStart     : 0
LatestFullBackupTime             :
LatestIncrementalBackupTime      :
LatestDifferentialBackupTime     :
LatestCopyBackupTime             :
SnapshotBackup                   :
SnapshotLatestFullBackup         :
SnapshotLatestIncrementalBackup  :
SnapshotLatestDifferentialBackup :
SnapshotLatestCopyBackup         :
LogReplayQueueIncreasing         : False
LogCopyQueueIncreasing           : False
OutstandingDumpsterRequests      : {}
OutgoingConnections              :
IncomingLogCopyingNetwork        :
SeedingNetwork                   :
ActiveCopy                       : True

------------------------------------------------------------------------------------------------------------------------------------

REPLICATION HEALTH FOR BOTH EXCH01, EXCH02....

[PS] C:\Windows\system32>Test-ReplicationHealth

Server          Check                      Result     Error
------          -----                      ------     -----
BC-PHX-EXCH01   ClusterService             Passed
BC-PHX-EXCH01   ReplayService              Passed
BC-PHX-EXCH01   ActiveManager              Passed
BC-PHX-EXCH01   TasksRpcListener           Passed
BC-PHX-EXCH01   TcpListener                Passed
BC-PHX-EXCH01   DagMembersUp               Passed
BC-PHX-EXCH01   ClusterNetwork             Passed
BC-PHX-EXCH01   QuorumGroup                Passed
BC-PHX-EXCH01   FileShareQuorum            Passed

Server          Check                      Result     Error
------          -----                      ------     -----
BC-PHX-EXCH02   ClusterService             Passed
BC-PHX-EXCH02   ReplayService              Passed
BC-PHX-EXCH02   ActiveManager              Passed
BC-PHX-EXCH02   TasksRpcListener           Passed
BC-PHX-EXCH02   TcpListener                Passed
BC-PHX-EXCH02   DagMembersUp               Passed
BC-PHX-EXCH02   ClusterNetwork             Passed
BC-PHX-EXCH02   QuorumGroup                Passed
BC-PHX-EXCH02   FileShareQuorum            Passed


YOUR HELP WOULD GREATLY BE APPRECIATED.
jballiet5 Asked:

Simon Butler (Sembee), Consultant, Commented:
If everything works on the second server and a reboot doesn't work, then I would consider it a bad build. That would mean removing Exchange and then wiping the box and rebuilding it. I work on the basis that Exchange should work straight out of the box; failure to do so means a rebuild so I can trust it.

If it didn't work on the second server I would have said permissions.

Simon.

jballiet5 (Author) Commented:
Originally, the build worked fine.  Some corruption or configuration must be the issue.

Simon Butler (Sembee), Consultant, Commented:
Doesn't matter. It doesn't work now, and another server does.
That means the permissions are fine. Unless you are aware of a change that was made, rebuild the machine. I wouldn't want to leave a machine in production for three or more years where there was suspicion on the original build.

Simon.

jballiet5 (Author) Commented:
What is the recommended process for taking the host out of the DAG and off of the security domain? Just reverse what has been done?

Simon Butler (Sembee), Consultant, Commented:
You need to remove the replicas, then remove the server from the DAG.
Once done, remove Exchange using add/remove programs. Only then drop it from the domain and reboot.

Simon.

Jakob Digranes, Senior Consultant, Commented:
Please make sure all clocks and time zones are set correctly on the failing server.

jballiet5 (Author) Commented:
I solved the problem. Through troubleshooting another unrelated problem, I had removed the host from the "Exchange Trusted Subsystem" security group. When I added the host back, all access issues resolved.
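
The resolution reported above, as an added example that is not part of the original thread: a check that every Exchange 2010 server's computer account is still a member of the "Exchange Trusted Subsystem" group, the membership whose loss produced INSUFF_ACCESS_RIGHTS on exch01 while exch02 kept working. It assumes a single-domain forest, the ActiveDirectory PowerShell module available alongside the Exchange Management Shell, and the default group name; `$groupName`, `$report` and the version match are choices made for this example.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell
# on a host that also has the ActiveDirectory module (RSAT) installed.
Import-Module ActiveDirectory

$groupName = 'Exchange Trusted Subsystem'   # default name; assumed not renamed
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found in the current domain." }

# sAMAccountNames of the computer accounts in the group, e.g. 'BC-PHX-EXCH02$'
$members = @(Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { $_.SamAccountName })

# Exchange 2010 servers only; the legacy Exchange 2003 servers are not
# expected in this group. The string match works whether AdminDisplayVersion
# arrives as an object or as deserialized text.
$servers = Get-ExchangeServer |
    Where-Object { "$($_.AdminDisplayVersion)" -match '^Version 14\.' }

$report = foreach ($s in $servers) {
    New-Object PSObject -Property @{
        Server  = $s.Name
        InGroup = ($members -contains "$($s.Name)`$")
    }
}
$report | Sort-Object Server | Format-Table Server, InGroup -AutoSize

# Restore a missing member only after confirming the removal was unintended.
# -WhatIf previews the change; remove it to apply.
$report | Where-Object { -not $_.InGroup } | ForEach-Object {
    Add-ADGroupMember -Identity $group -Members (Get-ADComputer $_.Server) -WhatIf
}
```

A computer account picks up restored group membership when it obtains a fresh Kerberos ticket, which in practice usually means restarting the server. Because this group carries broad write access to Exchange objects in Active Directory, changes to its membership are worth auditing.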

Question has a verified solution.
