Solved

1 of 2 Exchange 2010 R2 is having Access Denied Errors - INSUFF_ACCESS_RIGHTS on most operations. How do I resolve this?

Posted on 2014-08-01
Last Modified: 2014-08-20
I am in the middle of an Exchange upgrade migration. Currently we have the following...

Two Exchange 2003 running on Server 2003 in a cluster - ( ex01, ex02, excluster)
Two Server 2003 Domain Controllers
Two New Server 2008 R2 Domain Controllers
Two New Exchange 2010 mail servers running on Server 2008 R2 - ( exch01 and exch02)

Both Exchange 2010 mail servers have a DAG set up.

PROBLEM:
I am getting Access Denied Errors for every operation I try on exch01. BUT, all operations work on exch02. <- Knowing this, what can we safely rule out?

------------------------------------------------------------------------------------------------------------------------------------
EXAMPLE OPERATIONS FAILING:
------------------------------------------------------------------------------------------------------------------------------------
1.) MAILBOX CREATION...

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:06

Jumping Jack
Failed

Error:
Active Directory operation failed on bc-phx-dc01.company.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


The user has insufficient access rights.
Click here for help... http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.1.218.11&t=exchgf1&e=ms.exch.err.Ex6AE46B

Exchange Management Shell command attempted:
New-Mailbox -Name 'Jumping Jack' -Alias 'jjack' -OrganizationalUnit 'company.com/Users' -UserPrincipalName 'jjack@company.com' -SamAccountName 'jjack' -FirstName 'Jumping' -Initials '' -LastName 'Jack' -Password 'System.Security.SecureString' -ResetPasswordOnNextLogon $false

Elapsed Time: 00:00:00

------------------------------------------------------------------------------------------------------------------------------------
2.) NOT ABLE TO DELETE OR CREATE SEND CONNECTOR...

Action 'Remove' could not be performed on object 'SendConnector'.

SendConnector
Failed
Error:
Active Directory operation failed on bc-phx-dc01.company.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-0315202A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

The user has insufficient access rights.
------------------------------------------------------------------------------------------------------------------------------------

3.) CREATING A NEW DATABASE...

TEST2DB
Failed

Error:
Active Directory operation failed on bc-phx-dc01.company.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


The user has insufficient access rights.
Click here for help... http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.1.218.11&t=exchgf1&e=ms.exch.err.Ex6AE46B

Warning:
Mailbox database "TEST2DB" was not deleted because the following error occurred: Active Directory operation failed on bc-phx-dc01.company.com. The object 'CN=TEST2DB,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Company Communications Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com' does not exist. .

Exchange Management Shell command attempted:
new-mailboxdatabase -Server 'BC-PHX-EXCH01' -Name 'TEST2DB' -EdbFilePath 'C:\Program Files\Microsoft\Exchange Server\V14\Mailbox\TEST2DB\TEST2DB.edb' -LogFolderPath 'C:\Program Files\Microsoft\Exchange Server\V14\Mailbox\TEST2DB'

Elapsed Time: 00:00:00
------------------------------------------------------------------------------------------------------------------------------------

HERE IS A LOG ENTRY FROM exch01...

Log Name:      Application
Source:        MSExchangeRepl
Date:          8/1/2014 11:53:31 AM
Event ID:      4113
Task Category: Service
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      bc-phx-exch01.company.com
Description:
Database redundancy health check failed.
Database copy: mail_store_exch01_01
Redundancy count: 1

Error: The number of configured copies for database 'mail_store_exch01_01' (1) is less than the required redundancy count (2).

Name                 Status RealCopyQueu InspectorQue  ReplayQueue      CIState
                                       e           ue                          
----                 ------ ------------ ------------  -----------      -------
mail_store_ex       Mounted            0            0            0      Healthy
ch01_01\BC-PH                                                                  
X-EXCH01

===============
 Full Status
===============
Identity                         : mail_store_exch01_01\BC-PHX-EXCH01
Name                             : mail_store_exch01_01\BC-PHX-EXCH01
DatabaseName                     : mail_store_exch01_01
Status                           : Mounted
MailboxServer                    : BC-PHX-EXCH01
ActiveDatabaseCopy               : bc-phx-exch01
ActivationSuspended              : False
ActionInitiator                  : Unknown
ErrorMessage                     :
ErrorEventId                     :
ExtendedErrorInfo                :
SuspendComment                   :
SinglePageRestore                : 0
ContentIndexState                : Healthy
ContentIndexErrorMessage         :
CopyQueueLength                  : 0
ReplayQueueLength                : 0
LatestAvailableLogTime           :
LastCopyNotificationedLogTime    :
LastCopiedLogTime                :
LastInspectedLogTime             :
LastReplayedLogTime              :
LastLogGenerated                 : 0
LastLogCopyNotified              : 0
LastLogCopied                    : 0
LastLogInspected                 : 0
LastLogReplayed                  : 0
LogsReplayedSinceInstanceStart   : 0
LogsCopiedSinceInstanceStart     : 0
LatestFullBackupTime             :
LatestIncrementalBackupTime      :
LatestDifferentialBackupTime     :
LatestCopyBackupTime             :
SnapshotBackup                   :
SnapshotLatestFullBackup         :
SnapshotLatestIncrementalBackup  :
SnapshotLatestDifferentialBackup :
SnapshotLatestCopyBackup         :
LogReplayQueueIncreasing         : False
LogCopyQueueIncreasing           : False
OutstandingDumpsterRequests      : {}
OutgoingConnections              :
IncomingLogCopyingNetwork        :
SeedingNetwork                   :
ActiveCopy                       : True

------------------------------------------------------------------------------------------------------------------------------------

REPLICATION HEALTH FOR BOTH EXCH01, EXCH02....

[PS] C:\Windows\system32>Test-ReplicationHealth

Server          Check                      Result     Error
------          -----                      ------     -----
BC-PHX-EXCH01   ClusterService             Passed
BC-PHX-EXCH01   ReplayService              Passed
BC-PHX-EXCH01   ActiveManager              Passed
BC-PHX-EXCH01   TasksRpcListener           Passed
BC-PHX-EXCH01   TcpListener                Passed
BC-PHX-EXCH01   DagMembersUp               Passed
BC-PHX-EXCH01   ClusterNetwork             Passed
BC-PHX-EXCH01   QuorumGroup                Passed
BC-PHX-EXCH01   FileShareQuorum            Passed

Server          Check                      Result     Error
------          -----                      ------     -----
BC-PHX-EXCH02   ClusterService             Passed
BC-PHX-EXCH02   ReplayService              Passed
BC-PHX-EXCH02   ActiveManager              Passed
BC-PHX-EXCH02   TasksRpcListener           Passed
BC-PHX-EXCH02   TcpListener                Passed
BC-PHX-EXCH02   DagMembersUp               Passed
BC-PHX-EXCH02   ClusterNetwork             Passed
BC-PHX-EXCH02   QuorumGroup                Passed
BC-PHX-EXCH02   FileShareQuorum            Passed


YOUR HELP WOULD GREATLY BE APPRECIATED.
Question by: jballiet5

Expert Comment

by:Simon Butler (Sembee)
ID: 40235408
If everything works on the second server and a reboot doesn't work, then I would consider it a bad build. That would mean removing Exchange and then wiping the box and rebuilding it. I work on the basis that Exchange should work straight out of the box, failure to do so means a rebuild so I can trust it.

If it didn't work on the second server I would have said permissions.

Simon.

Author Comment

by:jballiet5
ID: 40235500
Originally, the build worked fine.  Some corruption or configuration must be the issue.

Expert Comment

by:Simon Butler (Sembee)
ID: 40237520
Doesn't matter. It doesn't work now, and another server does.
That means the permissions are fine. Unless you are aware of a change that was made, rebuild the machine. I wouldn't want to leave a machine in production for three or more years where there was suspicion on the original build.

Simon.

Author Comment

by:jballiet5
ID: 40240008
What is the recommended process for taking the host out of the DAG and off of the security domain? Just reverse what has been done?

Expert Comment

by:Simon Butler (Sembee)
ID: 40246608
You need to remove the replicas, then remove the server from the DAG.
Once done, remove Exchange using add/remove programs. Only then drop it from the domain and reboot.

Simon.

Expert Comment

by:Jakob Digranes
ID: 40254541
Please make sure all clocks and time zones are set correctly on the failing server.

Accepted Solution

by: jballiet5
ID: 40263864
I solved the problem. Through troubleshooting another unrelated problem, I had removed the host from the "Exchange Trusted Subsystem" security group. When I added the host back, all access issues resolved.
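
The check behind the accepted fix, as an added PowerShell example that is not part of the original thread: it reports whether each Exchange server's computer account is a member of the "Exchange Trusted Subsystem" group. It assumes the ActiveDirectory module (RSAT) is available; the function name Test-TrustedSubsystemMembership is hypothetical, and the server names are the ones given in the question.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Hypothetical helper: reports whether each server's computer account is in the group.
function Test-TrustedSubsystemMembership {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $ServerName,
        [string] $GroupName = 'Exchange Trusted Subsystem'
    )

    # Computer accounts in the group, directly or through nested groups.
    # A computer's sAMAccountName ends in '$'; strip it to compare with host names.
    $members = @(Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'computer' } |
        ForEach-Object { $_.SamAccountName.TrimEnd('$') })

    foreach ($name in $ServerName) {
        New-Object PSObject -Property @{
            Server   = $name
            Group    = $GroupName
            IsMember = ($members -contains $name)   # -contains is case-insensitive
        }
    }
}

# Server names as given in the question.
Test-TrustedSubsystemMembership -ServerName 'BC-PHX-EXCH01', 'BC-PHX-EXCH02' |
    Format-Table Server, IsMember -AutoSize

# To restore a missing membership (run deliberately, with rights to edit the group):
# Add-ADGroupMember -Identity 'Exchange Trusted Subsystem' -Members (Get-ADComputer 'BC-PHX-EXCH01')
```

A computer account picks up a restored group membership only when it obtains a new Kerberos ticket, so restart the server after re-adding it. With security group management auditing enabled, removal of a member from this universal group is recorded on a domain controller as Security event 4757.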