Solved

Exchange 2013 New Mailbox Problem 4003

Posted on 2014-11-20
Last Modified: 2015-05-05
Having an issue attempting to create a new mailbox on Exchange 2013 with CU5. It pops up the error listed below. I am able to create a user in AD then create a mailbox for the user with no problems. Creating the user through Exchange is a problem. I have run setup /prepareAD and setup /prepareDomain, restarted servers, ensured the license key was entered, created new Exchange administrators, and still am presented with the error below. Originally the server had no health monitoring mailboxes; I was able to get Exchange to create those so they are no longer missing. Not really sure what to look at next.

Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on . This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   at Microsoft.Exchange.Data.Directory.ADDataSession.Save(ADObject instanceToSave, IEnumerable`1 properties, Boolean bypassValidation)
   at Microsoft.Exchange.Configuration.Tasks.SetTaskBase`1.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.NewTaskBase`1.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.NewADTaskBase`1.InternalProcessRecord()
   at Microsoft.Exchange.Management.Common.NewUserBase.InternalProcessRecord()
   at Microsoft.Exchange.Management.RecipientTasks.NewMailboxBase.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
   ServerOperation
   System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
      at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
      at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
      at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo)
      at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
   Ex6AE46B
   
   
   False
   
   0 objects execution has been proxied to remote server.
   
   
   0
   ActivityId: 274530e2-6a32-4294-a294-6690bfc99cd4
   ServicePlan:;IsAdmin:True;
   
   en-US
Question by:MainStaySolutions
15 Comments
 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 500 total points
ID: 40457079
When you did the install, did you specify split-permissions during the install to keep AD and Exchange separate?
http://technet.microsoft.com/en-us/library/dd638106(v=exchg.150).aspx
0
 

Author Comment

by:MainStaySolutions
ID: 40457218
Well, reading that article it would make sense.  Don't remember specifying that during setup.  I'll check it out and report back!

Thank you.
0
 

Author Comment

by:MainStaySolutions
ID: 40457860
Okay well, after hunting and searching, is there any way to check what permissions model you are using? The only reference I've found is here:

http://www.dominikhoefling.com/Blog/Post/9/Exchange-permissions-model

And the note it makes is:

"Exchange Windows Permissions

This group is used to create and modify permissions to all Active Directory objects in all domains. When Split Permissions is not enabled, the Exchange Trusted Subsystem group is automatically added to this group. "

I checked and the Exchange Trusted Subsystem Group is a member of Exchange Windows Permissions.

Thank you.
0
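
Added example, not part of the original thread: a read-only check of the indicators this discussion relies on, namely whether Exchange Trusted Subsystem is a direct member of Exchange Windows Permissions, whether the current account is in Organization Management, and whether the target OU blocks inherited ACEs. It assumes the RSAT ActiveDirectory module, the default Exchange group names, and a placeholder OU distinguished name that must be replaced.

```powershell
# Added example (not from the thread). Read-only; changes nothing in AD.
# Assumptions: ActiveDirectory module installed, default Exchange group names,
# and $TargetOU is a placeholder for the OU where new users are created.
Import-Module ActiveDirectory

$TargetOU = 'OU=Users,DC=example,DC=com'   # placeholder, replace with your OU DN

# Exchange security groups are created in the forest root domain.
$root = (Get-ADForest).RootDomain

# 1. Direct members of Exchange Windows Permissions. Per the note quoted above,
#    Exchange Trusted Subsystem is in this group when split permissions are off.
#    No -Recursive here: recursion returns only leaf objects, never groups.
$ewpMembers = Get-ADGroupMember -Identity 'Exchange Windows Permissions' -Server $root
$etsInEwp   = [bool]($ewpMembers | Where-Object { $_.Name -eq 'Exchange Trusted Subsystem' })

# 2. Is the account running this script in Organization Management,
#    including membership through nested groups?
$me        = $env:USERNAME
$orgMgmt   = Get-ADGroupMember -Identity 'Organization Management' -Server $root -Recursive
$inOrgMgmt = [bool]($orgMgmt | Where-Object { $_.SamAccountName -eq $me })

# 3. ACL on the OU where the user object would be created: does the
#    Exchange Windows Permissions group hold any ACE, and is inheritance blocked?
$acl     = Get-Acl -Path "AD:\$TargetOU"
$ewpAces = @($acl.Access | Where-Object {
    $_.IdentityReference -like '*\Exchange Windows Permissions'
})

[pscustomobject]@{
    ForestRootDomain                     = $root
    TrustedSubsystemInWindowsPermissions = $etsInEwp
    CurrentUser                          = $me
    InOrganizationManagement             = $inOrgMgmt
    TargetOU                             = $TargetOU
    OUInheritanceBlocked                 = $acl.AreAccessRulesProtected
    WindowsPermissionsAceCountOnOU       = $ewpAces.Count
    Reading                              = if ($etsInEwp) {
        'Trusted Subsystem is in Windows Permissions (split permissions not enabled)'
    } else {
        'Trusted Subsystem is NOT in Windows Permissions (AD split permissions may be enabled)'
    }
}
```

If the membership checks look correct but `WindowsPermissionsAceCountOnOU` is 0 or `OUInheritanceBlocked` is True, the INSUFF_ACCESS_RIGHTS error may come from the OU's ACL rather than from the permissions model.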
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40458427
That's a very good question. Because I can never find much info on it either.

I did however run into this article. It looks like switching back to an RBAC model is much easier in 2013. I am not even sure if it was possible in 2010 once you committed.

http://technet.microsoft.com/en-us/library/dd638155(v=exchg.150).aspx
0
 

Assisted Solution

by:MainStaySolutions
MainStaySolutions earned 0 total points
ID: 40458965
Well tried both options under:

http://technet.microsoft.com/en-us/library/dd638146(v=exchg.150).aspx

and zero luck; the error still pops up when creating a new user with a new mailbox.
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40458967
Yeah, it basically says you don't have permissions. Are you a member of the Organization Management group in Exchange?
0
 

Author Comment

by:MainStaySolutions
ID: 40458969
Actually it's worse now, I'm not even able to mail enable users.
0
 

Author Comment

by:MainStaySolutions
ID: 40458970
Yes, there are currently 3 people in the group and each one seems to have no permission to mail enable users now.
0
 

Author Comment

by:MainStaySolutions
ID: 40458974
Well, scratch that, I can't mail enable an old test user. So back at square one.
0
 

Assisted Solution

by:MainStaySolutions
MainStaySolutions earned 0 total points
ID: 40458999
Not sure if this matters, but I was able to check another Exchange 2013 domain. The Exchange Trusted Subsystem groups are different: one has Administrators in it and "enable inheritance" disabled; the other doesn't have the Administrators group and inheritance is enabled.

Update made no difference either way; same error.
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40460824
Hmm. Not sure what else it could be. Alerted the mods to bring in more experts.
0
 

Author Comment

by:MainStaySolutions
ID: 40461129
Well I decided to give it another go today... And, it's working now. Not sure what exactly it was, if it was a combination of the things, but I tested on 2 different users and had no more issues creating users.
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40461149
Glad you got it going! AD replication perhaps....
0
 

Author Closing Comment

by:MainStaySolutions
ID: 40470204
May have been a combination of items that fixed it, between adding administrators and rerunning setup to disable split permissions.
0
 

Expert Comment

by:patrickkobai
ID: 40760511
Please check if the user creating the database or carrying out the operation has full control of the V15 folder. In my case this was the problem.
0
