Avatar of MainStaySolutions
MainStaySolutions
 asked on

Exchange 2013 New Mailbox Problem 4003

Having an issue attempting to create a new mailbox on Exchange 2013 with CU5.  It pops up The error listed below. I am able to create a user in AD then create a mailbox for the user with no problems.  Creating the user through exchange is a problem.  I have ran setup /prepareAD and setup /prepareDomain, restarted servers, ensured the license key was entered created new exchange Administrators and still am presented with the error below. Originally the server had no health monitoring mailboxes, I was able to get exchange to create those so they are no longer missing. Not really sure what to look at next.

Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on . This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights. at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut) at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout) at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo) at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync) --- End of inner exception stack trace --- at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer) at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync) at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException) at Microsoft.Exchange.Data.Directory.ADDataSession.Save(ADObject instanceToSave, IEnumerable`1 properties, Boolean bypassValidation) at Microsoft.Exchange.Configuration.Tasks.SetTaskBase`1.InternalProcessRecord() at Microsoft.Exchange.Configuration.Tasks.NewTaskBase`1.InternalProcessRecord() at Microsoft.Exchange.Configuration.Tasks.NewADTaskBase`1.InternalProcessRecord() at Microsoft.Exchange.Management.Common.NewUserBase.InternalProcessRecord() at Microsoft.Exchange.Management.RecipientTasks.NewMailboxBase.InternalProcessRecord() at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b() at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
   ServerOperation
   System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights. at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut) at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout) at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo) at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
   Ex6AE46B
   
   
   False
   
   0 objects execution has been proxied to remote server.
   
   
   0
   ActivityId: 274530e2-6a32-4294-a294-6690bfc99cd4
   ServicePlan:;IsAdmin:True;
   
   en-US
Exchange

Avatar of undefined
Last Comment
patrickkobai

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Gareth Gudger

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
MainStaySolutions

ASKER
Well, reading that article it would make sense.  Don't remember specifying that during setup.  I'll check it out and report back!

Thank you.
MainStaySolutions

ASKER
Okay well, after hunting and searching, is there anyway to check what permissions model you are using.  The only reference I've found is here:

http://www.dominikhoefling.com/Blog/Post/9/Exchange-permissions-model

And the note it makes is:

"Exchange Windows Permissions

This group is used to create and modify permissions to all Active Directory objects in all domains. When Split Permissions is not enabled, the Exchange Trusted Subsystem group is automatically added to this group. "

I checked and the Exchange Trusted Subsystem Group is a member of Exchange Windows Permissions.

Thank you.
Gareth Gudger

That's a very good question. Because I can never find much info on it either.

I did however run into this article. It looks like switching back to an RBAC model is much easier in 2013. I am not even sure if it was possible in 2010 once you committed.

http://technet.microsoft.com/en-us/library/dd638155(v=exchg.150).aspx
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
SOLUTION
MainStaySolutions

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Gareth Gudger

Yea it basically says you don't have permissions. Are you a member of the Organization Management group in Exchange?
MainStaySolutions

ASKER
Actually it's worse now, I'm not even able to mail enable users.
MainStaySolutions

ASKER
Yes, there are currently 3 people in the group and each one seems to have no permission to mail enable users now.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
MainStaySolutions

ASKER
Well scratch that I can't mail enable an old test user.  So back at square one.
SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Gareth Gudger

Hmm. Not sure what else it could be. Alerted the mods to bring in more experts.
MainStaySolutions

ASKER
Well I decided to give it another go today... And, it's working now. Not sure what exactly it was, if it was a combination of the things, but I tested on 2 different users and had no more issues creating users.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
Gareth Gudger

Glad you got it going! AD replication perhaps....
MainStaySolutions

ASKER
May have been a combination of items that fixed it, between adding administrators and rerunning setup with to disable split permissions.
patrickkobai

Please check if user creating the database or carrying out the operation has full control of the V15 Folder in y case this was the problem
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.