Exchange 2013 New Mailbox Problem 4003

Having an issue attempting to create a new mailbox on Exchange 2013 with CU5.  It pops up the error listed below. I am able to create a user in AD then create a mailbox for the user with no problems.  Creating the user through Exchange is a problem.  I have run setup /prepareAD and setup /prepareDomain, restarted servers, ensured the license key was entered, created new Exchange administrators, and still am presented with the error below. Originally the server had no health monitoring mailboxes; I was able to get Exchange to create those so they are no longer missing. Not really sure what to look at next.

Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on . This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights. at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut) at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout) at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo) at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync) --- End of inner exception stack trace --- at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer) at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync) at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException) at Microsoft.Exchange.Data.Directory.ADDataSession.Save(ADObject instanceToSave, IEnumerable`1 properties, Boolean bypassValidation) at Microsoft.Exchange.Configuration.Tasks.SetTaskBase`1.InternalProcessRecord() at 
Microsoft.Exchange.Configuration.Tasks.NewTaskBase`1.InternalProcessRecord() at Microsoft.Exchange.Configuration.Tasks.NewADTaskBase`1.InternalProcessRecord() at Microsoft.Exchange.Management.Common.NewUserBase.InternalProcessRecord() at Microsoft.Exchange.Management.RecipientTasks.NewMailboxBase.InternalProcessRecord() at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b() at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
   ServerOperation
   System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights. at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut) at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout) at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo) at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
   Ex6AE46B
   
   
   False
   
   0 objects execution has been proxied to remote server.
   
   
   0
   ActivityId: 274530e2-6a32-4294-a294-6690bfc99cd4
   ServicePlan:;IsAdmin:True;
   
   en-US
MainStaySolutions Asked:
Gareth Gudger Commented:
When you did the install, did you specify split permissions during the install to keep AD and Exchange separate?
http://technet.microsoft.com/en-us/library/dd638106(v=exchg.150).aspx
0
MainStaySolutions (Author) Commented:
Well, reading that article it would make sense.  Don't remember specifying that during setup.  I'll check it out and report back!

Thank you.
0
MainStaySolutions (Author) Commented:
Okay well, after hunting and searching, is there any way to check what permissions model you are using?  The only reference I've found is here:

http://www.dominikhoefling.com/Blog/Post/9/Exchange-permissions-model

And the note it makes is:

"Exchange Windows Permissions

This group is used to create and modify permissions to all Active Directory objects in all domains. When Split Permissions is not enabled, the Exchange Trusted Subsystem group is automatically added to this group. "

I checked and the Exchange Trusted Subsystem Group is a member of Exchange Windows Permissions.

Thank you.
0
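One way to run the check asked about in the post above, as an added example that is not part of the original thread. It relies on the note quoted there (Exchange Trusted Subsystem is a member of Exchange Windows Permissions when split permissions is not enabled) and assumes the default group names created by Exchange setup, the RSAT ActiveDirectory module, and, for the last part, an Exchange Management Shell session. All calls are read-only.

```powershell
# Added example, not from the thread. Read-only checks.
# Assumption: default Exchange security group names, resolvable in the current domain.
Import-Module ActiveDirectory

function Test-ExchangeADSplitPermissions {
    # With Active Directory split permissions enabled, setup removes
    # Exchange Trusted Subsystem from Exchange Windows Permissions.
    $members = Get-ADGroupMember -Identity 'Exchange Windows Permissions'
    $hasEts  = @($members | Where-Object { $_.Name -eq 'Exchange Trusted Subsystem' }).Count -gt 0

    [pscustomobject]@{
        ExchangeWindowsPermissionsMembers = ($members.Name -join '; ')
        TrustedSubsystemIsMember          = $hasEts
        LikelyModel                       = if ($hasEts) {
            'Shared or RBAC split (AD split permissions not enabled)'
        } else {
            'AD split permissions (Exchange cannot create security principals)'
        }
    }
}

Test-ExchangeADSplitPermissions | Format-List

# RBAC side: who holds the rights to create recipients?
# These cmdlets exist only in the Exchange Management Shell, so skip them elsewhere.
if (Get-Command Get-RoleGroupMember -ErrorAction SilentlyContinue) {
    # Members of the role group asked about later in the thread.
    Get-RoleGroupMember -Identity 'Organization Management' |
        Select-Object Name, RecipientType

    # Under RBAC split permissions this role is assigned to a separate
    # role group instead of Organization Management / Recipient Management.
    Get-ManagementRoleAssignment -Role 'Mail Recipient Creation' |
        Select-Object Name, RoleAssigneeName, RoleAssigneeType
}
```

In a multi-domain forest the Exchange security groups live in the forest root domain, so the Get-ADGroupMember call may need -Server pointed at a root-domain controller.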
Gareth Gudger Commented:
That's a very good question. Because I can never find much info on it either.

I did however run into this article. It looks like switching back to an RBAC model is much easier in 2013. I am not even sure if it was possible in 2010 once you committed.

http://technet.microsoft.com/en-us/library/dd638155(v=exchg.150).aspx
0
MainStaySolutions (Author) Commented:
Well tried both options under:

http://technet.microsoft.com/en-us/library/dd638146(v=exchg.150).aspx

and zero luck; the error still pops up when creating a new user with a new mailbox.
0
Gareth Gudger Commented:
Yea it basically says you don't have permissions. Are you a member of the Organization Management group in Exchange?
0
MainStaySolutions (Author) Commented:
Actually it's worse now, I'm not even able to mail enable users.
0
MainStaySolutions (Author) Commented:
Yes, there are currently 3 people in the group and each one seems to have no permission to mail enable users now.
0
MainStaySolutions (Author) Commented:
Well scratch that I can't mail enable an old test user.  So back at square one.
0
MainStaySolutions (Author) Commented:
Not sure if this matters, but I was able to check another Exchange 2013 domain. The Exchange Trusted Subsystem groups are different: one has Administrators in it and inheritance disabled, the other doesn't have the Administrators group and inheritance is enabled.

Update: made no difference either way, same error.
0
Gareth Gudger Commented:
Hmm. Not sure what else it could be. Alerted the mods to bring in more experts.
0
MainStaySolutions (Author) Commented:
Well I decided to give it another go today... And, it's working now. Not sure what exactly it was, if it was a combination of the things, but I tested on 2 different users and had no more issues creating users.
0
Gareth Gudger Commented:
Glad you got it going! AD replication perhaps....
0
MainStaySolutions (Author) Commented:
May have been a combination of items that fixed it, between adding administrators and rerunning setup to disable split permissions.
0
patrickkobai Commented:
Please check if the user creating the database or carrying out the operation has full control of the V15 folder; in my case this was the problem.
0