MainStaySolutions

asked on

Exchange 2013 New Mailbox Problem 4003

Having an issue attempting to create a new mailbox on Exchange 2013 with CU5. It pops up the error listed below. I am able to create a user in AD and then create a mailbox for the user with no problems. Creating the user through Exchange is a problem. I have run setup /prepareAD and setup /prepareDomain, restarted servers, ensured the license key was entered, created new Exchange administrators, and am still presented with the error below. Originally the server had no health monitoring mailboxes; I was able to get Exchange to create those, so they are no longer missing. Not really sure what to look at next.

Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on . This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   at Microsoft.Exchange.Data.Directory.ADDataSession.Save(ADObject instanceToSave, IEnumerable`1 properties, Boolean bypassValidation)
   at Microsoft.Exchange.Configuration.Tasks.SetTaskBase`1.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.NewTaskBase`1.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.NewADTaskBase`1.InternalProcessRecord()
   at Microsoft.Exchange.Management.Common.NewUserBase.InternalProcessRecord()
   at Microsoft.Exchange.Management.RecipientTasks.NewMailboxBase.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
   ServerOperation
   System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
   Ex6AE46B
   
   
   False
   
   0 objects execution has been proxied to remote server.
   
   
   0
   ActivityId: 274530e2-6a32-4294-a294-6690bfc99cd4
   ServicePlan:;IsAdmin:True;
   
   en-US
ASKER CERTIFIED SOLUTION
Gareth Gudger
This solution is only available to members.
MainStaySolutions

ASKER

Well, reading that article it would make sense.  Don't remember specifying that during setup.  I'll check it out and report back!

Thank you.
Okay well, after hunting and searching, is there any way to check what permissions model you are using? The only reference I've found is here:

http://www.dominikhoefling.com/Blog/Post/9/Exchange-permissions-model

And the note it makes is:

"Exchange Windows Permissions

This group is used to create and modify permissions to all Active Directory objects in all domains. When Split Permissions is not enabled, the Exchange Trusted Subsystem group is automatically added to this group."

I checked and the Exchange Trusted Subsystem Group is a member of Exchange Windows Permissions.

Thank you.
That's a very good question. Because I can never find much info on it either.

I did however run into this article. It looks like switching back to an RBAC model is much easier in 2013. I am not even sure if it was possible in 2010 once you committed.

http://technet.microsoft.com/en-us/library/dd638155(v=exchg.150).aspx
Yea it basically says you don't have permissions. Are you a member of the Organization Management group in Exchange?
Actually it's worse now, I'm not even able to mail enable users.
Yes, there are currently 3 people in the group and each one seems to have no permission to mail enable users now.
Well scratch that I can't mail enable an old test user.  So back at square one.
Hmm. Not sure what else it could be. Alerted the mods to bring in more experts.
Well I decided to give it another go today... And, it's working now. Not sure what exactly it was, if it was a combination of the things, but I tested on 2 different users and had no more issues creating users.
Glad you got it going! AD replication perhaps....
May have been a combination of items that fixed it, between adding administrators and rerunning setup with to disable split permissions.
Please check if the user creating the database or carrying out the operation has full control of the V15 folder; in my case this was the problem.
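
The thread asks how to tell which permissions model an Exchange 2013 organization is using. The script below is an added example, not code from any participant: it applies the membership rule from the note quoted above and then looks at the RBAC role assignments that govern recipient creation. It assumes the Exchange Management Shell with the RSAT ActiveDirectory module, run in the domain that holds the Exchange security groups, and its final label is a heuristic.

```powershell
# Added example (not from the thread). Assumes: Exchange Management Shell,
# RSAT ActiveDirectory module, run in the domain holding the Exchange groups.
Import-Module ActiveDirectory

# 1. AD split permissions: per the note quoted in the thread, Exchange Trusted
#    Subsystem is a member of Exchange Windows Permissions when split
#    permissions is NOT enabled.
$ewpMembers = Get-ADGroupMember -Identity 'Exchange Windows Permissions' |
    Select-Object -ExpandProperty Name
$etsInEwp = $ewpMembers -contains 'Exchange Trusted Subsystem'

# 2. RBAC split permissions: these two roles control who may create users and
#    security groups through Exchange. List the regular (non-delegating) assignees.
$roles = 'Mail Recipient Creation', 'Security Group Creation and Membership'
$assignees = @{}
foreach ($role in $roles) {
    $assignees[$role] = @(Get-ManagementRoleAssignment -Role $role -Delegating $false |
        Select-Object -ExpandProperty RoleAssigneeName)
}
$orgMgmtCreates = $assignees['Mail Recipient Creation'] -contains 'Organization Management'

# 3. Heuristic summary of the model in use.
$model = if (-not $etsInEwp) {
    'Active Directory split permissions'
} elseif (-not $orgMgmtCreates) {
    'RBAC split permissions (or customised role assignments)'
} else {
    'Shared permissions'
}

[pscustomobject]@{
    TrustedSubsystemInWindowsPermissions = $etsInEwp
    MailRecipientCreationAssignees       = $assignees['Mail Recipient Creation'] -join '; '
    SecurityGroupCreationAssignees       = $assignees['Security Group Creation and Membership'] -join '; '
    LikelyModel                          = $model
}
```

If the result is "Shared permissions" and New-Mailbox still fails with problem 4003 (INSUFF_ACCESS_RIGHTS), the denial comes from the ACL on the target container rather than from the permissions model, for example blocked inheritance on the OU.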