Solved

“User has insufficient access rights” received when trying to run “setup /PrepareAD” for Exchange 2013

Posted on 2015-01-16
Last Modified: 2016-02-04
We are in the process of upgrading from Exchange 2007 to Exchange 2013 SP1.
Staged a new Windows Server 2012 R2 and attached to domain. Previously upgraded all ADs to Windows Server 2012 R2.
I am following the Prepare Active Directory and Domains procedures described at http://technet.microsoft.com/en-us/library/bb125224(v=exchg.150).aspx
Successfully ran Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms.

While running Setup.exe /PrepareAD /OrganizationName:"<organization name>" /IAcceptExchangeServerLicenseTerms, I receive the following error: “The user has insufficient access rights.”

Ran from both command prompt, as well as PowerShell. Also tried both using “Run as Administrator”.

Here is the relevant entry in the ExchangeSetup.log:
[01/16/2015 14:56:25.0203] [2] Used domain controller AD1.contoso.com to read object CN=Public Folders,CN=Folder Hierarchies,CN=First Administrative Group,CN=Administrative Groups,CN=xxxxxx,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=xxxxxx,DC=com.
[01/16/2015 14:56:25.0265] [2] Active Directory operation failed on AD1.contoso.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

[01/16/2015 14:56:25.0265] [2] The user has insufficient access rights.
[01/16/2015 14:56:25.0281] [2] Ending processing initialize-AdminGroupPermissions
[01/16/2015 14:56:25.0281] [1] The following 1 error(s) occurred during task execution:
[01/16/2015 14:56:25.0281] [1] 0.  ErrorRecord: Active Directory operation failed on AD1. contoso.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

[01/16/2015 14:56:25.0281] [1] 0.  ErrorRecord: Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on AD1. contoso.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
 ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   at Microsoft.Exchange.Data.Directory.ADDataSession.Save(ADObject instanceToSave, IEnumerable`1 properties, Boolean bypassValidation)
   at Microsoft.Exchange.Management.Tasks.InitializeAdminGroupPermissions.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()
[01/16/2015 14:56:25.0312] [1] The following error was generated when "$error.Clear();
      initialize-AdminGroupPermissions -DomainController $RoleDomainController

" was run: "Active Directory operation failed on AD1.contoso.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
".
[01/16/2015 14:56:25.0312] [1] Active Directory operation failed on AD1.contoso.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

[01/16/2015 14:56:25.0312] [1] The user has insufficient access rights.
[01/16/2015 14:56:25.0312] [1] [ERROR-REFERENCE] Id=CommonGlobalConfig___b175f8c16c41495fa9b1e6f26681a32b Component=EXCHANGE14:\Current\Release\Shared\Datacenter\Setup
[01/16/2015 14:56:25.0312] [1] Setup is stopping now because of one or more critical errors.

I verified / performed the following:
- My domain account is a member of Schema and Enterprise Admin groups.
- Permission inheritance is enabled on my domain account.
- My domain account is added to the Exchange Trusted Subsystem (opened ADUC / Exchange Trusted Subsystem / right click and open Properties / Member tab).

Any assistance would be appreciated.
0
Question by:TomPro
10 Comments

Expert Comment

by:R--R
How many domains/DC do you have?
Please check this from Richard Roddy [MSFT]
http://blogs.technet.com/b/richardroddy/archive/2010/07/12/exchange-2010-and-the-exchange-trusted-subsystem.aspx
Please follow this article from http://exchangeserverpro.com (Paul Cunningham)
Since you have existing organization, please run setup /PrepareAD /IAcceptExchangeServerLicenseTerms and check

http://exchangeserverpro.com/how-to-install-exchange-server-2013/
0
 
Expert Comment

by:Will Szymkowski
I have run into something similar in my lab. Try the following...
- Log in to the server that you are going to install Exchange on
- Open command prompt
- Type whoami /groups

Make sure that on this machine you can see the schema admins and enterprise admins group as well. If you do not see this info then there might be an AD replication delay or there may be something wrong with the computer account.

Will.
0
 
Author Comment

by:TomPro
We only have one domain with two DCs. Went through the links you provided; they do not exactly match our configuration, as one references Exchange 2010 and neither references AD on Windows Server 2012. I tried to perform the equivalent, but still get the same insufficient rights error.

Ran whoami /groups on the server I will be installing Exchange on and it does show schema and enterprise admins groups.
0
 
Expert Comment

by:R--R
Check if there is any replication issue between DCs:
dcdiag and repadmin /showreps
0
 
Expert Comment

by:R--R
1

Author Comment

by:TomPro
Ran dcdiag and repadmin /showreps everything looks good.

I had previously seen Niko Cheng's fix, but my system already had administrators group added.

Any other suggestions would be appreciated.
0
 
Author Comment

by:TomPro
Looks like I made a little progress. Using ADSIEdit, I drilled down and removed several Deny permissions. Now I am getting the following error when running setup /PrepareAD:

Organization Preparation                                                                          FAILED
The following error was generated when "$error.Clear();
install-AdministrativeGroup -DomainController $RoleDomainController
" was run: "Active Directory operation failed on AD1. contoso.com. The object 'CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN= contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= contoso,DC=com' already exists.".
0
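
The two checks discussed so far in this thread (admin groups in the logon token, and Deny permissions found with ADSIEdit), written as a read-only PowerShell audit. This is an added example, not part of the original posts; the variable names are illustrative, and it assumes a domain-joined machine and an account that can read ACLs in the configuration partition.

```powershell
# Added example (not from the thread). Read-only: it reports and changes nothing.
# Run it in the same session (elevated or not) that will launch Setup.exe /PrepareAD.

# 1. Are Schema Admins (RID 518) and Enterprise Admins (RID 519) enabled in this
#    logon token? WindowsIdentity.Groups leaves out groups marked deny-only.
$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids  = @($token.Groups | ForEach-Object { $_.Value })
$wanted = [ordered]@{ 'Schema Admins' = 518; 'Enterprise Admins' = 519 }
foreach ($g in $wanted.GetEnumerator()) {
    $present = [bool]($sids -match "^S-1-5-21-.*-$($g.Value)$")
    '{0,-18} enabled in token: {1}' -f $g.Key, $present
}

# 2. List explicit (non-inherited) Deny ACEs on every object under the
#    Microsoft Exchange container of the configuration partition.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$base     = "LDAP://CN=Microsoft Exchange,CN=Services,$configNC"
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$base)
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 500
$searcher.Filter      = '(objectClass=*)'

$deny = foreach ($hit in $searcher.FindAll()) {
    try {
        $entry = $hit.GetDirectoryEntry()
        # includeExplicit = $true, includeInherited = $false
        $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
                     $true, $false, [System.Security.Principal.NTAccount])
    } catch {
        Write-Warning "Cannot read ACL on $($hit.Path): $($_.Exception.Message)"
        continue
    }
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Deny') {
            [pscustomobject]@{
                Object   = $hit.Path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.ActiveDirectoryRights
            }
        }
    }
}
$deny | Sort-Object Object | Format-Table -AutoSize -Wrap
```

A Deny entry in the output is a candidate for review, not automatically a fault; compare it against the identity running setup and the object named in ExchangeSetup.log before changing anything.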
 
Accepted Solution

by:TomPro
Ended up opening a support ticket with Microsoft. Using ADSIEdit they removed a couple duplicate entries from within the Microsoft Exchange container. Once removed I was then able to successfully run /PrepareAD and continued with installation.
0
 
Author Closing Comment

by:TomPro
Contacted Microsoft support to resolve issue.
0
 

Expert Comment

by:GadgetGeek
Not sure if it was R--R's post and link to Niko Cheng's fix OR whether I finally put in the domain/user when I logged in (e.g. domain/administrator), but it is finally installing in my lab! Woo hoo!
0
