“User has insufficient access rights” received when trying to run “setup /PrepareAD” for Exchange 2013

We are in the process of upgrading from Exchange 2007 to Exchange 2013 SP1.
Staged a new Windows Server 2012 R2 and attached to domain. Previously upgraded all ADs to Windows Server 2012 R2.
I am following the Prepare Active Directory and Domains procedures described at http://technet.microsoft.com/en-us/library/bb125224(v=exchg.150).aspx
Successfully ran Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms.

While running Setup.exe /PrepareAD /OrganizationName:"<organization name>" /IAcceptExchangeServerLicenseTerms, I receive the following error: “The user has insufficient access rights.”

Ran from both command prompt, as well as PowerShell. Also tried both using “Run as Administrator”.

Here is the relevant entry in the ExchangeSetup.log
[01/16/2015 14:56:25.0203] [2] Used domain controller AD1.contoso.com to read object CN=Public Folders,CN=Folder Hierarchies,CN=First Administrative Group,CN=Administrative Groups,CN=xxxxxx,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=xxxxxx,DC=com.
[01/16/2015 14:56:25.0265] [2] Active Directory operation failed on AD1.contoso.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

[01/16/2015 14:56:25.0265] [2] The user has insufficient access rights.
[01/16/2015 14:56:25.0281] [2] Ending processing initialize-AdminGroupPermissions
[01/16/2015 14:56:25.0281] [1] The following 1 error(s) occurred during task execution:
[01/16/2015 14:56:25.0281] [1] 0.  ErrorRecord: Active Directory operation failed on AD1. contoso.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

[01/16/2015 14:56:25.0281] [1] 0.  ErrorRecord: Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on AD1. contoso.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
 ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   at Microsoft.Exchange.Data.Directory.ADDataSession.Save(ADObject instanceToSave, IEnumerable`1 properties, Boolean bypassValidation)
   at Microsoft.Exchange.Management.Tasks.InitializeAdminGroupPermissions.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()
[01/16/2015 14:56:25.0312] [1] The following error was generated when "$error.Clear();
      initialize-AdminGroupPermissions -DomainController $RoleDomainController

" was run: "Active Directory operation failed on AD1.contoso.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
".
[01/16/2015 14:56:25.0312] [1] Active Directory operation failed on AD1.contoso.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

[01/16/2015 14:56:25.0312] [1] The user has insufficient access rights.
[01/16/2015 14:56:25.0312] [1] [ERROR-REFERENCE] Id=CommonGlobalConfig___b175f8c16c41495fa9b1e6f26681a32b Component=EXCHANGE14:\Current\Release\Shared\Datacenter\Setup
[01/16/2015 14:56:25.0312] [1] Setup is stopping now because of one or more critical errors.

I verified / performed the following:
- My domain account is a member of Schema and Enterprise Admin groups.
- Permission inheritance is enabled on my domain account.
- My domain account is added to the Exchange Trusted Subsystem (opened ADUC / Exchange Trusted Subsystem / right-click and open Properties / Members tab)

Any assistance would be appreciated.
TomPro Asked:

R--R Commented:
How many domains/DC do you have?
Please check this from Richard Roddy [MSFT]
http://blogs.technet.com/b/richardroddy/archive/2010/07/12/exchange-2010-and-the-exchange-trusted-subsystem.aspx
Please follow this article from http://exchangeserverpro.com (Paul Cunningham)
Since you have an existing organization, please run setup /PrepareAD /IAcceptExchangeServerLicenseTerms and check

http://exchangeserverpro.com/how-to-install-exchange-server-2013/
0
Will Szymkowski (Senior Solution Architect) Commented:
I have run into something similar in my lab. Try the following...
- log in to the server that you are going to install Exchange on
- open command prompt
- type whoami /groups

Make sure that on this machine you can see the schema admins and enterprise admins group as well. If you do not see this info then there might be an AD replication delay or there may be something wrong with the computer account.

Will.
0
TomPro (Author) Commented:
We only have one domain with two DCs. Went through the links you provided; they do not exactly match our configuration, as one references Exchange 2010 and neither references AD on Windows Server 2012. I tried to perform the equivalent, but still get the same insufficient rights error.

Ran whoami /groups on the server I will be installing Exchange on and it does show schema and enterprise admins groups.
0
R--R Commented:
Check if there is any replication issue between DCs
dcdiag and repadmin /showreps
0
TomPro (Author) Commented:
Ran dcdiag and repadmin /showreps; everything looks good.

I had previously seen Niko Cheng's fix, but my system already had administrators group added.

Any other suggestions would be appreciated.
0
TomPro (Author) Commented:
Looks like I made a little progress. Using ADSIEdit I drilled down and removed several Deny permissions. Now I am getting the following error when running setup /PrepareAD

Organization Preparation                                                                          FAILED
The following error was generated when "$error.Clear();
install-AdministrativeGroup -DomainController $RoleDomainController
" was run: "Active Directory operation failed on AD1. contoso.com. The object 'CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN= contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= contoso,DC=com' already exists.".
0
TomPro (Author) Commented:
Ended up opening a support ticket with Microsoft. Using ADSIEdit they removed a couple duplicate entries from within the Microsoft Exchange container. Once removed I was then able to successfully run /PrepareAD and continued with installation.
0
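
For readers triaging the same failure, the following is an added example, not code from the thread or from Microsoft. It pulls the failing task, domain controller and last object read out of ExchangeSetup.log, and offers a read-only listing of Deny ACEs on that object and its parents. The function names Get-SetupAccessFailure and Get-DenyAce are hypothetical, Get-DenyAce assumes the RSAT ActiveDirectory module, and treating the last object read as the place to start is a heuristic.

```powershell
# Added example (not from the thread). Read-only: nothing in the directory is modified.
# Assumption: the object setup read last before the error is the one to inspect first.
function Get-SetupAccessFailure {
    param([string[]]$Line)
    $read = $null; $hit = $null
    foreach ($l in $Line) {
        if ($l -match '^\[(?<ts>[^\]]+)\] \[\d+\] Used domain controller (?<dc>\S+) to read object (?<dn>.+?)\.?$') {
            $read = @{ At = $Matches.ts; DC = $Matches.dc; DN = $Matches.dn }
        } elseif (-not $hit -and $read -and $l -match 'problem (?<code>\d+) \(INSUFF_ACCESS_RIGHTS\)') {
            $hit = [pscustomobject]@{
                ReadAt = $read.At; DomainController = $read.DC; LastObjectRead = $read.DN
                LdapProblem = [int]$Matches.code; Task = $null
            }
        } elseif ($hit -and $l -match '\] Ending processing (?<task>\S+)') {
            $hit.Task = $Matches.task; $hit; $hit = $null; $read = $null   # emit one record per failure
        }
    }
    if ($hit) { $hit }   # log ended before the task's closing line
}

# Hypothetical helper: list Deny ACEs on an object and each parent up to CN=Services.
function Get-DenyAce {
    param([string]$DistinguishedName, [string]$StopAt = 'CN=Services,')
    Import-Module ActiveDirectory -ErrorAction Stop   # RSAT module, provides the AD: drive
    $dn = $DistinguishedName
    while ($dn -and -not $dn.StartsWith($StopAt, 'OrdinalIgnoreCase')) {
        (Get-Acl -Path "AD:\$dn").Access |
            Where-Object { $_.AccessControlType -eq 'Deny' } |
            Select-Object @{ n = 'Object'; e = { $dn } }, IdentityReference,
                          ActiveDirectoryRights, IsInherited
        $dn = ($dn -split '(?<!\\),', 2)[1]   # step up to the parent container
    }
}

# Sample lines copied from the log excerpt in the question above.
$sample = @'
[01/16/2015 14:56:25.0203] [2] Used domain controller AD1.contoso.com to read object CN=Public Folders,CN=Folder Hierarchies,CN=First Administrative Group,CN=Administrative Groups,CN=xxxxxx,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=xxxxxx,DC=com.
[01/16/2015 14:56:25.0265] [2] Active Directory operation failed on AD1.contoso.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
[01/16/2015 14:56:25.0265] [2] The user has insufficient access rights.
[01/16/2015 14:56:25.0281] [2] Ending processing initialize-AdminGroupPermissions
'@ -split '\r?\n'

$failure = Get-SetupAccessFailure -Line $sample
$failure | Format-List
# On a real system: Get-DenyAce -DistinguishedName $failure.LastObjectRead
```

Not every Deny entry under the Exchange container is a fault; review each one, and whether it is inherited, before changing anything in ADSIEdit.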
TomPro (Author) Commented:
Contacted Microsoft support to resolve issue.
0
GadgetGeek Commented:
Not sure if it was R--R's post and link to Niko Cheng's fix OR whether I finally put in the domain/user when I logged in (Ex. domain/administrator), but it is finally installing in my lab! Woo hoo!
0
Question has a verified solution.