Solved

“User has insufficient access rights” received when trying to run “setup /PrepareAD” for Exchange 2013

Posted on 2015-01-16
10
1,203 Views
Last Modified: 2016-02-04
We are in the process of upgrading from Exchange 2007 to Exchange 2013 SP1.
Staged a new Windows Server 2012 R2 and attached to domain. Previously upgraded all ADs to Windows Server 2012 R2.
I am following the Prepare Active Directory and Domains procedures described at http://technet.microsoft.com/en-us/library/bb125224(v=exchg.150).aspx
Successfully ran Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms.

While running Setup.exe /PrepareAD /OrganizationName:"<organization name>" /IAcceptExchangeServerLicenseTerms, I receive the following error: “The user has insufficient access rights.”

Ran from both command prompt, as well as PowerShell. Also tried both using “Run as Administrator”.

Here is the relevant entry in the ExchangeSetup.log
[01/16/2015 14:56:25.0203] [2] Used domain controller AD1.contoso.com to read object CN=Public Folders,CN=Folder Hierarchies,CN=First Administrative Group,CN=Administrative Groups,CN=xxxxxx,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=xxxxxx,DC=com.
[01/16/2015 14:56:25.0265] [2] Active Directory operation failed on AD1.contoso.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

[01/16/2015 14:56:25.0265] [2] The user has insufficient access rights.
[01/16/2015 14:56:25.0281] [2] Ending processing initialize-AdminGroupPermissions
[01/16/2015 14:56:25.0281] [1] The following 1 error(s) occurred during task execution:
[01/16/2015 14:56:25.0281] [1] 0.  ErrorRecord: Active Directory operation failed on AD1. contoso.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

[01/16/2015 14:56:25.0281] [1] 0.  ErrorRecord: Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on AD1. contoso.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
 ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   at Microsoft.Exchange.Data.Directory.ADDataSession.Save(ADObject instanceToSave, IEnumerable`1 properties, Boolean bypassValidation)
   at Microsoft.Exchange.Management.Tasks.InitializeAdminGroupPermissions.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()
[01/16/2015 14:56:25.0312] [1] The following error was generated when "$error.Clear();
      initialize-AdminGroupPermissions -DomainController $RoleDomainController

" was run: "Active Directory operation failed on AD1.contoso.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
".
[01/16/2015 14:56:25.0312] [1] Active Directory operation failed on AD1.contoso.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

[01/16/2015 14:56:25.0312] [1] The user has insufficient access rights.
[01/16/2015 14:56:25.0312] [1] [ERROR-REFERENCE] Id=CommonGlobalConfig___b175f8c16c41495fa9b1e6f26681a32b Component=EXCHANGE14:\Current\Release\Shared\Datacenter\Setup
[01/16/2015 14:56:25.0312] [1] Setup is stopping now because of one or more critical errors.

I verified / performed the following:
-      My domain account is a member of Schema and Enterprise Admin groups.
-      Permission inheritance is enabled on my domain account.
-      My domain account is added to the Exchange Trusted Subsystem (opened ADUC / Exchange Trusted Subsystem / right-click and open Properties / Members tab).

Any assistance would be appreciated.
0
Comment
Question by:TomPro
10 Comments
 
LVL 19

Expert Comment

by:R--R
ID: 40554320
How many domains/DC do you have?
Please check this from Richard Roddy [MSFT]
http://blogs.technet.com/b/richardroddy/archive/2010/07/12/exchange-2010-and-the-exchange-trusted-subsystem.aspx
Please follow this article from http://exchangeserverpro.com (Paul Cunningham)
Since you have an existing organization, please run setup /PrepareAD /IAcceptExchangeServerLicenseTerms and check

http://exchangeserverpro.com/how-to-install-exchange-server-2013/
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40554324
I have run into something similar in my lab. Try the following...
- log in to the server that you are going to install Exchange on
- open command prompt
- type whoami /groups

Make sure that on this machine you can see the schema admins and enterprise admins group as well. If you do not see this info then there might be an AD replication delay or there may be something wrong with the computer account.

Will.
0
 
LVL 1

Author Comment

by:TomPro
ID: 40554539
We only have one domain with two DCs. Went through the links you provided; they do not exactly match our configuration, as one references Exchange 2010 and neither references AD on Windows Server 2012. I tried to perform the equivalent, but still get the same insufficient rights error.

Ran whoami /groups on the server I will be installing Exchange on and it does show schema and enterprise admins groups.
0
 
LVL 19

Expert Comment

by:R--R
ID: 40554576
Check if there is any replication issue between DCs:
dcdiag and repadmin /showreps
0
 
LVL 19

Expert Comment

by:R--R
ID: 40554579
1
 
LVL 1

Author Comment

by:TomPro
ID: 40565062
Ran dcdiag and repadmin /showreps; everything looks good.

I had previously seen Niko Cheng's fix, but my system already had administrators group added.

Any other suggestions would be appreciated.
0
 
LVL 1

Author Comment

by:TomPro
ID: 40566430
Looks like I made a little progress. Using ADSIEdit I drilled down and removed several Deny permissions. Now I am getting the following error when running setup /PrepareAD:

Organization Preparation                                                                          FAILED
The following error was generated when "$error.Clear();
install-AdministrativeGroup -DomainController $RoleDomainController
" was run: "Active Directory operation failed on AD1. contoso.com. The object 'CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN= contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= contoso,DC=com' already exists.".
0
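
An added example, not part of the original thread: a way to list Deny ACEs on a directory object and its parent containers before changing anything in ADSIEdit, so there is a record of which entries existed and where they were set. The function names `Get-DenyAce` and `Get-DenyAceChain` are hypothetical, the demo descriptor is constructed, and the DN values in the commented live call are placeholders.

```powershell
# Added example (not from the thread). Function names are hypothetical.
Add-Type -AssemblyName System.DirectoryServices

function Get-DenyAce {
    # Return every Deny ACE in a security descriptor, with its origin.
    param(
        [Parameter(Mandatory)]
        [System.DirectoryServices.ActiveDirectorySecurity] $Security,
        [string] $Label = '(constructed)'
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $Security.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        [pscustomobject]@{
            Object    = $Label
            Trustee   = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited   # $false = set on this object
            AppliesTo = $ace.InheritanceType
        }
    }
}

function Get-DenyAceChain {
    # Walk from an object up to $StopAt, reporting Deny ACEs at each level.
    param([Parameter(Mandatory)] [string] $DistinguishedName,
          [Parameter(Mandatory)] [string] $StopAt)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    while ($true) {
        $dn = [string]$entry.distinguishedName   # empty if the bind failed
        if (-not $dn.EndsWith($StopAt, [StringComparison]::OrdinalIgnoreCase)) { break }
        Get-DenyAce -Security $entry.psbase.ObjectSecurity -Label $dn
        if ($dn.Length -eq $StopAt.Length) { break }   # reached $StopAt
        $entry = $entry.psbase.Parent
    }
}

# Constructed descriptor so the filter can be exercised without a domain.
$admins   = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$deny     = [System.Security.AccessControl.AccessControlType]::Deny
$full     = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$wdac     = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
$ruleType = 'System.DirectoryServices.ActiveDirectoryAccessRule'
$sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sd.AddAccessRule((New-Object $ruleType -ArgumentList $admins, $full, $allow))
$sd.AddAccessRule((New-Object $ruleType -ArgumentList $everyone, $wdac, $deny))
Get-DenyAce -Security $sd | Format-Table -AutoSize

# Live use on a domain-joined host (both DN values are placeholders):
# Get-DenyAceChain -DistinguishedName '<object DN from ExchangeSetup.log>' `
#     -StopAt 'CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>,DC=com'
```

Piping the live output to `Export-Csv` keeps a before-state of the Deny entries; rows with `Inherited` set to false show the container where a Deny entry was actually defined.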
 
LVL 1

Accepted Solution

by:
TomPro earned 0 total points
ID: 40897143
Ended up opening a support ticket with Microsoft. Using ADSIEdit they removed a couple of duplicate entries from within the Microsoft Exchange container. Once removed, I was then able to successfully run /PrepareAD and continued with installation.
0
 
LVL 1

Author Closing Comment

by:TomPro
ID: 40903868
Contacted Microsoft support to resolve issue.
0
 

Expert Comment

by:GadgetGeek
ID: 41449486
Not sure if it was R--R's post and link to Niko Cheng's fix OR whether I finally put in the domain/user when I logged in (e.g. domain/administrator), but it is finally installing in my lab! Woo hoo!
0

Question has a verified solution.
