Cannot add Accepted Domain
I am in the process of upgrading my Exchange 2003 environment to Exchange 2010. For good measure I have installed a single Exchange 2007 server in the forest, just to be on the safe side and then installed the first Exchange 2010 server. I am currently at the point where I want to start adding Accepted Domains to my environment, this works just fine when I use the Exchange 2007 EMC but when using the 2010 EMC or EMS I get the response:

----------------------------------------------
Error:
Active Directory operation failed on somedomaincontroller.emea.mydomain.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

The user has insufficient access rights.

Exchange Management Shell command attempted:
new-AcceptedDomain -Name 'somecompany-ag.de' -DomainName 'somecompany-ag.de' -DomainType 'Authoritative'
-----------------------------------------------------------------

Forest Setup is: Empty Root Domain (mydomain.com) with 3 resource domains: emea.mydomain.com, ap.mydomain.com and am.mydomain.com

There are exchange 2003 servers deployed in all 3 resource domains, the Ex 2007 and Ex 2010 servers are installed in the EMEA domain.

I have tried to add the Accepted Domain using different accounts with permissions limited to only member of "Exchange Organization Administrators" all the way up to Enterprise Admins and Schema Admin. When I look at the permissions in the configuration partition in AD all seems to be correct.

I'm at a loss, all help is appreciated.

regards,
Ruud
May 27th, 2010 2:24pm

Did you get a chance to have a look into this? http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_24990540.html

You might need to check the permissions from ADSIEDIT. Also, you can have a look at this: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_25060970.html

Raj
May 27th, 2010 2:31pm

Hi Raj,

Thanks for helping me out here. I did check both articles (and a lot of other ones that Google returns when searching for the error codes) and I cannot find anything wrong. Inheritance is enabled and in ADSI Edit the permissions appear to be fine. Besides that, I am able to perform the same task using the 2007 EMC with a limited permissions account.

What strikes me as odd is the error lists a DC in my subdomain, not in the root domain, but I'm not sure that is related.

Ruud
May 27th, 2010 3:10pm

Only if you are using any account from the child domain. Try running a domain prep from the child domain and see if that makes any difference.

Raj
May 28th, 2010 12:07am

Hi,

You can add the -DomainController parameter to specify the DC that writes this configuration change to Active Directory.

And can you do other tasks? For example: move a mailbox from Exchange 2003 to Exchange 2010.

Did you use the account with which you installed Exchange 2010? Please check ADUC -> domain.com -> Microsoft Exchange Security Groups -> Organization Management -> Properties -> Members. Is the account in there?

Also please check that the Exchange 2010 server is a member of the "Exchange Trusted Subsystem" group, which is in the same OU. Try to remove it and add it back, then restart the server.

Frank Wang
May 28th, 2010 9:32am

It was the membership of the "Exchange Trusted Subsystem" that was missing. Could it be I did something wrong that caused it not to be automatically added to that group?

Since I'm in the process of upgrading to 2010 there are no mailboxes on it yet (afraid it will mess up mail routing somehow); I'm trying to get all settings finished before adding the first mailbox.

Thanks for your help guys!
May 28th, 2010 12:32pm
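
The two membership checks Frank describes, and the one that turned out to be the cause, can be scripted. The following is an added example, not part of any poster's reply; the server name and admin account are hypothetical placeholders, and it assumes the ActiveDirectory PowerShell module is available and that both groups sit in the root domain's "Microsoft Exchange Security Groups" OU.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access to both domains.
Import-Module ActiveDirectory

# Domain names are the ones used in the thread; the other two values are hypothetical placeholders.
$RootDomain   = 'mydomain.com'        # empty root domain, assumed to hold the Exchange groups
$ServerDomain = 'emea.mydomain.com'   # domain the Exchange 2010 server and admin account belong to
$ServerName   = 'EX2010-01'           # hypothetical Exchange 2010 computer name
$AdminSam     = 'exadmin'             # hypothetical admin account used to run New-AcceptedDomain

function Test-DirectMember {
    param(
        [Parameter(Mandatory = $true)][string]$GroupName,
        [Parameter(Mandatory = $true)][string]$MemberDN
    )
    # Look the group up by name in the root domain and read its member attribute.
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $RootDomain -Properties member
    if (-not $group) { throw "Group '$GroupName' not found in $RootDomain" }
    # Direct membership only; nested groups are not expanded.
    return [bool]($group.member -contains $MemberDN)
}

# Resolve both principals in the child domain so the comparison uses their full DNs.
$computer = Get-ADComputer -Identity $ServerName -Server $ServerDomain
$admin    = Get-ADUser     -Identity $AdminSam   -Server $ServerDomain

$checks = @(
    @{ Principal = $computer.DistinguishedName; Group = 'Exchange Trusted Subsystem' },
    @{ Principal = $admin.DistinguishedName;    Group = 'Organization Management' }
)

# Emit one result object per check.
foreach ($c in $checks) {
    New-Object PSObject -Property @{
        Principal = $c.Principal
        Group     = $c.Group
        IsMember  = Test-DirectMember -GroupName $c.Group -MemberDN $c.Principal
    }
}
```

An `IsMember` of `False` for the server's computer account matches the condition that was fixed in this thread; after adding the server back to the group, restart it as Frank suggests so the computer account logs on with the new membership.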
