Echange 2003 Recipient Update Service does not create/update proxy email address in child domain
Hi All,

We have a painful situation that we have been trying to find a solution for for a couple of weeks. Our AD domain infrastructure comprises a root domain and 3 child domains directly under the root.

Facts:
Forest is running in Windows Server 2008 functional mode.
Single Exchange 2003 server is located in the HO and all 3 domains are prepared for Exchange 2003 recipients (the forest and root domain have already been upgraded to the Exchange 2010 schema as we are preparing to migrate within the next 2 months).
The 3rd child domain (let's say child3.domain.org.au) is newly created in one of our remote country offices and connects to HO via a site-to-site VPN. Domain functional level is Windows Server 2008 R2.
Country office connects to the internet (and to HO via VPN) through a 768 kbps satellite connection; not the fastest connection in the world but enough.
AD replication works fine within the forest. Repadmin, dcdiag results are fine.
In the Exchange 2003 server, there is a Recipient Update Service (RUS) and a Recipient Policy created for child3.domain.org.au.

Pains:
Exchange 2003 RUS cannot update AD accounts in child3.domain.org.au with the correct email addresses and we see the below errors in the application log.

Event Type: Warning
Event Source: MSExchangeAL
Event Category: Address List Synchronization
Event ID: 8201
Date: 7/2/2012
Time: 5:35:12 PM
User: N/A
Computer: EXCHSRV1
Description: The service could not bind to server dc01.child3.domain.org.au. Please check the credentials supplied. For more information, click http://www.microsoft.com/contentredirect.asp.

Event Type: Warning
Event Source: MSExchangeAL
Event Category: Address List Synchronization
Event ID: 8166
Date: 7/2/2012
Time: 5:27:11 PM
User: N/A
Computer: EXCHSRV1
Description: Could not modify Address List 'CN=COMPANY1 Country Office - ABC,CN=Recipient Policies,CN=COMPANY1,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=org,DC=au' for the object: 'dc01.child3.domain.org.au'. CN=Abc\, Xyz,OU=Company1 Co3 Users,DC=child3,DC=domain,DC=org,DC=au For more information, click http://www.microsoft.com/contentredirect.asp.

Event Type: Warning
Event Source: MSExchangeAL
Event Category: Address List Synchronization
Event ID: 8317
Date: 7/2/2012
Time: 5:27:11 PM
User: N/A
Computer: EXCHSRV1
Description: The service could not update the entry CN=Abc\, Xyz,OU=Company1 Co3 Users,DC=child3,DC=domain,DC=org,DC=au because inheritable permissions may not have propagated completely down to this object yet. The inheritance time may vary depending on the number of Active Directory objects within the domain and also the load of your domain controllers. To correct this problem, verify that the Exchange permissions have been propagated to this object and then force a rebuild for the Recipient Update Service on this domain. DC=child3,DC=domain,DC=org,DC=au For more information, click http://www.microsoft.com/contentredirect.asp.

Event Type: Warning
Event Source: MSExchangeAL
Event Category: Address List Synchronization
Event ID: 8168
Date: 7/2/2012
Time: 5:27:11 PM
User: N/A
Computer: EXCHSRV1
Description: Could not modify the object: CN=Abc\, Xyz,OU=Company1 Co3 Users,DC=child3,DC=domain,DC=org,DC=au. DC=child3,DC=domain,DC=org,DC=au For more information, click http://www.microsoft.com/contentredirect.asp.

Event Type: Error
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8270
Date: 7/2/2012
Time: 5:27:11 PM
User: N/A
Computer: EXCHSRV1
Description: LDAP returned the error [32] Insufficient Rights when importing the transaction dn: <GUID=135A431913E8984EA410F137398CBEE0> changetype: Modify mail:Abc.Xyz@company1.org textEncodedORAddress:c=AU;a= ;p=COMPANY1;o=AUSTRALIA;s=Xyz;g=Abc; proxyAddresses:SMTP: Abc.Xyz@company1.org : X400:c=AU;a= ;p= COMPANY1;o=AUSTRALIA;s=Xyz;g=Abc; msExchPoliciesIncluded:add:{17A2D59C-489D-4F51-87FB-BC7138063DB1},{3B6813EC-CE89-42BA-9442-D87D4AA30DBC} : {17A2D59C-489D-4F51-87FB-BC7138063DB1},{26491CFC-9E50-4857-861B-0CB8DF22B5D7} objectGUID:135A431913E8984EA410F137398CBEE0 - DC=child3,DC=domain,DC=org,DC=au For more information, click http://www.microsoft.com/contentredirect.asp.

Event Type: Error
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8022
Date: 7/2/2012
Time: 5:27:11 PM
User: N/A
Computer: EXCHSRV1
Description: LDAP Modify on directory dc01.child3.domain.org.au for entry '<GUID=135A431913E8984EA410F137398CBEE0>' was unsuccessful with error:[0x32] Insufficient Rights [ 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]. DC=child3,DC=domain,DC=org,DC=au For more information, click http://www.microsoft.com/contentredirect.asp.

Steps:
Found this KB that describes some of the errors: http://support.microsoft.com/kb/254030
Ran Exchange 2003 /domainprep again.
Had a look at this article too: http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/06841abf-0bb9-471a-b6db-fbf3144e1699
Ran ExBPA but found nothing significant. Just to mention that it says Recipient Update Service 'Recipient Update Service (child3)' was configured to perform a full rebuild.

Looks like something to do with permissions. Any advice is much appreciated.

Cheers.
July 2nd, 2012 7:32pm

Are you sure that DomainPrep was run in that domain? Is there a RUS configured for that domain?

Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
July 3rd, 2012 1:01am

Hi Ed,

The answer to both questions is yes, and I have found what the problem is and the missing permission. Further troubleshooting revealed that a user object in the child3 domain does not have the "Write Exchange Information" permission for the child3\Exchange Enterprise Servers group. Manually adding this permission to the user account and updating the RUS worked, and that user account got its proxy address. Now my problem is how to get this permission propagated to all users. I assume that this permission is set during domainprep and ran it yet another time. But the permission did not get set. I could probably add this permission to the domain object, but is that the correct way of setting this? Thoughts are much appreciated.

Cheers.
July 3rd, 2012 6:57pm

You can set it higher up and let it be inherited. You didn't block inheritance on OUs or recipients, did you? That can cause all sorts of problems.

Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
July 4th, 2012 2:15am

Hi Ed,

No, inheritance is not blocked at all. I checked the other 2 child domains and found that the permissions for Exchange Enterprise Servers are set at the domain level. There are 5 Write Property permissions. But it does not show what those permissions are. This is on one of the child domains that's working fine. This is the child domain that's having the problem. Seems one "Write Property" permission is missing. Just cannot identify which one at the domain level, even going into the Edit page. But on the individual user account, the missing permission is "Write Exchange Information". Any thoughts? Is "Write Exchange Information" made up of more granular permissions?

Cheers
July 4th, 2012 8:01pm
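The "5 Write Property permissions" that the ACL editor will not name are object-specific ACEs whose ObjectType GUID points at a schema attribute or at a property set (an entry under CN=Extended-Rights in the configuration partition; "Write Exchange Information" is such a property set, which is why one ACE on the domain root covers several attributes on each user). The following is an added example, not code from the thread or from Microsoft: it reads the domain root security descriptor of two domains, resolves each Exchange Enterprise Servers ACE's GUID to a name through the schema and Extended-Rights containers, and lists the ACEs present on the working domain but missing on the broken one. It assumes the ActiveDirectory PowerShell module, read access to the schema and configuration partitions, and the placeholder domain names used in the thread (child1 and child3 under domain.org.au).

```powershell
# Added example (not from the thread): name the Exchange Enterprise Servers
# ACEs on a domain root and diff a working domain against a broken one.
Import-Module ActiveDirectory

$rootDse   = Get-ADRootDSE
$guidNames = @{}

# Schema attributes and classes: schemaIDGUID is stored as an octet string
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidNames[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

# Extended rights and property sets (e.g. Exchange property sets): rightsGuid is a string
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidNames[[guid]$_.rightsGuid] = $_.displayName }

function Get-ExchangeServersAce {
    # Returns one record per ACE granted to "<domain>\Exchange Enterprise Servers"
    # on the domain root object. -Server lets the DN be read from a DC of that domain.
    param(
        [Parameter(Mandatory)][string]$DomainDn,
        [string]$Server
    )
    $args = @{ Identity = $DomainDn; Properties = 'nTSecurityDescriptor' }
    if ($Server) { $args.Server = $Server }
    $sd = (Get-ADObject @args).nTSecurityDescriptor

    $sd.Access |
        # Unresolvable SIDs from another domain show as S-1-5-... and will not match
        Where-Object { $_.IdentityReference.Value -like '*\Exchange Enterprise Servers' } |
        ForEach-Object {
            $typeName = if ($_.ObjectType -eq [guid]::Empty)        { '(all properties)' }
                        elseif ($guidNames.ContainsKey($_.ObjectType)) { $guidNames[$_.ObjectType] }
                        else                                            { $_.ObjectType.ToString() }
            [pscustomobject]@{
                Domain      = $DomainDn
                Identity    = $_.IdentityReference.Value
                Rights      = $_.ActiveDirectoryRights
                ObjectType  = $typeName
                Inheritance = $_.InheritanceType
                IsInherited = $_.IsInherited
                AccessType  = $_.AccessControlType
            }
        }
}

# Placeholder domain DNs and DCs from the thread; replace with your own
$working = Get-ExchangeServersAce -DomainDn 'DC=child1,DC=domain,DC=org,DC=au' -Server 'dc01.child1.domain.org.au'
$broken  = Get-ExchangeServersAce -DomainDn 'DC=child3,DC=domain,DC=org,DC=au' -Server 'dc01.child3.domain.org.au'

"=== Working domain ==="
$working | Format-Table Rights, ObjectType, Inheritance, IsInherited -AutoSize
"=== Broken domain ==="
$broken  | Format-Table Rights, ObjectType, Inheritance, IsInherited -AutoSize

# ACEs that exist on the working domain root but not on the broken one
"=== Missing on the broken domain ==="
Compare-Object -ReferenceObject $working -DifferenceObject $broken `
    -Property Rights, ObjectType, Inheritance, AccessType |
    Where-Object SideIndicator -eq '<=' |
    Format-Table Rights, ObjectType, Inheritance -AutoSize
```

The Inheritance and IsInherited columns are worth reading alongside the names: a Write Property ACE that is present but scoped to the domain object only (no inheritance to descendant user objects) will not reach the recipients the RUS is trying to stamp, and RUS events 8270/8022 (INSUFF_ACCESS_RIGHTS) are the symptom in either case.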

The permissions that are there aren't inherited, so I suspect inheritance is blocked there or somewhere up the tree. You didn't show the page where that is set.

Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
July 4th, 2012 10:33pm

Hi Ed,

We were able to fix the issue by running Exchange 2010 Setup /PrepareLegacyExchangePermissions again on the parent domain. This added the missing permission above. Hope this helps someone. http://technet.microsoft.com/en-us/library/aa997914

Cheers.
July 5th, 2012 1:15am

You should mark your post as the answer.

Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
July 5th, 2012 10:55am

You should mark your post as the answer. Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

Hi Ed,

I don't see an option to "Mark as Answer" beneath the post.

Cheers
July 9th, 2012 8:33pm
