Exchange 2003 in Root domain (xyz.com) and RUS not updating for new mailboxes created for AD accounts in Child Domain (abc.xyz.com) and have to manually create the SMTP and X.400 address for the mailboxes.
Hi,
I have a Windows 2003 R2 as DC/GC in Child Domain :- "child.voiceLab.com"
// DC and GC --> UNITY11.child.voiceLab.com
The Exchange Server 2003 SP2 is on Windows 2003 R2 and that is in the Root Domain :- "voiceLab.com" and is the 1st DC and GC as well of the root domain "voiceLab.com" // DC and GC --> UNITY-SEC.voiceLab.com
The Exchange 2003 SP 2 was installed before the Child Domain :- "child.voiceLab.com"
--> I know that is non-standard but just had some change of plans and so this way.
I have run the forestprep and more importantly /domainprep on the Windows 2003 R2 server working DC/GC in Child Domain :- "child.voiceLab.com"
It went fine except for the prompt:-
The domain "Child.voiceLab.com" has been identified as an insecure domain for the mail-enabled groups with hidden DL membership. Hidden DL membership will be exposed to members of the built-in "Pre-Windows 2000 Compatible Access" security group.
This group may have been populated during the promotion of the domain with the intent of allowing permissions to be compatible with pre-windows 2000 servers and application. To secure the domain, remove any unnecessary members from this group.
https://skydrive.live.com/P.mvc#!/?cid=AC90F2CDB394D9E7&id=AC90F2CDB394D9E7%21109&sc=documents
I Created a new RUS in Exchange 2003 for the child domain AD a/c as you can see below :-
https://skydrive.live.com/P.mvc#!/?cid=AC90F2CDB394D9E7&id=AC90F2CDB394D9E7%21110&sc=documents
However that didn't seem to have helped
The Accounts are as below :-
https://skydrive.live.com/P.mvc#!/?cid=AC90F2CDB394D9E7&id=AC90F2CDB394D9E7%21111&sc=documents
The only way to get it to work so far has been to add the SMTP and X.400 manually
However even with working accounts updated manually and also for not the ones which have been manually updated the eventvwr is filled with these errors:-
Event Type: Error
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8270
Date: 8/2/2011
Time: 1:16:27 PM
User: N/A
Computer: UNITY-SEC
Description:
LDAP returned the error [32] Insufficient Rights when importing the transaction
dn: <GUID=6F6D6B4CE76D184FB9C92C064B081D54>
changetype: Modify
showInAddressBook:add:CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=RecreateGP1,CN=M...
: CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Cont...
mail:pthree@voiceLab.com
textEncodedORAddress:c=US;a= ;p=RecreateGP1;o=Exchange;s=three;g=phn;
proxyAddresses:X400:c=US;a= ;p=RecreateGP1;o=Exchange;s=three;g=phn;
: SMTP:pthree@voiceLab.com
msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
msExchALObjectVersion:66
objectGUID:6F6D6B4CE76D184FB9C92C064B081D54
-
DC=child,DC=voiceLab,DC=com
For more information, click http://www.microsoft.com/contentredirect.asp.
Event Type: Warning
Event Source: MSExchangeAL
Event Category: Address List Synchronization
Event ID: 8317
Date: 8/2/2011
Time: 1:16:27 PM
User: N/A
Computer: UNITY-SEC
Description:
The service could not update the entry 'CN=pone,CN=Users,DC=child,DC=voiceLab,DC=com'
because inheritable permissions may not have propagated completely down to this object yet. The inheritance time may vary depending on the number of Active Directory objects within the domain and also the load of your domain controllers.
To correct this problem, verify that the Exchange permissions have been propagated to this object and then force a rebuild for the Recipient Update Service on this domain. DC=child,DC=voiceLab,DC=com
For more information, click http://www.microsoft.com/contentredirect.asp.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
I have checked the article :-
http://support.microsoft.com/kb/254030
Resolution
Use either the Active Directory Users and Computers management console or use Active Directory Service Interfaces (ADSI) Edit to re-establish inheritable permissions on the organizational unit.
In Active Directory Users and Computers
In Active Directory Users and Computers on the View menu, click Advanced Features.
Right-click the container or organizational unit that contains the users who are not being stamped by the Recipient Update Service, and then click Properties.
On the Security tab, verify that the Allow inheritable permissions from parent to propagate to this object check box is selected. This option adds Exchange Enterprise Servers to the list of accounts that have rights to that object.
Verify that this box is selected at the container level, and also in the user properties. To select the properties for individual users, right-click the user, click Properties, and then click the Security tab.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
This has not helped however.
-- > The other Errors that I am getting :-
Event Type: Error
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8270
Date: 8/2/2011
Time: 1:16:27 PM
User: N/A
Computer: UNITY-SEC
Description:
LDAP returned the error [32] Insufficient Rights when importing the transaction
dn: <GUID=36B63987D4F796418D8903CDD54FE6D7>
changetype: Modify
mail:pone@voiceLab.com
textEncodedORAddress:c=US;a= ;p=RecreateGP1;o=Exchange;s=one;g=phn;
msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
msExchALObjectVersion:64
objectGUID:36B63987D4F796418D8903CDD54FE6D7
-
DC=child,DC=voiceLab,DC=com
For more information, click http://www.microsoft.com/contentredirect.asp.
Errors also present for accounts which have these details been updated manually and working ok:-
Event Type: Warning
Event Source: MSExchangeAL
Event Category: Address List Synchronization
Event ID: 8317
Date: 8/2/2011
Time: 12:46:23 PM
User: N/A
Computer: UNITY-SEC
Description:
The service could not update the entry 'CN=EAdmin023a4d66,CN=Users,DC=child,DC=voiceLab,DC=com' because inheritable permissions may not have propagated completely down to this object yet. The inheritance time may vary depending on the number of
Active Directory objects within the domain and also the load of your domain controllers. To correct this problem, verify that the Exchange permissions have been propagated to this object and then force a rebuild for the Recipient Update Service on this domain.
DC=child,DC=voiceLab,DC=com
For more information, click http://www.microsoft.com/contentredirect.asp.
Event Type: Error
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8270
Date: 8/2/2011
Time: 12:46:23 PM
User: N/A
Computer: UNITY-SEC
Description:
LDAP returned the error [32] Insufficient Rights when importing the transaction
dn: <GUID=45BCD4B27811E54DB3941393C485BF3E>
changetype: Modify
msExchUserAccountControl:2
msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
msExchALObjectVersion:66
objectGUID:45BCD4B27811E54DB3941393C485BF3E
-
DC=child,DC=voiceLab,DC=com
For more information, click http://www.microsoft.com/contentredirect.asp.
I see msExchUserAccountControl:2 which should be 0 but not able to figure out how to do that for an entire container as such.
Event Type: Error
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8270
Date: 8/2/2011
Time: 10:25:03 AM
User: N/A
Computer: UNITY-SEC
Description:
LDAP returned the error [32] Insufficient Rights when importing the transaction
dn: <GUID=EB9C271174F41F45873917BE1458D49A>
changetype: Modify
msExchPoliciesIncluded:delete:a10ba2c7-4d4b-425d-af9e-c393de2cb579
: {26491cfc-9e50-4857-861b-0cb8df22b5d7}
msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
showInAddressBook:add:CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=RecreateGP1,CN=M...
: CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Cont...
msExchALObjectVersion:83
objectGUID:EB9C271174F41F45873917BE1458D49A
-
DC=child,DC=voiceLab,DC=com
For more information, click http://www.microsoft.com/contentredirect.asp.
Event Type: Error
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8270
Date: 8/2/2011
Time: 12:16:16 PM
User: N/A
Computer: UNITY-SEC
Description:
LDAP returned the error [32] Insufficient Rights when importing the transaction
dn: <GUID=45BCD4B27811E54DB3941393C485BF3E>
changetype: Modify
msExchUserAccountControl:2
showInAddressBook:add:CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=RecreateGP1,CN=M...
: CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Cont...
msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
msExchALObjectVersion:67
objectGUID:45BCD4B27811E54DB3941393C485BF3E
-
DC=child,DC=voiceLab,DC=com
For more information, click http://www.microsoft.com/contentredirect.asp.
Here I am unable to understand this path:-
showInAddressBook:add:CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=RecreateGP1,CN=M...
: CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Cont...
Event Type: Warning
Event Source: MSExchangeAL
Event Category: Address List Synchronization
Event ID: 8317
Date: 8/2/2011
Time: 10:55:03 AM
User: N/A
Computer: UNITY-SEC
Description:
The service could not update the entry 'CN=test13,CN=Users,DC=child,DC=voiceLab,DC=com'
because inheritable permissions may not have propagated completely down to this object yet. The inheritance time may vary depending on the number of Active Directory objects within the domain and also the load of your domain controllers.
To correct this problem, verify that the Exchange permissions have been propagated to this object and then force a rebuild for the Recipient Update Service on this domain. DC=child,DC=voiceLab,DC=com
For more information, click http://www.microsoft.com/contentredirect.asp.
Event Type: Error
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8270
Date: 8/2/2011
Time: 10:55:03 AM
User: N/A
Computer: UNITY-SEC
Description:
LDAP returned the error [32] Insufficient Rights when importing the transaction
dn: <GUID=D41751053D0B7B4BB0E322101C31BE34>
changetype: Modify
mail:test13@voiceLab.com
textEncodedORAddress:c=US;a= ;p=RecreateGP1;o=Exchange;s=test13;
msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
msExchALObjectVersion:72
objectGUID:D41751053D0B7B4BB0E322101C31BE34
-
DC=child,DC=voiceLab,DC=com
For more information, click http://www.microsoft.com/contentredirect.asp.
Event Type: Error
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8270
Date: 8/2/2011
Time: 10:25:03 AM
User: N/A
Computer: UNITY-SEC
Description:
LDAP returned the error [32] Insufficient Rights when importing the transaction
dn: <GUID=D41751053D0B7B4BB0E322101C31BE34>
changetype: Modify
showInAddressBook:add:CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=RecreateGP1,CN=M...
: CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Cont...
mail:test13@voiceLab.com
textEncodedORAddress:c=US;a= ;p=RecreateGP1;o=Exchange;s=test13;
proxyAddresses:X400:c=US;a= ;p=RecreateGP1;o=Exchange;s=test13;
: SMTP:test13@voiceLab.com
msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
msExchALObjectVersion:74
objectGUID:D41751053D0B7B4BB0E322101C31BE34
-
DC=child,DC=voiceLab,DC=com
For more information, click http://www.microsoft.com/contentredirect.asp.
-- > This doesn't seem to be an issue with Exchange 2010 however as I have Exchange 2010 in root domain and when I create mailboxes of the AD account in the child domain on that Exchange server that seems to go w/o any trouble.
So can someone please suggest what I am missing out in here to get it working for the Exchange 2003.
Find A Way, Or, Make A Way...........
August 2nd, 2011 4:35am
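An added example, not part of the original post: Python that parses Event ID 8270 descriptions like the ones above, converts the `<GUID=...>` hex (raw objectGUID bytes) to the canonical GUID string, and lists which attributes the Recipient Update Service was denied on each object. The function names are hypothetical and the two sample events are abridged from this thread.

```python
import re
import uuid
from collections import defaultdict

# Abridged from two Event ID 8270 descriptions quoted in the post above.
SAMPLE_EVENTS = [
    """LDAP returned the error [32] Insufficient Rights when importing the transaction
dn: <GUID=D41751053D0B7B4BB0E322101C31BE34>
changetype: Modify
mail:test13@voiceLab.com
textEncodedORAddress:c=US;a= ;p=RecreateGP1;o=Exchange;s=test13;
msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
msExchALObjectVersion:72
objectGUID:D41751053D0B7B4BB0E322101C31BE34
-
DC=child,DC=voiceLab,DC=com""",
    """LDAP returned the error [32] Insufficient Rights when importing the transaction
dn: <GUID=45BCD4B27811E54DB3941393C485BF3E>
changetype: Modify
msExchUserAccountControl:2
showInAddressBook:add:CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=RecreateGP1,CN=M...
: CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Cont...
msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
msExchALObjectVersion:67
objectGUID:45BCD4B27811E54DB3941393C485BF3E
-
DC=child,DC=voiceLab,DC=com""",
]

HEADER = re.compile(r"LDAP returned the error \[(\d+)\] (.+?) when importing")
DN_GUID = re.compile(r"dn:\s*<GUID=([0-9A-Fa-f]{32})>")

def parse_8270(description):
    """Extract error code, object GUID, attempted attributes and naming context."""
    header, dn = HEADER.search(description), DN_GUID.search(description)
    if not header or not dn:
        return None  # not an LDAP-import failure description
    # A line holding only "-" ends the attribute list; the naming context follows it.
    body, *tail = re.split(r"(?m)^[ \t]*-[ \t]*\r?$", description[dn.end():], maxsplit=1)
    context = next((l.strip() for l in "".join(tail).splitlines() if l.strip()), None)
    attrs = []
    for ln in body.splitlines():
        name, sep, _ = ln.strip().partition(":")
        # An empty name is the continuation line of a multi-valued attribute.
        if sep and name and name not in ("changetype", "objectGUID"):
            attrs.append(name)
    # <GUID=...> carries the raw objectGUID bytes; the first three fields are little-endian.
    guid = str(uuid.UUID(bytes_le=bytes.fromhex(dn.group(1))))
    return {"code": int(header.group(1)), "guid": guid, "attributes": attrs, "context": context}

def summarize(descriptions):
    """Group error-32 failures as {naming context: {object GUID: [attributes]}}."""
    report = defaultdict(lambda: defaultdict(set))
    for desc in descriptions:
        ev = parse_8270(desc)
        if ev and ev["code"] == 32:
            report[ev["context"]][ev["guid"]].update(ev["attributes"])
    return {c: {g: sorted(a) for g, a in objs.items()} for c, objs in report.items()}
```

Calling `summarize(SAMPLE_EVENTS)` returns one entry per naming context, so a run of 8270 errors collapses into a short list of objects and the attributes that could not be written on each.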
Adding mail addresses won't make accounts work, RUS stamps several other attributes together with proxyAddresses.
RUS seems to have a permission problem writing to the DC in the child domain. RUS is part of System Attendant so a simple test could be to restart the Exchange SA service.
lasse at humandata dot se, http://anewmessagehasarrived.blogspot.com
August 2nd, 2011 5:43am
Hi Lasse,
I restarted the Exchange SA service, however that hasn't made any difference and still getting the eventvwr errors and the e-mail fields are not getting populated still.
Please Suggest what should be the next course of action I might take.
Prad
:)
Find A Way, Or, Make A Way...........
August 2nd, 2011 6:52am
Hi Prad,
You need to run setup.com /PrepareLegacyExchangePermissions
Prepare Legacy Exchange 2003 Permission
http://technet.microsoft.com/en-us/library/aa997914.aspx
Martina Miskovic
August 2nd, 2011 2:38pm
Thanks, Once again Martina, I'll do that today
I have already run the /domainprep for Exchange 2003 on the Windows 2003 R2 server working DC/GC in Child Domain :- "child.voiceLab.com" and the RUS is not working in Exchange 2003 SP2 for "child.voiceLab.com"
So I guess you are referring to this section :-
Running Setup /PrepareLegacyExchangePermissions Again
There are some cases in which you will need to run setup /PrepareLegacyExchangePermissions again:
You have a domain that contains Exchange Server 2003 servers, and you have not run DomainPrep.
In an existing domain, you have mailbox-enabled users who will log on to mailboxes on Exchange Server 2003 servers in domains in which you have not run DomainPrep.
In these cases, you must run setup /PrepareLegacyExchangePermissions again after you run Exchange Server 2003 DomainPrep. This allows the Exchange Server 2003 Recipient Update Service to function correctly in this domain.
http://technet.microsoft.com/en-us/library/aa997914.aspx
Prad,
:)
Find A Way, Or, Make A Way...........
August 2nd, 2011 11:47pm
Hi Prad,
Yes I was referring to that section.
Good Luck and let us know how it went.
Martina Miskovic
August 3rd, 2011 12:01am
Hi Martina,
You are a champ,
After initial hiccups of trying to run Setup /PrepareLegacyExchangePermissions again with Exchange 2003 setup CD I realised soon it wasn't going the right way as it was more interested in installing the exchange rather than update it and I checked the above doc and some other links and that pointed that this was to be done via the Exchange 2010 setup rather than 2003.
This was surprising to me initially as Exchange 2010 was working fine with subdomain "child.voiceLab.com" however the only issues were with Exchange 2003 which was not updating the fields for these subdomain accounts as per RUS so I never expected the Exchange 2010 CD would have to be used.
However I did so after going through the docs which all pointed that it needs to be done via the Exchange 2010
--> My bad 1st time as being so fascinated with Start --> Run I attempted
c:\Exchange2010\setup /PrepareLegacyExchangePermissions
It did go through the initial part and didn't like it and closed itself
I remembered your instruction in the other post for doing via CMD, which is kind of strange as I expected both of them to have the same results, but apparently not.
c:\Exchange2010>setup.com /PrepareLegacyExchangePermissions
Welcome to Microsoft Exchange Server 2010 Unattended Setup
Preparing Exchange Setup
Copying Setup Files ......................... COMPLETED
No server roles will be installed
Performing Microsoft Exchange Server Prerequisite Check
Organization Checks ......................... COMPLETED
Configuring Microsoft Exchange Server
Updating legacy permissions ......................... COMPLETED
The Microsoft Exchange Server setup operation completed successfully.
-- > The AD Repl showed good as well, I cross checked that as I had run into huge issues with DNS and NDTS earlier :-
C:\Users\administrator.VOICELAB>repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\EX2010
DSA Options: (none)
Site Options: (none)
DSA object GUID: e542cac7-5c98-43c7-bc64-7b14cbb6ebf8
DSA invocationID: e6c1e798-58b1-4629-9581-d6fdf187a0d9
==== INBOUND NEIGHBORS ======================================
DC=voiceLab,DC=com
Default-First-Site-Name\UNITY-SEC via RPC
DSA object GUID: 818cf5b1-4130-435b-8bb3-00adc314c9cd
Last attempt @ 2011-08-03 17:31:18 was successful.
CN=Configuration,DC=voiceLab,DC=com
Default-First-Site-Name\UNITY-SEC via RPC
DSA object GUID: 818cf5b1-4130-435b-8bb3-00adc314c9cd
Last attempt @ 2011-08-03 16:57:25 was successful.
Default-First-Site-Name\UNITY11 via RPC
DSA object GUID: 68590d92-9f67-4cee-b21d-c866150ec8b9
Last attempt @ 2011-08-03 16:57:25 was successful.
CN=Schema,CN=Configuration,DC=voiceLab,DC=com
Default-First-Site-Name\UNITY-SEC via RPC
DSA object GUID: 818cf5b1-4130-435b-8bb3-00adc314c9cd
Last attempt @ 2011-08-03 16:57:25 was successful.
Default-First-Site-Name\UNITY11 via RPC
DSA object GUID: 68590d92-9f67-4cee-b21d-c866150ec8b9
Last attempt @ 2011-08-03 16:57:25 was successful.
DC=DomainDnsZones,DC=voiceLab,DC=com
Default-First-Site-Name\UNITY-SEC via RPC
DSA object GUID: 818cf5b1-4130-435b-8bb3-00adc314c9cd
Last attempt @ 2011-08-03 16:57:25 was successful.
DC=ForestDnsZones,DC=voiceLab,DC=com
Default-First-Site-Name\UNITY-SEC via RPC
DSA object GUID: 818cf5b1-4130-435b-8bb3-00adc314c9cd
Last attempt @ 2011-08-03 16:57:25 was successful.
Default-First-Site-Name\UNITY11 via RPC
DSA object GUID: 68590d92-9f67-4cee-b21d-c866150ec8b9
Last attempt @ 2011-08-03 16:57:25 was successful.
C:\Users\administrator.VOICELAB>
-- > I finally held my breath and logged in Exchange 2003 server
-- > Checked and didn't seem to update anything
-- > Re-build and updated the RUS for Child
Event Type: Information
Event Source: MSExchangeAL
Event Category: Address List Synchronization
Event ID: 8329
Date: 8/4/2011
Time: 6:16:32 AM
User: N/A
Computer: UNITY-SEC
Description:
The Recipient Update Service is starting a rebuild of DC=child,DC=voiceLab,DC=com
For more information, click http://www.microsoft.com/contentredirect.asp.
-- > No Errors and Checked and the RUS got updated for the child domain a/c automatically as expected
-- > Checked to login and worked fine
Below is a screenshot of how well it looks now:-
https://skydrive.live.com/?cid=AC90F2CDB394D9E7&id=AC90F2CDB394D9E7%21112&sc=documents
Now I am only left with the Exchange 2010 -- > Exchange 2003 Send Mail Issues and I would be starting a new thread for that.
However once again, thanks a lot for the help Martina, You ROCK..........
Prad,
:)
Find A Way, Or, Make A Way...........
August 3rd, 2011 9:19pm
Hi Prad,
Thanks for your kind words!
I really don't know anyone that is so good at giving all the details while posting. Two thumbs up!
It's like you have read my favorite KB
http://support.microsoft.com/kb/q555375 :)
I guess I could have been more clear with /preparelegacypermission but you solved it.
Running CMD with an elevated CMD prompt has to be done because of "User Account Control" (UAC) in the operating system.
Martina Miskovic
August 4th, 2011 12:20am
Hi Martina,
No I didn't read that article before you posted, but I did it just the same now and thanks for that, however this goes along I guess with any Technical Forum and community and being Cisco TAC Voicemail Engineer I can understand how troubleshooting can be increasingly difficult w/o appropriate details and the more the related info. you have at hand the more likely you are towards getting it resolved as well.
Much similar details have been posted on the Cisco Support Forums that carries this kind of similar approach.
https://supportforums.cisco.com/community/netpro/collaboration-voice-video/unified-comm-application/blog/2011/03/30/cisco-unity--information-you-should-include-when-opening-any-unity-tac-case
https://supportforums.cisco.com/community/netpro/collaboration-voice-video/unified-comm-application/blog/2011/03/30/cisco-unity-connection--information-you-should-include-when-opening-any-unity-connection-tac-case
Cheers,
Prad
:)
Find A Way, Or, Make A Way...........
August 4th, 2011 6:24pm