Exchange 2003 in Root domain (xyz.com) and RUS not updating for new mailboxes created for AD accounts in Child Domain (abc.xyz.com) and have to manually create the SMTP and X.400 address for the mailboxes.
Hi,

I have a Windows 2003 R2 as DC/GC in Child Domain :- "child.voiceLab.com"
// DC and GC --> UNITY11.child.voiceLab.com

The Exchange Server 2003 SP2 is on Windows 2003 R2 and that is in the Root Domain :- "voiceLab.com" and is the 1st DC and GC as well of the root domain "voiceLab.com"
// DC and GC --> UNITY-SEC.voiceLab.com

The Exchange 2003 SP2 was installed before the Child Domain :- "child.voiceLab.com" --> I know that is non-standard but just had some change of plans and so this way.

I have run the forestprep and more importantly /domainprep on the Windows 2003 R2 server working DC/GC in Child Domain :- "child.voiceLab.com"

It went fine except for the prompt:-

The domain "Child.voiceLab.com" has been identified as an insecure domain for the mail-enabled groups with hidden DL membership. Hidden DL membership will be exposed to members of the built-in "Pre-Windows 2000 Compatible Access" security group. This group may have been populated during the promotion of the domain with the intent of allowing permissions to be compatible with pre-windows 2000 servers and application. To secure the domain, remove any unnecessary members from this group.

https://skydrive.live.com/P.mvc#!/?cid=AC90F2CDB394D9E7&id=AC90F2CDB394D9E7%21109&sc=documents

I Created a new RUS in Exchange 2003 for the child domain AD a/c as you can see below :-
https://skydrive.live.com/P.mvc#!/?cid=AC90F2CDB394D9E7&id=AC90F2CDB394D9E7%21110&sc=documents

However that didn't seem to have helped

The Accounts are as below :-
https://skydrive.live.com/P.mvc#!/?cid=AC90F2CDB394D9E7&id=AC90F2CDB394D9E7%21111&sc=documents

The only way to get it to work so far has been to add the SMTP and X.400 manually

However even with working accounts updated manually and also for not the ones which have been manually updated the eventvwr is filled with these errors:-

Event Type: Error
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8270
Date: 8/2/2011
Time: 1:16:27 PM
User: N/A
Computer: UNITY-SEC
Description:
LDAP returned the error [32] Insufficient Rights when importing the transaction
dn: <GUID=6F6D6B4CE76D184FB9C92C064B081D54>
changetype: Modify
showInAddressBook:add:CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=RecreateGP1,CN=M...
 : CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Cont...
mail:pthree@voiceLab.com
textEncodedORAddress:c=US;a= ;p=RecreateGP1;o=Exchange;s=three;g=phn;
proxyAddresses:X400:c=US;a= ;p=RecreateGP1;o=Exchange;s=three;g=phn;
 : SMTP:pthree@voiceLab.com
msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
msExchALObjectVersion:66
objectGUID:6F6D6B4CE76D184FB9C92C064B081D54
- DC=child,DC=voiceLab,DC=com
For more information, click http://www.microsoft.com/contentredirect.asp.

Event Type: Warning
Event Source: MSExchangeAL
Event Category: Address List Synchronization
Event ID: 8317
Date: 8/2/2011
Time: 1:16:27 PM
User: N/A
Computer: UNITY-SEC
Description:
The service could not update the entry 'CN=pone,CN=Users,DC=child,DC=voiceLab,DC=com' because inheritable permissions may not have propagated completely down to this object yet. The inheritance time may vary depending on the number of Active Directory objects within the domain and also the load of your domain controllers. To correct this problem, verify that the Exchange permissions have been propagated to this object and then force a rebuild for the Recipient Update Service on this domain.
DC=child,DC=voiceLab,DC=com
For more information, click http://www.microsoft.com/contentredirect.asp.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

I have checked the article :- http://support.microsoft.com/kb/254030

Resolution

Use either the Active Directory Users and Computers management console or use Active Directory Service Interfaces (ADSI) Edit to re-establish inheritable permissions on the organizational unit.

In Active Directory Users and Computers

In Active Directory Users and Computers on the View menu, click Advanced Features.
Right-click the container or organizational unit that contains the users who are not being stamped by the Recipient Update Service, and then click Properties.
On the Security tab, verify that the Allow inheritable permissions from parent to propagate to this object check box is selected. This options adds Exchange Enterprise Servers to the list of accounts that have rights to that object. Verify that this box is selected at the container level, and also in the user properties. To select the properties for individual users, right-click the user, click Properties, and then click the Security tab.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

This has not helped however.

-- > The other Errors that I am getting :-

Event Type: Error
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8270
Date: 8/2/2011
Time: 1:16:27 PM
User: N/A
Computer: UNITY-SEC
Description:
LDAP returned the error [32] Insufficient Rights when importing the transaction
dn: <GUID=36B63987D4F796418D8903CDD54FE6D7>
changetype: Modify
mail:pone@voiceLab.com
textEncodedORAddress:c=US;a= ;p=RecreateGP1;o=Exchange;s=one;g=phn;
msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
msExchALObjectVersion:64
objectGUID:36B63987D4F796418D8903CDD54FE6D7
- DC=child,DC=voiceLab,DC=com
For more information, click http://www.microsoft.com/contentredirect.asp.

Errors also present for accounts which have these details been updated manually and working ok:-

Event Type: Warning
Event Source: MSExchangeAL
Event Category: Address List Synchronization
Event ID: 8317
Date: 8/2/2011
Time: 12:46:23 PM
User: N/A
Computer: UNITY-SEC
Description:
The service could not update the entry 'CN=EAdmin023a4d66,CN=Users,DC=child,DC=voiceLab,DC=com' because inheritable permissions may not have propagated completely down to this object yet. The inheritance time may vary depending on the number of Active Directory objects within the domain and also the load of your domain controllers. To correct this problem, verify that the Exchange permissions have been propagated to this object and then force a rebuild for the Recipient Update Service on this domain.
DC=child,DC=voiceLab,DC=com
For more information, click http://www.microsoft.com/contentredirect.asp.

Event Type: Error
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8270
Date: 8/2/2011
Time: 12:46:23 PM
User: N/A
Computer: UNITY-SEC
Description:
LDAP returned the error [32] Insufficient Rights when importing the transaction
dn: <GUID=45BCD4B27811E54DB3941393C485BF3E>
changetype: Modify
msExchUserAccountControl:2
msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
msExchALObjectVersion:66
objectGUID:45BCD4B27811E54DB3941393C485BF3E
- DC=child,DC=voiceLab,DC=com
For more information, click http://www.microsoft.com/contentredirect.asp.

I see msExchUserAccountControl:2 which should be 0 but not able to figure out how to do that for an entire container as such.

Event Type: Error
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8270
Date: 8/2/2011
Time: 10:25:03 AM
User: N/A
Computer: UNITY-SEC
Description:
LDAP returned the error [32] Insufficient Rights when importing the transaction
dn: <GUID=EB9C271174F41F45873917BE1458D49A>
changetype: Modify
msExchPoliciesIncluded:delete:a10ba2c7-4d4b-425d-af9e-c393de2cb579
 : {26491cfc-9e50-4857-861b-0cb8df22b5d7}
msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
showInAddressBook:add:CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=RecreateGP1,CN=M...
 : CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Cont...
msExchALObjectVersion:83
objectGUID:EB9C271174F41F45873917BE1458D49A
- DC=child,DC=voiceLab,DC=com
For more information, click http://www.microsoft.com/contentredirect.asp.

Event Type: Error
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8270
Date: 8/2/2011
Time: 12:16:16 PM
User: N/A
Computer: UNITY-SEC
Description:
LDAP returned the error [32] Insufficient Rights when importing the transaction
dn: <GUID=45BCD4B27811E54DB3941393C485BF3E>
changetype: Modify
msExchUserAccountControl:2
showInAddressBook:add:CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=RecreateGP1,CN=M...
 : CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Cont...
msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
msExchALObjectVersion:67
objectGUID:45BCD4B27811E54DB3941393C485BF3E
- DC=child,DC=voiceLab,DC=com
For more information, click http://www.microsoft.com/contentredirect.asp.

Here I am unable to understand this path:-

showInAddressBook:add:CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=RecreateGP1,CN=M...
 : CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Cont...

Event Type: Warning
Event Source: MSExchangeAL
Event Category: Address List Synchronization
Event ID: 8317
Date: 8/2/2011
Time: 10:55:03 AM
User: N/A
Computer: UNITY-SEC
Description:
The service could not update the entry 'CN=test13,CN=Users,DC=child,DC=voiceLab,DC=com' because inheritable permissions may not have propagated completely down to this object yet. The inheritance time may vary depending on the number of Active Directory objects within the domain and also the load of your domain controllers. To correct this problem, verify that the Exchange permissions have been propagated to this object and then force a rebuild for the Recipient Update Service on this domain.
DC=child,DC=voiceLab,DC=com
For more information, click http://www.microsoft.com/contentredirect.asp.

Event Type: Error
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8270
Date: 8/2/2011
Time: 10:55:03 AM
User: N/A
Computer: UNITY-SEC
Description:
LDAP returned the error [32] Insufficient Rights when importing the transaction
dn: <GUID=D41751053D0B7B4BB0E322101C31BE34>
changetype: Modify
mail:test13@voiceLab.com
textEncodedORAddress:c=US;a= ;p=RecreateGP1;o=Exchange;s=test13;
msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
msExchALObjectVersion:72
objectGUID:D41751053D0B7B4BB0E322101C31BE34
- DC=child,DC=voiceLab,DC=com
For more information, click http://www.microsoft.com/contentredirect.asp.

Event Type: Error
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8270
Date: 8/2/2011
Time: 10:25:03 AM
User: N/A
Computer: UNITY-SEC
Description:
LDAP returned the error [32] Insufficient Rights when importing the transaction
dn: <GUID=D41751053D0B7B4BB0E322101C31BE34>
changetype: Modify
showInAddressBook:add:CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=RecreateGP1,CN=M...
 : CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Cont...
mail:test13@voiceLab.com
textEncodedORAddress:c=US;a= ;p=RecreateGP1;o=Exchange;s=test13;
proxyAddresses:X400:c=US;a= ;p=RecreateGP1;o=Exchange;s=test13;
 : SMTP:test13@voiceLab.com
msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
msExchALObjectVersion:74
objectGUID:D41751053D0B7B4BB0E322101C31BE34
- DC=child,DC=voiceLab,DC=com
For more information, click http://www.microsoft.com/contentredirect.asp.

-- > This doesn't seem to be an issue with Exchange 2010 however as I have Exchange 2010 in root domain and when I create mailboxes of the AD account in the child domain on that Exchange server that seems to go w/o any trouble.

So can someone please suggest what I am missing out in here to get it working for the Exchange 2003.

Find A Way, Or, Make A Way...........
August 2nd, 2011 4:35am
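
An added example, not part of the original post and not Microsoft tooling: a Python triage of the MSExchangeAL 8270/8317 descriptions quoted above. It groups the denied writes by naming context and converts each raw objectGUID octet string to the dashed GUID that AD tools display. The attribute-name pattern and the hexadecimal reading of the bracketed error code are assumptions, noted in the comments.

```python
import re
import uuid

# MSExchangeAL descriptions abridged from the events quoted in the post above.
EVENTS = [
    (8270, "LDAP returned the error [32] Insufficient Rights when importing the "
           "transaction dn: <GUID=36B63987D4F796418D8903CDD54FE6D7> changetype: Modify "
           "mail:pone@voiceLab.com textEncodedORAddress:c=US;a= ;p=RecreateGP1;o=Exchange;"
           "s=one;g=phn; msExchALObjectVersion:64 "
           "objectGUID:36B63987D4F796418D8903CDD54FE6D7 - DC=child,DC=voiceLab,DC=com"),
    (8270, "LDAP returned the error [32] Insufficient Rights when importing the "
           "transaction dn: <GUID=45BCD4B27811E54DB3941393C485BF3E> changetype: Modify "
           "msExchUserAccountControl:2 msExchALObjectVersion:66 "
           "objectGUID:45BCD4B27811E54DB3941393C485BF3E - DC=child,DC=voiceLab,DC=com"),
    (8317, "The service could not update the entry "
           "'CN=pone,CN=Users,DC=child,DC=voiceLab,DC=com' because inheritable "
           "permissions may not have propagated completely down to this object yet."),
]

ERR_RE = re.compile(r"error \[([0-9A-Fa-f]+)\] (.+?) when importing")
GUID_RE = re.compile(r"<GUID=([0-9A-Fa-f]{32})>")
NC_RE = re.compile(r" - ((?:DC=[^,\s]+,?)+)\s*$")
ENTRY_RE = re.compile(r"update the entry '([^']+)'")
# Heuristic (assumption): AD attribute names start with a lowercase letter, which
# separates them from value fragments such as "SMTP:..." or "X400:...".
ATTR_RE = re.compile(r"^([a-z][A-Za-z0-9-]*):")

def canonical_guid(octet_hex):
    """Raw objectGUID octets (as logged) -> dashed GUID as AD tools display it."""
    return str(uuid.UUID(bytes_le=bytes.fromhex(octet_hex)))

def parse_8270(text):
    code, reason = ERR_RE.search(text).groups()
    attrs = []
    for token in text.split("changetype:", 1)[1].split():
        m = ATTR_RE.match(token)
        if m and m.group(1) != "objectGUID" and m.group(1) not in attrs:
            attrs.append(m.group(1))
    return {
        # Assumption: the bracketed code is hexadecimal. 0x32 = 50, which is
        # insufficientAccessRights in RFC 4511 and matches the logged text.
        "ldap_code": int(code, 16),
        "reason": reason,
        "guid": canonical_guid(GUID_RE.search(text).group(1)),
        "naming_context": NC_RE.search(text).group(1),
        "attributes": attrs,
    }

def triage(events):
    """Return ({naming context: {guid: [attributes RUS could not write]}}, [8317 DNs])."""
    denied, not_stamped = {}, []
    for event_id, text in events:
        if event_id == 8270:
            rec = parse_8270(text)
            seen = denied.setdefault(rec["naming_context"], {}).setdefault(rec["guid"], [])
            seen.extend(a for a in rec["attributes"] if a not in seen)
        elif event_id == 8317:
            not_stamped.append(ENTRY_RE.search(text).group(1))
    return denied, not_stamped

if __name__ == "__main__":
    denied, not_stamped = triage(EVENTS)
    print(denied)
    print(not_stamped)
```

When every denied write falls under a single naming context, as here, the place to look is the Exchange permission delegation in that domain rather than the individual user objects.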

Adding mail addresses won't make accounts work, RUS stamps several other attributes together with proxyaddresses. RUS seems to have a permission problem writing to the DC in the child domain. RUS is part of System Attendant so a simple test could be to restart the Exchange SA service.

lasse at humandata dot se, http://anewmessagehasarrived.blogspot.com
August 2nd, 2011 5:43am

Hi Lasse,

I restarted the Exchange SA service, however that hasn't made any difference and I am still getting the eventvwr errors and the e-mail fields are still not getting populated.

Please suggest what should be the next course of action I might take.

Prad :)
Find A Way, Or, Make A Way...........
August 2nd, 2011 6:52am

Hi Prad,

You need to run setup.com /PrepareLegacyExchangePermissions

Prepare Legacy Exchange 2003 Permission
http://technet.microsoft.com/en-us/library/aa997914.aspx

Martina Miskovic
August 2nd, 2011 2:38pm

Thanks once again, Martina, I'll do that today.

I have already run the /domainprep for Exchange 2003 on the Windows 2003 R2 server working DC/GC in Child Domain :- "child.voiceLab.com" and the RUS is not working in Exchange 2003 SP2 for "child.voiceLab.com"

So I guess you are referring to this section :-

Running Setup /PrepareLegacyExchangePermissions Again

There are some cases in which you will need to run setup /PrepareLegacyExchangePermissions again:

You have a domain that contains Exchange Server 2003 servers, and you have not run DomainPrep.
In an existing domain, you have mailbox-enabled users who will log on to mailboxes on Exchange Server 2003 servers in domains in which you have not run DomainPrep.

In these cases, you must run setup /PrepareLegacyExchangePermissions again after you run Exchange Server 2003 DomainPrep. This allows the Exchange Server 2003 Recipient Update Service to function correctly in this domain.

http://technet.microsoft.com/en-us/library/aa997914.aspx

Prad, :)
Find A Way, Or, Make A Way...........
August 2nd, 2011 11:47pm

Hi Prad,

Yes, I was referring to that section. Good luck and let us know how it went.

Martina Miskovic
August 3rd, 2011 12:01am

Hi Martina,

You are a champ,

After initial hiccups of trying to run Setup /PrepareLegacyExchangePermissions again with the Exchange 2003 setup CD I realised soon it wasn't going the right way as it was more interested in installing Exchange rather than updating it, and I checked the above doc and some other links and that pointed out that this was to be done via the Exchange 2010 setup rather than 2003.

This was surprising to me initially as Exchange 2010 was working fine with subdomain "child.voiceLab.com", however the only issues were with Exchange 2003 which was not updating the fields for these subdomain accounts as per RUS, so I never expected the Exchange 2010 CD would have to be used.

However I did so after going through the docs which all pointed out that it needs to be done via Exchange 2010

--> My bad 1st time as being so fascinated with Start -- > Run I attempted

c:\Exchange2010\setup /PrepareLegacyExchangePermissions

It did go through the initial part and didn't like it and closed itself

I remembered your instruction in the other post for doing it via CMD, which is kind of strange as I expected both of them to have the same results, but apparently not.

c:\Exchange2010>setup.com /PrepareLegacyExchangePermissions

Welcome to Microsoft Exchange Server 2010 Unattended Setup

Preparing Exchange Setup

    Copying Setup Files ......................... COMPLETED

No server roles will be installed

Performing Microsoft Exchange Server Prerequisite Check

    Organization Checks ......................... COMPLETED

Configuring Microsoft Exchange Server

    Updating legacy permissions ......................... COMPLETED

The Microsoft Exchange Server setup operation completed successfully.

-- > The AD Repl showed good as well, I cross checked that as I had run into huge issues with DNS and NTDS earlier :-

C:\Users\administrator.VOICELAB>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\EX2010
DSA Options: (none)
Site Options: (none)
DSA object GUID: e542cac7-5c98-43c7-bc64-7b14cbb6ebf8
DSA invocationID: e6c1e798-58b1-4629-9581-d6fdf187a0d9

==== INBOUND NEIGHBORS ======================================

DC=voiceLab,DC=com
    Default-First-Site-Name\UNITY-SEC via RPC
        DSA object GUID: 818cf5b1-4130-435b-8bb3-00adc314c9cd
        Last attempt @ 2011-08-03 17:31:18 was successful.

CN=Configuration,DC=voiceLab,DC=com
    Default-First-Site-Name\UNITY-SEC via RPC
        DSA object GUID: 818cf5b1-4130-435b-8bb3-00adc314c9cd
        Last attempt @ 2011-08-03 16:57:25 was successful.
    Default-First-Site-Name\UNITY11 via RPC
        DSA object GUID: 68590d92-9f67-4cee-b21d-c866150ec8b9
        Last attempt @ 2011-08-03 16:57:25 was successful.

CN=Schema,CN=Configuration,DC=voiceLab,DC=com
    Default-First-Site-Name\UNITY-SEC via RPC
        DSA object GUID: 818cf5b1-4130-435b-8bb3-00adc314c9cd
        Last attempt @ 2011-08-03 16:57:25 was successful.
    Default-First-Site-Name\UNITY11 via RPC
        DSA object GUID: 68590d92-9f67-4cee-b21d-c866150ec8b9
        Last attempt @ 2011-08-03 16:57:25 was successful.

DC=DomainDnsZones,DC=voiceLab,DC=com
    Default-First-Site-Name\UNITY-SEC via RPC
        DSA object GUID: 818cf5b1-4130-435b-8bb3-00adc314c9cd
        Last attempt @ 2011-08-03 16:57:25 was successful.

DC=ForestDnsZones,DC=voiceLab,DC=com
    Default-First-Site-Name\UNITY-SEC via RPC
        DSA object GUID: 818cf5b1-4130-435b-8bb3-00adc314c9cd
        Last attempt @ 2011-08-03 16:57:25 was successful.
    Default-First-Site-Name\UNITY11 via RPC
        DSA object GUID: 68590d92-9f67-4cee-b21d-c866150ec8b9
        Last attempt @ 2011-08-03 16:57:25 was successful.

C:\Users\administrator.VOICELAB>

-- > I finally held my breath and logged in to the Exchange 2003 server
-- > Checked and it didn't seem to update anything
-- > Re-built and updated the RUS for Child

Event Type: Information
Event Source: MSExchangeAL
Event Category: Address List Synchronization
Event ID: 8329
Date: 8/4/2011
Time: 6:16:32 AM
User: N/A
Computer: UNITY-SEC
Description:
The Recipient Update Service is starting a rebuild of DC=child,DC=voiceLab,DC=com
For more information, click http://www.microsoft.com/contentredirect.asp.

-- > No errors, and checked and the RUS got updated for the child domain a/c automatically as expected
-- > Checked to login and worked fine

Below is a screenshot of how well it looks now:-
https://skydrive.live.com/?cid=AC90F2CDB394D9E7&id=AC90F2CDB394D9E7%21112&sc=documents

Now I am only left with the Exchange 2010 -- > Exchange 2003 Send Mail issues and I will be starting a new thread for that.

However once again, thanks a lot for the help Martina, You ROCK..........

Prad, :)
Find A Way, Or, Make A Way...........
August 3rd, 2011 9:19pm

Hi Prad,

Thanks for your kind words!

I really don't know anyone who is so good at giving all the details while posting. Two thumbs up! It's like you have read my favorite KB http://support.microsoft.com/kb/q555375 :)

I guess I could have been more clear with /preparelegacypermission but you solved it. Running CMD with an elevated CMD prompt has to be done because of "User Account Control" (UAC) in the operating system.

Martina Miskovic
August 4th, 2011 12:20am

Hi Martina,

No, I didn't read that article before you posted, but I did it just the same now and thanks for that. However this goes along I guess with any technical forum and community, and being a Cisco TAC Voicemail Engineer I can understand how troubleshooting can be increasingly difficult w/o appropriate details, and the more related info you have at hand the more likely you are to get it resolved as well.

Much similar details have been posted on the Cisco Support Forums, which carry this kind of similar approach.

https://supportforums.cisco.com/community/netpro/collaboration-voice-video/unified-comm-application/blog/2011/03/30/cisco-unity--information-you-should-include-when-opening-any-unity-tac-case
https://supportforums.cisco.com/community/netpro/collaboration-voice-video/unified-comm-application/blog/2011/03/30/cisco-unity-connection--information-you-should-include-when-opening-any-unity-connection-tac-case

Cheers,
Prad :)
Find A Way, Or, Make A Way...........
August 4th, 2011 6:24pm

This topic is archived. No further replies will be accepted.