Exchange 2010 installation fails at adprep / domainprep
Hello all, I'm trying to do an Exchange 2010 install on a fresh 2008 R2 server. Domain is at Windows 2003 Forest and Domain functional Level. Both DCs are 2008 server. The user account used for installation is member of domain admins, enterprise admins and schema admins. The first step, schema update succeeds. The second step, domainprep, fails with the following error:

[05-04-2010 16:18:42.0696] [2] [ERROR] Active Directory operation failed on <customers domain controller name>. This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-03152492, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
[05-04-2010 16:18:42.0727] [2] [ERROR] The user has insufficient access rights.
[05-04-2010 16:18:42.0743] [2] Ending processing.
[05-04-2010 16:18:42.0743] [1] 0. ErrorRecord: Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on< customers domain controller name >. This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-03152492, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   at Microsoft.Exchange.Data.Directory.ADSession.SaveSecurityDescriptor(ADObject obj, RawSecurityDescriptor sd, Boolean modifyOwner)
   at Microsoft.Exchange.Management.Tasks.DirectoryCommon.TakeOwnership(ADObjectId id, RawSecurityDescriptor sd, ADSystemConfigurationSession session)
   at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()
[05-04-2010 16:18:42.0758] [1] [ERROR] The following error was generated when "$error.Clear(); if ($RolePrepareAllDomains) { initialize-DomainPermissions -AllDomains:$true -CreateTenantRoot:$RoleIsDatacenter; } elseif ($RoleDomain -ne $null) { initialize-DomainPermissions -Domain $RoleDomain -CreateTenantRoot:$RoleIsDatacenter; } else { initialize-DomainPermissions -CreateTenantRoot:$RoleIsDatacenter; }" was run: "Active Directory operation failed on < customers domain controller name >. This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-03152492, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ".
[05-04-2010 16:18:42.0758] [1] [ERROR] Active Directory operation failed on<DC van klant>. This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-03152492, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
[05-04-2010 16:18:42.0758] [1] [ERROR] The user has insufficient access rights.
[05-04-2010 16:18:42.0774] [1] [WARNING] <<< Setup failed to execute a task. Dumping all variables.... >>>

Since the user is member of all relevant groups, I am at a loss here. My guess is some deny that's been set on an important AD object. So my question would be: which specific rights (on which AD objects) are required for doing the /PrepareAd step? Is there a way to tell on which AD object exactly it fails? Maybe some clever dsquery script for searching the AD for Denies? Or is this too far fetched?

Hope to hear from you guys,
Greets,
Rik van Berendonk
May 5th, 2010 8:48pm

Hello, Your account is in the correct groups. Did you log off and log in after you added the account to the groups above? Maybe the rights have not been updated yet across the domain. Suggest try rebooting and try again.
Isaac Oben MCITP:EA, MCSE
May 5th, 2010 9:05pm

Hello, Did you install the RSAT-ADDS tools on the Exchange server? Open CMD (right-click and select Run as administrator), then run setup /PrepareAD /OrganizationName: <Name>
Thanks, Mhussain
May 6th, 2010 12:42am

Hello, Yes, I have rebooted the servers; I have also tried it with the default administrator account, which was already a member of these groups. No change, unfortunately.
May 6th, 2010 1:05am

Hi, Yes, the ADDS tools are present on the Exchange server. If I run the setup /PrepareAD /OrganizationName: <my exchange organization name> I get the following error:

Performing Microsoft Exchange Server Prerequisite Check

Organization Checks ......................... COMPLETED
Setup is going to prepare the organization for Exchange 2010 by using 'Setup /PrepareAD'. No Exchange 2007 server roles have been detected in this topology. After this operation, you will not be able to install any Exchange 2007 server roles.

Configuring Microsoft Exchange Server

Organization Preparation ......................... FAILED
The following error was generated when "$error.Clear(); buildToBuildUpgrade -ExsetDataAtom -AtomName OrgLevelCt -DomainController $RoleDomainController" was run: "An error occurred with error code '3238218301' and message 'The operation failed. Either you don't have sufficient permissions to perform the operation, or you need to wait for permissions to be replicated and try again later.'.".

The Exchange Server setup operation did not complete. Visit http://support.microsoft.com and enter the Error ID to find more information.
Exchange Server setup encountered an error.
May 6th, 2010 1:11am

Can you run a copy of the Exchange BPA on another machine and run the Readiness and Permissions Inheritance checks?
Active Directory, 4th Edition - www.briandesmond.com/ad4/
May 6th, 2010 7:05am

Sure, how can I best post the results? It's an XML file, with some private data in it.
May 6th, 2010 12:48pm

Hi Rik, Please send the report to me: v-elvwei [at] microsoft [dot] com and I will help you to see if I can find some clues. Please also make sure you meet the following conditions.

The computer where you run this command must be able to contact all domains in the forest on port 389.

You must run this command on a computer in the same domain and in the same Active Directory site as the schema master. Setup will make all configuration changes to the schema master to avoid conflicts because of replication latency.

Prepare Active Directory and Domains
http://technet.microsoft.com/en-us/library/bb125224.aspx

Thanks, Elvis
May 10th, 2010 10:58am


Hi guys, I've created an MS support ticket. Right now I'm creating a second server to see if the problem can be reproduced there. The MS support technician noted that there were other customers with exactly the same problem while installing Ex2010. No resolution yet, but I'll post here if any is found.
grts Rik
May 11th, 2010 2:55pm

Hi Rik, Since you have contacted our support professional, I would like to temporarily mark the current thread. If you find the solution, we welcome you to put it here so that it can benefit more people in the community.
Thanks a lot, Elvis
May 12th, 2010 9:46am


Hi y'all, Well, the ticket with MS Support was recently closed, although the issue was still not completely solved. This was on our request, because the troubleshooting was taking too long, so the project board decided to stop the troubleshooting and build a new AD.

There had been an Exchange 2000 or 2003 server in the AD that had been incorrectly removed a few years ago. That, in conjunction with a "dirty AD" with a lot of incorrect permissions set, led to this problem with setting up Exchange 2010. After resetting a lot of AD permissions, I eventually managed to get past the AD preparation phase, but after that encountered other AD-related errors while installing the Exchange roles. At that point, after a couple of weeks of troubleshooting, we lost confidence in the idea of getting a proper installation of Exchange 2010.

Therefore, the decision was made to leave this AD, start with a fresh new AD, and then migrate users to that one. The installation of Exc2010 in the new domain went as expected; within 30 minutes it was done. As far as I am concerned, this thread can be closed. Thank you all for your input.
August 10th, 2010 4:30pm
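
Added example, not part of the thread and not Microsoft tooling: the trace in the first post fails inside SaveSecurityDescriptor/TakeOwnership, and the last post blames incorrect permissions, so a read-only audit of security descriptors is the kind of script the original question asks about. The function names, the default search base and the LDAP filter are assumptions; it needs the ActiveDirectory module from RSAT-ADDS.

```powershell
# Added example: read-only audit of AD security descriptors (makes no changes).
# Needs the ActiveDirectory module (RSAT-ADDS) and read access to nTSecurityDescriptor.
Import-Module ActiveDirectory

function Resolve-SidName($Sid) {
    # Returns $null for a SID that no longer maps to an account (orphaned principal).
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
}

function New-Finding($DN, $Finding, $Principal, $Rights) {
    New-Object PSObject -Property @{ DN = $DN; Finding = $Finding; Principal = $Principal; Rights = $Rights }
}

function Get-AdAclAnomaly {
    param(
        # Assumption: whole domain by default; narrow SearchBase on large directories.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # Assumption: the domain head, OUs and containers are enough for a first pass.
        [string]$LdapFilter = '(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=container))'
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    Get-ADObject -SearchBase $SearchBase -LDAPFilter $LdapFilter -Properties nTSecurityDescriptor |
        ForEach-Object {
            $dn = $_.DistinguishedName
            $sd = $_.nTSecurityDescriptor
            if (-not $sd) {
                # The current credentials cannot even read the descriptor.
                New-Finding $dn 'DescriptorUnreadable' '' ''
                return
            }
            $owner = $sd.GetOwner($sidType)
            $ownerName = Resolve-SidName $owner
            if (-not $ownerName) { New-Finding $dn 'OwnerUnresolved' $owner.Value '' }
            if ($sd.AreAccessRulesProtected) {
                # Inheritance is blocked: permissions set higher up do not reach this object.
                New-Finding $dn 'InheritanceBlocked' $ownerName ''
            }
            # Explicit ACEs only ($false = skip inherited), identities returned as SIDs.
            foreach ($ace in $sd.GetAccessRules($true, $false, $sidType)) {
                $name = Resolve-SidName $ace.IdentityReference
                if ($ace.AccessControlType -eq 'Deny') {
                    New-Finding $dn 'ExplicitDeny' $(if ($name) { $name } else { $ace.IdentityReference.Value }) $ace.ActiveDirectoryRights
                } elseif (-not $name) {
                    New-Finding $dn 'UnresolvedSid' $ace.IdentityReference.Value $ace.ActiveDirectoryRights
                }
            }
        }
}

Get-AdAclAnomaly | Sort-Object DN, Finding | Format-Table DN, Finding, Principal, Rights -AutoSize
```

Deny ACEs for Everyone covering Delete and DeleteTree come from "Protect object from accidental deletion", and AdminSDHolder blocks inheritance by design, so treat those rows as expected rather than as faults.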
