Hi, When I run: setup.com /prepareAD, I get this error: Configuring Microsoft Exchange Server Organization Preparation FAILED The following error was generated when "$error.Clear(); initialize-AdminGroupPermissions -DomainController $RoleDomainController " was run: "Active Directory operation failed on DC01 . This e rror is not retriable. Additional information: Insufficient access rights to per form the operation. Active directory response: 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF _ACCESS_RIGHTS), data 0 ". I have checked permission of Exchange trusted Subsystem and it checked on inheritance permissions option already. Following this link: http://blogs.technet.com/b/richardroddy/archive/2010/07/12/exchange-2010-and-the-exchange-trusted-subsystem.aspx Please help, Thanks,

Hello FPT Software, I hope you are running this command with Run As Administrator in Cmd Prompt. Post the event id 2080 from Application log. What is the account you are using to login to the server?Gulab | MCITP: Exchange 2010-2007 | Skype: Gulab.Mallah | Blog: www.ExchangeRanger.Blogspot.com

Thanks Gulab for quick response. I log on as Administrator on DC and run setup.com /prepareAD. I not found event id 2080 from app log.

You can get the 2080 from exchange 2007. You won't get 2080 until you install the server. Kindly look in to application log for more information. Post the permissions you have on the account.Gulab | MCITP: Exchange 2010-2007 | Skype: Gulab.Mallah | Blog: www.ExchangeRanger.Blogspot.com

Event 2080 as below: Log Name: Application Source: MSExchange ADAccess Date: 6/24/2011 9:05:57 AM Event ID: 2080 Task Category: Topology Level: Information Keywords: Classic User: N/A Computer: MB01.xxx.xxx.xxx Description: Process STORE.EXE (PID=10956). Exchange Active Directory Provider has discovered the following servers with the following characteristics: (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version) In-site: DC01.xxx.xxx.xxx CDG 1 7 7 1 0 1 1 7 1 DC02.xxx.xxx.xxx CDG 1 7 7 1 0 1 1 7 1 DC03.xxx.xxx.xxx CDG 1 7 7 1 0 1 1 7 1 Out-of-site: Permission of installation account: Administrators, Domain Admins, Enterprise Admins, Schema admins, Exchange Domain Servers, Exchange Organization Administrators.

Hi, Please refer to the following steps to troubleshoot the issue. 1. Open ADUC and navigate to the specified user. 2. Click Properties > Security > Advanced. Check the box to allow inheritable permissions from parent. Then, please run the command again. If the issue persists, please use another administrator account and delegate to relevant permission, and then try to configure Exchange again. For detail permission to prepare AD, please refer to the following article: http://technet.microsoft.com/en-us/library/ee681663.aspx Thanks. Novak Wu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi Novak, I have tried re-enable inheritable permission and change other Administrator account with same permission as Administrator built-in account, but the issue still persist.

Which permission is the account included? At this stage, I suggest you add the account in Schema admins and Enterprise admins group to check the result. Thanks. Novak Wu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Permission included on installation account: Administrators, Domain Admins, Enterprise Admins, Schema admins --> The problem still occurs.

Hi, Please open ADUC and double click Administrators under Builtin folder. Switch to Members tab and add the Exchange Trusted Subsystem to check the result. If the issue persists, please check whether there is relevant error message in Event Log. Regards, Novak Wu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Thanks Novak, After add Exchange Trusted Subsystem to Administrators group, I run prepareAD again but the problem still persists. I copy here the detail error on Event viewer: The description for Event ID 6 from source MSExchange CmdletLogs cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event. The following information was included with the event: Install-ExchangeOrganization {DomainController=DC01.Mydomain, OrganizationName=My Org, PrepareOrganization=True, Industry=NotSpecified, ActiveDirectorySplitPermissions=, PrepareDomain=True} Mydomain/Users/Administrator Exchange Management Console-Local 4464 15 00:00:48.3144388 View Entire Forest: 'True', Configuration Domain Controller: 'DC01.Mydomain', Preferred Global Catalog: 'DC01.Mydomain', Preferred Domain Controllers: '{ DC01.Mydomain }' Microsoft.Exchange.Management.Deployment.ScriptExecutionException: The following error was generated when "$error.Clear(); initialize-AdminGroupPermissions -DomainController $RoleDomainController " was run: "Active Directory operation failed on DC01.Mydomain. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ". ---> Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on DC01.Mydomain. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights. at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut) at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout) at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout) at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException) --- End of inner exception stack trace --- at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer) at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException) at Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties) at Microsoft.Exchange.Management.Tasks.InitializeAdminGroupPermissions.InternalProcessRecord() at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord() --- End of inner exception stack trace --- 0 Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on DC01.Mydomain. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights. at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut) at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout) at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout) at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException) --- End of inner exception stack trace --- at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer) at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException) at Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties) at Microsoft.Exchange.Management.Tasks.InitializeAdminGroupPermissions.InternalProcessRecord() at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord() the message resource is present but the message is not found in the string/message table

After analyzing the log files, please perform the following steps. 1. Open adsiedit.msc 2. Expand configuration patition and go to: CN=All Address Lists, CN=Address Lists Container, CN= Exchange Org name, CN=Microsoft Exchange, CN=Services, CN=Configuration, DC=domain, DC=com 3. Right click "All Address Lists" and then click on properties and click on Security Tab 4. Click on Advanced button and verify that Authenticated users group/Everyone group, do not have deny set for the following permssions; a. Delete b. Create All Child Object c. Create Address List Objects 5. If the Authenticated users group or everyone group have deny permissions set, remove the deny and click on Ok and close the permission and adsiedit window 6. Run setup /preapread and check the result. Thanks. Novak Wu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi Novak, I have checked security of Authenticated users group, everyone group, both of them not have deny permission for : a. Delete b. Create All Child Object c. Create Address List Objects

I got the solution, when I read exchangesetup.log I found the CN=public folder (in configuration patition) with deny permission for everyone group, just uncheck deny permission and the installation complete.