OWA 2007 issues with users in 1 other child domain
I've been troubleshooting this one for a few days with no luck. Currently in the process of transitioning from Exchange 2003 SP2 to Exchange 2007 SP1 Update 5. We have a forest with several sub-domains, 3 of which have mail-enabled users in them. ChildDomainA has Exchange installed in it along with mail-enabled objects; ChildDomainB and ChildDomainC each have mail-enabled objects in them. The problem I am seeing is with OWA access. ChildDomainA and ChildDomainC users have no issues accessing OWA 2007. Users in ChildDomainB receive the following error. I've done tons of searching and this always comes back to permissions or a re-run of /preparedomain. I've verified permissions and re-ran /preparedomain. Any help would be much appreciated.

    RequestUrl: https://url.tld:443/owa/lang.owa
    User host address: x.x.x.x

    Exception
    Exception type: Microsoft.Exchange.Data.Storage.StoragePermanentException
    Exception message: There was a problem accessing Active Directory.
    Call stack
    Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()
    Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostLocally(OwaContext owaContext, OwaIdentity logonIdentity, CultureInfo culture, String timeZoneKeyName, Boolean isOptimized)
    Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostRequest(OwaContext owaContext)
    Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie)
    Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext)
    Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext)
    System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

    Inner Exception
    Exception type: Microsoft.Exchange.Data.Directory.ADOperationException
    Exception message: Active Directory operation failed on DomainBDC.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    Call stack
    Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
    Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)
    Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties)
    Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()

    Inner Exception
    Exception type: System.DirectoryServices.Protocols.DirectoryOperationException
    Exception message: The user has insufficient access rights.
    Call stack
    System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
    System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
    Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation)
    Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)
December 19th, 2008 3:25am

Hi,

Yes, you are right. The possible cause of the issue is permission and AD replication related. Please follow the steps below to double check the issue.

1. Open Active Directory Users and Computers from Administrative Tools.
2. Navigate to View. Please ensure that "Advanced Features" has been checked.
3. Right-click the user account and choose Properties.
4. Select the Security tab and click Advanced.
5. Tick the "Allow inheritable..." checkbox.

Please run setup.exe /preparedomain again from the child domain and then wait a few hours for AD replication.

Exchange 2007 - How to Prepare Active Directory and Domains
http://technet.microsoft.com/en-us/library/bb125224.aspx

Some users cannot access Exchange Server 2007 Outlook Web Access after you create new mailboxes or migrate existing mailboxes
http://support.microsoft.com/kb/949527

Besides, please check if you can ping the Exchange Server from the child domain, and if you can ping the DC in Child Domain A.

If the problem still persists, then please follow the steps below to collect more information for further troubleshooting.

1. Policy Test
   1) Load a command window on the DC server, navigate to the folder <Exchange installation files>\setup\serverroles\common\.
   2) Run the command policytest.exe > c:\policytest.log
   3) Collect the log and send it to me.

2. Permission Settings
   1) Load Exchange Management Shell, dump permission settings on the testing user/mailbox with the commands:
      Get-MailboxPermission <alias> | FL > MB.log
      Get-ADPermission <username> | FL > User.log
   2) Collect the output files and send them to me.

3. ExBPA
   1) Load Exchange Management Console, select Toolbox.
   2) Double click Best Practices Analyzer.
   3) Connect to Active Directory.
   4) Input the name of the DC; make sure you are using an Exchange Administrator account and Domain User account.
   5) Click Connect to the Active Directory Server.
   6) Select entire Organization as the Scan Scope, type "Health Check".
   7) Click Start Scanning.
   8) When the scan finishes, click View a report in the left pane and click the report in the right pane.
   9) Click Export report, select the type as XML (will save entire data file).
   10) Compress the XML file and send it to me.

Regards,
Xiu
December 22nd, 2008 11:09am

Hi Xiu,

I've sent you the info you requested via email. Something else came to light:

Root Domain is @ Win2k Functional
ChildDomainA is @ Win2k Functional
ChildDomainB is @ Win2k3
ChildDomainC is @ Win2k Functional

So the problematic DC is running @ Win2k3 Functional level.
December 30th, 2008 5:11am

Hi,

Before we move on, we need to double check the steps listed in my previous post. First please ensure that "Allow inheritable permissions from the parent to propagate to this object and all child objects" was selected both at the OU level and on the users. Then please check if the domain controller for the child domain has been listed in Exchange Install Domain Servers. If not, then please run setup /preparedomain on the child domain and then add it to the group. Try to force AD replication and then check the issue. (How to force AD replication: http://technet.microsoft.com/en-us/library/cc776188.aspx)

1. You can open ADUC from Administrative Tools - Active Directory Users and Computers - Microsoft Exchange Security Groups.
2. Double click on Exchange Servers, find the Members tab.
3. Double click on Exchange Install Domain Servers and then check members.

Besides, can users in ChildDomain B use Outlook to access their mailbox?

Please follow the article below to set ApplyMandatoryProperties on users.
Error message when users try to log on to Outlook Web Access in Exchange 2007: "A problem occurred while trying to use your mailbox"
http://support.microsoft.com/kb/941146

Is there any delegation on users in ChildDomain B? If yes, then please remove the delegation. If all the steps do not help, then please try to move this mailbox to another mailbox store and then test the issue.

Regards,
Xiu
December 30th, 2008 9:06am

Thanks for your reply Xiu.

I've checked all inheritance OU/User in the Childdomain. It's all checked. I checked the Exchange Install Domain Servers group for this domain and no servers were listed in it; in fact I checked this group for all domains and the only domain that has servers is the domain that has Exchange 2007 servers installed in it. No group contains Domain Controllers, nor have I seen where this is supposed to be.

I ran through KB 941146 early on in my troubleshooting and it's all correct.

By delegation, do you mean in AD? For user management? We tested with users created directly in the root of this childdomain and there was no difference.

This is impacting all users of this domain; they are spread out on separate mailstores and mailbox servers.

One thing we saw was that adding one of the CAS server AD objects with full control on the user object seemed to allow the user to log onto OWA. Did you notice anything strange with the permissions dump I sent you via email? I had compared it to a user from the working child domain and didn't see any discrepancies.

Thanks.
December 30th, 2008 6:54pm

Further testing on new accounts shows that granting the CAS ComputerObject$ Full Control over the user object seems to resolve this issue. Granting the Exchange Servers group full control over the user object didn't change anything. I'm comparing permissions for the Exchange Servers group on user objects from both the working and non-working domain via an LDP dump right now.
December 31st, 2008 12:27am

Xiu,

Any idea why adding the CAS server computer objects with full control to the user objects would resolve this? Should the Exchange Servers group permissions set the required access for OWA access?
December 31st, 2008 4:44am

Hi,

I'd like to know how you granted full control rights to the user? From ADUC or IIS, or ADSIEdit? Please give the detailed steps.

Besides, what is the authentication on OWA? What is the authentication method on the Default Web Site? (Note: IIS - Default Web Site - [OWA] - Properties - Directory Security - Authentication and access control)

Xiu
December 31st, 2008 5:52am

Hi,

I found that if we do not allow inherited permissions from the Active Directory domain level to child containers and organizational units, then we need to assign the Exchange Servers group permissions to all recipient object types in the organizational unit. You can refer to "Q: My company does not allow inherited permissions from the Active Directory domain level to child containers and organization units. Is this going to cause a problem?" from the Exchange 2007 permissions Frequently Asked Questions.

For your question, I suspect that the settings have not been valid, so we need to manually assign the permission.

Hope it helps.

Xiu
December 31st, 2008 8:59am
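An added example, not code from this thread, that automates the check Xiu describes: for every mail-enabled user under a child-domain search base it reports whether DACL inheritance is blocked on the object and which ACEs, explicit or inherited, name the Exchange Servers group. The search base DN and the group name are placeholders to adjust; the account running it needs read access to the security descriptors in that domain.

```powershell
# Added example (not from the thread). Lists mail-enabled users whose objects lack the
# Exchange Servers ACEs that should be inherited from the domain level, or whose DACL
# inheritance is blocked, so the cause can be found instead of granting a computer
# object Full Control as a workaround.
# Assumptions: $searchBase is a placeholder DN; the caller can read nTSecurityDescriptor.

$searchBase = "LDAP://DC=childdomainb,DC=example,DC=com"   # placeholder search base
$groupName  = "Exchange Servers"                            # Exchange security group

function Get-ExchangeAceReport {
    param([string]$Base, [string]$Group)

    $root     = [ADSI]$Base
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Mail-enabled users carry mailNickname; plain user accounts do not.
    $searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(mailNickname=*))"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")

    foreach ($result in $searcher.FindAll()) {
        $entry = $result.GetDirectoryEntry()
        $sd    = $entry.ObjectSecurity      # ActiveDirectorySecurity of this object
        # Pull explicit and inherited ACEs, with trustees resolved to DOMAIN\Name form.
        $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        $aces  = @($rules | Where-Object { $_.IdentityReference.Value -like "*\$Group" })

        New-Object PSObject -Property @{
            User               = $entry.Properties["distinguishedName"][0]
            InheritanceBlocked = $sd.AreAccessRulesProtected
            ExchangeAceCount   = $aces.Count
            InheritedAceCount  = @($aces | Where-Object { $_.IsInherited }).Count
            Rights             = ($aces | ForEach-Object { $_.ActiveDirectoryRights }) -join "; "
        }
    }
}

# Users with no Exchange Servers ACE at all, or with inheritance blocked, are the objects
# where the domain-level permissions from /preparedomain are not reaching the user.
Get-ExchangeAceReport -Base $searchBase -Group $groupName |
    Where-Object { $_.ExchangeAceCount -eq 0 -or $_.InheritanceBlocked } |
    Format-Table User, InheritanceBlocked, ExchangeAceCount, InheritedAceCount -AutoSize
```

Run it once against the working child domain and once against the failing one; the difference in InheritedAceCount and Rights for the Exchange Servers group is what the LDP dump comparison in this thread is looking for.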

Xiu Zhang - MSFT said:
> Hi, I'd like to know how you granted full control rights to the user? From ADUC or IIS, or ADSIEdit? Please give the detailed steps. Besides, what is the authentication on OWA? What is the authentication method on the Default Web Site? (Note: IIS - Default Web Site - [OWA] - Properties - Directory Security - Authentication and access control) Xiu

We granted full control via ADUC. Simply add the computer object and select Full Control.

We are using basic authentication. We are also using Windows Server 2008 OS on the Exchange servers.
December 31st, 2008 6:52pm

I also checked the Domain Security and the Domain Controller Security Policy. I found that this trouble domain has one Domain Controller Security setting set that might be questionable.

Network Access: Allow Anonymous SID/Name Translation is set to Disabled. I've read that this had caused problems in older versions of OWA.
December 31st, 2008 8:52pm

Hi,

Try to change the policy and force the client to apply the policy and then check the issue. We may close the thread now.

Regards,
Xiu
January 5th, 2009 6:56am
