Constraint Violation

  • Question

  • We have recently merged with another company. We are using the Exchange servers in ad1 as the Exchange servers for the whole company, using ad1 as the Exchange resource domain. A trust has been created between ad1 and ad2. Mail flow and access to mailboxes on ad1 by users in ad2 is fine.


    We have the following problems, however. If we create a DL in ad1 and try to add a user in ad2 to it, or if we have a mailbox on ad1 and we try to add send on behalf of permissions for users in ad2, we get the following error.


    Microsoft Active Directory- Exchange Extension  

    A constraint violation occurred.  

    Facility:  LDAP Provider  

    ID no: 8007202f  

    Microsoft Active Directory- Exchange Extension


    Any help would be gratefully appreciated.



    Tuesday, July 22, 2008 10:07 AM

All replies

  • I believe you require Microsoft Identity Integration Server 2003 to achieve the results you want. Utilizing the GAL sync feature in MIIS 2003 may provide you with the objects necessary to modify the DLs and (possibly) grant 'send on behalf' permissions.


    Read more about MIIS 2003 here:



    I hope this info helps.  Let us know.



    Tuesday, July 22, 2008 9:43 PM
  • Thanks for that, Jeremy.


    All of the mailboxes and DLs are in AD1, the user accounts in AD2, so basically we have set up a fairly standard Exchange resource domain, which I don't believe requires a GAL sync to work.


    Any other ideas would be gratefully accepted.






    Wednesday, July 23, 2008 11:21 AM
  • Would you elaborate on the AD setup? Are there two forests? You did note that you had to set up a trust; please clarify that point. Is the Exchange resource domain and the user accounts domain in separate forests? What is the functional level of each forest and domain, and what does the Exchange environment look like (server versions, functional level)?


    This will give us a better understanding.





    Wednesday, July 23, 2008 12:59 PM
  • This came about as a merger; we had one existing forest with Exchange and they had their own. We have head office staff user accounts and mailboxes in forest 1. Forest 2 used to use its own Exchange server.

    We created a one way forest trust and migrated all the mailboxes of the new remote users from forest 2 to forest 1. Their login accounts remain in forest 2 although a disabled user account is created in forest 1 by the mailbox migration process.


    Mailflow works fine. The problem we have is that when we try to give a forest1 user permissions to send on behalf of a mailbox in forest 2 this throws up the error message.


    AD/forest 1   Head office site - Exchange servers reside here -

    AD/forest 2   remote company - user accounts in this forest.


    AD/forest 2 was originally another company which we have integrated into our organisation. We are using Exchange servers from AD forest 1 to host the mailboxes of the users from AD/forest 2.


    In order to set up the mailboxes we created a one way forest trust. Subsequent to that we have created a two way forest trust to try to get this configuration to work.


    Both Forests are 2003 native.

    Exchange servers are 2003 SP2, native.


    Hopefully that helps; if not, let me know and I will try to explain.






    Wednesday, July 23, 2008 2:30 PM