Exchange 2003 in Root domain (xyz.com) and RUS not updating for new mailboxes created for AD accounts in Child Domain (abc.xyz.com) and have to manually create the SMTP and X.400 address for the mailboxes.

  • Question

  • Hi,

    I have a Windows 2003 R2 as DC/GC in Child Domain :- "child.voiceLab.com" // DC and GC --> UNITY11.child.voiceLab.com

     

    The Exchange Server 2003 SP2 is on Windows 2003 R2 and that is in the Root Domain :- "voiceLab.com" and is the 1st DC and GC as well of the root domain "voiceLab.com" // DC and GC -- > UNITY-SEC.voiceLab.com

    The Exchange 2003 SP 2 was installed before the Child Domain :- "child.voiceLab.com" --> I know that is non-standard but just had some change of plans and so this way.

    I have run the forestprep and more importantly /domainprep on the Windows 2003 R2 server working DC/GC in Child Domain :- "child.voiceLab.com"

    It went fine except for the prompt:-

    The domain "Child.voiceLab.com" has been identified as an insecure domain for the mail-enabled groups with hidden DL membership. Hidden DL membership will be exposed to members of the built-in "Pre-Windows 2000 Compatible Access" security group. This group may have been populated during the promotion of the domain with the intent of allowing permissions to be compatible with pre-windows 2000 servers and application. To secure the domain, remove any unnecessary members from this group.


    https://skydrive.live.com/P.mvc#!/?cid=AC90F2CDB394D9E7&id=AC90F2CDB394D9E7%21109&sc=documents

     

    I created a new RUS in Exchange 2003 for the child domain AD a/c as you can see below :-

    https://skydrive.live.com/P.mvc#!/?cid=AC90F2CDB394D9E7&id=AC90F2CDB394D9E7%21110&sc=documents

     

    However that didn't seem to have helped

     

    The Accounts are as below :-

     

    https://skydrive.live.com/P.mvc#!/?cid=AC90F2CDB394D9E7&id=AC90F2CDB394D9E7%21111&sc=documents

     

    The only way to get it to work so far has been to add the SMTP and X.400 manually

     

    However even with working accounts updated manually and also for not the ones which have been manually updated the eventvwr is filled with these errors:-

     

    Event Type:    Error
    Event Source:    MSExchangeAL
    Event Category:    LDAP Operations
    Event ID:    8270
    Date:        8/2/2011
    Time:        1:16:27 PM
    User:        N/A
    Computer:    UNITY-SEC
    Description:
    LDAP returned the error [32] Insufficient Rights when importing the transaction
    dn: <GUID=6F6D6B4CE76D184FB9C92C064B081D54>
    changetype: Modify
    showInAddressBook:add:CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=RecreateGP1,CN=M...
    : CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Cont...
    mail:pthree@voiceLab.com
    textEncodedORAddress:c=US;a= ;p=RecreateGP1;o=Exchange;s=three;g=phn;
    proxyAddresses:X400:c=US;a= ;p=RecreateGP1;o=Exchange;s=three;g=phn;
    : SMTP:pthree@voiceLab.com
    msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
    msExchALObjectVersion:66
    objectGUID:6F6D6B4CE76D184FB9C92C064B081D54
    -
     DC=child,DC=voiceLab,DC=com

    For more information, click http://www.microsoft.com/contentredirect.asp.

    Event Type:    Warning
    Event Source:    MSExchangeAL
    Event Category:    Address List Synchronization
    Event ID:    8317
    Date:        8/2/2011
    Time:        1:16:27 PM
    User:        N/A
    Computer:    UNITY-SEC
    Description:
    The service could not update the entry 'CN=pone,CN=Users,DC=child,DC=voiceLab,DC=com' because inheritable permissions  may not have propagated completely down to this object yet. The inheritance time  may vary depending on the number of Active Directory objects within the domain and also the load of your domain controllers. To correct this problem, verify that the Exchange permissions have been propagated to this object and then force a rebuild for the Recipient Update Service on this domain. DC=child,DC=voiceLab,DC=com

    For more information, click http://www.microsoft.com/contentredirect.asp.

     

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    I have checked the article :-

    http://support.microsoft.com/kb/254030

    Resolution

    Use either the Active Directory Users and Computers management console or use Active Directory Service Interfaces (ADSI) Edit to re-establish inheritable permissions on the organizational unit.

    In Active Directory Users and Computers
    1. In Active Directory Users and Computers on the View menu, click Advanced Features.
    2. Right-click the container or organizational unit that contains the users who are not being stamped by the Recipient Update Service, and then click Properties.
    3. On the Security tab, verify that the Allow inheritable permissions from parent to propagate to this object check box is selected. This option adds Exchange Enterprise Servers to the list of accounts that have rights to that object.
    4. Verify that this box is selected at the container level, and also in the user properties. To select the properties for individual users, right-click the user, click Properties, and then click the Security tab.

     

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    This has not helped however.

    -- > The other Errors that I am getting :-

    Event Type:    Error
    Event Source:    MSExchangeAL
    Event Category:    LDAP Operations
    Event ID:    8270
    Date:        8/2/2011
    Time:        1:16:27 PM
    User:        N/A
    Computer:    UNITY-SEC
    Description:
    LDAP returned the error [32] Insufficient Rights when importing the transaction
    dn: <GUID=36B63987D4F796418D8903CDD54FE6D7>
    changetype: Modify
    mail:pone@voiceLab.com
    textEncodedORAddress:c=US;a= ;p=RecreateGP1;o=Exchange;s=one;g=phn;
    msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
    msExchALObjectVersion:64
    objectGUID:36B63987D4F796418D8903CDD54FE6D7
    -
     DC=child,DC=voiceLab,DC=com

    For more information, click http://www.microsoft.com/contentredirect.asp.

     

    Errors also present for accounts which have these details been updated manually and working ok:-

     

    Event Type:    Warning
    Event Source:    MSExchangeAL
    Event Category:    Address List Synchronization
    Event ID:    8317
    Date:        8/2/2011
    Time:        12:46:23 PM
    User:        N/A
    Computer:    UNITY-SEC
    Description:
    The service could not update the entry 'CN=EAdmin023a4d66,CN=Users,DC=child,DC=voiceLab,DC=com' because inheritable permissions  may not have propagated completely down to this object yet. The inheritance time  may vary depending on the number of Active Directory objects within the domain and also the load of your domain controllers. To correct this problem, verify that the Exchange permissions have been propagated to this object and then force a rebuild for the Recipient Update Service on this domain. DC=child,DC=voiceLab,DC=com

    For more information, click http://www.microsoft.com/contentredirect.asp.

     

    Event Type:    Error
    Event Source:    MSExchangeAL
    Event Category:    LDAP Operations
    Event ID:    8270
    Date:        8/2/2011
    Time:        12:46:23 PM
    User:        N/A
    Computer:    UNITY-SEC
    Description:
    LDAP returned the error [32] Insufficient Rights when importing the transaction
    dn: <GUID=45BCD4B27811E54DB3941393C485BF3E>
    changetype: Modify
    msExchUserAccountControl:2
    msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
    msExchALObjectVersion:66
    objectGUID:45BCD4B27811E54DB3941393C485BF3E
    -
     DC=child,DC=voiceLab,DC=com

    For more information, click http://www.microsoft.com/contentredirect.asp.

    I see msExchUserAccountControl:2 which should be 0 but not able to figure out how to do that for an entire container as such.

     

    Event Type:    Error
    Event Source:    MSExchangeAL
    Event Category:    LDAP Operations
    Event ID:    8270
    Date:        8/2/2011
    Time:        10:25:03 AM
    User:        N/A
    Computer:    UNITY-SEC
    Description:
    LDAP returned the error [32] Insufficient Rights when importing the transaction
    dn: <GUID=EB9C271174F41F45873917BE1458D49A>
    changetype: Modify
    msExchPoliciesIncluded:delete:a10ba2c7-4d4b-425d-af9e-c393de2cb579
    : {26491cfc-9e50-4857-861b-0cb8df22b5d7}
    msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
    showInAddressBook:add:CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=RecreateGP1,CN=M...
    : CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Cont...
    msExchALObjectVersion:83
    objectGUID:EB9C271174F41F45873917BE1458D49A
    -
     DC=child,DC=voiceLab,DC=com

    For more information, click http://www.microsoft.com/contentredirect.asp.

    Event Type:    Error
    Event Source:    MSExchangeAL
    Event Category:    LDAP Operations
    Event ID:    8270
    Date:        8/2/2011
    Time:        12:16:16 PM
    User:        N/A
    Computer:    UNITY-SEC
    Description:
    LDAP returned the error [32] Insufficient Rights when importing the transaction
    dn: <GUID=45BCD4B27811E54DB3941393C485BF3E>
    changetype: Modify
    msExchUserAccountControl:2
    showInAddressBook:add:CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=RecreateGP1,CN=M...
    : CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Cont...
    msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
    msExchALObjectVersion:67
    objectGUID:45BCD4B27811E54DB3941393C485BF3E
    -
     DC=child,DC=voiceLab,DC=com

    For more information, click http://www.microsoft.com/contentredirect.asp.

    Here I am unable to understand this path:-

    showInAddressBook:add:CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=RecreateGP1,CN=M...
    : CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Cont...

     

    Event Type:    Warning
    Event Source:    MSExchangeAL
    Event Category:    Address List Synchronization
    Event ID:    8317
    Date:        8/2/2011
    Time:        10:55:03 AM
    User:        N/A
    Computer:    UNITY-SEC
    Description:
    The service could not update the entry 'CN=test13,CN=Users,DC=child,DC=voiceLab,DC=com' because inheritable permissions  may not have propagated completely down to this object yet. The inheritance time  may vary depending on the number of Active Directory objects within the domain and also the load of your domain controllers. To correct this problem, verify that the Exchange permissions have been propagated to this object and then force a rebuild for the Recipient Update Service on this domain. DC=child,DC=voiceLab,DC=com

    For more information, click http://www.microsoft.com/contentredirect.asp.

    Event Type:    Error
    Event Source:    MSExchangeAL
    Event Category:    LDAP Operations
    Event ID:    8270
    Date:        8/2/2011
    Time:        10:55:03 AM
    User:        N/A
    Computer:    UNITY-SEC
    Description:
    LDAP returned the error [32] Insufficient Rights when importing the transaction
    dn: <GUID=D41751053D0B7B4BB0E322101C31BE34>
    changetype: Modify
    mail:test13@voiceLab.com
    textEncodedORAddress:c=US;a= ;p=RecreateGP1;o=Exchange;s=test13;
    msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
    msExchALObjectVersion:72
    objectGUID:D41751053D0B7B4BB0E322101C31BE34
    -
     DC=child,DC=voiceLab,DC=com

    For more information, click http://www.microsoft.com/contentredirect.asp.

     

    Event Type:    Error
    Event Source:    MSExchangeAL
    Event Category:    LDAP Operations
    Event ID:    8270
    Date:        8/2/2011
    Time:        10:25:03 AM
    User:        N/A
    Computer:    UNITY-SEC
    Description:
    LDAP returned the error [32] Insufficient Rights when importing the transaction
    dn: <GUID=D41751053D0B7B4BB0E322101C31BE34>
    changetype: Modify
    showInAddressBook:add:CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=RecreateGP1,CN=M...
    : CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Cont...
    mail:test13@voiceLab.com
    textEncodedORAddress:c=US;a= ;p=RecreateGP1;o=Exchange;s=test13;
    proxyAddresses:X400:c=US;a= ;p=RecreateGP1;o=Exchange;s=test13;
    : SMTP:test13@voiceLab.com
    msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
    msExchALObjectVersion:74
    objectGUID:D41751053D0B7B4BB0E322101C31BE34
    -
     DC=child,DC=voiceLab,DC=com

    For more information, click http://www.microsoft.com/contentredirect.asp.

    -- > This doesn't seem to be an issue with Exchange 2010 however as I have exchange 2010 in root domain and when I create mailboxes of the AD account in the child domain on that exchange server that seems to go w/o any trouble.

     

    So can someone please suggest what I am missing out in here to get it working for the Exchange 2003.

     

     


    Find A Way, Or, Make A Way...........


    • Edited by Pradipto Tuesday, August 2, 2011 9:10 AM Mozilla Crashed on me.........
    Tuesday, August 2, 2011 8:26 AM
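
Added example, not part of the original post: a small parser for the Event ID 8270 descriptions shown above. It groups the failed RUS writes by target object and converts the `<GUID=...>` hex into the dashed GUID form, so it is clear which objects and attributes the service had no rights to stamp. The function and field names are this example's own; it assumes the hex value is the raw objectGUID octet string, whose first three fields are little-endian.

```python
import re
import uuid
from collections import defaultdict

# Constructed input: two Event ID 8270 descriptions copied from the thread.
SAMPLE = """\
LDAP returned the error [32] Insufficient Rights when importing the transaction
dn: <GUID=36B63987D4F796418D8903CDD54FE6D7>
changetype: Modify
mail:pone@voiceLab.com
textEncodedORAddress:c=US;a= ;p=RecreateGP1;o=Exchange;s=one;g=phn;
msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
msExchALObjectVersion:64
objectGUID:36B63987D4F796418D8903CDD54FE6D7
-
 DC=child,DC=voiceLab,DC=com

LDAP returned the error [32] Insufficient Rights when importing the transaction
dn: <GUID=45BCD4B27811E54DB3941393C485BF3E>
changetype: Modify
msExchUserAccountControl:2
showInAddressBook:add:CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=RecreateGP1,CN=M...
: CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Cont...
msExchPoliciesIncluded:add:{A10BA2C7-4D4B-425D-AF9E-C393DE2CB579},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
msExchALObjectVersion:67
objectGUID:45BCD4B27811E54DB3941393C485BF3E
-
 DC=child,DC=voiceLab,DC=com
"""

HEADER = re.compile(r"LDAP returned the error \[(\d+)\] (.+?) when importing")
ATTR = re.compile(r"^([A-Za-z][\w-]*):")
NOT_WRITES = {"dn", "changetype", "objectGUID"}  # identify the object, not stamped values

def guid_from_octets(hex_octets):
    # Assumption: <GUID=...> is the raw octet string, so bytes_le gives the dashed form.
    return str(uuid.UUID(bytes_le=bytes.fromhex(hex_octets)))

def parse_transactions(text):
    events, cur, end_next = [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.search(line)
        if m:
            cur, end_next = {"code": int(m.group(1)), "reason": m.group(2),
                             "guid": None, "attrs": [], "nc": None}, False
            events.append(cur)
        elif cur is None or not line:
            continue
        elif end_next:                      # line after "-" names the domain partition
            cur["nc"], cur, end_next = line, None, False
        elif line == "-":
            end_next = True
        elif line.startswith("dn: <GUID="):
            cur["guid"] = guid_from_octets(line[len("dn: <GUID="):].rstrip(">"))
        elif not line.startswith(":"):      # ": value" continues the previous attribute
            a = ATTR.match(line)
            if a and a.group(1) not in NOT_WRITES and a.group(1) not in cur["attrs"]:
                cur["attrs"].append(a.group(1))
    return events

def summarize(events):
    by_obj = defaultdict(lambda: {"failures": 0, "attrs": set()})
    for e in events:
        by_obj[e["guid"]]["failures"] += 1
        by_obj[e["guid"]]["attrs"] |= set(e["attrs"])
    return dict(by_obj)

if __name__ == "__main__":
    for guid, o in summarize(parse_transactions(SAMPLE)).items():
        print(guid, o["failures"], sorted(o["attrs"]))
```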

All replies

  • Adding mail addresses won't make accounts work, RUS stamps several other attributes together with proxyaddresses.

    RUS seems to have permission problem writing to DC in the child domain. RUS is part of System Attendant so a simple test could be to restart Exchange SA service.

     


    lasse at humandata dot se, http://anewmessagehasarrived.blogspot.com
    Tuesday, August 2, 2011 9:34 AM
  • Hi Lasse,

    I restarted the Exchange SA service, however that hasn't made any difference and still getting the eventvwr errors and the e-mail fields are not getting populated still.

    Please Suggest what should be the next course of action I might take.

    Prad

    :)

     


    Find A Way, Or, Make A Way...........
    Tuesday, August 2, 2011 10:43 AM
  • Hi Prad,
    You need to run setup.com /PrepareLegacyExchangePermissions

    Prepare Legacy Exchange 2003 Permission
    http://technet.microsoft.com/en-us/library/aa997914.aspx
    Martina Miskovic
    Tuesday, August 2, 2011 6:27 PM
  • Thanks, Once again Martina, I'll do that today

    I have already run the /domainprep for exchange 2003 on the Windows 2003 R2 server working DC/GC in Child Domain :- "child.voiceLab.com" and the RUS is not working in Exchange 2003 SP2 for "child.voiceLab.com"

    So I guess you are referring to this section :-

    Running Setup /PrepareLegacyExchangePermissions Again

     

     

    There are some cases in which you will need to run

    setup /PrepareLegacyExchangePermissions again:

    • You have a domain that contains Exchange Server 2003 servers, and you have not run DomainPrep.
    • In an existing domain, you have mailbox-enabled users who will log on to mailboxes on Exchange Server 2003 servers in domains in which you have not run DomainPrep.

    In these cases, you must run setup /PrepareLegacyExchangePermissions again after you run Exchange Server 2003 DomainPrep. This allows the Exchange Server 2003 Recipient Update Service to function correctly in this domain.


    Prad,
    :)

    Find A Way, Or, Make A Way...........
    Wednesday, August 3, 2011 3:36 AM
  • Hi Prad,

    Yes I was referring to that section.
    Good Luck and let us know how it went.


    Martina Miskovic
    • Marked as answer by Pradipto Thursday, August 4, 2011 1:10 AM
    Wednesday, August 3, 2011 3:50 AM
  • Hi Martina,

    You are a champ,

    After initial hiccups of trying to run Setup /PrepareLegacyExchangePermissions again with Exchange 2003 setup CD I realised soon it wasn't going the right way as it was more interested in installing the exchange rather than update it and I checked the above doc and some other links and that pointed that this was to be done via the Exchange 2010 setup rather than 2003.

    This was surprising to me initially as Exchange 2010 was working fine with subdomain "child.voiceLab.com" however the only issues were with Exchange 2003 which was not updating the fields for these subdomain accounts as per RUS so I never expected the Exchange 2010 CD would have to be used.

    However I did so after going through the doc's which all pointed that it needs to be done via the Exchange 2010

    --> My bad 1st time as being so fascinated with Start -- > Run I attempted

    c:\Exchange2010\setup /PrepareLegacyExchangePermissions

    It did go through the initial part and didn't like it and closed itself

    I remembered your instruction in the other post for doing via CMD, which is kind of strange as I expected both of them to have the same results, but apparently not.

     

    c:\Exchange2010>setup.com /PrepareLegacyExchangePermissions

    Welcome to Microsoft Exchange Server 2010 Unattended Setup

    Preparing Exchange Setup

        Copying Setup Files              ......................... COMPLETED

    No server roles will be installed

    Performing Microsoft Exchange Server Prerequisite Check

        Organization Checks              ......................... COMPLETED

    Configuring Microsoft Exchange Server

        Updating legacy permissions      ......................... COMPLETED

    The Microsoft Exchange Server setup operation completed successfully.

     

     

    -- > The AD Repl showed good as well, I cross checked that as I had run into huge issues with DNS and NTDS earlier :-

    C:\Users\administrator.VOICELAB>repadmin /showrepl

    Repadmin: running command /showrepl against full DC localhost
    Default-First-Site-Name\EX2010
    DSA Options: (none)
    Site Options: (none)
    DSA object GUID: e542cac7-5c98-43c7-bc64-7b14cbb6ebf8
    DSA invocationID: e6c1e798-58b1-4629-9581-d6fdf187a0d9

    ==== INBOUND NEIGHBORS ======================================

    DC=voiceLab,DC=com
        Default-First-Site-Name\UNITY-SEC via RPC
            DSA object GUID: 818cf5b1-4130-435b-8bb3-00adc314c9cd
            Last attempt @ 2011-08-03 17:31:18 was successful.

    CN=Configuration,DC=voiceLab,DC=com
        Default-First-Site-Name\UNITY-SEC via RPC
            DSA object GUID: 818cf5b1-4130-435b-8bb3-00adc314c9cd
            Last attempt @ 2011-08-03 16:57:25 was successful.
        Default-First-Site-Name\UNITY11 via RPC
            DSA object GUID: 68590d92-9f67-4cee-b21d-c866150ec8b9
            Last attempt @ 2011-08-03 16:57:25 was successful.

    CN=Schema,CN=Configuration,DC=voiceLab,DC=com
        Default-First-Site-Name\UNITY-SEC via RPC
            DSA object GUID: 818cf5b1-4130-435b-8bb3-00adc314c9cd
            Last attempt @ 2011-08-03 16:57:25 was successful.
        Default-First-Site-Name\UNITY11 via RPC
            DSA object GUID: 68590d92-9f67-4cee-b21d-c866150ec8b9
            Last attempt @ 2011-08-03 16:57:25 was successful.

    DC=DomainDnsZones,DC=voiceLab,DC=com
        Default-First-Site-Name\UNITY-SEC via RPC
            DSA object GUID: 818cf5b1-4130-435b-8bb3-00adc314c9cd
            Last attempt @ 2011-08-03 16:57:25 was successful.

    DC=ForestDnsZones,DC=voiceLab,DC=com
        Default-First-Site-Name\UNITY-SEC via RPC
            DSA object GUID: 818cf5b1-4130-435b-8bb3-00adc314c9cd
            Last attempt @ 2011-08-03 16:57:25 was successful.
        Default-First-Site-Name\UNITY11 via RPC
            DSA object GUID: 68590d92-9f67-4cee-b21d-c866150ec8b9
            Last attempt @ 2011-08-03 16:57:25 was successful.


    C:\Users\administrator.VOICELAB>

     

    -- > I finally held my breath and logged in Exchange 2003 server

    -- > Checked and didn't seem to update anything

    -- > Re-build and updated the RUS for Child

    Event Type:    Information
    Event Source:    MSExchangeAL
    Event Category:    Address List Synchronization
    Event ID:    8329
    Date:        8/4/2011
    Time:        6:16:32 AM
    User:        N/A
    Computer:    UNITY-SEC
    Description:
    The Recipient Update Service is starting a rebuild of DC=child,DC=voiceLab,DC=com   

    For more information, click http://www.microsoft.com/contentredirect.asp.

    -- > No Errors and Checked and the RUS got updated for the child domain a/c automatically as expected

    -- > Checked to login and worked fine

    Below is a screenshot of how well it looks now:-

    https://skydrive.live.com/?cid=AC90F2CDB394D9E7&id=AC90F2CDB394D9E7%21112&sc=documents

     

    Now I am only left with the Exchange 2010 -- > Exchange 2003 Send Mail Issues and I would be starting a new thread for that.

    However once again, thanks a lot for the help Martina, You ROCK..........

    Prad,

    :)

     

     

     

     




    Find A Way, Or, Make A Way...........
    Thursday, August 4, 2011 1:08 AM
  • Hi Prad,
    Thanks for your kind words!

    I really don't know anyone who is so good at giving all the details while posting. Two thumbs up!
    It's like you have read my favorite KB http://support.microsoft.com/kb/q555375  :)

    I guess I could have been more clear with /preparelegacypermission but you solved it.
    Running CMD with an elevated CMD prompt has to be done because of "User Account Control" (UAC) in the operating system.


     

     


    Martina Miskovic
    Thursday, August 4, 2011 4:09 AM
  • Hi Martina,

    No I didn't read that article before you posted, but I did it just the same now and thanks for that, however this goes along I guess with any Technical Forum and community and being Cisco TAC Voicemail Engineer I can understand how troubleshooting can be increasingly difficult w/o appropriate details and the more the related info. you have at hand the more likely you are towards getting it resolved as well.

    Much similar details have been posted on the Cisco Support Forums that carries this kind of similar approach.

    https://supportforums.cisco.com/community/netpro/collaboration-voice-video/unified-comm-application/blog/2011/03/30/cisco-unity--information-you-should-include-when-opening-any-unity-tac-case

    https://supportforums.cisco.com/community/netpro/collaboration-voice-video/unified-comm-application/blog/2011/03/30/cisco-unity-connection--information-you-should-include-when-opening-any-unity-connection-tac-case

    Cheers,

    Prad

    :)

     

     


    Find A Way, Or, Make A Way...........
    Thursday, August 4, 2011 10:14 PM