"A problem occurred while trying to use your mailbox" proclaims the OWA page, after the mailbox is moved from an Exchange 2003 SP2 server to a 2007 server.  After moving a user's mailbox to the new 2007 mailbox store, I get this nice exception when trying to login:

Exception
Exception type: Microsoft.Exchange.Data.Storage.StoragePermanentException
Exception message: There was a problem accessing Active Directory.

Call stack

Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostLocally(OwaContext owaContext, OwaIdentity logonIdentity, CultureInfo culture, String timeZoneKeyName, Boolean isOptimized)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext)
System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Inner Exception
Exception type: Microsoft.Exchange.Data.Directory.ADOperationException
Exception message: Active Directory operation failed on <DC>. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Call stack

Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32& retries, Int32 maxRetries)
Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)
Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties)
Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()

Inner Exception
Exception type: System.DirectoryServices.Protocols.DirectoryOperationException
Exception message: The user has insufficient access rights.

Call stack

System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation)
Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)

Update: Fix 'em permissions

If Exchange 2007 OWA fails for a user after the mailbox is migrated from Exchange 2003 to Exchange 2007, open the user account's Security tab, click Advanced, and check whether "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here." is selected.

  1. Open Active Directory Users and Computers.
  2. Go to the View menu and select Advanced.
  3. Locate the user in AD, right-click, and choose Properties. Go to the Security tab.
  4. Click "Advanced" next to "For special permissions or for advanced settings, click Advanced."
  5. Check the "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here." check box and click Apply.
  6. Click OK and OK again.

Once the change has been made and has replicated, OWA works. The option is checked by default but is turned off for accounts with administrative privileges.

So how does this get turned off? If the account is an administrative account, or was ever an administrative account previously, it is turned off automatically. See the following reference:

XADM: Do Not Assign Mailboxes to Administrative Accounts
http://support.microsoft.com/kb/328753
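
The check from the steps above can be scripted when many mailboxes are being moved. The PowerShell below is an added example, not part of the original post: it lists mailbox-enabled users whose AD object has inheritance turned off, together with adminCount (the attribute AD sets on accounts that are or were in protected administrative groups), and re-enables inheritance only when run with -Fix. The search base DN and the script's parameter names are assumptions.

```powershell
# Added example, not from the original post. The search base is a placeholder DN.
param(
    [string]$SearchBase = "LDAP://OU=Staff,DC=example,DC=com",
    [switch]$Fix   # without -Fix the script only reports
)

$root     = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
# homeMDB is set on mailbox-enabled users, so accounts without a mailbox are skipped.
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(homeMDB=*))"
$searcher.PageSize = 500

foreach ($result in $searcher.FindAll()) {
    $entry = $result.GetDirectoryEntry()
    $acl   = $entry.psbase.ObjectSecurity

    # AreAccessRulesProtected is $true when the inheritance check box is cleared.
    if (-not $acl.AreAccessRulesProtected) { continue }

    $row = "" | Select-Object DistinguishedName, AdminCount, InheritanceRestored
    $row.DistinguishedName   = $entry.psbase.Properties["distinguishedName"].Value
    $row.AdminCount          = $entry.psbase.Properties["adminCount"].Value
    $row.InheritanceRestored = $false

    if ($Fix) {
        # Equivalent of ticking the check box in step 5: stop protecting the ACL
        # from inheritance, then write the security descriptor back to AD.
        $acl.SetAccessRuleProtection($false, $true)
        $entry.psbase.CommitChanges()
        $row.InheritanceRestored = $true
    }
    $row
}
```

For an account that is still a member of a protected administrative group, AD clears the check box again on its own schedule, so review rows with an AdminCount of 1 before running with -Fix.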


 
Tuesday, December 26, 2006 12:09:51 PM (Eastern Standard Time, UTC-05:00)
Hi,

Got the same thing - already playing with it without a solution.
If I find one, I'll get back to you.
Just to make sure - you are NOT alone :-)

Merry Xmas & happy new year


Host
Horst Frank
Friday, December 29, 2006 4:23:19 PM (Eastern Standard Time, UTC-05:00)
Hey Horst,

I ended up deleting the user, recreating the user (email aliases were auto created using policies) and then reattaching the mailbox.
The problem is definitely on the AD object, NOT on the Exchange, but of course this issue had not come up in any testing I had done. Lack of scheduled downtime meant I had to bring the server back up ASAP.

Let me know if you discover anything =)
Justin Ho
Friday, December 29, 2006 4:55:10 PM (Eastern Standard Time, UTC-05:00)
I provide a solution for this problem at

https://blogs.pointbridge.com/Blogs/mcduffie_forrest/default.aspx

Hope this helps

Forrest McDuffie