Sunday, April 03, 2011

Microsoft Exchange Server 2010 SP1 on Windows 2008 Server R2 post-installation gotchas: 0x00000005 INSUFF_ACCESS_RIGHTS

This is possibly caused by a disabled ‘Inheritable permission’ option, which prevents the ‘Exchange Trusted Subsystem’ group from having Full Access to a number of important Microsoft Exchange OUs in the Active Directory configuration dSE.

Because Exchange 2010 performs its Active Directory access with the permissions of the Exchange Trusted Subsystem group (not those of the logged-on user account), the relevant objects in Active Directory require Full Access rights for this group. This is achieved automatically if the Active Directory objects inherit permissions from their parent object, because the parent’s security permissions are changed during Exchange setup’s PrepareAD process.

However, if certain child objects had their Inheritable permission option disabled beforehand, they would not acquire the correct permission level for the Exchange Trusted Subsystem to access them. To resolve this, use the steps below:

  1. Using ‘adsiedit.msc’, traverse the Active Directory configuration schema and verify that the following OUs have their inheritable permission enabled (see Richard’s Exchange Ramblings blog: http://blogs.technet.com/b/richardroddy/archive/2010/07/12/exchange-2010-and-the-exchange-trusted-subsystem.aspx):
    1. RootDSE-Configuration-Services-Microsoft Exchange-First Organization
    2. RootDSE-Configuration-Services-Microsoft Exchange-First Organization-Administrative Groups
    3. RootDSE-Configuration-Services-Microsoft Exchange-First Organization-Administrative Groups-Exchange Administrative Group (FYDIBOHF23SPDLT)
  2. Remove the Exchange Server computer account from the Exchange Trusted Subsystem group and add it back again.
  3. Reboot the relevant Exchange server.
  4. Ensure that your currently logged-on account is a member of the Active Directory Schema Admins group.
    1. In an Administrator-elevated Command Prompt, re-run Exchange setup with the PrepareAD parameter: “%ExchangeInstallationFiles%\setup /PrepareAD”
    2. Reboot the Exchange server again.
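
The check in step 1 can also be done from PowerShell instead of clicking through ADSI Edit. The script below is an added example, not part of the original post: it is read-only, assumes the organization is named "First Organization" as in the list above, and reports for each of the three containers whether inheritance is blocked and whether the Exchange Trusted Subsystem group holds an Allow ACE with full control.

```powershell
# Added example: read-only audit, changes nothing in Active Directory.
# Assumption: organization name is "First Organization" (as in step 1 above).
Add-Type -AssemblyName System.DirectoryServices

$orgName = 'First Organization'
$group   = 'Exchange Trusted Subsystem'
$full    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Locate the configuration partition of the current forest.
$rootDse  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
$configNC = $rootDse.Properties['configurationNamingContext'].Value
$orgDn    = "CN=$orgName,CN=Microsoft Exchange,CN=Services,$configNC"

# The three containers listed in step 1.
$containers = @(
    $orgDn,
    "CN=Administrative Groups,$orgDn",
    "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,$orgDn"
)

foreach ($dn in $containers) {
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dn")
    $acl   = $entry.psbase.ObjectSecurity

    # Allow ACEs (explicit and inherited) granted to the Exchange Trusted Subsystem group.
    $aces = @($acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.IdentityReference.Value -like "*\$group" -and
            $_.AccessControlType -eq 'Allow'
        })

    # Full control means every bit of GenericAll is present in the ACE.
    $fullAces = @($aces | Where-Object { ([int]$_.ActiveDirectoryRights -band $full) -eq $full })

    New-Object PSObject -Property @{
        Container          = $dn
        InheritanceBlocked = $acl.AreAccessRulesProtected   # $true = inheritable permissions disabled
        GroupAceCount      = $aces.Count
        GroupHasFullAccess = ($fullAces.Count -gt 0)
    } | Select-Object Container, InheritanceBlocked, GroupAceCount, GroupHasFullAccess
}
```

A container that shows InheritanceBlocked as True together with GroupHasFullAccess as False matches the condition described above and is the one to correct in ADSI Edit before re-running PrepareAD.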
