Is your request related to a problem? Please describe.
Getting this error when trying to run /PrepareAd on the environment
Configuring Microsoft Exchange Server
Organization Preparation FAILED
The following error was generated when "$error.Clear();
$createTenantRoot = ($RoleIsDatacenter -or $RoleIsPartnerHosted);
$createMsoSyncRoot = $RoleIsDatacenter;
#$RoleDatacenterIsManagementForest is set only in Datacenter deployment; interpret its absense as $false
[bool]$isManagementForest = ($RoleDatacenterIsManagementForest -eq $true);
if ($RolePrepareAllDomains)
{
initialize-DomainPermissions -AllDomains:$true -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
}
elseif ($RoleDomain -ne $null)
{
initialize-DomainPermissions -Domain $RoleDomain -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
}
else
{
initialize-DomainPermissions -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
}
" was run: "Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on Solo-DC1.Solo.net. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03152610, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo)
at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
--- End of inner exception stack trace ---
at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
at Microsoft.Exchange.Data.Directory.ADDataSession.Save(ADObject instanceToSave, IEnumerable`1 properties, Boolean bypassValidation)
at Microsoft.Exchange.Data.Directory.SystemConfiguration.ADConfigurationSession.Save(ADConfigurationObject instanceToSave)
at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.CreateMonitoringMailboxContainer(MesoContainer meso)
at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
Was thinking at first it was denies, but it is likely the lack of permissions to do anything.
Describe The Request
In the SetupLogReviewer script, find the object that we are trying to set permissions on. The example in the below text should result in "CN=Microsoft Exchange System Objects,DC=Solo,DC=net" and provide the list of ACEs that we need. Need to find out the min that we need yet, but it is from this list here:
Allow BUILTIN\Administrators SPECIAL ACCESS
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
The user doesn't need to be an administrator, just in a group or nested group that provides the permissions required to add ACEs to the object in AD.
[03/05/2021 01:53:42.0819] [2] Used domain controller Solo-DC1.Solo.net to write object CN=AdminSDHolder,CN=System,DC=Solo,DC=net.
[03/05/2021 01:53:42.0819] [2] Used domain controller Solo-DC1.Solo.net to read object CN=Microsoft Exchange System Objects,DC=Solo,DC=net.
[03/05/2021 01:53:42.0835] [2] [ERROR] Active Directory operation failed on Solo-DC1.Solo.net. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03152610, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
[03/05/2021 01:53:42.0835] [2] [ERROR] The user has insufficient access rights.
[03/05/2021 01:53:42.0835] [2] Ending processing initialize-DomainPermissions
[03/05/2021 01:53:42.0835] [1] The following 1 error(s) occurred during task execution:
[03/05/2021 01:53:42.0835] [1] 0. ErrorRecord: Active Directory operation failed on Solo-DC1.Solo.net. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03152610, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
[03/05/2021 01:53:42.0835] [1] 0. ErrorRecord: Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on Solo-DC1.Solo.net. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03152610, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo)
at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
--- End of inner exception stack trace ---
at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
at Microsoft.Exchange.Data.Directory.ADDataSession.Save(ADObject instanceToSave, IEnumerable`1 properties, Boolean bypassValidation)
at Microsoft.Exchange.Data.Directory.SystemConfiguration.ADConfigurationSession.Save(ADConfigurationObject instanceToSave)
at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.CreateMonitoringMailboxContainer(MesoContainer meso)
at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
[03/05/2021 01:53:42.0835] [1] [ERROR] The following error was generated when "$error.Clear();
$createTenantRoot = ($RoleIsDatacenter -or $RoleIsPartnerHosted);
$createMsoSyncRoot = $RoleIsDatacenter;
#$RoleDatacenterIsManagementForest is set only in Datacenter deployment; interpret its absense as $false
[bool]$isManagementForest = ($RoleDatacenterIsManagementForest -eq $true);
if ($RolePrepareAllDomains)
{
initialize-DomainPermissions -AllDomains:$true -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
}
elseif ($RoleDomain -ne $null)
{
initialize-DomainPermissions -Domain $RoleDomain -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
}
else
{
initialize-DomainPermissions -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
}
" was run: "Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on Solo-DC1.Solo.net. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03152610, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo)
at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
--- End of inner exception stack trace ---
at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
at Microsoft.Exchange.Data.Directory.ADDataSession.Save(ADObject instanceToSave, IEnumerable`1 properties, Boolean bypassValidation)
at Microsoft.Exchange.Data.Directory.SystemConfiguration.ADConfigurationSession.Save(ADConfigurationObject instanceToSave)
at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.CreateMonitoringMailboxContainer(MesoContainer meso)
at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
[03/05/2021 01:53:42.0835] [1] [ERROR] Active Directory operation failed on Solo-DC1.Solo.net. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03152610, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Additional context
SetupLogReviewer
- Add logic to catch AD INSUFF_ACCESS_RIGHTS
- determine what object we are getting the issue on
- provide the user we are running as
- provide to go run SetupAssist.ps1 on the server with X params
- possibly provide hacky workaround of provide full access perms to X - last resort option
SetupAssist.ps1
- Add logic to check Permissions on an object for the user that we are running as
- Dump out the ACEs with dsacls on the object
- Dump out the user's group
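The SetupLogReviewer part of this request (catch the INSUFF_ACCESS_RIGHTS error, walk back to the object setup last read or wrote, and report the identity setup ran as together with the dsacls command to dump that object's ACEs), as an added PowerShell example that is not part of SetupLogReviewer or SetupAssist.ps1; the function name and output fields are my own choices, and the sample input is the log lines quoted above.

```powershell
# Added example (not project code): locate the AD access-denied failure in Exchange
# setup log lines and report which object setup touched last before it failed.
function Get-SetupAccessDeniedObject {
    param([Parameter(Mandatory)][string[]]$LogLines)

    # "[timestamp] [pid] Used domain controller <dc> to read|write object <DN>."
    $objectPattern = '^\[[^\]]+\]\s+\[\d+\]\s+Used domain controller (?<dc>\S+) to (?<op>read|write) object (?<dn>.+?)\.?$'
    # The LDAP result the issue asks SetupLogReviewer to catch.
    $errorPattern = 'problem 4003 \(INSUFF_ACCESS_RIGHTS\)'

    $lastDc = $null; $lastOp = $null; $lastDn = $null
    foreach ($line in $LogLines) {
        if ($line -match $objectPattern) {
            $lastDc = $Matches['dc']; $lastOp = $Matches['op']; $lastDn = $Matches['dn']
            continue
        }
        if ($line -match $errorPattern) {
            # The failing modification targets the object setup read or wrote last.
            $dumpCommand = if ($lastDn) { "dsacls `"$lastDn`"" } else { $null }
            return [pscustomobject]@{
                DomainController = $lastDc
                LastOperation    = $lastOp
                ObjectDN         = $lastDn
                RunningAs        = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
                DumpAcesCommand  = $dumpCommand
            }
        }
    }
    return $null   # no INSUFF_ACCESS_RIGHTS failure in these lines
}

# Sample input: the setup log lines quoted in this issue.
$sample = @(
    '[03/05/2021 01:53:42.0819] [2] Used domain controller Solo-DC1.Solo.net to write object CN=AdminSDHolder,CN=System,DC=Solo,DC=net.',
    '[03/05/2021 01:53:42.0819] [2] Used domain controller Solo-DC1.Solo.net to read object CN=Microsoft Exchange System Objects,DC=Solo,DC=net.',
    '[03/05/2021 01:53:42.0835] [2] [ERROR] Active Directory operation failed on Solo-DC1.Solo.net. This error is not retriable. Additional information: Access is denied.',
    'Active directory response: 00000005: SecErr: DSID-03152610, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0'
)
Get-SetupAccessDeniedObject -LogLines $sample | Format-List
```

On a real log, feed it the full file with `Get-Content <path to ExchangeSetup.log>` (path placeholder) and compare the reported ACEs against the list above for the group the running user belongs to.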