Dear
I have a normal non-privileged AD account but I’m a member of the Exchange Organization Management group.
Today, I’m not able to move a mailbox, add the Exchange License key, get the properties of a DAG and I can’t create mailboxes.
Move mailbox: Active Directory Property homeMDB is not writeable on recipient ..’
Get DAG properties, create mailbox, add license: Insufficient access rights to perform operation. Active Directory response: 00002098: SecErr: DSID-03150E49 (INSUFF_ACCESS_RIGHTS).
All the things that I checked in AD (ACLs, SPNs, …) seem to be normal. Servers are members of the correct groups, groups and Exchange objects are in the correct location and the inheritance is not broken ...
Granting full control to trusted subsystem on the mailbox does not solve the problem.
Granting full control to everyone on the mailbox and I can move it??
It seems that trusted subsystem has the necessary rights but is not able to use or claim the rights it has. I really don’t know what more we can do to find the root cause.
Following is some interesting information, some history of the Exchange deployment.
At the beginning of October, we installed all our Exchange servers, just Exchange, no DAGs, no databases, nothing but Exchange. Exchange was installed on drive D:, a SAN disk.
Due to SAN storage performance issues, we needed to uninstall Exchange because the disk layout of the SAN needed to be redesigned.
Because we don’t have domain or enterprise admin rights, we decided to keep one Exchange server to not lose the Exchange organization and the delegated rights.
We uninstalled all but the first original Exchange server (server A). We used the setup /uninstall command.
Afterward, we installed a second Exchange server (server B) on the C: drive.
I moved all arbitration mailboxes from A to B and uninstalled A successfully, so no issues.
Regards.
Peter
Peter Van Keymeulen, IT Infrastructure Solution Architect, www.edeconsulting.be