I need some help with this one. I have migrated Exchange 2007 to Exchange 2013 and decommissioned the old server. Everything was working fine at that time. A few days later I looked in the AD and saw duplicated groups under ‘Microsoft Exchange Security Groups’ like ‘Organization Management’, ‘Organization Management1’, ‘Compliance Management’, ‘Compliance Management1’. I decided to delete the duplicated entries with the 1. Something I shouldn’t have done, because after that moment I couldn’t manage my Exchange environment anymore. Commands like ‘Get-ManagementRoleAssignment’ were not working and I couldn’t manage users with ECP. When I executed the command ‘get-mailbox’ I saw only my own mailbox.
Next I deleted all ‘Microsoft Exchange Security Groups’ and recreated them with PrepareAD. Furthermore, I corrected RBAC with the following commands, which I found on Social TechNet:
- Run a PowerShell session as admin
- Run a powershell session as admin
- Get-ManagementRoleAssignment
- Add-PSSnapin *setup
- Install-CannedRbacRoleAssignments -InvocationMode Install -Verbose
- Remove-PSSnapin *setup
- Get-ManagementRoleAssignment
Correcting RBAC solved half of my problem. Commands such as get-mailbox and Get-ManagementRoleAssignment are working again and I can access ECP with the Organization Management role. But when I try to change something which involves an AD operation, it fails. I am getting the following message in Exchange 2013 ECP and Exchange PowerShell.
Active Directory operation failed on DC1.Local.example.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
I tried several things, like those in the TechNet forum posts below:
Exchange 2010 and the Exchange Trusted Subsystem
- Looks like the same issue, possible solution: Exchange Trusted Subsystem permissions should have an inherited Full Control from the CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com container.
- Checked with ADSIEdit:
- Services
- Microsoft Exchange
- First Organization – (check here)
- Administrative Groups – (check here)
- Exchange Administrative Group (FYDIBOHF23SPDLT) – (check here)
- Experience: Exchange Trusted Subsystem has everywhere inherited permission.
Active Directory operation failed in ECP
- Looks like the same issue, possible solution:
- 'full control' on the employee (user) entry in AD to the following groups:
- Exchange Enterprise Servers, Exchange Servers, Exchange Trusted Subsystems, Exchange Windows Permissions
- Experience: Doesn't work.
This error is not retriable. Additional information: Access is denied.
- Looks like the same issue, possible solution:
- Add-ADPermission "User Name" -User "domain\user1" -Extendedrights Receive-As
- Add-ADPermission "User Name" -User "domain\user1" -ExtendedRights Send-As
- Experience: Doesn't work, I get the same error message: 'This error is not retriable. Additional information: Access is denied.'
Cant Modify or Delete mailboxes DC error
- Looks like the same issue, possible solution:
- Check Inherit permissions
- Experience: Inherit permissions is ticked.
***I can't post the URLs because my account isn't verified yet. I will post them later.