INSUFF-ACCESS_RIGHTS on added domain controller
Hi folks;
I'm running Exchange 2010. When the original install was done we had two DC's and all was well. Recently, I added another DC. I went into Exchange to modify some user settings and got an INSUFF_ACCESS_RIGHTS error with respect to that new DC;
Microsoft Exchange Error
The following error(s) occurred while saving changes:
Active Directory operation failed on This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
The user has insufficient access rights.
Is there something that needs to be done when adding a new domain controller?
July 19th, 2011 2:18pm
Nothing should normally need to be done that's Exchange-specific when adding another domain controller.
You could try rerunning Exchange 2010:
Setup /PrepareLegacyExchangePermissions
Setup /PrepareAD
Setup /PrepareAllDomains
Run these from the media for the latest service pack you've installed.Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
Free Windows Admin Tool Kit Click here and download it now
July 19th, 2011 3:27pm
I would ensure that your domain controllers are properly replicating. It sounds as though you may have DC that isn't operating correctly. There should be no need to rerun any of the setup steps. The below article overviews troubleshooting the domain: Raschke | C/D/H -
July 19th, 2011 10:00pm
Force the AD replica. Then try to modiy the user settings once again. If the issue persists, then rerun the setup prepare that was mentioned in Ed's post.
Gen Lin
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact
Free Windows Admin Tool Kit Click here and download it now
July 20th, 2011 4:24am
Thanks for the replies everyone :-)
I forced a replication from the other DC's and then re-tried modifying a user's settings and learned something new. I only seem to get that error when I'm modifying my own mailbox :-) This time is reported that it was accessing my first DC and coughed up
the same error. So it seems to be related to that one particular mailbox.
At this point I think I'll leave it alone for a while - it's not that important - yet :-)
Thanks for the help everyone!
July 20th, 2011 2:17pm