Active directory response: 00002098: SecErr: DSID-03150A48, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Environment:
Root Domain: domain.local
Domain Controllers: 3
Child Domain: abc.domain.local
Domain Controllers: 3
2 Exchange 2003 running in child domain
6 Exchange 2010 running in child domain

When trying to register/activate the license key for Exchange Server 2010, I was getting this error.

Now, I was able to register/activate other servers without any issue in the same domain, but this one was failing. I tried the Exchange Management Shell and it failed too.
This error message clearly points to a permission issue, so I checked the inheritance setting on the user account and found that the "Include inheritable permissions" check box was unchecked.

Checked the check box.

Tried registering/activating the server, but it failed again with the same error message. I found event ID 2080, which showed a problem with SACL rights on a few domain controllers in the site.

Ran Setup.com /PrepareAD to fix the SACL rights and checked the event again; no change in the event result. Waited for replication to complete. After 20 minutes, tried to register/activate the server; now it was failing on a different domain controller, not the one it had been failing on before.

Now, I had one server activated successfully without any issue. So I went to that server and activated all 3 servers from there without any issues.
But that is a workaround, not a resolution, because I will get the same error when I start the migration process and move mailboxes from 2003 to 2010.
To check whether the issue still existed, I created a test mailbox on 2003 and tried to move it to a 2010 server; as expected, it failed with the same error message.

I checked the Exchange Trusted Subsystem group and the Exchange Servers group and found that only one Exchange server was a member of these groups, not all of them.

Added all the remaining servers in both the groups.

Restarted the domain controller on which the move was failing. Moved the mailbox and it moved successfully.
In my experience, the straightforward resolution is to make sure the inheritance check box is checked. But in this case the check box was getting unchecked by itself. I also ran the /PrepareDomain switch, but it didn't help.

It was an AD replication issue combined with the permission issue on the user account.
Note: Still monitoring the issue; will move a few mailboxes again and check. Will update the post.

Cheers,

About the Author

Gulab Prasad

Technology Consultant & Blogger

MCSE: Exchange Server 2016, 2013
MCSE: Skype for Business Server 2015
MCSE: Azure Productivity
MCSE: Windows Server 2016
MCSA: Windows Server 2012, Office 365
MCITP: Exchange Server 2010-2007 | Lync Server 2010
VMware: vSphere 6 Foundations

One Comment

  1. Hey, the "Allow inheritable permissions" checkbox is getting unchecked because of a process called SDPROP. To resolve this, you need to set the admin count attribute on your AD account to a value of 0 (zero). After making this change, inheritance will not get disabled. Hope this helps.
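The two checks this post and the comment above come down to can be scripted. The following is an added example (not from the original post or its comment) for the RSAT ActiveDirectory module: it reports the account's adminCount, whether ACL inheritance is blocked, and whether the account is still a transitive member of any protected (adminCount=1) group, in which case SDPROP will keep re-stamping adminCount and re-blocking inheritance; the second function lists which Exchange server computer accounts are missing from the two security groups that had to be repaired. Account and server names in the example calls are hypothetical.

```powershell
# Added diagnostic, not from the original post. Assumes the RSAT ActiveDirectory
# module is installed and the Exchange security groups keep their default names.
Import-Module ActiveDirectory

function Test-AdminSdHolderState {
    # Report adminCount, whether ACL inheritance is blocked, and which protected
    # (adminCount=1) groups the account belongs to, directly or through nesting.
    param([Parameter(Mandatory)][string]$Identity, [string]$Server)
    $common = @{}; if ($Server) { $common.Server = $Server }
    $u = Get-ADUser -Identity $Identity -Properties adminCount, nTSecurityDescriptor @common
    # Escape the DN for use inside an LDAP filter (RFC 4515): backslash first.
    $dn = $u.DistinguishedName -replace '\\','\5c' -replace '\(','\28' -replace '\)','\29' -replace '\*','\2a'
    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN (transitive membership).
    $filter = "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$dn))"
    $protected = @(Get-ADGroup -LDAPFilter $filter @common | Select-Object -ExpandProperty Name)
    [pscustomobject]@{
        Account            = $u.SamAccountName
        AdminCount         = $u.adminCount
        InheritanceBlocked = $u.nTSecurityDescriptor.AreAccessRulesProtected
        ProtectedGroups    = $protected
        # Clearing adminCount alone is not durable while the account is still in a
        # protected group: SDPROP re-stamps it and re-applies the AdminSDHolder ACL.
        WillBeReprotected  = ($protected.Count -gt 0)
    }
}

function Test-ExchangeServerGroups {
    # List which Exchange server computer accounts are (not) members of the two
    # groups the post had to repair. Both groups live in the forest root domain.
    param([Parameter(Mandatory)][string[]]$ServerName,
          [Parameter(Mandatory)][string]$RootDomain)
    foreach ($g in 'Exchange Trusted Subsystem', 'Exchange Servers') {
        # Computer accounts carry a trailing '$' in SamAccountName; strip it to compare.
        $members = Get-ADGroupMember -Identity $g -Server $RootDomain -Recursive |
                   ForEach-Object { $_.SamAccountName.TrimEnd('$').ToUpperInvariant() }
        foreach ($s in $ServerName) {
            [pscustomobject]@{
                Group    = $g
                Server   = $s
                IsMember = ($members -contains $s.ToUpperInvariant())
            }
        }
    }
}

# Example calls with hypothetical names; adjust to your environment.
Test-AdminSdHolderState -Identity 'exadmin' -Server 'abc.domain.local'
Test-ExchangeServerGroups -ServerName 'EX2010-01','EX2010-02' -RootDomain 'domain.local'
```

Run it against each domain controller (the -Server parameter) to see whether the values differ between DCs, which is the replication symptom the post describes.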
