Wednesday, September 14, 2005

Error in Active Directory Users and Computers when updating e-mail addresses

In the environment in which I'm currently working, the OU admins in Active Directory have been delegated "Exchange View Only Admins" permissions on their respective Exchange administrative groups. We have started seeing a problem when they modify e-mail addresses. When an OU-level admin adds or modifies an address, such as an SMTP address, on a user's E-Mail Addresses property page in Active Directory Users and Computers (ADUC), they get one of the following error messages:

Microsoft Active Directory - Exchange Extension
An Exchange Server could not be found in the domain.
Check if the Microsoft Exchange System Attendant service is running on the Exchange Server.
ID no: c10308a2
Microsoft Active Directory - Exchange Extension

OR

There is no such object on the server.
Facility: Win32
ID no: c0072030
Microsoft Active Directory - Exchange Extension

OR (updated on 10 Sept 2006)

There are no bindings.
Facility: Win32
ID no: c00706b6
Microsoft Active Directory - Exchange Extension

I'm not sure why the reported error differs, as I have had different errors reported to me for the same underlying problem, but I suspect it comes down to the difference between the Exchange 2003 RTM and Exchange 2003 SP1 versions of the ADUC extension.

I had not realized this, but the ADUC Exchange extension contacts an Exchange server via RPC when you modify an e-mail address. It does this to validate the format of the particular type of address you are creating, and the first error above shows the first thing it checks: whether the Microsoft Exchange System Attendant service is running on that server. That status check is a query against the server's Service Control Manager, which is why the permissions on the Service Control Manager, described below, matter.

These problems started once the Exchange 2003 servers were updated to Windows 2003 SP1. Apparently this is a side effect of the DCOM/RPC security hardening in Windows 2003 SP1, which tightened the default security descriptor on the Service Control Manager so that remote, non-administrative callers can no longer enumerate services or query their status. Here is a blog entry I read about this: Fun with changing E-Mail Addresses

I found very little data on the Internet about this, but I did find one thread that seemed to be relevant: Could NOT change mail address after windows server 2003 sp1

That thread suggested running a program against the Windows 2003 server to adjust the necessary permissions for the Distributed COM Users group. Being a little uncomfortable with running a third-party tool against production servers, I wanted the official, Microsoft-supported solution. Here is what PSS (Microsoft Product Support Services) recommended.

Edit the Default Domain GPO. In the System Services portion of the GPO, set the Microsoft Exchange System Attendant service to start automatically, and then set the security on this service so that the groups that have been delegated Exchange View Only Admins permission also have the "Read" and "Write" permissions on the service. (You will need to edit the GPO from an Exchange server in order for the Exchange services to show up properly in the System Services section of the GPO.) I was not crazy about this solution, and I'm still not sure why it is necessary to put this in the Default Domain GPO rather than in a GPO that applies only to the Exchange Servers OU. However, I tried editing ONLY the GPO that applied to the Exchange servers and it did not fix the problem.

In the middle of all this troubleshooting, Microsoft released KB 905809: You receive an "ID no: c10308a2" error message when you use the Active Directory Users and Computers snap-in to remotely add or edit an e-mail address for a mail-enabled user in Exchange Server 2003.

The method that ended up fixing this is Method 1 in that KB article. Make sure that you have version 5.2.3790.1830 (the Windows 2003 SP1 build) of the SC.EXE utility. At a command prompt on each Exchange server, run:

sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Type this command exactly as shown: the Security Descriptor Definition Language (SDDL) string must match character for character, and sc sdset replaces the whole descriptor rather than merging into the existing one. Before changing anything, capture the current descriptor with sc sdshow SCMANAGER so that you can roll back. You can also run the command remotely by putting the server name after sc, as in sc \\servername sdset SCMANAGER ... . Be aware of what the fix does: it grants Authenticated Users (AU) connect, enumerate, query-lock-status and read-control rights on the Service Control Manager. That is wider than just your delegated Exchange admin groups; anyone who can authenticate to the server can again enumerate and query its services.
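As an added example (my own code, not from the original post, Microsoft or KB 905809), here is a small Python decoder for the SDDL string that the sc sdset command applies. It lists what each principal is granted on the Service Control Manager and diffs that against a pre-change descriptor. The SP1_DEFAULT string is what I recall Windows Server 2003 SP1 ships with and is an assumption; on a real server, paste the output of sc sdshow SCMANAGER in its place. The rights-token and SID abbreviation tables are the standard SDDL ones for service objects.

```python
"""Decode the SDDL security descriptor that the sc sdset command applies.

Added example: my own code, not from the original post, Microsoft or
KB 905809.  It parses the DACL/SACL string, lists what each principal is
granted on the Service Control Manager (SCM), and diffs it against a
pre-change descriptor.  Deny ACEs are not evaluated (none appear here).
"""
import re

# SDDL rights tokens as sc.exe prints them for the SCM object (winsvc.h).
# KA (KEY_ALL_ACCESS) has the same numeric value as SC_MANAGER_ALL_ACCESS,
# 0xF003F, which is why 'sc sdshow' renders full control as KA.
RIGHTS = {
    "CC": "SC_MANAGER_CONNECT",
    "DC": "SC_MANAGER_CREATE_SERVICE",
    "LC": "SC_MANAGER_ENUMERATE_SERVICE",
    "SW": "SC_MANAGER_LOCK",
    "RP": "SC_MANAGER_QUERY_LOCK_STATUS",
    "WP": "SC_MANAGER_MODIFY_BOOT_CONFIG",
    "SD": "DELETE",
    "RC": "READ_CONTROL",
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
    "KA": "SC_MANAGER_ALL_ACCESS",
    "GA": "GENERIC_ALL",
    "FA": "FILE_ALL_ACCESS",
}
FULL_CONTROL = {"KA", "GA"}
SIDS = {"AU": "Authenticated Users", "SY": "Local System",
        "BA": "Builtin Administrators", "WD": "Everyone",
        "IU": "Interactive", "SU": "Service"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}

# The descriptor from KB 905809 Method 1, copied from the post.
KB905809 = ("D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
            "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")
# ASSUMPTION: what I recall Windows Server 2003 SP1 ships as the SCM
# descriptor.  Capture the real value with 'sc sdshow SCMANAGER' first.
SP1_DEFAULT = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
               "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
               "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")


def _tokens(field):
    """Split 'CCLCRPRC' into ['CC', 'LC', 'RP', 'RC'], rejecting unknowns."""
    if field.startswith("0x"):          # raw access mask, keep verbatim
        return [field]
    if len(field) % 2:
        raise ValueError("odd-length rights field: %r" % field)
    toks = [field[i:i + 2] for i in range(0, len(field), 2)]
    bad = [t for t in toks if t not in RIGHTS]
    if bad:
        raise ValueError("unknown rights token(s) %r in %r" % (bad, field))
    return toks


def parse_sddl(sddl):
    """Return {'dacl': [...], 'sacl': [...]} with one dict per ACE."""
    out = {"dacl": [], "sacl": []}
    for key, name in (("D", "dacl"), ("S", "sacl")):
        m = re.search(r"%s:[A-Z]*((?:\([^)]*\))*)" % key, sddl)
        if not m:
            continue
        for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
            parts = ace.split(";")
            if len(parts) != 6:   # type;flags;rights;object;inherit;sid
                raise ValueError("malformed ACE: %r" % ace)
            atype, flags, rights, _obj, _inh, sid = parts
            out[name].append({
                "type": ACE_TYPES.get(atype, atype),
                "flags": [flags[i:i + 2] for i in range(0, len(flags), 2)],
                "rights": _tokens(rights),
                "sid": sid,
            })
    return out


def allowed_rights(sddl):
    """Map each SID in the DACL to the set of right tokens it is allowed."""
    grants = {}
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["type"] == "allow":
            grants.setdefault(ace["sid"], set()).update(ace["rights"])
    return grants


def has_rights(sddl, sid, needed):
    """True if sid's allow ACEs cover every token in needed (KA/GA cover all)."""
    got = allowed_rights(sddl).get(sid, set())
    return bool(got & FULL_CONTROL) or set(needed) <= got


def diff_grants(before, after):
    """Per SID, (added, removed) right tokens when 'before' becomes 'after'."""
    b, a = allowed_rights(before), allowed_rights(after)
    result = {}
    for sid in sorted(set(b) | set(a)):
        added = a.get(sid, set()) - b.get(sid, set())
        removed = b.get(sid, set()) - a.get(sid, set())
        if added or removed:
            result[sid] = (added, removed)
    return result


if __name__ == "__main__":
    for sid, (added, removed) in diff_grants(SP1_DEFAULT, KB905809).items():
        print("%-24s +%s -%s" % (SIDS.get(sid, sid),
                                 sorted(RIGHTS.get(r, r) for r in added),
                                 sorted(RIGHTS.get(r, r) for r in removed)))
```

Run against the assumed SP1 default, the diff shows Authenticated Users gaining LC, RP and RC while the Interactive and Service SIDs lose their explicit entries. The sid field is taken verbatim, so if you would rather grant only your delegated groups than all Authenticated Users, you can replace AU in the ACE with the group's S-1-5-21-... SID and feed the result back through has_rights to confirm it covers CC and LC before you sdset it.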

5 Comments:

At 5:57 PM, Blogger Alex Siow said...

Thanks for sharing this information.

I tried method 2 by editing the Default Domain Policy but it did not work.

Actually I don't understand how method 2 can solve the problem because the delegated admin still does not have the following access right on SCMANAGER.

LC - SDDL_LIST_CHILDREN
RP - SDDL_READ_PROPERTY
RC - SDDL_READ_CONTROL

 
At 7:42 PM, Blogger Marcina said...

I too tried both methods yet my problem is still unresolved.

There is no such object on the server.
Facility: Win32
ID no:c0072030
Microsoft Active Directory - Exchange Extension

 
At 6:21 AM, Blogger Stevo said...

This comment has been removed by the author.

 
At 6:22 AM, Blogger Stevo said...

I found that the SC command did the trick for me, but I had to run it as an Enterprise Administrator on the exchange boxes.

Running the command as a Domain Administrator did not fix the problem.
Also, the permissions assignment to the System Attendant service did not, in and of itself, solve the problem, but I did that as well prior to running the SC fix as Ent Admin.

http://forums.msexchange.org/m_1800385892/mpage_1/key_/tm.htm#1800385892

 
At 10:00 PM, Blogger zolkin said...

Hi!

We got exactly the same error messages. Have you found any solutions for this question since then?

Thanx

Zolee

 
