This is one of the most annoying error that you may probably face with your HT servers and they stop sending emails to MBX servers. There are multiple things that you need to go through to fix this problem. This post is just provide some common troubleshooting steps that can be performed if you face this problem. I faced this one toady in one of my customer’s Exchange 2007 SP2 environment.
This error is most likely generated by permissions issue in active directory. The best bet to find out these problems is using ExBPA. In this particular case the permissions were messed up at the server object level in active directory. Inherited permissions from parent objects got removed due to some reasons.
Here are few things that you should try in this case:
- First off, make sure your active directory replication is not experiencing any problems.
- All domain controllers, global catalogs have the correct time and synchronized with your designated NTP server.
- You can use net time /set \ntpservername if you find any issue discrepancies in the time.
Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights Assignment of your default domain controller policies.
Once you have made sure all these things are in place the permissions are something that we need to concentrate on.
- Use EXBPA to ensure that none of the Exchange Server objects have permissions inheritance blocked on them. If you have you should see something similar to below:
- If you really see something like above then the inheritance of permissions to these objects must be allowed. To do this follow below steps:
- Open ADSIEDIT.MSC and browse to the location CN=<Exchange Server Name>,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Exchange Geek Inc,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=local
- Right click on the server object that was found not inheriting permissions from parent, Select properties, select Security Tab, Click Advanced button and check the check box “
- We are not done yet. There are few more permissions we should check even after allowing inheritance on this object. Follow the previous step to get to security tab of the properties window of Exchange Server object
- As you see in above screenshot below permissions should be assigned to the Exchange Server security group:
- Store Constrained Delegation – Allow
- Store read and write access – Allow
- Store read only access – Allow
- Store transport access – Allow
Hope that helps!