Microsoft KB Archive/821465

= You receive error ID 80004005 when you use Exchange System Manager to try to change the domain controller that is specified in the properties dialog box for the Recipient Update Service in Exchange 2000 =

Article ID: 821465

Article Last Modified on 2/27/2007


APPLIES TO


 * Microsoft Exchange 2000 Server Standard Edition






SYMPTOMS
In Microsoft Exchange 2000 Server, when you use Exchange System Manager to try to change the Microsoft Windows 2000-based domain controller that is specified in the properties dialog box for the Recipient Update Service, you receive the following error message:

The operation failed

ID no: 80004005

Exchange System Manager



CAUSE
This issue occurs when one of the following conditions is true:
 * The account that you are using does not have permissions to the parent object.
 * The serverReference attribute is not set on the parent object.

Exchange System Manager performs a Lightweight Directory Access Protocol (LDAP) search for NTDS Settings objects in the Configuration/Sites container in the Active Directory directory service. You can locate the following NTDS Settings object by using the ADSI Edit snap-in or the LDP utility:

CN=NTDS Settings,CN= ,CN=Servers,CN= ,CN=Sites,CN=Configuration,DC= ,DC= ,

In this object,  is the name of a Windows-based domain controller.

Exchange System Manager then tries to read the serverReference attribute from the parent object. The parent object of the NTDS Settings object is the following server object:

CN= ,CN=Servers,CN= ,CN=Sites,CN=Configuration,DC= ,DC= ,

Because the account that you are using does not have permissions to the parent object, or because the serverReference attribute is missing on the parent object, an E_FAIL error condition is returned. You then receive the error message that is mentioned in the "Symptoms" section.



RESOLUTION
To resolve this issue, you must first locate the server object. This server object is either the object that your account does not have permissions to, or the domain controller object that contains a value that is not valid in the serverReference attribute. Then, you must either grant your account the permissions that are required for the server object in Active Directory, or populate the serverReference attribute value for the server object.

Step 1: Locate the server object
Use the following script to locate the server object.

Note In line 4 of the following code, replace  with your domain, and replace   with your domain suffix.

<pre>
set connection = CreateObject("ADODB.Connection")
connection.Provider = "ADsDSOObject"
connection.Open
set rsObjects = connection.Execute("" & _
    ";(objectCategory=ntdsdsa);distinguishedName")
' Each result is an NTDS Settings object; its parent is the server object.
while not rsObjects.EOF
    set obj = GetObject("LDAP://" + rsObjects.Fields("distinguishedName"))
    set dc = GetObject(obj.Parent)
    WScript.Echo "This is the DN of the server:" & dc.distinguishedName
    ' Report whether serverReference is populated on the server object.
    if (dc.serverReference="") _
    Then WScript.Echo "Error: This attribute serverReference is not found" _
    else WScript.Echo "This is the ServerReference attribute of the server:" & _
        dc.serverReference
    rsObjects.MoveNext
wend
</pre>

Method 1: Grant your account the permissions that are required for the server object in Active Directory
To determine whether your account has permissions to the server object, use the Dsacls utility that is included with the Microsoft Windows Support Tools. To do this, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command:

dsacls "cn= ,cn=servers,cn= ,cn=sites,cn=configuration,dc= ,dc=

In the command,  is the name of the server,   is the name of the Windows site, and   and   are the forest root domain, for example, dc=contoso,dc=com.

The correct permissions on that object should be similar to the following output:

<pre>
Access list:
Effective Permissions on this object are:
Allow DOMAIN\Domain Admins             FULL CONTROL
Allow NT AUTHORITY\SYSTEM              FULL CONTROL
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
                                       READ PERMISSONS
                                       LIST CONTENTS
                                       READ PROPERTY
                                       LIST OBJECT
Allow DOMAIN\Enterprise Admins         FULL CONTROL
Allow DOMAIN\Domain Admins             SPECIAL ACCESS
                                       DELETE
                                       READ PERMISSONS
                                       WRITE PERMISSIONS
                                       CHANGE OWNERSHIP
                                       CREATE CHILD
                                       LIST CONTENTS
                                       WRITE SELF
                                       WRITE PROPERTY
                                       READ PROPERTY
                                       LIST OBJECT
                                       CONTROL ACCESS

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow DOMAIN\Domain Admins             FULL CONTROL
Allow DOMAIN\Enterprise Admins         FULL CONTROL
Allow DOMAIN\Domain Admins             SPECIAL ACCESS
                                       DELETE
                                       READ PERMISSONS
                                       WRITE PERMISSIONS
                                       CHANGE OWNERSHIP
                                       CREATE CHILD
                                       LIST CONTENTS
                                       WRITE SELF
                                       WRITE PROPERTY
                                       READ PROPERTY
                                       LIST OBJECT
                                       CONTROL ACCESS
</pre>
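The check in Method 1 can be automated. The following Python code is an added example, not part of the original article or Microsoft's code: it parses Dsacls output laid out like the sample above and reports whether any of the supplied security principals is allowed READ PROPERTY or FULL CONTROL on the server object itself. The function names and the sample text are constructed for illustration, the handling of Deny entries is an assumption, and the caller must supply the account together with the groups it belongs to, because Dsacls output does not resolve group membership.

```python
import re

# Constructed sample, laid out like the Dsacls output quoted in the article.
SAMPLE = r"""Access list:
Effective Permissions on this object are:
Allow DOMAIN\Domain Admins             FULL CONTROL
Allow NT AUTHORITY\SYSTEM              FULL CONTROL
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
                                       READ PERMISSONS
                                       LIST CONTENTS
                                       READ PROPERTY
                                       LIST OBJECT
Allow DOMAIN\Enterprise Admins         FULL CONTROL

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow DOMAIN\Domain Admins             FULL CONTROL
"""

# Entry header. "Deny" is an assumed keyword; the sample shows only Allow.
ACE = re.compile(r"^(Allow|Deny)\s+(.+?)\s+(FULL CONTROL|SPECIAL ACCESS)\s*$")

def parse_effective_aces(text):
    """Return [(kind, trustee, rights)] for the object's own permissions."""
    aces, in_section = [], False
    for line in text.splitlines():
        if line.startswith("Effective Permissions"):
            in_section = True
        elif line.startswith("Permissions inherited"):
            break  # entries below apply to subobjects, not to this object
        elif in_section and line.strip():
            m = ACE.match(line)
            if m:
                kind, trustee, access = m.groups()
                aces.append((kind, trustee, {access} - {"SPECIAL ACCESS"}))
            elif aces:
                aces[-1][2].add(line.strip())  # right listed under SPECIAL ACCESS
    return aces

def can_read_properties(text, principals):
    """True if a listed principal is allowed, and none is denied, property reads."""
    wanted = {p.lower() for p in principals}
    allowed = False
    for kind, trustee, rights in parse_effective_aces(text):
        if trustee.lower() in wanted and rights & {"FULL CONTROL", "READ PROPERTY"}:
            if kind == "Deny":
                return False
            allowed = True
    return allowed
```

An account that is covered only by Authenticated Users passes this check because of the READ PROPERTY right; if that entry is missing from the server object, the same account fails it, which matches the first condition in the "Cause" section.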

Method 2: Populate the serverReference attribute value for the server object
If the serverReference attribute value is not set, populate the value. Use the distinguished name of the server object as the value that you populate the attribute with. You can locate this distinguished name under the following domain partition:

CN= ,OU=Domain Controllers, DC= ,DC=

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

1. Install the ADSI Edit snap-in if it is not already installed. The ADSI Edit snap-in is included with the Microsoft Windows 2000 Server Support Tools. To install the Windows 2000 Server Support Tools, run Setup.exe from the Support\Tools folder on the Microsoft Windows 2000 Server CD.
2. Click Start, click Run, type adsiedit.msc, and then click OK.
3. If you want to connect to a different domain controller, click Connect to on the Action menu, click Select or type a domain or server, type the fully-qualified domain name of the domain controller, and then click OK.
4. Expand '''Configuration Container [. ]'''
5. Expand CN=Configuration,DC= ,DC= 
6. Expand CN=Sites.
7. Expand CN= .
8. Expand CN=Servers.
9. Expand CN= . In this step,  is the name of the domain controller.
10. Right-click the domain controller server object, and then click Properties.
11. Select the serverReference attribute.
12. If this attribute is empty, populate it with the distinguished name of the server object that appears under the domain partition. To do this, follow these steps:
    a. In the ADSI Edit snap-in, locate and then expand '''Domain NC [. ]'''.
    b. Expand DC= ,DC= .
    c. Expand OU= Domain Controllers.
    d. Expand CN= .
    e. Right-click  , and then copy the value of the distinguishedName attribute. This data can be pasted into the serverReference attribute that is mentioned in step 11.

Note The procedure in step 12 uses the default location for the server object.


MORE INFORMATION
Microsoft provides programming examples for illustration only, without warranty either expressed or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and the tools that are used to create and debug procedures. Microsoft support professionals can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements. If you have limited programming experience, you may want to contact a Microsoft Certified Partner or the Microsoft fee-based consulting line at (800) 936-5200. For additional information about the support options available from Microsoft, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;[LN;CNTACTMS]

Additional query words: XADM 0x80004005 rus enterprise

Keywords: kbtshoot kbprb KB821465


© Microsoft Corporation. All rights reserved.