Microsoft KB Archive/326952

= "Permission problem encountered" error message when you try to force Intrasite Directory Replication =

Article ID: 326952

Article Last Modified on 10/28/2006


APPLIES TO


 * Microsoft Exchange Server 5.5 Standard Edition




This article was previously published under Q326952



SYMPTOMS
When you manually force Intrasite Directory Replication (update the directory from within the site), you may receive the following error message:

The requested operation failed due to a permission problem encountered while accessing a remote directory. Check that your account has permission to perform this operation. Then check that the directory service on this server has permission to set up replication on a remote directory. Both directory services must be running under the same service account, and the service account must have the Service Account Admin role on the site object. 0xc1030b22

Additionally, the following event ID message is logged in the Application event log:

Event Type: Warning

Event Source: MSExchangeAdmin

Event Category: (4)

Event ID: 2019

Description:

An error occurred updating the replica of naming context '/o=ORGANIZATION' on server 'SERVER'. The replica will be updated on server 'SERVER' during the course of any normal replication updates. 0xc1030b22 - The requested operation failed due to a permissions problem encountered while accessing a remote directory. Check that your account has permission to perform this operation. Then check that the directory service on this server has permission to set up replication on a remote directory. Both directory services must be running under the same service account, and the service account must have the Service Account Admin role on the site object.



CAUSE
This behavior can occur if the account that you use to run the Microsoft Exchange Server Administrator program does not have "Modify Admin Attributes" permission on the Configuration container.



RESOLUTION
To resolve this issue:
 * 1) Start the Exchange Server Administrator program.
 * 2) Make sure the Permissions tab is visible for all objects: On the Tools menu, click Options, and then click the Permissions tab. Click to select the Show Permissions page for all objects and Display rights for roles on Permissions page check boxes. Click OK.
 * 3) Right-click the Configuration container, click Properties, and then click the Permissions tab.
 * 4) Click the user account that manually forces Intrasite Directory Replication, and then click to select the Modify Admin Attributes permission check box.

NOTE: Instead of editing the permissions, you can directly grant the user account the Administrator Role, which automatically has the following permissions:
 * Add Child
 * Modify User Attributes
 * Modify Administrator Attributes
 * Delete

If the issue still occurs after you perform the previous procedure, change the logon account of the Microsoft Exchange Directory service from the local system account to a domain account. Although the local system account is sufficient to start the Microsoft Exchange Directory service, it does not have the permissions to make remote procedure calls (RPCs) to other Exchange servers' directory services during Intrasite Directory Replication. To change the logon account, follow these steps:
 * 1) Click Start, point to Settings, and then click Control Panel.
 * 2) Double-click Services, and then double-click Microsoft Exchange Directory.
 * 3) Type the name and the password for a domain account in the Log On As box.
 * 4) Click OK.
 * 5) Restart the Microsoft Exchange Directory service, and then click Close.


MORE INFORMATION
The Access Category property of an attribute determines the permissions that a user must have to modify the attribute. The Access Category property value definitions are as follows:
 * 0: Only the system can modify the attribute
 * 1: Users with Modify Admin Attributes permission can modify the attribute
 * 2: Users with Modify User Attributes permission can modify the attribute
 * 3: Users with Modify Permissions rights can modify the attribute

For example, the Exchange Phone Number attribute, which is mapped to the Lightweight Directory Access Protocol (LDAP) telephoneNumber attribute, has an Access Category value of 2, which means that users with "Modify User Attributes" permission on the object can change the value.

To discover all of the properties you can modify according to a permission, follow the procedure described in this section.

Warning: If you use the raw mode of the Exchange Server Administrator program (admin /r) incorrectly, serious problems may occur that may require you to reinstall Microsoft Windows NT Server, Microsoft Exchange Server, or both. Microsoft cannot guarantee that problems that result from using raw mode incorrectly can be solved. Use raw mode at your own risk.

 * 1) Start the Exchange Server Administrator program in raw mode by typing the following at a command prompt:

c:\exchsrvr\bin\admin /r

 * 2) On the View menu, click Raw Directory.
 * 3) In the right pane, double-click Schema.
 * 4) Double-click the attribute that you want to modify.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

168753 Microsoft Exchange roles, rights, and permissions

Additional query words: XADM

Keywords: kbprb KB326952


© Microsoft Corporation. All rights reserved.