Microsoft KB Archive/319966

= &quot;You do not have sufficient permissions in the Domain&quot; error message occurs and Exchange Setup does not respond =

Article ID: 319966

Article Last Modified on 10/25/2007

-

APPLIES TO


 * Microsoft Exchange Server 2003 Enterprise Edition
 * Microsoft Exchange Server 2003 Standard Edition
 * Microsoft Exchange 2000 Server Standard Edition

-



This article was previously published under Q319966



This article is a consolidation of the following previously available articles: 823142 and 319966



SYMPTOMS
When you run the Exchange 2000 Server Setup program or the Exchange Server 2003 Setup program, you may receive the following error message:

The component &quot;Microsoft Exchange Messaging and Collaboration Services&quot; cannot be assigned the action &quot;Install&quot; because: -You do not have sufficient permissions in the Domain. The Domain administrator must re-run setup /domainprep or you must create a recipient update service for this domain to update the permissions.

If you use the /domainprep switch to run Setup and then run Exchange Setup again, you do not receive the error. However, the next time that you run Exchange Setup, Setup may stop responding, and you may receive the same error message again.

When you examine the security settings for these groups in the Active Directory Users and Computers management console, the Exchange Enterprise Servers security group does not have Full Control permissions over the Exchange Domain Servers group. Manually granting the Exchange Enterprise Server or an account with Full Exchange Administrator rights full control on the Exchange Domain Servers group resolves the behavior temporarily, but the permissions later disappear.



CAUSE
This behavior can occur because the Exchange Domain Servers group is also a member of any Builtin Administrators group.



RESOLUTION
To resolve this behavior, remove the Exchange Domain Servers group from any Builtin Administrators groups, and then rerun Exchange Setup by using the /domainprep switch.



MORE INFORMATION
The AdminSDHolder object controls the security settings on the Builtin Administrators, Schema Administrators, Enterprise Administrators, and Domain Administrators groups.

Note You can see the AdminSDHolder object in the System container in the Active Directory Users and Computers snap-in. You have to configure the Active Directory Users and Computers snap-in to display Advanced Features for the System container to be visible. To turn on Advanced Features, in the Active Directory Users and Computers snap-in, click Advanced Features on the View menu.

The access control list (ACL) on the AdminSDHolder object functions as a template for the ACLs that are on members of the various administrative groups in the domain. This is to prevent the ACLs for administrative accounts from being changed, either manually or by moving the accounts to another container.

Every hour, the Microsoft Windows domain controller that has the primary domain controller (PDC) emulator operations master role verifies the ACLs on members of these administrative groups and compares them to the ACL on the AdminSDHolder object. If the ACL that is on the AdminSDHolder object is different, the ACLs on the members of the administrative group are reset to match the ACL on the AdminSDHolder object.

During the domain preparation operation (DomainPrep), the Exchange Enterprise Servers group is granted Full Control permissions to the Exchange Enterprise Servers and Exchange Domain Servers groups. These permissions are required for Exchange Setup to finish. Because the Exchange Enterprise Servers group is not granted Full Control permisions to the AdminSDHolder object, if the Exchange Domain Servers group is added to the Builtin Administrators group, the permissions granted through the domain preparation operation are later removed.

If you view the Exchange Server Setup Progress Log (located on the root of the boot partition, for example, C:\Exchange Server Setup Progress.log), you can see the following text:

[03:24:35]    Prerequisites for Microsoft Exchange Instant Messaging Service failed: The component &quot;Microsoft Exchange Messaging and Collaboration Services&quot; cannot be assigned the action &quot;Install&quot; because: - You do not have sufficient permissions in the Domain. The Domain administrator must re-run setup /domainprep or you must create a recipient update service for this domain to update the permissions. - The installation directory &quot;H:\Program Files\Exchsrvr\MDBDATA&quot; must not contain any files

[03:24:35] The component &quot;Microsoft Exchange Messaging and Collaboration Services&quot; cannot be assigned the action &quot;Install&quot; because: - You do not have sufficient permissions in the Domain. The Domain administrator must re-run setup /domainprep or you must create a recipient update service for this domain to update the permissions. - The installation directory &quot;H:\Program Files\Exchsrvr\MDBDATA&quot; must not contain any files

[03:28:05] CComBOIFacesFactory::QueryInterface (K:\admin\src\udog\BO\bofactory.cxx:52) Error code 0X80004002 (16386): No interface. For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

232199 Description and update of the Active Directory AdminSDHolder object

318180 AdminSDHolder thread affects transitive members of distribution groups

Additional query words: 0X80004002 xadm mmc fsmo flexible single master operations re-run rerun

Keywords: kberrmsg kbpending kbprb KB319966

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.