Microsoft KB Archive/905809

= You receive an "ID no: c10308a2" error message when you use the Active Directory Users and Computers snap-in to remotely add or edit an e-mail address for a mail-enabled user in Exchange Server 2003 =

Article ID: 905809

Article Last Modified on 10/25/2007

-

APPLIES TO


 * Microsoft Exchange Server 2003 Standard Edition
 * Microsoft Exchange Server 2003 Enterprise Edition

-



SYMPTOMS
You are running Microsoft Exchange Server 2003 on a server that has Microsoft Windows Server 2003 Service Pack 1 (SP1) installed. When you use the Active Directory Users and Computers snap-in to remotely add or edit an e-mail address for a mail-enabled user, you receive the following error message.

An Exchange server could not be found in the domain. Check if the Microsoft System Attendant service is running on the Exchange Server. ID no: c10308a2 Microsoft Active Directory - Exchange Extension

Additionally, you receive this error message if the following conditions are true:
 * You remotely connect to Exchange Server 2003 by using Exchange System Manager.
 * Your user account is not a local administrator on the remote Exchange server.



CAUSE
This problem occurs if the following conditions are true:
 * Users are delegated Exchange Server administrator roles.
 * The users who are delegated Exchange Server administrator roles are not members of the Domain Admins group or the Local Admins group on the Exchange server.
 * You have implemented the Exchange Server 2003 Security Hardening templates.

Therefore, the users cannot log on to the Exchange server.

Windows Server 2003 SP1 limits the ability of users who are not administrators to remotely access the Service Control Manager (SCM). Therefore, Exchange System Manager or the Active Directory Users and Computers snap-in cannot determine the Exchange Server services that are running.

Note This problem does not occur if Windows Server 2003 SP1 is not installed on the Exchange server.



WORKAROUND
To work around this problem, follow these steps.

Step 1: Install Exchange System Manager on a workstation that is connected to the network
 Insert the Exchange Server 2003 CD into the CD drive on the computer. If the Exchange Setup program starts automatically, click Exchange Deployment Tools. Otherwise, run Setup.exe from the root folder of the CD. Click Exchange System Management Tools only. Complete the steps in the wizard to install Exchange System Manager.

For more information about factors that you must consider when you install Exchange System Management tools on Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:

834121 What to consider when you install Exchange System Management Tools on Windows XP

Step 2: Start a Network Monitor trace on the client workstation
Note Make sure that Exchange System Manager is not running on the Exchange server.

Step A: Install Network Monitor
To install Windows Network Monitor, you must first install the Network Monitor driver. Then, install Network Monitor Tools. To install the Network Monitor driver, follow these steps:
 * 1) Click Start, point to Settings, and then click Network Connections.
 * 2) Double-click the local area connection that you want, and then click Properties.
 * 3) On the General tab, click Install.
 * 4) Click Protocol, and then click Add.
 * 5) Click Network Monitor Driver, and then click OK.
 * 6) Click Close two times, and then close the Network Connections window.

To install the Network Monitor Tools, follow these steps:
 * 1) Click Start, point to Settings, and then click Control Panel.
 * 2) Click Add/Remove Windows Components.
 * 3) Click Management and Monitoring Tools, and then click Details.
 * 4) Click to select the Network Monitoring Tools check box, and then click OK.
 * 5) Click Next. If you are prompted to insert a disk, insert the Windows Server 2003 CD into the CD drive. Then, go to step 6. If the files are located on a network share, click OK, click Browse, move to the appropriate folder, and then click Open.
 * 6) Click OK, click Finish, and then close the Add or Remove Programs dialog box.

Step B: Start a Network Monitor trace

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Network Monitor.
 * 2) On the Capture menu, click Networks.
 * 3) Expand Local Computer, click the local area connection that you want, and then click OK.
 * 4) On the Capture menu, click Start.

Step 3: Reproduce the problem
Open the Active Directory Users and Computers snap-in on the workstation. Then, connect to the domain controller that hosts the user whose account you want to modify. Perform the steps that caused the error that is mentioned in the "Symptoms" section. When you receive the error, go to Network Monitor and follow these steps:
 * 1) On the Capture menu, click Stop.
 * 2) On the File menu, click Save as.
 * 3) In the File name box, type an appropriate file name, and then click Save. The file is saved with a .cap file name extension.

Step 4: Review the Network Monitor trace
To review the Network Monitor trace, open the file that you captured, and then examine the list of entries. To do this, follow these steps:
 * 1) In Network Monitor, click Open on the File menu.
 * 2) Click the file that you captured, and then click Open.

When you review the Network Monitor trace, check whether Exchange System Manager binds to the Service Control Manager. In the trace, this bind appears as an RPC Bind to UUID 367ABB81-9844-35F1-AD32-98F038001003. If the RPC bind succeeds, it is followed by a call to OpenSCManager, opnum 0xF. If the opnum 0xF call fails, the response contains an error code at the end of the packet data. In the following example, the error code is the last four bytes of the packet data (05 00 00 00, a little-endian DWORD):

00000030 FF 53 4D 42 25 00 .SMB%.
00000040 00 00 00 98 07 C8 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 03 78 E0 0A 01 D8 80 01 0A 00 00 30 00 00 ...x.........0..
00000060 00 00 00 38 00 00 00 30 00 38 00 00 00 00 00 31 ...8...0.8.....1
00000070 00 40 05 00 02 03 10 00 00 00 30 00 00 00 01 00 .@........0.....
00000080 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 ................
000000A0 00 00

Here, error code 0x5 indicates that access is denied. If the opnum 0xF call fails with a 0x5 error code, the user does not have permissions on the Service Control Manager. To resolve this issue, use the sc sdset SCMANAGER command to modify the permissions. For more information about how to modify permissions, see the "Method 1: Use the Sc.exe tool to grant sufficient permissions to authenticated users" section.

If the opnum 0xF call succeeds, the response will contain a handle instead of an error code. The following output is an example of a successful opnum 0xF call:

00000030 FF 53 4D 42 25 00 .SMB%.
00000050 00 00 02 D8 E0 0A 00 C0 80 01 0A 00 00 30 00 00 .............0..
00000060 00 00 00 38 00 00 00 30 00 38 00 00 00 00 00 31 ...8...0.8.....1
00000070 00 4C 05 00 02 03 10 00 00 00 30 00 00 00 01 00 .L........0.....
00000080 00 00 18 00 00 00 00 00 00 00 00 00 00 00 C9 C6 ................
00000090 9A AC C8 25 33 47 A8 73 B0 0A 14 8D 0D CE 00 00 ...%3G.s........
000000A0 00 00 ..

Next, an OpenService call (opnum 0x10) is made. Again, if the opnum 0x10 call fails, the response contains an error code at the end of the packet data. In the following example, the error code is the last four bytes of the packet data (05 00 00 00):

00000030 FF 53 4D 42 25 00 .SMB%.
00000040 00 00 00 98 07 C8 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 02 D8 E0 0A 00 C0 C0 01 0A 00 00 30 00 00 .............0..
00000060 00 00 00 38 00 00 00 30 00 38 00 00 00 00 00 31 ...8...0.8.....1
00000070 00 58 05 00 02 03 10 00 00 00 30 00 00 00 02 00 .X........0.....
00000080 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 ................
000000A0 00 00 ..

If the OpenService call fails with the error code 0x5, the user does not have permissions on the service itself. You can see the name of the service that is being opened in the packet data for the 0x10 request. In the following example, the service that is being opened is MSExchangeSA; its name is stored as UTF-16 characters and is readable in the ASCII column (M.S.E.x.c.h.a.n.g.e.S.A):

00000080 05 00 ..
00000090 00 03 10 00 00 00 58 00 00 00 02 00 00 00 40 00 ......X.......@.
000000A0 00 00 00 00 10 00 00 00 00 00 C9 C6 9A AC C8 25 ...............%
000000B0 33 47 A8 73 B0 0A 14 8D 0D CE 0D 00 00 00 00 00 3G.s............
000000C0 00 00 0D 00 00 00 4D 00 53 00 45 00 78 00 63 00 ......M.S.E.x.c.
000000D0 68 00 61 00 6E 00 67 00 65 00 53 00 41 00 00 00 h.a.n.g.e.S.A...
000000E0 F1 35 04 00 00 00 .5....

If the operation fails at this step, you must add permissions to the service itself. For information about how to add permissions to the service, see the "Method 2: Add Read and Write permissions to the user account" section.
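The following Python script is an added example, not part of this article: it reads the Network Monitor hex dumps shown in Step 4, locates the DCE/RPC header inside the SMB-framed packet, and decodes the fields that the trace review relies on: the call ID (1 for OpenSCManager, 2 for OpenService in these dumps), the opnum and service name of the request, and the context handle and Win32 return code of each response. The stub layouts for OpenSCManagerW (opnum 0xF) and OpenServiceW (opnum 0x10) follow the MS-SCMR protocol; the header search pattern (version 5.0, request or response, NDR little-endian) is a heuristic chosen for these dumps, and PDUs with an authentication trailer are not handled.

```python
import re
import struct

# Hex dumps copied from the article's Step 4 (Network Monitor "offset / hex / ASCII" lines).
OPENSCM_DENIED = """\
00000030 FF 53 4D 42 25 00 .SMB%.
00000040 00 00 00 98 07 C8 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 03 78 E0 0A 01 D8 80 01 0A 00 00 30 00 00 ...x.........0..
00000060 00 00 00 38 00 00 00 30 00 38 00 00 00 00 00 31 ...8...0.8.....1
00000070 00 40 05 00 02 03 10 00 00 00 30 00 00 00 01 00 .@........0.....
00000080 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 ................
000000A0 00 00
"""
OPENSCM_OK = """\
00000030 FF 53 4D 42 25 00 .SMB%.
00000050 00 00 02 D8 E0 0A 00 C0 80 01 0A 00 00 30 00 00 .............0..
00000060 00 00 00 38 00 00 00 30 00 38 00 00 00 00 00 31 ...8...0.8.....1
00000070 00 4C 05 00 02 03 10 00 00 00 30 00 00 00 01 00 .L........0.....
00000080 00 00 18 00 00 00 00 00 00 00 00 00 00 00 C9 C6 ................
00000090 9A AC C8 25 33 47 A8 73 B0 0A 14 8D 0D CE 00 00 ...%3G.s........
000000A0 00 00 ..
"""
OPENSERVICE_REQ = """\
00000080 05 00 ..
00000090 00 03 10 00 00 00 58 00 00 00 02 00 00 00 40 00 ......X.......@.
000000A0 00 00 00 00 10 00 00 00 00 00 C9 C6 9A AC C8 25 ...............%
000000B0 33 47 A8 73 B0 0A 14 8D 0D CE 0D 00 00 00 00 00 3G.s............
000000C0 00 00 0D 00 00 00 4D 00 53 00 45 00 78 00 63 00 ......M.S.E.x.c.
000000D0 68 00 61 00 6E 00 67 00 65 00 53 00 41 00 00 00 h.a.n.g.e.S.A...
000000E0 F1 35 04 00 00 00 .5....
"""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
# Heuristic (assumption): DCE/RPC v5.0 header, ptype 0 (request) or 2 (response), flags 0x03, NDR LE data rep.
RPC_HEADER = re.compile(rb"\x05\x00[\x00\x02]\x03\x10\x00\x00\x00")
SCM_OPNUMS = {0x0F: "OpenSCManagerW", 0x10: "OpenServiceW"}
WIN32_ERRORS = {0: "ERROR_SUCCESS", 5: "ERROR_ACCESS_DENIED", 1060: "ERROR_SERVICE_DOES_NOT_EXIST"}
SERVICE_ACCESS = {0x1: "SERVICE_QUERY_CONFIG", 0x2: "SERVICE_CHANGE_CONFIG", 0x4: "SERVICE_QUERY_STATUS",
                  0x8: "SERVICE_ENUMERATE_DEPENDENTS", 0x10: "SERVICE_START", 0x20: "SERVICE_STOP",
                  0x40: "SERVICE_PAUSE_CONTINUE", 0x80: "SERVICE_INTERROGATE", 0x100: "SERVICE_USER_DEFINED_CONTROL"}


def dump_to_bytes(dump):
    """Concatenate the hex column of each 'offset  XX XX ...  ascii' line into one byte string."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[1:17]:          # skip the offset column; at most 16 bytes per line
            if not HEX_BYTE.match(tok):         # the ASCII column ends the hex run
                break
            out.append(int(tok, 16))
    return bytes(out)


def decode_scm_pdu(dump):
    """Locate the DCE/RPC PDU inside the dump and decode the SCM-specific stub."""
    data = dump_to_bytes(dump)
    m = RPC_HEADER.search(data)                 # SMB framing varies, so search rather than fix an offset
    if m is None:
        raise ValueError("no DCE/RPC header found")
    h = m.start()
    frag_len, auth_len, call_id = struct.unpack_from("<HHI", data, h + 8)
    if auth_len:
        raise ValueError("PDUs with an authentication trailer are not handled here")
    stub = data[h + 24:h + frag_len]            # 24-byte header, then the NDR stub
    if data[h + 2] == 0:                        # request: opnum sits at header offset 22
        opnum = struct.unpack_from("<H", data, h + 22)[0]
        info = {"ptype": "request", "call_id": call_id, "opnum": opnum, "call": SCM_OPNUMS.get(opnum)}
        if opnum == 0x10:
            # OpenServiceW stub: SCM context handle (20 bytes), conformant varying UTF-16 service name,
            # alignment pad to 4 bytes, then the requested access mask.
            _max, _off, actual = struct.unpack_from("<III", stub, 20)
            name_end = 32 + actual * 2
            info["service"] = stub[32:name_end].decode("utf-16-le").rstrip("\x00")
            mask = struct.unpack_from("<I", stub, (name_end + 3) & ~3)[0]
            info["desired_access"] = mask
            info["access_names"] = [n for b, n in sorted(SERVICE_ACCESS.items()) if mask & b]
        return info
    # Response: context handle (20 bytes) then the Win32 return code; an all-zero handle means failure.
    handle, code = stub[:20], struct.unpack_from("<I", stub, 20)[0]
    return {"ptype": "response", "call_id": call_id, "return_code": code,
            "error": WIN32_ERRORS.get(code, f"0x{code:x}"),
            "handle": handle.hex() if any(handle) else None}


if __name__ == "__main__":
    for label, dump in (("OpenSCManager (denied)", OPENSCM_DENIED), ("OpenSCManager (ok)", OPENSCM_OK),
                        ("OpenService request", OPENSERVICE_REQ)):
        print(label, decode_scm_pdu(dump))
```

Responses carry no opnum, so match each response to its request by call_id. The request dump also shows what Exchange System Manager actually asks for on MSExchangeSA: desired access 0x4 (SERVICE_QUERY_STATUS), which is why the Read permission in Method 2 is sufficient for the status check.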

Step 5: Modify the appropriate permissions
Administrators may not want to grant authenticated users the right to access SCMANAGER. Additionally, the command in Method 1 frequently does not grant the intended access to SCMANAGER. You can run an alternative sc command to grant this right directly to a specified security group.

For this alternative command to work, you must be able to retrieve the SID of the security group. To do this, you can use a tool such as PSGETSID. For more information about PSGETSID, visit the following Microsoft Web site:

http://www.microsoft.com/technet/sysinternals/utilities/psgetsid.mspx


Method 1: Use the Sc.exe tool to grant sufficient permissions to authenticated users
Use version 5.2.3790.1830 of the Sc.exe tool that is located in the %windir%\system32 folder. The Sc.exe tool restores the functionality that lets you add or edit an e-mail address for a mail-enabled user on a computer that is running Windows Server 2003 SP1. Run the Sc.exe tool on the Exchange server to which you are remotely connecting, and then type the following at a command prompt:

sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Note The permissions string is specified in Security Descriptor Definition Language (SDDL).

The following permissions are granted after you run the command:

Discretionary access control list (DACL)
 * Allow to Authenticated Users: SDDL_CREATE_CHILD, SDDL_LIST_CHILDREN, SDDL_READ_PROPERTY, SDDL_READ_CONTROL
 * Allow to Interactively logged-on user: SDDL_CREATE_CHILD, SDDL_LIST_CHILDREN, SDDL_READ_PROPERTY, SDDL_READ_CONTROL
 * Allow to Service logon user: SDDL_CREATE_CHILD, SDDL_LIST_CHILDREN, SDDL_READ_PROPERTY, SDDL_READ_CONTROL
 * Allow to SYSTEM: SDDL_CREATE_CHILD, SDDL_LIST_CHILDREN, SDDL_READ_PROPERTY, SDDL_WRITE_PROPERTY, SDDL_READ_CONTROL
 * Allow to Built-in Administrators: SDDL_KEY_ALL

System access control list (SACL)
 * Audit activities of the Everyone group: SDDL_AUDIT_FAILURE, SDDL_KEY_ALL
 * Audit activities of the Everyone group: SDDL_INHERIT_ONLY, SDDL_OBJECT_INHERIT, SDDL_AUDIT_FAILURE, SDDL_GENERIC_ALL

Note If you still receive the error message after you apply this set of permissions, try the following security descriptor with the same sc sdset SCMANAGER command:

D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

907460 Non-administrators cannot remotely access the Service Control Manager after you install Windows Server 2003 Service Pack 1
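The following Python script is an added example, not part of this article or of the Sc.exe tool: it parses the two security descriptors from Method 1 and translates the two-letter SDDL rights codes into the access-mask bits that the Service Control Manager actually enforces, so that "SDDL_CREATE_CHILD, SDDL_LIST_CHILDREN, SDDL_READ_PROPERTY, SDDL_READ_CONTROL" reads as SC_MANAGER_CONNECT, SC_MANAGER_ENUMERATE_SERVICE, SC_MANAGER_QUERY_LOCK_STATUS and READ_CONTROL. It goes one step beyond the article by diffing the primary descriptor against the fallback from the Note, which shows that the fallback only drops the Interactive (IU) and Service (SU) entries. The code-to-bit table is the standard SDDL mapping and the SC_MANAGER_* values come from winsvc.h; the trustee and flag name tables cover only the aliases used in these two strings.

```python
import re

# The two security descriptors from Method 1 (the primary command and the fallback from its Note).
SDDL_FULL = ("D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
             "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")
SDDL_FALLBACK = "D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"

# SDDL two-letter rights codes -> access-mask bits (the sddl.h names are directory-flavoured, the bits are generic).
SDDL_RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40,
               "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
               "KA": 0x000F003F, "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000}
# The same bits as the Service Control Manager interprets them (winsvc.h SC_MANAGER_* plus standard rights).
SCM_BITS = {0x1: "SC_MANAGER_CONNECT", 0x2: "SC_MANAGER_CREATE_SERVICE", 0x4: "SC_MANAGER_ENUMERATE_SERVICE",
            0x8: "SC_MANAGER_LOCK", 0x10: "SC_MANAGER_QUERY_LOCK_STATUS", 0x20: "SC_MANAGER_MODIFY_BOOT_CONFIG",
            0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
            0x10000000: "GENERIC_ALL"}
SC_MANAGER_ALL_ACCESS = 0x000F003F
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "IO": "INHERIT_ONLY",
             "NP": "NO_PROPAGATE_INHERIT", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS", "ID": "INHERITED"}
TRUSTEES = {"AU": "Authenticated Users", "IU": "Interactive", "SU": "Service", "SY": "Local System",
            "BA": "Builtin Administrators", "WD": "Everyone"}


def pairs(field):
    """Split a run of two-letter SDDL codes such as 'OIIOFA' into ['OI', 'IO', 'FA']."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def rights_mask(field):
    """Rights field of an ACE: either a hex literal or a run of two-letter codes OR'd together."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for code in pairs(field):
        mask |= SDDL_RIGHTS[code]
    return mask


def scm_rights(mask):
    """Name the mask bits as the SCM sees them; a full SC_MANAGER_ALL_ACCESS mask is reported as one name."""
    if mask & SC_MANAGER_ALL_ACCESS == SC_MANAGER_ALL_ACCESS:
        return ["SC_MANAGER_ALL_ACCESS"]
    return [name for bit, name in sorted(SCM_BITS.items()) if mask & bit]


def parse_ace(text):
    ace_type, flags, rights, _obj_guid, _inherit_guid, sid = text.split(";")[:6]
    mask = rights_mask(rights)
    return {"type": ACE_TYPES.get(ace_type, ace_type), "flags": [ACE_FLAGS.get(f, f) for f in pairs(flags)],
            "mask": mask, "rights": scm_rights(mask), "trustee": sid, "trustee_name": TRUSTEES.get(sid, sid)}


def parse_sddl(sddl):
    """Return the DACL and SACL ACE lists of an SDDL string (owner and group parts are ignored)."""
    out = {"dacl": [], "sacl": []}
    for section, aces in re.findall(r"([DS]):[A-Z]*((?:\([^()]*\))*)", sddl):
        out["dacl" if section == "D" else "sacl"] = [parse_ace(a) for a in re.findall(r"\(([^()]*)\)", aces)]
    return out


def dropped_trustees(full, reduced):
    """DACL trustees granted in `full` whose identical ACE is absent from `reduced`."""
    kept = {(a["trustee"], a["mask"]) for a in parse_sddl(reduced)["dacl"]}
    return {a["trustee"] for a in parse_sddl(full)["dacl"] if (a["trustee"], a["mask"]) not in kept}


if __name__ == "__main__":
    for part, aces in parse_sddl(SDDL_FULL).items():
        for a in aces:
            print(f"{part.upper()} {a['type']:<15} {a['trustee_name']:<22} {', '.join(a['rights'])}")
    print("fallback drops:", sorted(dropped_trustees(SDDL_FULL, SDDL_FALLBACK)))
```

Before applying either descriptor on a production server, run sc sdshow SCMANAGER and keep the output, so that the original descriptor can be restored if the broader grant is not wanted.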


Method 2: Add Read and Write permissions to the user account
To add Read and Write permissions to the user account that was delegated on the Microsoft Exchange System Attendant service, follow these steps:
 * 1) On the Exchange server, start the Active Directory Users and Computers snap-in.
 * 2) Right-click the name of the domain, and then click Properties.
 * 3) Click the Group Policy tab, click Default Domain Policy, and then click Edit to open Group Policy Object Editor.
 * 4) Expand Computer Configuration, expand Windows Settings, expand Security Settings, and then expand System Services.
 * 5) Right-click the Microsoft Exchange System Attendant service, and then click Properties.
 * 6) Click to select the Define this policy setting check box, and then click Edit Security.
 * 7) Click Add, type , click Check Names, and then click OK.
 * 8) Click to select the Read check box and the Write check box, and then click OK.
 * 9) Click Automatic to set the Service Startup Mode. Click OK, and then exit Group Policy Object Editor.
 * 10) Click OK, and then exit the Active Directory Users and Computers snap-in.

Note You may need to obtain the SC_MANAGER_ENUMERATE_SERVICE permission on the Service Control Manager before you can query the status of MSExchangeSA.


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Additional query words: XADM c10308a2.Windows

Keywords: kbprb KB905809

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.