XADM: How to Recover When Only Full Exchange Administrator Account Is Deleted (296487)
The information in this article applies to:
- Microsoft Exchange 2000 Server
This article was previously published under Q296487 SYMPTOMS
When you try to install a new Exchange 2000 Server, Setup stops and you receive the following error message:
The component "Microsoft Messaging and Collaboration Services" cannot be
assigned the action "install" because:
Active Directory has not replicated all of the necessary permissions for the
deleted items container. Please wait until replication completes before
running setup.
This error message is an indication that the account running Exchange Setup does not have Full Exchange Administrator rights.
Or, when you run the Delegate Wizard in Exchange System Manager, the wizard stops and you receive the following error messages:
Failed to grant permissions for account on this object: /dc=com;dc=domain/cd=configuration
The delegation wizard could not grant/change permissions for : account
You may be able to use the Delegate Wizard to delegate Exchange Administrators or View Only Administrators.
CAUSE
These symptoms can occur when the only Full Exchange Administrator Account has been deleted. Because this account has been deleted, there is no account with rights as Exchange Full Administrator.
RESOLUTION
To resolve this behavior, run Setup.exe /forestprep from the Exchange 2000 CD.
If this does not resolve the behavior, perform the following steps to enable the domain system account to run the delegate wizard: WARNING: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Exchange 2000 Server, or both. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk. - Open ADSIEdit.
- Expand CN=Configuration-CN=Services, select CN=Microsoft Exchange, right-click, and then click Properties.
- Click the Security tab, and then click Add.
- In the Select Users window, select the SYSTEM account, click Add, and then click OK.
- Assign System Full Control access, and then click OK to close this window.
- In ADSIEdit, expand CN=Microsoft Exchange, select the Organization Name, right-click to open Properties.
- Assign System Full Control at this level also, and then quit ADSIEdit.NOTE: Steps 8 through 17 must be performed at a domain controller in the same domain where the first Exchange Install or Exchange ForestPrep was run.
- Install the Exchange System Manager.
- Enter the following at a command prompt
at xx:xx /interactive "mmc.exe"
- When the management console opens, add the Exchange System Manager.
- Select Console, click Add/Remove Snap-In, and then click Add.
- Select Exchange System, and then click Add.
- Click OK to the change Domain Controller window, close the Add Stand-alone Snap-In window, and then click OK to open the Exchange System Manager Snap-In.
- Right-click the Exchange Organization Name in the ESM console.
- Select Delegate Control, and then click Next in the Delegation Wizard screen.
- Click Add, and then browse and select an account to give permissions to. Change the Role to Exchange Full Administrator. Click OK to continue.
- Click Next, and then click Finish to complete the Delegation Wizard.
MORE INFORMATION
ForestPrep assigns Exchange Full Administrative account permissions to the account that you specify. This account will have the authority to install Exchange 2000 throughout the forest. Also, after the first installation of Exchange 2000, you can use this account to run the Exchange Administration Delegation Wizard, which configures Exchange-specific roles for administrators across the forest.
| Modification Type: | Minor | Last Reviewed: | 4/25/2005 |
|---|
| Keywords: | kberrmsg kbprb KB296487 |
|---|
|