"Permission problem encountered" error message when you try to force Intrasite Directory Replication (326952)



The information in this article applies to:

  • Microsoft Exchange Server 5.5

This article was previously published under Q326952

SYMPTOMS

When you manually force Intrasite Directory Replication (update the directory from within the site), you may receive the following error message:
The requested operation failed due to a permission problem encountered while accessing a remote directory. Check that your account has permission to perform this operation. Then check that the directory service on this server has permission to set up replication on a remote directory. Both directory services must be running under the same service account, and the service account must have the Service Account Admin role on the site object. 0xc1030b22
Additionally, the following event ID message is logged in the Application event log:

Event Type: Warning
Event Source: MSExchangeAdmin
Event Category: (4)
Event ID: 2019
Description:
An error occurred updating the replica of naming context '/o=ORGANIZATION' on server 'SERVER'. The replica will be updated on server 'SERVER' during the course of any normal replication updates. 0xc1030b22 - The requested operation failed due to a permissions problem encountered while accessing a remote directory. Check that your account has permission to perform this operation. Then check that the directory service on this server has permission to set up replication on a remote directory. Both directory services must be running under the same service account, and the service account must have the Service Account Admin role on the site object.

CAUSE

This behavior can occur if the account that you use to run the Microsoft Exchange Server Administrator program does not have "Modify Admin Attributes" permission on the Configuration container.

RESOLUTION

To resolve this issue:
  1. Start the Exchange Server Administrator program.
  2. Make sure the Permissions tab is visible for all objects.
    1. On the Tools menu, click Options, and then click the Permissions tab.
    2. Click to select the Show Permissions page for all objects and Display rights for roles on Permissions page check boxes.
    3. Click OK.
  3. Right-click the Configuration container, click Properties, and then click the Permissions tab.
  4. Click the user account that manually forces Intrasite Directory Replication, and then click to select the Modify Admin Attributes permission check box.
NOTE: Instead of editing the permissions, you can directly grant the user account the Administrator Role, which automatically has the following permissions:
  • Add Child
  • Modify User Attributes
  • Modify Administrator Attributes
  • Delete
If the issue still occurs after you perform the previous procedure, change the logon account of the Microsoft Exchange Directory service from the local system account to a domain account. Although the local system account is sufficient to start the Microsoft Exchange Directory service, it does not have permission to make remote procedure calls (RPCs) to other Exchange servers' directory services during Intrasite Directory Replication. To change the logon account, follow these steps:
  1. Click Start, point to Settings, and then click Control Panel.
  2. Double-click Services, and then double-click Microsoft Exchange Directory.
  3. Type the name and the password for a domain account in the Log On As box.
  4. Click OK.
  5. Restart the Microsoft Exchange Directory service, and then click Close.

MORE INFORMATION

The Access Category property of an attribute determines the permissions that a user must have to modify the attribute. The Access Category property value definitions are as follows:
  • 0: Only the system can modify the attribute
  • 1: Users with Modify Admin Attributes permission can modify the attribute
  • 2: Users with Modify User Attributes permission can modify the attribute
  • 3: Users with Modify Permissions rights can modify the attribute
For example, the Exchange Phone Number attribute, which is mapped to the Lightweight Directory Access Protocol (LDAP) telephoneNumber attribute, has an Access Category value of 2, which means that users with "Modify User Attributes" permission on the object can change the value.

To discover all of the properties you can modify according to a permission, follow the procedure described in this section.

Warning: If you use the raw mode of the Exchange Server Administrator program (admin /r) incorrectly, serious problems may occur that may require you to reinstall Microsoft Windows NT Server, Microsoft Exchange Server, or both. Microsoft cannot guarantee that problems that result from using raw mode incorrectly can be solved. Use raw mode at your own risk.
  1. Start the Exchange Server Administrator program in raw mode by typing the following at a command prompt:

    c:\exchsrvr\bin\admin /r

  2. On the View menu, click Raw Directory.
  3. In the right pane, double-click Schema.
  4. Double-click the attribute that you want to modify.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:

168753 Microsoft Exchange roles, rights, and permissions


Modification Type: Major
Last Reviewed: 7/25/2005
Keywords: kbprb KB326952