You receive error ID 80004005 when you use Exchange System Manager to try to change the domain controller that is specified in the properties dialog box for the Recipient Update Service in Exchange 2000 (821465)
The information in this article applies to:
- Microsoft Exchange 2000 Server
SYMPTOMS
In Microsoft Exchange 2000 Server, when you use Exchange System Manager to try to change the Microsoft Windows 2000-based domain controller that is specified in the properties dialog box for the Recipient Update Service, you receive the following error message:

The operation failed
ID no: 80004005
Exchange System Manager

CAUSE
This issue occurs when one of the following conditions is true:
- The account that you are using does not have permissions to the parent object.
- The serverReference attribute is not set on the parent object.

Exchange System Manager performs a Lightweight Directory Access Protocol (LDAP) search for NTDS Settings objects in the Configuration/Sites container in the Active Directory directory service. You can locate the following NTDS Settings object by using the ADSI Edit snap-in or the LDP utility:

CN=NTDS Settings,CN=Server_Name,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Your_Domain,DC=com

In this object, Server_Name is the name of a Windows-based domain controller. Exchange System Manager then tries to read the serverReference attribute from the parent object. The parent object of the NTDS Settings object is the following server object:

CN=Server_Name,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Your_Domain,DC=com

Because the account that you are using does not have permissions to the parent object, or because the serverReference attribute is missing on the parent object, an E_FAIL error condition is returned. You then receive the error message that is mentioned in the "Symptoms" section.

RESOLUTION
To resolve this issue, you must first locate the server object. This server object is either the object that your account does not have permissions to, or the domain controller object that contains a value that is not valid in the serverReference attribute. Then, you must either grant your account the permissions that are required for the server object in Active Directory, or populate the serverReference attribute value for the server object.

Step 1: Locate the server object
Use the following script to locate the server object.

Note In line 4 of the following code, replace Your_Domain with your domain, and replace com with your domain suffix.

set connection = CreateObject("ADODB.Connection")
connection.Provider = "ADsDSOObject"
connection.Open()
set rsObjects = connection.Execute("<LDAP://CN=Sites,CN=Configuration,DC=Your_Domain,DC=com>" & _
    ";(objectCategory=ntdsdsa);distinguishedName")
' Each result is an NTDS Settings object; its parent is the server object.
while not rsObjects.EOF
    set obj = GetObject("LDAP://" + rsObjects.Fields("distinguishedName"))
    set dc = GetObject(obj.Parent)
    WScript.Echo "This is the DN of the server:" & dc.distinguishedName
    ' An empty serverReference marks a server object that needs Method 2.
    if (dc.serverReference="") _
        Then WScript.Echo "Error: This attribute serverReference is not found" _
        else WScript.Echo "This is the ServerReference attribute of the server:" & _
        dc.serverReference
    rsObjects.MoveNext()
wend

Step 2: Resolve the issue

Method 1: Grant your account the permissions that are required for the server object in Active Directory
To determine whether your account has permissions to the server object, use the Dsacls utility that is included with the Microsoft Windows Support Tools. To do this, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command:

dsacls "cn=server_name,cn=servers,cn=site_name,cn=sites,cn=configuration,dc=domain,dc=domain_suffix"

In the command, server_name is the name of the server, site_name is the name of the Windows site, and domain and domain_suffix are the forest root domain, for example, dc=contoso,dc=com.

The correct permissions on that object should be similar to the following output:

Access list:
Effective Permissions on this object are:
Allow DOMAIN\Domain Admins FULL CONTROL
Allow NT AUTHORITY\SYSTEM FULL CONTROL
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow DOMAIN\Enterprise Admins FULL CONTROL <Inherited from parent>
Allow DOMAIN\Domain Admins SPECIAL ACCESS <Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow DOMAIN\Domain Admins FULL CONTROL
Allow DOMAIN\Enterprise Admins FULL CONTROL <Inherited from parent>
Allow DOMAIN\Domain Admins SPECIAL ACCESS <Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS

Method 2: Populate the serverReference attribute value for the server object
If the serverReference attribute value is not set, populate the value. Use the distinguished name of the server object as the value that you populate the attribute with. You can locate this distinguished name under the following domain partition:

CN=Server_Name,OU=Domain Controllers,DC=Your_Domain,DC=Domain Suffix

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
1. Install the ADSI Edit snap-in if it is not already installed.
   The ADSI Edit snap-in is included with the Microsoft Windows 2000 Server Support Tools. To install the Windows 2000 Server Support Tools, run Setup.exe from the Support\Tools folder on the Microsoft Windows 2000 Server CD.
2. Click Start, click Run, type adsiedit.msc, and then click OK.
3. If you want to connect to a different domain controller, click Connect to on the Action menu, click Select or type a domain or server, type the fully-qualified domain name of the domain controller, and then click OK.
4. Expand Configuration Container [Server_Name.Your_Domain.com].
5. Expand CN=Configuration,DC=Your_Domain,DC=com.
6. Expand CN=Sites.
7. Expand CN=Site_Name.
8. Expand CN=Servers.
9. Expand CN=Server_Name.
   In this step, Server_Name is the name of the domain controller.
10. Right-click the domain controller server object, and then click Properties.
11. Select the serverReference attribute.
12. If this attribute is empty, populate it with the distinguished name of the server object that appears under the domain partition. To do this, follow these steps:
    a. In the ADSI Edit snap-in, locate and then expand Domain NC [Server_Name.Your_Domain.com].
    b. Expand DC=Your_Domain,DC=com.
    c. Expand OU=Domain Controllers.
    d. Expand CN=Server_Name.
    e. Right-click Server_Name, and then copy the value of the distinguishedName attribute. This data can be pasted into the serverReference attribute that is mentioned in step 11.

Note The procedure in step 12 uses the default location for the server object.
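
Added example (not part of the original article): a Python helper for Method 1 that parses saved Dsacls output in the format shown above and lists which trustees are allowed or denied the right to read properties on the server object. The sample text, the CONTOSO names, and the choice of FULL CONTROL or READ PROPERTY as the rights needed to read serverReference are assumptions.

```python
import re

# ACE header line in the dsacls output format shown under Method 1.
ACE = re.compile(r"^(Allow|Deny)\s+(.+?)\s+(FULL CONTROL|SPECIAL ACCESS)"
                 r"(?:\s+<Inherited from parent>)?$")
# Assumption: either right is enough to read the serverReference attribute.
READ = {"FULL CONTROL", "READ PROPERTY"}

# Constructed sample, not captured from a real directory.
SAMPLE = r"""
Access list:
Effective Permissions on this object are:
Allow CONTOSO\Domain Admins FULL CONTROL
Allow NT AUTHORITY\SYSTEM FULL CONTROL
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
LIST OBJECT
Deny CONTOSO\Helpdesk SPECIAL ACCESS
READ PROPERTY
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow CONTOSO\Domain Admins FULL CONTROL
"""

def parse_object_aces(text):
    """Return the ACEs listed under 'Effective Permissions on this object'."""
    aces, in_object_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Effective Permissions on this object"):
            in_object_section = True
        elif line.startswith("Permissions inherited to subobjects"):
            break  # the remaining ACEs apply to child objects only
        elif in_object_section and line:
            m = ACE.match(line)
            if m:
                rights = {"FULL CONTROL"} if m.group(3) == "FULL CONTROL" else set()
                aces.append({"type": m.group(1), "trustee": m.group(2), "rights": rights})
            elif aces and "FULL CONTROL" not in aces[-1]["rights"]:
                aces[-1]["rights"].add(line)  # right listed under SPECIAL ACCESS
    return aces

def read_access(aces):
    """Group trustees by whether an ACE allows or denies reading properties."""
    result = {"allow": set(), "deny": set()}
    for ace in aces:
        if ace["rights"] & READ:
            result[ace["type"].lower()].add(ace["trustee"])
    return {kind: sorted(names) for kind, names in result.items()}

if __name__ == "__main__":
    print(read_access(parse_object_aces(SAMPLE)))
```

The result lists trustees as they appear in the ACL; whether your account is covered depends on its group memberships, which the script does not resolve.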
Modification Type: Major
Last Reviewed: 12/15/2005
Keywords: kbtshoot kbprb KB821465

©2004 Microsoft Corporation. All rights reserved.