Friday, March 14, 2014

Active Directory operation failed on DomainController.domain.local. This error was not retriable.

I had just finished a "Recover Server" installation for a customer of mine who has major issues on their Exchange server and had to rebuild the system drive.  This issue was documented on the following blog post, please read as this issue is related:

http://clintboessen.blogspot.com.au/2014/03/exchange-2010-sp1-recover-server.html

After performing the Recover Server installation, I reinstalled the Digital Certificate with private key and went to begin reconfiguring the web URLs.  When attempting to configure the WebServicesVirtualDirectory, ActiveSyncVirtualDirectory, OWAVirtualDirectory or any of the other virtual directories, I was presented with the following error.

Active Directory operation failed on DomainController.domain.local.  This error was not retriable.  Additional information: Insufficient access rights to perform the operation.

 
 
After a long time diagnosing it was found the issue was because the Exchange server object was not in the "Trusted Exchange Subsystem" security group.  This security group is "CRITICAL" to Exchange 2010, and I was surprised the server was able to load and even serve user Outlook requests!
 
The server was not in this group as the customer had deleted the computer object prior to commencing the Exchange server recovery installation as mentioned in the blog post list documented above.
 
After re-adding the server to the Trusted Exchange Subsystem and rebooting, I was able to configure the URL's successfully.
 
 

4 comments:

  1. Grateful to check out your website, I seem to be ahead to more excellent sites and I wish that you wrote more informative post for us. Well done work.

    ReplyDelete
  2. I seem to be ahead to more excellent sites and I wish that you wrote more informative post for us. Well done work.

    ReplyDelete
  3. Nice Post, thank you very much for sharing.

    ReplyDelete
  4. Thank you for this. Exact scenario I had and saved me a ton of time.

    ReplyDelete