Cisco Unity 7.0 AvDSAD Event ID 1046

Unanswered Question
Feb 12th, 2009

Hi Everyone,

We are running exchange 7.0 on exchange 2k7 with 2008 OS. Everything seems to be working ok but whenever I try to modify someones account through web/sa I get the following error:

Event Type: Error

Event Source: CiscoUnity_DSAD

Event Category: Error

Event ID: 1046

Date: 2/12/2009

Time: 11:38:41 AM

User: N/A

Computer: UNITY

Description:

The Cisco Unity service that monitors Active Directory (AvDSAD) failed to modify object.

Type: AVOBJECTTYPE_MAILUSER

Reason: ERROR_ACCESS_DENIED: Access is denied.

Possible causes include: 1) Network connectivity to the Domain Controller. 2) Insufficient rights for The Cisco Unity service that monitors Active Directory (AvDSAD) account.

Ensure that The Cisco Unity service that monitors Active Directory (AvDSAD) can contact the Domain Controller and has sufficient rights to modify objects. If the problem persists, enable all the micro traces for The Cisco Unity service that monitors Active Directory (AvDSAD) in the Unity Diagnostic Tool. Report the problem to Cisco TAC and include the diagnostic log.

Any ideas???

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Bradford Magnani Thu, 02/12/2009 - 08:52

Mike,

It may not hurt to check the users in question in AD to make sure that within security tab they're selected to inherit permissions. It may not hurt to re-run permissions wizard once this is confirmed- ensuring you're logged in with a domain admin account while running the wizard.

Brad

mikegemza Thu, 02/12/2009 - 08:54

Brad,

Thanks for the quick reply. I have done both of your suggestions already. It looks like the users have the appropriate permissions. The permissions wizard also runs with 100% success.

One thing to note, it seems like this is a problem for all users. Not just one.

-Mike

Christopher McAlpin Thu, 02/12/2009 - 08:56

Are you also running AD2008? If so, Unity requires an ES to be supported in that environment and will have to be connected to a writable DC.

Christopher McAlpin Thu, 02/12/2009 - 09:05

Ok.... It does sound like a permissions issue. Perhaps some group policy? You could try a couple things....

1. Log on to Windows as the Unity directory service account and see if you are able to modify these users in AD.

2. Create a new Unity directory service account, run permissions wizard on it and assign it to the directory services.

Bradford Magnani Thu, 02/12/2009 - 09:07

In addition to what Chris suggests, this may sound trivial but check to see if DirSvc is actually running your DSAD and DSGlobalCatalog services..

mikegemza Thu, 02/12/2009 - 09:19

Good catch! That was it.

Although, I am not sure why all of a sudden the other account stopped working. This setup was working up until a few days ago.

Thanks Guys!

mikegemza Thu, 02/12/2009 - 09:17

Checked #1 is it can modify.

I will try #2 next. Thanks for the tips.

Tray Stoutmeyer Thu, 02/12/2009 - 09:19

Something I haven't seen anyone mention so far is that you should make sure that your AvDSAD and AvGlobalCatalog services in teh services snap in have the UnityDirSvc running them. Sometimes I see where customers have UnityInstall running those.

Tray

Bradford Magnani Thu, 02/12/2009 - 09:23

Mike,

Another tool you can run is the Directory Access Diagnostics (DAD) tool in the Tools Depot under Diagnostic Tools. You'll need to be logged into the Unity server as the UnityDirSvc account. Here you can determine if you've got the proper permissions to access/create users as well as determining proper mailstore access.

Brad

mikegemza Thu, 02/12/2009 - 10:33

I just ran that tool as unitydirsvc.

For all of the read attributes it returned Yes. However, it only returned yes for two write attributes - mailNickname and msExchHideFromAddressLists.

Shouldn't they all be yes?

Bradford Magnani Thu, 02/12/2009 - 10:41

Correct, they should all be Yes. This tells me that aren't being set or there is something in the environment that's disallowing or removing these. The diagnostics mentioned in the error will most likely just confirm the lack of access for these fields in AD. Try running the Permissions Wizard in Report mode and see what the results are.

mikegemza Thu, 02/12/2009 - 11:06

Results were good except for the following two errors under the unitymsgstoresvc account.

• Send As(Send-As\) Right: ACCESS DENIED because a Deny ACE takes precendent over an exact Allow ACE.

• Receive As(Receive-As\) Right: ACCESS DENIED because a Deny ACE takes precendent over an exact Allow ACE.

These two errors were present in a few of my mail stores but not all.

bsmith Mon, 05/18/2009 - 02:36

I have had the same problem but I can import users except users who have been configured as domain administrators.

Christopher McAlpin Mon, 05/18/2009 - 10:45

To be able to import administrators you must check the "Allow Active Directory administrator and operator accounts to have voice mail" option in the Permissions Wizard.

bsmith Mon, 05/18/2009 - 10:52

Hi

Just tried it and I am getting the same result.

Do I run the permissions wizard under the UnityInstall account ?

Or under the domain account ?

Billy

Christopher McAlpin Mon, 05/18/2009 - 10:55

Typically you would run the Permissions Wizard logged in as an account that has permissions to set permissions (domain admin). The permissions wizard sets permissions for the UnityInstall, UnityMessageStore, and UnityDirectory service accounts you created to install and run Cisco Unity.

bsmith Mon, 05/18/2009 - 10:59

Yes

Thats what I thought just needed confirmation.

Im leaving site now. Ill continue in the morning. Many thanks for your help.

Billy

Actions

This Discussion