We are running Exchange 7.0 on Exchange 2k7 with 2008 OS. Everything seems to be working OK, but whenever I try to modify someone's account through web/sa I get the following error:
Event Type: Error
Event Source: CiscoUnity_DSAD
Event Category: Error
Event ID: 1046
Time: 11:38:41 AM
The Cisco Unity service that monitors Active Directory (AvDSAD) failed to modify object.
Reason: ERROR_ACCESS_DENIED: Access is denied.
Possible causes include: 1) Network connectivity to the Domain Controller. 2) Insufficient rights for The Cisco Unity service that monitors Active Directory (AvDSAD) account.
Ensure that The Cisco Unity service that monitors Active Directory (AvDSAD) can contact the Domain Controller and has sufficient rights to modify objects. If the problem persists, enable all the micro traces for The Cisco Unity service that monitors Active Directory (AvDSAD) in the Unity Diagnostic Tool. Report the problem to Cisco TAC and include the diagnostic log.
It may not hurt to check the users in question in AD to make sure that within the Security tab they're selected to inherit permissions. It may not hurt to re-run the Permissions Wizard once this is confirmed, ensuring you're logged in with a domain admin account while running the wizard.
Thanks for the quick reply. I have done both of your suggestions already. It looks like the users have the appropriate permissions. The permissions wizard also runs with 100% success.
One thing to note, it seems like this is a problem for all users. Not just one.
Are you also running AD2008? If so, Unity requires an ES to be supported in that environment and will have to be connected to a writable DC.
Ok.... It does sound like a permissions issue. Perhaps some group policy? You could try a couple things....
1. Log on to Windows as the Unity directory service account and see if you are able to modify these users in AD.
2. Create a new Unity directory service account, run permissions wizard on it and assign it to the directory services.
In addition to what Chris suggests, this may sound trivial, but check to see if DirSvc is actually running your DSAD and DSGlobalCatalog services.
Good catch! That was it.
Although, I am not sure why all of a sudden the other account stopped working. This setup was working up until a few days ago.
Something I haven't seen anyone mention so far is that you should make sure that your AvDSAD and AvGlobalCatalog services in the Services snap-in have the UnityDirSvc running them. Sometimes I see where customers have UnityInstall running those.
Another tool you can run is the Directory Access Diagnostics (DAD) tool in the Tools Depot under Diagnostic Tools. You'll need to be logged into the Unity server as the UnityDirSvc account. Here you can determine if you've got the proper permissions to access/create users as well as determining proper mailstore access.
I just ran that tool as unitydirsvc.
For all of the read attributes it returned Yes. However, it only returned yes for two write attributes - mailNickname and msExchHideFromAddressLists.
Shouldn't they all be yes?
Correct, they should all be Yes. This tells me that they aren't being set or there is something in the environment that's disallowing or removing these. The diagnostics mentioned in the error will most likely just confirm the lack of access for these fields in AD. Try running the Permissions Wizard in Report mode and see what the results are.
Results were good except for the following two errors under the unitymsgstoresvc account.
• Send As(Send-As\) Right: ACCESS DENIED because a Deny ACE takes precendent over an exact Allow ACE.
• Receive As(Receive-As\) Right: ACCESS DENIED because a Deny ACE takes precendent over an exact Allow ACE.
These two errors were present in a few of my mail stores but not all.
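The two report lines above follow from how Windows evaluates a DACL: ACEs are walked in order, and in canonical order a deny ACE at the same level is reached before the allow ACE. The following Python model of that walk is an added example, not part of the thread and not Cisco or Microsoft code; the group name, the bit values and the ACL contents are constructed, and it also covers the case where an explicit allow is reached before an inherited deny.

```python
from dataclasses import dataclass

SEND_AS, RECEIVE_AS = 0x1, 0x2      # constructed bit values, for this model only

@dataclass(frozen=True)
class Ace:
    kind: str                       # "deny" or "allow"
    trustee: str                    # account or group the ACE names
    mask: int                       # rights the ACE covers
    inherited: bool = False

def canonical(dacl):
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(token, dacl, desired):
    """Walk the ordered DACL; return (granted, deciding ACE or None)."""
    remaining = desired
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue                        # ACE names someone else
        if ace.kind == "deny" and ace.mask & remaining:
            return False, ace               # matching deny ends the walk
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True, ace            # everything requested is granted
    return False, None                      # implicit deny: nothing granted the rest

# Constructed data. The account name is from the thread; the group is hypothetical.
TOKEN = {"unitymsgstoresvc", "ExampleAdminGroup"}
BOTH = SEND_AS | RECEIVE_AS
STORE_DENY = [                              # store that shows the report error
    Ace("allow", "unitymsgstoresvc", BOTH),
    Ace("deny", "ExampleAdminGroup", BOTH),
]
STORE_CLEAN = [Ace("allow", "unitymsgstoresvc", BOTH)]
STORE_INHERITED_DENY = [                    # explicit allow is reached first
    Ace("deny", "ExampleAdminGroup", BOTH, inherited=True),
    Ace("allow", "unitymsgstoresvc", BOTH),
]

if __name__ == "__main__":
    stores = {"deny": STORE_DENY, "clean": STORE_CLEAN,
              "inherited deny": STORE_INHERITED_DENY}
    for name, dacl in stores.items():
        granted, ace = access_check(TOKEN, dacl, SEND_AS)
        print(f"{name}: Send-As {'granted' if granted else 'DENIED'} by {ace}")
```
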
To be able to import administrators you must check the "Allow Active Directory administrator and operator accounts to have voice mail" option in the Permissions Wizard.
Just tried it and I am getting the same result.
Do I run the Permissions Wizard under the UnityInstall account?
Or under the domain account?
Typically you would run the Permissions Wizard logged in as an account that has permissions to set permissions (domain admin). The permissions wizard sets permissions for the UnityInstall, UnityMessageStore, and UnityDirectory service accounts you created to install and run Cisco Unity.
That's what I thought, just needed confirmation.
I'm leaving site now. I'll continue in the morning. Many thanks for your help.