MRS Proxy Error ‘The connection to the server could not be completed’

KB ID 0001358

Problem

When attempting a cross forest mailbox migration, you get the following error when specifying the ‘Remote MRS Proxy Server address’;

error

the connection to the server ‘server-fqdn‘ could not be completed

Solution

Note: For Office 365 Environments see below.

This tripped me up for quite a while (it kept saying access denied). I’d tested this previously and everything was working. Note: If you have never had it working, ensure that the name you are using is resolvable in DNS and that it’s the name on the certificate of the MRS Proxy server (or at least a subject alternative name). See this link for how to set it up properly.

Assuming, (like me) everything is OK and the MRS proxy service is running etc, then I found the root cause of my problem by running;

[box]Get-MigrationEndpoint | fl[/box]

I saw the problem straight away: it was using cached credentials for an admin user who had changed their password. Now all I had to do was work out how to replace the credentials!

Within the Exchange admin center > Recipients > Migration > {Ellipsis} > ‘Migration Endpoints’.

Update.

Enter the new (correct) credentials > Save > Save.

Now retry your ‘batch’ migration.
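
The same check and fix from the Exchange Management Shell, as an added example that is not part of the original article: it lists the account each endpoint has stored, tests fresh credentials against the MRS Proxy, and only saves them if the test passes. `mrs.example.com` is a placeholder for your own MRS Proxy FQDN.

```powershell
# Added example (not from the original article).
# Placeholder: replace with the FQDN of your remote MRS Proxy server.
$remoteServer = 'mrs.example.com'

# 1. Show which account each migration endpoint has stored.
Get-MigrationEndpoint |
    Format-List Identity, EndpointType, RemoteServer, Username

# 2. Prompt for the account's current password (nothing is written to disk).
$cred = Get-Credential -Message 'Migration account for the remote forest'

# 3. Prove the new credentials work against the MRS Proxy before saving them.
$test = Test-MigrationServerAvailability -ExchangeRemoteMove `
            -RemoteServer $remoteServer -Credentials $cred
if ($test.Result -ne 'Success') {
    throw "MRS Proxy test failed for ${remoteServer}: $($test.Message)"
}

# 4. Replace the stale credentials on every endpoint that points at that server.
Get-MigrationEndpoint |
    Where-Object { $_.RemoteServer -eq $remoteServer } |
    ForEach-Object {
        Set-MigrationEndpoint -Identity $_.Identity -Credentials $cred
        Write-Output "Updated credentials on endpoint '$($_.Identity)'"
    }
```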

Office 365 Migration Endpoint Error

If you get the same error when attempting to set up a Migration Endpoint in Office 365;

Then simply skip setting up the endpoint, and perform a batch migration, the system will then connect to the MRS proxy service and work.


Publish CRL Error – Access Denied 0x80070005

KB ID 0001135

Problem

Seen when attempting to publish a CRL on a Windows Certificate Services Server.

Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

Solution

The problem is that the COMPUTER ACCOUNT attempting to publish the CRL (i.e. the Windows Certificate Services Server) needs rights to the physical folder the CRL files live in, like so;


Windows XP (Safe Mode) Cannot access USB Drive(Access Denied)

KB ID 0000368 Dtd 31/12/10

Problem

A few weeks back I was working on a Windows XP machine that had been infected with some rogue AV spyware. I was having no luck installing my usual cleaning tools, so I booted to safe mode. I have a USB thumb drive that I keep a set of up to date AV/Spyware tools on for this very purpose, but the machine did not want to let me open it.

Solution

1. OK, I admit this is not really a “Fix”, more a workaround, but let’s be honest, how often are you in safe mode accessing USB drives? I’m guessing the root of the problem is that the removable storage process won’t be running and is set this way in safe mode. So rather than start hacking the registry to get that service started, simply right click the drive and choose “Explore” (annoyingly simple eh!).


Windows – Error ‘A Good Time server could not be located’

KB ID 0000705

Problem

Seen when running dcdiag,

Error(s):

Starting test: Advertising
Warning: Server-Name is not advertising as a time server.
......................... Server-Name failed test Advertising

Running enterprise tests on : PeteNetLive.com
Starting test: Intersite
......................... PeteNetLive.com passed test Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
......................... PeteNetLive.com failed test FsmoCheck

Solution

Note: Any one of the things below can cause this problem; I suggest you retry running dcdiag after each step until it runs without error.

1. In a Windows domain, clients normally get their time from the domain controller that holds the PDC Emulator role. Locate that server and log on.

Locate your FSMO Role Servers

2. Now configure your PDC emulator to get its time from a reliable external source.

Windows – Setting Domain Time

3. If you have got this far, then you should already have the Windows Time service running; check!

4. From command line, remove and reinstall the Windows time service with the following two commands.

[box]w32tm /unregister
w32tm /register[/box]

Note: It’s not unusual to see the following error after you issue a ‘w32tm /unregister’ command,

Error
The following error occurred: Access is denied (0x80070005)

If this happens don’t panic. Open the services console (press F5 to refresh); the Windows Time Service may have disappeared (if so, re-register it). If not, manually stop the Windows Time service and try to unregister again, then re-register.

WARNING: After doing this, you will need to set the time service to get reliable time from an NTP External Server again.

5. Press Windows Key+R > regedit {enter} > Navigate to the following registry key;

[box]HKLM > System > CurrentControlSet > services > W32Time > Parameters[/box]

Ensure the Type value is set to NTP, then restart the Windows Time service and check again.

6. Whilst still in the registry editor navigate to;

[box]HKLM > System > CurrentControlSet > services > W32Time > Config[/box]

Set the AnnounceFlags value to 5.

7. Whilst still in the registry editor navigate to;

[box]HKLM > System > CurrentControlSet > services > W32Time > TimeProviders > NtpServer[/box]

Make sure the Enabled value is set to 1 (one).

8. If the problem persists, on the PDC Emulator run gpedit.msc > Navigate to;

[box]Computer Configuration > Administrative Templates > system > Windows Time Service[/box]

Make sure ‘Global Configuration Settings’ is set to ‘Not Configured’.

Navigate to;

[box]Computer Configuration > Administrative Templates > system > Windows Time Service > Time Providers[/box]

Make sure ALL the settings are set to ‘Not Configured’.

If you changed anything, run ‘gpupdate /force’ and try again.

9. On the PDC Emulator, open a command window (Note: You must Run as Administrator!) > In the Computer Settings section locate all the policies that are applying to the server.

Note: As a shortcut to find the offending policy, you could run ‘gpresult /v > c:\gpresult.txt’ then search that text file for any instance of w32tm (here’s an example).

As above navigate to;

[box]Computer Configuration > Administrative Templates > system > Windows Time Service[/box]

Make sure Global Configuration Settings is set to ‘Not Configured’.

Navigate to;

[box]Computer Configuration > Administrative Templates > system > Windows Time Service > Time Providers[/box]

Make sure ALL the settings are set to ‘Not Configured’.

If you changed anything, run ‘gpupdate /force’ and try again.
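
A read-only PowerShell audit of the service, registry and Group Policy checks above, added here as an example (it is not from the original article) so the whole list can be re-checked after each dcdiag run. It assumes an elevated prompt on the PDC Emulator; `HKLM:\SOFTWARE\Policies\Microsoft\W32Time` is the key where Group Policy writes Windows Time settings.

```powershell
# Added example (not from the original article). Read-only: changes nothing.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Values the article says to verify. Note the key is 'TimeProviders' (no space).
$checks = @(
    [pscustomobject]@{ Key = "$svcKey\Parameters";              Value = 'Type';          Expected = 'NTP' }
    [pscustomobject]@{ Key = "$svcKey\Config";                  Value = 'AnnounceFlags'; Expected = 5 }
    [pscustomobject]@{ Key = "$svcKey\TimeProviders\NtpServer"; Value = 'Enabled';       Expected = 1 }
)

$results = foreach ($c in $checks) {
    # A missing key or value yields $null rather than an error.
    $item   = Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($c.Value) } else { $null }
    [pscustomobject]@{
        Key      = $c.Key
        Value    = $c.Value
        Expected = $c.Expected
        Actual   = $actual
        OK       = ($null -ne $actual -and "$actual" -eq "$($c.Expected)")
    }
}
$results | Format-Table -AutoSize

# The service can vanish after 'w32tm /unregister', so check it is registered and running.
$service = Get-Service -Name W32Time -ErrorAction SilentlyContinue
if (-not $service) {
    Write-Warning 'W32Time is not registered. Run: w32tm /register'
} elseif ($service.Status -ne 'Running') {
    Write-Warning "W32Time is registered but $($service.Status)."
}

# Any values under the policy key mean a GPO is overriding the settings above.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'
if (Test-Path -Path $policyKey) {
    Write-Warning "Group Policy is configuring W32Time under $policyKey"
    Get-ChildItem -Path $policyKey -Recurse | Select-Object -ExpandProperty Name
} else {
    Write-Output 'No W32Time Group Policy settings are applied to this server.'
}
```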


Exchange – (INSUFF_ACCESS_RIGHTS)

KB ID 0000719 

Problem

Saw this on a brand new Exchange 2010 install, this is not the first time I’ve written about this problem. It’s caused by the same thing as the error in KB0000434, back then I was trying to move mailboxes. This time I was changing the default E-mail Address Policy. It let me change the policy, but when it tried to apply the change to the user(s) this happened.

Error
Warning:
Failed to update recipient “PeteNetLive/Users/Administrator”. The following exception occurred: Active Directory operation failed on DC01.PeteNetLive.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Solution

1. On a domain controller launch “Active Directory Users and Computers” > View > Advanced options.

2. Locate the user that is being denied access (the user you were logged in as), right click > properties > Security Tab > Advanced > Tick “Include inheritable permissions from this object’s parent” > Apply > OK.

3. Try again.

Permanent Fix

Particularly after a migration this can continue to be a problem, you can stop it on a domain wide basis by doing the following;

1. Open Active Directory Users and Computers > Expand {domain-name} > System > AdminSDHolder > Properties > Security > Advanced.

Note: You may need advanced options turning on to see System (View > Advanced).

2. Place a tick in the ‘Include inheritable permissions from this object’s parent’ option > Apply > OK.
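
The per-user fix keeps reverting because accounts flagged adminCount=1 have their ACL periodically re-stamped from the AdminSDHolder object, and the same mechanism means a change to AdminSDHolder reaches every one of those accounts. This added example (not from the original article) is a read-only audit that lists the affected accounts and the current inheritance state of AdminSDHolder; it assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example (not from the original article). Read-only: changes nothing.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

# Accounts whose ACL is overwritten from the AdminSDHolder template.
$protected = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, memberOf

$report = foreach ($user in $protected) {
    $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
    [pscustomobject]@{
        SamAccountName      = $user.SamAccountName
        Enabled             = $user.Enabled
        # True = 'Include inheritable permissions...' is unticked on this user.
        InheritanceDisabled = $acl.AreAccessRulesProtected
        GroupCount          = @($user.memberOf).Count
    }
}

# These are the users that will hit INSUFF_ACCESS_RIGHTS in the scenario above.
$report |
    Where-Object { $_.InheritanceDisabled } |
    Sort-Object SamAccountName |
    Format-Table -AutoSize

# State of the template itself, which the 'Permanent Fix' changes.
$domainDn  = (Get-ADDomain).DistinguishedName
$holderAcl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDn"
Write-Output "AdminSDHolder inheritance disabled: $($holderAcl.AreAccessRulesProtected)"

# Inherited ACEs on the template show which parent permissions now flow to all protected accounts.
$holderAcl.Access |
    Where-Object { $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Sort-Object IdentityReference -Unique |
    Format-Table -AutoSize
```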

Related Articles, References, Credits, or External Links

Exchange Mailbox Move Error – (INSUFF_ACCESS_RIGHTS)

Original Article written 22/11/12