Unable to Administer Exchange 2010 - Insufficient access rights to perform the operation.



I am in the process of trying to migrate from Exchange 2003 to Exchange 2010. The domain structure is such that there is a root domain ("company.local" ) which has no exchange server. Under this is a number of state based domains (eg "qld.company.local") in which Exchange 2003 has been operating for years.

I have successfully prepared forest and domains and installed Exchange 2010 into the "qld.company.local" domain. This all appeared to go perfectly until I tried to configure anything on the new Exchange 2010 installation. I cannot perform almost any administrative task, even applying the ProductKeyt without getting the following error:

Active Directory operation failed on SVR-01.qld.company.local. This error is not retriable. Additional information

: Insufficient access rights to perform the operation.

Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : NotSpecified: (0:Int32) [Set-ExchangeServer], ADOperationException
+ FullyQualifiedErrorId : 9010B41B,Microsoft.Exchange.Management.SystemConfigurationTasks.SetExchangeServer

The new exhcnage server boots with clean logs except for the following application log error

Log Name: Application

Source: MSExchangeRepl

Date: 16/08/2010 11:28:07 AM

Event ID: 4098

Task Category: Action

Level: Error

Keywords: Classic

User: N/A

Computer: SVR-03.qld.company.local


The Microsoft Exchange Replication service couldn't find a valid configuration for database '3728d80d-1037-4570-b9d4-b8026f544b5c' on server 'SVR-03'. Error:

I have tried everything I can think of or have been able to find possible explanations/solutions for this problem without luck.

Happy to provide any additional details that may be of useful if anyone has ideas.


Are you using the same account that you performed the exchange upgrade on? Also check the security group " Organization Managemement" to make sure your account is in there.


Yes, and I have also tried to administer from the administrator account in the domain at the root of the forest. I have checked that the domain accounts being used are in the relevant Exchange Security Groups.


Local Domain (qld.company.local) currently has four domain controllers. Three original Windows 2003 Servers and one new 2008R2 machine. The root domain has four as well, three 2003 boxes in different states and an new 2008R2 machine installed locally. All domain replication has been checked and is working fine.

Installing the lastest rollup now. Will report backl shortly.


OK another thing to check is to make sure that UAC isnt blocking you. When you open up the Exchange Management Shell right click it and select open as administrator.



Definitely not a UAC problem. Does the same with the Shell opened 'Run as Administrator'.

Have now installed Rollup 4. No change to the problem.


Thanks. The cmdlt did not help but working my way through the referenced article did. In my case it was the need to add the Server itself to the Trusted Subsystem Group. Seems that the installer does not do this in multi-domain installations.

Thanks for the help.