Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2309
Views
5
Helpful
19
Replies

Cisco Unity 7.0 AvDSAD Event ID 1046

mike083108
Level 1
Level 1

‎02-12-2009 08:46 AM - edited ‎03-18-2019 10:29 PM

Hi Everyone,

We are running exchange 7.0 on exchange 2k7 with 2008 OS. Everything seems to be working ok but whenever I try to modify someones account through web/sa I get the following error:

Event Type: Error

Event Source: CiscoUnity_DSAD

Event Category: Error

Event ID: 1046

Date: 2/12/2009

Time: 11:38:41 AM

User: N/A

Computer: UNITY

Description:

The Cisco Unity service that monitors Active Directory (AvDSAD) failed to modify object.

Type: AVOBJECTTYPE_MAILUSER

Reason: ERROR_ACCESS_DENIED: Access is denied.

Possible causes include: 1) Network connectivity to the Domain Controller. 2) Insufficient rights for The Cisco Unity service that monitors Active Directory (AvDSAD) account.

Ensure that The Cisco Unity service that monitors Active Directory (AvDSAD) can contact the Domain Controller and has sufficient rights to modify objects. If the problem persists, enable all the micro traces for The Cisco Unity service that monitors Active Directory (AvDSAD) in the Unity Diagnostic Tool. Report the problem to Cisco TAC and include the diagnostic log.

Any ideas???

Labels:
0 Helpful
19 Replies 19

Brad Magnani
Cisco Employee
Cisco Employee

‎02-12-2009 08:52 AM

Mike,

It may not hurt to check the users in question in AD to make sure that within security tab they're selected to inherit permissions. It may not hurt to re-run permissions wizard once this is confirmed- ensuring you're logged in with a domain admin account while running the wizard.

Brad

0 Helpful

mike083108
Level 1
Level 1
In response to Brad Magnani

‎02-12-2009 08:54 AM

Brad,

Thanks for the quick reply. I have done both of your suggestions already. It looks like the users have the appropriate permissions. The permissions wizard also runs with 100% success.

One thing to note, it seems like this is a problem for all users. Not just one.

-Mike

0 Helpful

Christopher McAlpin
Community Manager
Community Manager

‎02-12-2009 08:56 AM

Are you also running AD2008? If so, Unity requires an ES to be supported in that environment and will have to be connected to a writable DC.

0 Helpful

mike083108
Level 1
Level 1
In response to Christopher McAlpin

‎02-12-2009 08:58 AM

Nope. Running 2k3 R2 64 bit

0 Helpful

Christopher McAlpin
Community Manager
Community Manager
In response to mike083108

‎02-12-2009 09:05 AM

Ok.... It does sound like a permissions issue. Perhaps some group policy? You could try a couple things....

1. Log on to Windows as the Unity directory service account and see if you are able to modify these users in AD.

2. Create a new Unity directory service account, run permissions wizard on it and assign it to the directory services.

0 Helpful

Brad Magnani
Cisco Employee
Cisco Employee
In response to Christopher McAlpin

‎02-12-2009 09:07 AM

In addition to what Chris suggests, this may sound trivial but check to see if DirSvc is actually running your DSAD and DSGlobalCatalog services..

mike083108
Level 1
Level 1
In response to Brad Magnani

‎02-12-2009 09:19 AM

Good catch! That was it.

Although, I am not sure why all of a sudden the other account stopped working. This setup was working up until a few days ago.

Thanks Guys!

0 Helpful

mike083108
Level 1
Level 1
In response to Christopher McAlpin

‎02-12-2009 09:17 AM

Checked #1 is it can modify.

I will try #2 next. Thanks for the tips.

0 Helpful

Tray Stoutmeyer
Cisco Employee
Cisco Employee
In response to mike083108

‎02-12-2009 09:19 AM

Something I haven't seen anyone mention so far is that you should make sure that your AvDSAD and AvGlobalCatalog services in teh services snap in have the UnityDirSvc running them. Sometimes I see where customers have UnityInstall running those.

Tray

0 Helpful

Brad Magnani
Cisco Employee
Cisco Employee
In response to mike083108

‎02-12-2009 09:23 AM

Mike,

Another tool you can run is the Directory Access Diagnostics (DAD) tool in the Tools Depot under Diagnostic Tools. You'll need to be logged into the Unity server as the UnityDirSvc account. Here you can determine if you've got the proper permissions to access/create users as well as determining proper mailstore access.

Brad

0 Helpful

mike083108
Level 1
Level 1
In response to Brad Magnani

‎02-12-2009 10:31 AM

Thanks for all of the great info!

0 Helpful

mike083108
Level 1
Level 1
In response to mike083108

‎02-12-2009 10:33 AM

I just ran that tool as unitydirsvc.

For all of the read attributes it returned Yes. However, it only returned yes for two write attributes - mailNickname and msExchHideFromAddressLists.

Shouldn't they all be yes?

0 Helpful

Brad Magnani
Cisco Employee
Cisco Employee
In response to mike083108

‎02-12-2009 10:41 AM

Correct, they should all be Yes. This tells me that aren't being set or there is something in the environment that's disallowing or removing these. The diagnostics mentioned in the error will most likely just confirm the lack of access for these fields in AD. Try running the Permissions Wizard in Report mode and see what the results are.

0 Helpful

mike083108
Level 1
Level 1
In response to Brad Magnani

‎02-12-2009 11:06 AM

Results were good except for the following two errors under the unitymsgstoresvc account.

• Send As(Send-As\) Right: ACCESS DENIED because a Deny ACE takes precendent over an exact Allow ACE.

• Receive As(Receive-As\) Right: ACCESS DENIED because a Deny ACE takes precendent over an exact Allow ACE.

These two errors were present in a few of my mail stores but not all.

0 Helpful
Customers Also Viewed These Support Documents