cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2307
Views
5
Helpful
19
Replies

Cisco Unity 7.0 AvDSAD Event ID 1046

mike083108
Level 1
Level 1

Hi Everyone,

We are running exchange 7.0 on exchange 2k7 with 2008 OS. Everything seems to be working ok but whenever I try to modify someones account through web/sa I get the following error:

Event Type: Error

Event Source: CiscoUnity_DSAD

Event Category: Error

Event ID: 1046

Date: 2/12/2009

Time: 11:38:41 AM

User: N/A

Computer: UNITY

Description:

The Cisco Unity service that monitors Active Directory (AvDSAD) failed to modify object.

Type: AVOBJECTTYPE_MAILUSER

Reason: ERROR_ACCESS_DENIED: Access is denied.

Possible causes include: 1) Network connectivity to the Domain Controller. 2) Insufficient rights for The Cisco Unity service that monitors Active Directory (AvDSAD) account.

Ensure that The Cisco Unity service that monitors Active Directory (AvDSAD) can contact the Domain Controller and has sufficient rights to modify objects. If the problem persists, enable all the micro traces for The Cisco Unity service that monitors Active Directory (AvDSAD) in the Unity Diagnostic Tool. Report the problem to Cisco TAC and include the diagnostic log.

Any ideas???

19 Replies 19

Brad Magnani
Cisco Employee
Cisco Employee

Mike,

It may not hurt to check the users in question in AD to make sure that within security tab they're selected to inherit permissions. It may not hurt to re-run permissions wizard once this is confirmed- ensuring you're logged in with a domain admin account while running the wizard.

Brad

Brad,

Thanks for the quick reply. I have done both of your suggestions already. It looks like the users have the appropriate permissions. The permissions wizard also runs with 100% success.

One thing to note, it seems like this is a problem for all users. Not just one.

-Mike

Christopher McAlpin
Community Manager
Community Manager

Are you also running AD2008? If so, Unity requires an ES to be supported in that environment and will have to be connected to a writable DC.

Nope. Running 2k3 R2 64 bit

Ok.... It does sound like a permissions issue. Perhaps some group policy? You could try a couple things....

1. Log on to Windows as the Unity directory service account and see if you are able to modify these users in AD.

2. Create a new Unity directory service account, run permissions wizard on it and assign it to the directory services.

In addition to what Chris suggests, this may sound trivial but check to see if DirSvc is actually running your DSAD and DSGlobalCatalog services..

Good catch! That was it.

Although, I am not sure why all of a sudden the other account stopped working. This setup was working up until a few days ago.

Thanks Guys!

Checked #1 is it can modify.

I will try #2 next. Thanks for the tips.

Something I haven't seen anyone mention so far is that you should make sure that your AvDSAD and AvGlobalCatalog services in teh services snap in have the UnityDirSvc running them. Sometimes I see where customers have UnityInstall running those.

Tray

Mike,

Another tool you can run is the Directory Access Diagnostics (DAD) tool in the Tools Depot under Diagnostic Tools. You'll need to be logged into the Unity server as the UnityDirSvc account. Here you can determine if you've got the proper permissions to access/create users as well as determining proper mailstore access.

Brad

Thanks for all of the great info!

I just ran that tool as unitydirsvc.

For all of the read attributes it returned Yes. However, it only returned yes for two write attributes - mailNickname and msExchHideFromAddressLists.

Shouldn't they all be yes?

Correct, they should all be Yes. This tells me that aren't being set or there is something in the environment that's disallowing or removing these. The diagnostics mentioned in the error will most likely just confirm the lack of access for these fields in AD. Try running the Permissions Wizard in Report mode and see what the results are.

Results were good except for the following two errors under the unitymsgstoresvc account.

• Send As(Send-As\) Right: ACCESS DENIED because a Deny ACE takes precendent over an exact Allow ACE.

• Receive As(Receive-As\) Right: ACCESS DENIED because a Deny ACE takes precendent over an exact Allow ACE.

These two errors were present in a few of my mail stores but not all.