—–
Active Directory operation failed on “DC01.MYDOMAIN.COM". You cannot retry this operation: “Insufficient access rights to perform the operation 00002098, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0″.
You do not have the appropriate permissions to perform this operation in Active Directory. One possible cause is that the Lync Server Control Panel and Remote Windows PowerShell cannot modify users who belong to protected security groups (for example, the Domain Admins group). To manage users in the Domain Admins group, use the Lync Server Management Shell and log on using a Domain Admins Account. There are other possible causes. For details, see Lync Server 2010 Help.
—–

Solution
You have to go to Active Directory Users and Computers (with Advanced Features turned on in the View Menu), then go to Properties on the User that you can’t enable on Lync, and in the Security tab, clic on Advanced. Then check “Include Inheritable Permissions from this object’s parent", accept and the problem will be instantly solved.

Thanks to Matt Parkinson - http://www.matt-parkinson.co.uk/notes/2011/lync-2010-active-directory-operation-failed-insufficient-access-rights-to-perform-this-operation/
and Exchange dude http://www.exchangedude.net/index.php/2011/07/lync-control-panel-insufficient-access-rights-to-perform-the-operation/ for help with this one.

The attempt to connect to mail.test.local\PowerShell using Kerberos authentication failed. The WS-management service cannot process the request. The system load quota of 1000 request per 2 seconds has been exceeded. send future request at slower rate or raise system quota.

Various solutions online surrounding the registry:

————-
Can you check to see if the following is present in the Registy? HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v14\Cmdlet\ProvisioningCache

BuildThresholdCount should be a decimal value of 5.

If that is the case then ensure in IIS that the Default Web Site does not have any host headers configured and the IP is set to All Unassigned. This would be found in the Bindings of the Default Web Site.
————-

HOWEVER, the best solution was simply to restart the IIS service on the exchange server. I.e: CMD, iisreset.
Could have restarted the box, but that is not a great plan with users on a production lan so wanted to find an alternative.

However, I had enabled the Monitoring Store in the installation and the error below was displayed…..

Error: Error connecting to “fqdn” while installing “MonitoringStore". Verify that the SQL instance is running, connections are not being blocked by a firewall, and that you have SQL administrator permissions. For details, see the following log file: “C:\Users\username\AppData\Local\Temp\Create-MonitoringStore-fqdnpath-[date][time].log”

 I tried changing this in the Topology builder, but then could’nt get it to apply. (Thanks to RobMorales for solving that one) :

——————————————————————————————————————–
In my case I choose to install the Monitoring Server, however removing it or even pointing it to a SQL server did not work it was like configuration was never refreshedand got stuck with the initial parametters. So I did the following:

1. Open Lync Management Shell
2. Export Configuration from Central Management Store (Export-CSConfiguration -FileName C:\Config.zip)
3. Import the configuration into the Local Store (Import-CSConfiguration -FileName C:\Config.zip -LocalStore)
4. Run Setup Again

——————————————————————————————————————–

However, the better solution for me was to get the SQL database readable by Lync.
It was a local instance that I setup called “lync-01\lyncmonitordb". I could talk to it from my desktop using Visual Studio, but not from within Lync.
After some googling I tried the following:

Open “SQL Server Configuration Management" on the server that your DB is on, expand “SQL Server Network Configuration” and click on “Protocols for <lyncmonitordb>".
Then go to Properties of TCP\IP protocol.

Enable TCP\IP, and in the IP Addresses tab.
You could  set the port 1433 for IP address if you wanted/needed to.

Restart the SQL Server instance, and try to start Setup of Archiving\Monitoring again.

This worked for me.

Tried the quick changing of the Domain controller in the GUI -
1.Open Exchange management console
2.Right click on “organization configuration” or “server configuration”
3.Select “modify configuration domain controller”

This didn’t solve it as when you go to System Settings within Organization or Server area it would still show up as the old server it was using for DC and GC.
I thought it was strange that it was only showing one server, even though there were 4 DC’s all with GC enabled.

However,  Googling further I came across a technet discussion which culminated in trying various things below:
(http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/a3076a25-3bc7-494c-ad63-94ec79c90c6c/)

On Exchange 2010
1. Check DNS-Settings on EX2010
2. CMD –> nltest/DSGETDC /GC
3. CMD –> nltest /dsgetsite
3. CMD –> netdom query fsmo

Global Catalog Server
1. CMD –> dcdiag
2. CMD –> nltest

In the end it came down to trawling through the Event Logs.
I came across this:

Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1111).
Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
DC-OLD.school.local CDG 1 7 7 1 0 1 1 7 1
DC01.school.local CDG 1 7 7 1 0 0 1 7 1
DC02.school.local CDG 1 7 7 1 0 0 1 7 1
DC03.school.local CDG 1 7 7 1 0 0 1 7 1

Looking closely at this the SACL right was set to "1″ on the OLD DC I wanted to remove, and the new DCs were set to “0″ ZERO.
So I read up and found that if the value is 0 then an Exchange server cannot use that GC / DC, which would explain why Exchange was not functioning when the DC-OLD server was not running as a GC.

In the Default Domain Controller policy AND the Default Domain Policy under Windows Settings –> Security Settings –> Local Policies –> User Rights Assignment, the policy “Manage auditing and security log” must have the Exchange Servers group added. This was not added in this environment. Once this was added the SACL as above changed to “1″ and the Exchange services started correctly.

Once this was set and I’d done a gpupdate /force on the DCs, I could see all the DCs and GCs servers available in the Exchange GUI in Server Configuration Properties -> System Settings. Whereas before it was only showing one server - the only one where SACL was set to “1″.

If you don’t have a Default Domain Controller Policy or a Default Domain Policy - WHY NOT!!!!
If you still don’t have one, then you can simply create a policy called “Exchange SACL Rights” and set the Manage auditing and security log settings as the single use for this policy, set it to authenticated users and domain computers and put it as enforced at the top root of your AD tree.

Experts Exchange was very helpful with solving this one, as was this spiceworks discussion (http://community.spiceworks.com/topic/134941-exchange-2010-ad-topology-failures-all-domain-controllers-unavailable?page=1)

I wasn’t quite sure what routes were setup automatically, so to find this out:
On the Exchange 2010 server, go into the Exchange Powershell.

NOTE: This is different from Windows Powershell.

Type: Get-RoutingGroupConnector
This will show you all the routing groups setup in your Exchange system.

To setup a new one:
Then copy and paste the code below into the command line within powershell.
Change the names though!

New-RoutingGroupConnector -Name “Exchange RGC” -SourceTransportServers “Ex2010Hub1.contoso.com” -TargetTransportServers “Ex2003BH1.contoso.com” -Cost 10 -Bidirectional $true -PublicFolderReferralsEnabled $true

We’ve asked here to create a bidirectional route between these servers, so two routes will be created.

To Remove the routing group:
Check to see what the name of the RGC you want to delete first: Get-RoutingGroupConnector
Then use that to delete the connector.
remove-routinggroupconnector -identity “Exchange RGC”

Your message did not reach some or all of the intended recipients. Subject: s1 Sent: 12/02/2011 18:21 The following recipient(s) could not be reached:

testuser on 12/02/2011 18:22
A configuration error in the e-mail system caused the message to bounce between two servers or to be forwarded between two recipients. Contact your administrator.
exch03.testdomain.local #5.3.5

This was caused because both servers had an SMTP connector to the web, which is fine in some circumstances, however both these servers were using DNS to send MX records rather than using a smarthost.

To resolve this issue, follow these steps:

1. Start Exchange System Manager, and then expand the Connectors container.

Note By default, the SMTP connector is named “SmallBusiness SMTP Connector” in Small Business Server 2000 and Windows Small Business Server 2003. If you created an SMTP connector, the connector may not have this name. In this case, select the named SMTP connector instead.

2. Right-click SmallBusiness SMTP Connector, and then click Properties.
3. On the General tab, click either Use DNS to route to each address space on this connector or Forward all mail through this connector to the following smart hosts.
4. If you click Forward all mail through this connector to the following smart hosts, verify the following items:

Make sure that smart host or hosts that appear in the window are those that are authorized by the Internet service provider (ISP) to relay mail for the Exchange Server e-mail domain. The smart hosts may be listed by fully qualified domain name (such as mailserver.domain.net) or by IP address.
Verify the accuracy of the fully qualified domain names (FQDNs) or IP addresses with the ISP.
Make sure that the smart hosts do not include the Exchange Server FQDN, its public IP address, or its private IP address.

Another way to solve this in the Exchange 2003 System Manager is to:

1. In the properties of routing connectors select option “Any local server can send email over this connector”
2. In the properties of SMTP Virtual Server, change IP from “All Unassigned” to current IP address.

Helpful websites:

- http://support.microsoft.com/kb/326304
- http://www.petri.co.il/forums/showthread.php?t=7285