
Exchange 2003 access denied - 0xa0008488


itmt

IS-IT--Management
Jan 7, 2002
122
GB
Hi,

Using BE 9.1 to successfully backup all data on a single server. Can run a successful separate job to backup the information store.

However, when backing up all the mailboxes, it fails on every individual message with the error: "0xa0008488 - Access is denied"

Any ideas what permissions I should apply and where? The BE backup job is using DOMAIN\administrator as the logon a/c.

Cheers guys.

Torro
 
Thanks - I have followed article and will see how it gets on in tonight's backup. Cheers.
 
Typically there is an account created for Backup Exec which has log on as service rights ... maybe that's something to look into .. but that's what we run here.

Alshrim
System Administrator
MCSE, MCP+Internet
 
Well typically the BE services should be running with an account that has rights to the Exchange store. My BE server account has Domain Admin rights. But it's at home so security isn't a huge issue.

 
Still get the same error. Have followed the article and ensured that the BE service a/c has rights - it is even a member of domain admins now.
Any other ideas?
 
Well - the backup exec account must have a lot of rights in order to do its job properly, and what i've found out is that if the Netsys - or Netbackup or whatever you've named your Service Account, has been removed from the services, for whatever reason, the rights are revoked from the account, and would have to be manually set... and there are a lot of rights that you need to set in order for things to work...


That link will show you which local rights need to be set on the backup server (do these on the server not at the domain level)



AlRo
System Administrator
Ottawa, Canada.
 
Thanks - I have applied the content of that article. As the service a/c is actually the Domain Admin a/c, they all seemed ok anyway.

Any other ideas more than gratefully received!
 
My BE service account only has domain admins and it works fine.

This could be a good resource for troubleshooting this error.



Another thing to check is the account that BE uses to access the server. To check this:

Go to Job Setup and find the job that is having the issue and right click and go to properties. On the left go to Resource Credentials and see what account it's using. Make sure this account has the correct rights. You can make the account a domain admin temporarily to see if it helps.

Test the account also with the test function.
 
That's as maybe. You'll also find that your BE account is an Exchange Admin.

A simpler way to check BE is to look in services and see the username there. Changing it to system account will probably resolve the problem but is insecure.
 
Ya Zel - one of the things I found yesterday - was that the exchange server was set up using the Local System account as its services account...
*slaps head hard!*

In essence - whoever had set it up - set it up all wrong.. so now i have to do it right... sometime at night - next week.

The guy who set it up - also used his own personal accounts as service account for BE -- it was just a mess...

When I have everything looking the way it should - and i get a successful backup - i'll post here to tell everyone what i did...

Zel: if I change the services account within services to the service account that i have created; what should I take into consideration??

Obviously, it will require some special rights ...
This account already has been given all of the BE rights (log on as service, create token object, restore and backup rights etc.. ) are there any for Exchange that i need to add??

AlRo
System Administrator
Ottawa, Canada.
 
The remote agent on the exchange server should be local system. It should never be a specific account. You will have problems down the road not only with exchange but backing up the entire system.

 
Ya.. but what about the Exchange Service accounts?? They are all "Local System Account"!!!

In all of my experience.. that's just wrong!

When doing backups in the past, i've always used the Exchange Services accounts for backups - as they have privileged rights for all the Stores!!

AlRo
System Administrator
Ottawa, Canada.
 
I'll add..

I don't want people confusing the Exchange service accounts with the BE service accounts...

With my most recent issues - the Exchange services were run with Local System Account .. that's just not right...

BE has its own accounts for other backup and restore functions - but my most recent issue pertains specifically with exchange ---

Like i said before - i had more than one issue to deal with...

I just wanted to clarify to remove any confusion.

AlRo
System Administrator
Ottawa, Canada.
 
Al,
Here's what I do (and therefore recommend):
Exchange Admin. Is a Full Exchange Admin at the top level. Used to manage Exchange. Is the logon account for all Exchange services. Is an Admin on the Windows servers where Exchange is installed.
Backup Exec Admin. Is a Full Exchange Admin at the top level. Is the logon account for all BE services. Can logon as a service.

Both passwords are something 16 character with upper case, lower case, numbers and punctuation.

If you do something similar, set all BE services to use the new account then restart all BE services. Job done.
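
One way to do the check suggested in this thread (seeing which username each service logs on as) for all Backup Exec and Exchange services at once. This is an added example, not code from any poster; the `BackupExec`/`MSExchange` service-name prefixes and the account name `DOMAIN\svc-backupexec` are assumptions to adjust for your environment.

```powershell
# Added example (not from the thread). Windows PowerShell; uses WMI so that
# older servers can be queried remotely. Service-name prefixes are assumptions.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    # Hypothetical dedicated Backup Exec service account; replace with yours.
    [string]$ExpectedBeAccount = 'DOMAIN\svc-backupexec'
)

function Get-Finding($svc) {
    # Built-in identities (LocalSystem, NT AUTHORITY\...) have no password to manage.
    if ($svc.StartName -match '^(LocalSystem$|NT AUTHORITY\\)') {
        return 'built-in account'
    }
    if ($svc.Name -like 'BackupExec*') {
        if ($svc.StartName -eq $ExpectedBeAccount) {
            return 'expected BE service account'
        }
        # e.g. someone's personal logon or a Domain Admin used as a service account
        return 'REVIEW: not the expected BE account'
    }
    return 'named account'
}

# Pull only the services of interest, with the account each one logs on as.
$filter   = "Name LIKE 'BackupExec%' OR Name LIKE 'MSExchange%'"
$services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter $filter

$report = $services | Select-Object Name, State, StartName,
    @{ Name = 'Finding'; Expression = { Get-Finding $_ } }

# Per-service view: which account runs what, and whether it is the one you intended.
$report | Sort-Object StartName, Name | Format-Table -AutoSize

# Summary: how many services share each logon account. A long list of different
# named accounts usually means the setup has drifted and needs tidying.
$report | Group-Object StartName | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

The script only reads service configuration; the job-level logon under Resource Credentials is stored by Backup Exec itself and still has to be checked in the job properties.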
 
Right! Got the BE one set up -
The issue now is - that when whoever setup with the exchange server set it up - he didn't use an exchange services account - he used a Local System account.

I'm finding now that i can't do any online backups because i get access denied, as i do not know the passwords for the system accounts (as we should not)... it's a real mess.

AlRo
System Administrator
Ottawa, Canada.
 
Local System Account doesn't have password / issues.

Are you sure that the BE account is an Exchange Full Admin? In ESM, at the top level, check the delegate access lists the BE account. If not, add it.
 
Ya.. that's what i'm saying - it doesn't have any rights at all ...

I will add it as you say...

What i'm wondering is : in Services, should I keep it so that the Exchange services are started by using the Local System Account? Or should i change that ?

And if i change it - what problems do you think I would run into -- are there rights issues I should concern myself with - or simply change the Service account?

AlRo
System Administrator
Ottawa, Canada.
 
Exchange should run as Local System account

-------------------------------

If it doesn't leak oil it must be empty!!
 