When configuring Synchronization and specifying Apply Exchange Options the button "Browse" is grayed out and cannot be used, you cannot select a server and/or a Mailbox Store. The Quest Knowledgebase explains that this happens because of insufficient rights to the Configuration container, but permissions have been set according to documentation and have been verified and confirmed.
Usually adding the service account to the built-in Administrators group will suffice when performing an AD migration or synchronization. But the built in Administrators don't have the required right to browse the Configuration container (see attached screenshot) and only Domain Admins have this permission.
Note: Domain Admins is a Global Group and a user from another domain cannot be added to this group. This means that the issue will be faced when using one single account.
The resolution is: For the AD portion and for DSA (Directory Synchronization Agent) to be able to work we need the account to belong to Domain Admins group, so the requirements for the DSA account will be - Membership in the Domain admins group in both source and target domains (which again means the use of 2 separate accounts).
If this is not possible, or in case you use a single administrative account for source and target domains then the following permissions are needed:
-Full control permissions on the domain partition via ADSIEdit
-Read permissions on the configuration partition via ADSIEdit
Note that a Domain Admin account should not be used as an Exchange account as it conflicts with the default Exchange security model (Domain Admins have “deny” on "send as " and "receive as").
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center