6 replies to this topic

[capr]

Hey guys, noobie here... I am trying to prepare my Domain for an exchange server. I am running the following commands on the Domain Controller.

setup /PrepareSchema

setup /PrepareAD /OrganizationName:ph2304

setup /PrepareDomain

First one goes well, other two not so much...

Quote

Configuring Microsoft Exchange Server
Organization Preparation ......................... FAILED
The following error was generated when "$error.Clear(); initialize-Exchange
ConfigurationPermissions -DomainController $RoleDomainController" was run: "You
don't have permissions to read the security descriptor on CN=Deleted Objects,CN=
Configuration,DC=PH2304,DC=com.".

And the third one also fails at the last step.

Quote

Prepare Domain Progress ......................... FAILED
The following error was generated when "$error.Clear(); if ($RolePrepareAll
Domains) { initialize-DomainPermissions -AllDomains:$true -CreateTenantRoot:$Rol
eIsDatacenter; } elseif ($RoleDomain -ne $null) { initialize-DomainPermissions -
Domain $RoleDomain -CreateTenantRoot:$RoleIsDatacenter; } else { initialize-Doma
inPermissions -CreateTenantRoot:$RoleIsDatacenter; }" was run: "You don't have p
ermissions to read the security descriptor on CN=Deleted Objects,DC=PH2304,DC=co
m.".

Given those errors, what am I doing wrong? I can make out that it is telling me I don't have permissions, but the account is a member of domain admins, enterprise admins, and schema admins.
I also tried using the default administrator account since it has permission to do pretty much anything. But that didn't work either.

[timmmay]

What is the FQDN of your domain? ie is it ph2304.com or ph2304.local etc

Use the FQDN with the "setup /PrepareAD /OrganizationName:" command.

Otherwise it would appear that the account you're running it from does not have permission. Make sure you're logged in as a domain admin and use an elevated command prompt (or turn off UAC and reboot).

[xendrome]

What version OS is your DC also..

[+sc302]

Looks like you aren't logged in with the administrator account, you are logged in with someone who is a member of domain admins only. That is great and all, but the user needs more permissions than just domain admins.

read up here
http://technet.micro...y/aa997914.aspx
http://technet.micro...y/bb125224.aspx
http://technet.micro...y/ee681663.aspx

[capr]

timmmay, on 16 June 2012 - 23:58, said:

What is the FQDN of your domain? ie is it ph2304.com or ph2304.local etc

Use the FQDN with the "setup /PrepareAD /OrganizationName:" command.

Otherwise it would appear that the account you're running it from does not have permission. Make sure you're logged in as a domain admin and use an elevated command prompt (or turn off UAC and reboot).

FQDN = host name + primary dns suffix ???

so my host name is 2k8-DC and dns suffix is ph2304.com

so my FQDN would be 2k8-DC.ph2304.com ???

Everyone else, I know it seems like the account doesn't have permissions, but it does. That's why I am stuck and asking for help.

[capr]

I did a bunch of stuff.... now I get this when I try to do it manually or allow the setup to run setup /prepareAD

Quote

Organization Preparation
Failed

Error:
The following error was generated when "$error.Clear(); initialize-ExchangeUniversalGroups -DomainController $RoleDomainController" was run: "The well-known object entry B:32:C262A929D691B74A9E068728F8F842EA:CN=Organization Management\0ADEL:6e5820cf-60ba-4aae-8cc8-d28750d35864,CN=Deleted Objects,DC=PH2304,DC=com on the otherWellKnownObjects attribute in the container object CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=PH2304,DC=com points to an invalid DN or a deleted object. Remove the entry, and then rerun the task.".

The well-known object entry B:32:C262A929D691B74A9E068728F8F842EA:CN=Organization Management\0ADEL:6e5820cf-60ba-4aae-8cc8-d28750d35864,CN=Deleted Objects,DC=PH2304,DC=com on the otherWellKnownObjects attribute in the container object CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=PH2304,DC=com points to an invalid DN or a deleted object. Remove the entry, and then rerun the task.

Elapsed Time: 00:00:11

I used ADSI Edit to go and try to find this but the only exchange related think is "OU=Microsoft Exchange Security Groups" and in that, otherWellKnownObjects has a <not set> value.

[+sc302]

Keep looking through adsiedit. you are almost there.