Permissions Error when running /PrepareAD for Exchange 2013 CU2

    Question

  • I'm getting the following when attempting to run /PrepareAD on both our domain controllers. The user is a member of Domain Admins, Enterprise Admins, and Schema Admins. Not sure what the problem is:

    [10/13/2013 22:54:50.0812] [2] Used domain controller AD-1.DOMAIN.LOCAL to write object CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL.
    [10/13/2013 22:54:50.0843] [2] Used domain controller AD-1.DOMAIN.LOCAL to read object CN=Microsoft Exchange System Objects,DC=DOMAIN,DC=LOCAL.
    [10/13/2013 22:54:50.0874] [2] [ERROR] Active Directory operation failed on AD-1.DOMAIN.LOCAL. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    [10/13/2013 22:54:50.0890] [2] [ERROR] The user has insufficient access rights.
    [10/13/2013 22:54:50.0890] [2] Ending processing initialize-DomainPermissions
    [10/13/2013 22:54:50.0890] [1] The following 1 error(s) occurred during task execution:
    [10/13/2013 22:54:50.0890] [1] 0.  ErrorRecord: Active Directory operation failed on AD-1.DOMAIN.LOCAL. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    [10/13/2013 22:54:50.0890] [1] 0.  ErrorRecord: Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on AD-1.DOMAIN.LOCAL. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
     ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
       at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
       at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
       at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo)
       at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
       --- End of inner exception stack trace ---
       at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
       at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
       at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
       at Microsoft.Exchange.Data.Directory.ADDataSession.Save(ADObject instanceToSave, IEnumerable`1 properties, Boolean bypassValidation)
       at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.CreateMonitoringMailboxContainer(MesoContainer meso)
       at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.InternalProcessRecord()
       at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()
    [10/13/2013 22:54:50.0921] [1] [ERROR] The following error was generated when "$error.Clear();
              $createTenantRoot = ($RoleIsDatacenter -or $RoleIsPartnerHosted);
              $createMsoSyncRoot = $RoleIsDatacenter;

              #$RoleDatacenterIsManagementForest is set only in Datacenter deployment; interpret its absense as $false
              [bool]$isManagementForest = ($RoleDatacenterIsManagementForest -eq $true);

              if ($RolePrepareAllDomains)
              {
                  initialize-DomainPermissions -AllDomains:$true -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
              }
              elseif ($RoleDomain -ne $null)
              {
                  initialize-DomainPermissions -Domain $RoleDomain -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
              }
              else
              {
                  initialize-DomainPermissions -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
              }
            " was run: "Active Directory operation failed on AD-1.DOMAIN.LOCAL. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    ".
    [10/13/2013 22:54:50.0921] [1] [ERROR] Active Directory operation failed on AD-1.DOMAIN.LOCAL. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    [10/13/2013 22:54:50.0921] [1] [ERROR] The user has insufficient access rights.
    [10/13/2013 22:54:50.0921] [1] [ERROR-REFERENCE] Id=DomainGlobalConfig___27a706ffe123425f9ee60cb02b930e81 Component=EXCHANGE14:\Current\Release\Shared\Datacenter\Setup
    [10/13/2013 22:54:50.0921] [1] Setup is stopping now because of one or more critical errors.
    [10/13/2013 22:54:50.0936] [1] Finished executing component tasks.
    [10/13/2013 22:54:50.0952] [1] Ending processing Install-ExchangeOrganization
    [10/13/2013 22:54:50.0968] [0] The Exchange Server setup operation didn't complete.  More details can be found in ExchangeSetup.log located in the <SystemDrive>:\ExchangeSetupLogs folder.
    [10/13/2013 22:54:50.0968] [0] The registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\V15\Setup, wasn't found.
    [10/13/2013 22:54:50.0968] [0] End of Setup
    [10/13/2013 22:54:50.0968] [0] **********************************************

    Monday, October 14, 2013 7:18 PM

Answers

All replies

  • Are you running cmd in elevated mode?

    Right-click cmd and select Run as administrator.


    Tarek Majdalani | MS Windows Expert-IT Pro MVP |www.elmajdal.net

    • Proposed as answer by ElMajdalMVP Monday, October 14, 2013 7:54 PM
    Monday, October 14, 2013 7:34 PM
  • Make sure that you run the command prompt with admin rights and that the Administrator is in the Enterprise Admin group.
    Monday, October 14, 2013 7:35 PM
  • I am running the CMD prompt with elevated rights.
    Monday, October 14, 2013 10:15 PM
  • Please post the log from: <SystemDrive>:\ExchangeSetupLogs folder
    Tuesday, October 15, 2013 3:30 AM
  • Chaen, that's what's above in my first response. Do you need the full document? It's quite large.

    Tuesday, October 15, 2013 12:02 PM
  • Will you be able to post some of the logs, at least close to the end of the document? Just to understand your infrastructure a little, is this a single forest, single domain or single forest and multiple domains?
    Tuesday, October 15, 2013 7:30 PM
  • Single forest, Single Domain. Let me see how far up I can grab the file from without overloading the forum.
    Tuesday, October 15, 2013 7:59 PM
  • Is there a way I can upload the file or send the logs?

    Wednesday, October 16, 2013 12:30 AM
  • [10/15/2013 20:34:58.0658] [2] Used domain controller -WIN-AD-1.DOMAIN.LOCAL to write object DC=DOMAIN,DC=LOCAL.
    [10/15/2013 20:34:58.0658] [2] Can't remove the access control entry on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for attribute "ExtendedRight (ObjectType: ab721a53-1e2f-11d0-9819-00aa0040529b)" because the ACE isn't present.
    [10/15/2013 20:34:58.0689] [2] An inherited access control entry has been specified: [Rights: CreateChild, ControlType: Allow]  and was ignored on object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL".
    [10/15/2013 20:34:58.0689] [2] An inherited access control entry has been specified: [Rights: CreateChild, ControlType: Allow]  and was ignored on object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL".
    [10/15/2013 20:34:58.0689] [2] An inherited access control entry has been specified: [Rights: CreateChild, ControlType: Allow]  and was ignored on object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL".
    [10/15/2013 20:34:58.0689] [2] An inherited access control entry has been specified: [Rights: CreateChild, ControlType: Allow]  and was ignored on object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL".
    [10/15/2013 20:34:58.0689] [2] An inherited access control entry has been specified: [Rights: WriteProperty, ControlType: Allow]  and was ignored on object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL".
    [10/15/2013 20:34:58.0689] [2] An inherited access control entry has been specified: [Rights: WriteProperty, ControlType: Allow]  and was ignored on object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL".
    [10/15/2013 20:34:58.0689] [2] An inherited access control entry has been specified: [Rights: WriteProperty, ControlType: Allow]  and was ignored on object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL".
    [10/15/2013 20:34:58.0689] [2] An inherited access control entry has been specified: [Rights: WriteProperty, ControlType: Allow]  and was ignored on object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL".
    [10/15/2013 20:34:58.0689] [2] An inherited access control entry has been specified: [Rights: WriteProperty, ControlType: Allow]  and was ignored on object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL".
    [10/15/2013 20:34:58.0689] [2] An inherited access control entry has been specified: [Rights: WriteProperty, ControlType: Allow]  and was ignored on object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL".
    [10/15/2013 20:34:58.0689] [2] An inherited access control entry has been specified: [Rights: WriteProperty, ControlType: Allow]  and was ignored on object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL".
    [10/15/2013 20:34:58.0689] [2] Can't remove the access control entry on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Windows Permissions" because the ACE doesn't exist on the object.
    [10/15/2013 20:34:58.0689] [2] Can't remove the access control entry on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Windows Permissions" because the ACE doesn't exist on the object.
    [10/15/2013 20:34:58.0689] [2] An inherited access control entry has been specified: [Rights: CreateChild, ControlType: Allow]  and was ignored on object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL".
    [10/15/2013 20:34:58.0705] [2] An inherited access control entry has been specified: [Rights: CreateChild, ControlType: Allow]  and was ignored on object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL".
    [10/15/2013 20:34:58.0705] [2] Can't remove the access control entry on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Windows Permissions" because the ACE doesn't exist on the object.
    [10/15/2013 20:34:58.0705] [2] An inherited access control entry has been specified: [Rights: ExtendedRight, ControlType: Allow]  and was ignored on object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL".
    [10/15/2013 20:34:58.0705] [2] An inherited access control entry has been specified: [Rights: ExtendedRight, ControlType: Allow]  and was ignored on object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL".
    [10/15/2013 20:34:58.0705] [2] Used domain controller -WIN-AD-1.DOMAIN.LOCAL to write object CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL.
    [10/15/2013 20:34:58.0705] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Servers".
    [10/15/2013 20:34:58.0705] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Servers".
    [10/15/2013 20:34:58.0705] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "NT AUTHORITY\Authenticated Users".
    [10/15/2013 20:34:58.0705] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Servers".
    [10/15/2013 20:34:58.0705] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Servers".
    [10/15/2013 20:34:58.0705] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Servers".
    [10/15/2013 20:34:58.0705] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Servers".
    [10/15/2013 20:34:58.0705] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Servers".
    [10/15/2013 20:34:58.0705] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Servers".
    [10/15/2013 20:34:58.0705] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Servers".
    [10/15/2013 20:34:58.0720] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Servers".
    [10/15/2013 20:34:58.0720] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Servers".
    [10/15/2013 20:34:58.0720] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Servers".
    [10/15/2013 20:34:58.0720] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Servers".
    [10/15/2013 20:34:58.0720] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Servers".
    [10/15/2013 20:34:58.0720] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Servers".
    [10/15/2013 20:34:58.0720] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Servers".
    [10/15/2013 20:34:58.0720] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Servers".
    [10/15/2013 20:34:58.0720] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Servers".
    [10/15/2013 20:34:58.0720] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Servers".
    [10/15/2013 20:34:58.0720] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Organization Management".
    [10/15/2013 20:34:58.0720] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Trusted Subsystem".
    [10/15/2013 20:34:58.0720] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Organization Management".
    [10/15/2013 20:34:58.0720] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Trusted Subsystem".
    [10/15/2013 20:34:58.0720] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Organization Management".
    [10/15/2013 20:34:58.0720] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Trusted Subsystem".
    [10/15/2013 20:34:58.0720] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Organization Management".
    [10/15/2013 20:34:58.0720] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Trusted Subsystem".
    [10/15/2013 20:34:58.0720] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Organization Management".
    [10/15/2013 20:34:58.0720] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Trusted Subsystem".
    [10/15/2013 20:34:58.0736] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Organization Management".
    [10/15/2013 20:34:58.0736] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Trusted Subsystem".
    [10/15/2013 20:34:58.0736] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Organization Management".
    [10/15/2013 20:34:58.0736] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Trusted Subsystem".
    [10/15/2013 20:34:58.0736] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Organization Management".
    [10/15/2013 20:34:58.0736] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Trusted Subsystem".
    [10/15/2013 20:34:58.0736] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Organization Management".
    [10/15/2013 20:34:58.0736] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Trusted Subsystem".
    [10/15/2013 20:34:58.0736] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Organization Management".
    [10/15/2013 20:34:58.0736] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Trusted Subsystem".
    [10/15/2013 20:34:58.0736] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Servers".
    [10/15/2013 20:34:58.0736] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "NT AUTHORITY\NETWORK SERVICE".
    [10/15/2013 20:34:58.0736] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Servers".
    [10/15/2013 20:34:58.0736] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Servers".
    [10/15/2013 20:34:58.0736] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Servers".
    [10/15/2013 20:34:58.0736] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Organization Management".
    [10/15/2013 20:34:58.0736] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Organization Management".
    [10/15/2013 20:34:58.0736] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Organization Management".
    [10/15/2013 20:34:58.0736] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Organization Management".
    [10/15/2013 20:34:58.0736] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Trusted Subsystem".
    [10/15/2013 20:34:58.0736] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Trusted Subsystem".
    [10/15/2013 20:34:58.0736] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Trusted Subsystem".
    [10/15/2013 20:34:58.0752] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Trusted Subsystem".
    [10/15/2013 20:34:58.0752] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Trusted Subsystem".
    [10/15/2013 20:34:58.0752] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Exchange Trusted Subsystem".
    [10/15/2013 20:34:58.0752] [2] The appropriate access control entry is already present on the object "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" for account "DOMAIN\Delegated Setup".
    [10/15/2013 20:34:58.0752] [2] Used domain controller -WIN-AD-1.DOMAIN.LOCAL to write object CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL.
    [10/15/2013 20:34:58.0752] [2] Used domain controller -WIN-AD-1.DOMAIN.LOCAL to read object CN=Microsoft Exchange System Objects,DC=DOMAIN,DC=LOCAL.
    [10/15/2013 20:34:58.0783] [2] [ERROR] Active Directory operation failed on -WIN-AD-1.DOMAIN.LOCAL. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    [10/15/2013 20:34:58.0798] [2] [ERROR] The user has insufficient access rights.
    [10/15/2013 20:34:58.0798] [2] Ending processing initialize-DomainPermissions
    [10/15/2013 20:34:58.0798] [1] The following 1 error(s) occurred during task execution:
    [10/15/2013 20:34:58.0798] [1] 0.  ErrorRecord: Active Directory operation failed on -WIN-AD-1.DOMAIN.LOCAL. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    [10/15/2013 20:34:58.0798] [1] 0.  ErrorRecord: Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on -WIN-AD-1.DOMAIN.LOCAL. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
     ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
       at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
       at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
       at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo)
       at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
       --- End of inner exception stack trace ---
       at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
       at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
       at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
       at Microsoft.Exchange.Data.Directory.ADDataSession.Save(ADObject instanceToSave, IEnumerable`1 properties, Boolean bypassValidation)
       at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.CreateMonitoringMailboxContainer(MesoContainer meso)
       at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.InternalProcessRecord()
       at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()
    [10/15/2013 20:34:58.0830] [1] [ERROR] The following error was generated when "$error.Clear();
              $createTenantRoot = ($RoleIsDatacenter -or $RoleIsPartnerHosted);
              $createMsoSyncRoot = $RoleIsDatacenter;

              #$RoleDatacenterIsManagementForest is set only in Datacenter deployment; interpret its absense as $false
              [bool]$isManagementForest = ($RoleDatacenterIsManagementForest -eq $true);

              if ($RolePrepareAllDomains)
              {
                  initialize-DomainPermissions -AllDomains:$true -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
              }
              elseif ($RoleDomain -ne $null)
              {
                  initialize-DomainPermissions -Domain $RoleDomain -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
              }
              else
              {
                  initialize-DomainPermissions -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
              }
            " was run: "Active Directory operation failed on -WIN-AD-1.DOMAIN.LOCAL. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    ".
    [10/15/2013 20:34:58.0830] [1] [ERROR] Active Directory operation failed on -WIN-AD-1.DOMAIN.LOCAL. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    [10/15/2013 20:34:58.0830] [1] [ERROR] The user has insufficient access rights.
    [10/15/2013 20:34:58.0830] [1] [ERROR-REFERENCE] Id=DomainGlobalConfig___27a706ffe123425f9ee60cb02b930e81 Component=EXCHANGE14:\Current\Release\Shared\Datacenter\Setup
    [10/15/2013 20:34:58.0830] [1] Setup is stopping now because of one or more critical errors.
    [10/15/2013 20:34:58.0830] [1] Finished executing component tasks.
    [10/15/2013 20:34:58.0845] [1] Ending processing Install-ExchangeOrganization
    [10/15/2013 20:34:58.0861] [0] The Exchange Server setup operation didn't complete.  More details can be found in ExchangeSetup.log located in the <SystemDrive>:\ExchangeSetupLogs folder.
    [10/15/2013 20:34:58.0861] [0] The registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\V15\Setup, wasn't found.
    [10/15/2013 20:34:58.0861] [0] End of Setup
    [10/15/2013 20:34:58.0861] [0] **********************************************
    Wednesday, October 16, 2013 12:32 AM
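To read a setup log like the ones posted above, it helps to pull out the last directory object setup touched before the first [ERROR], the LDAP error detail, and the setup task frame that issued the denied request. The following is an added example, not part of any post in this thread and not Microsoft code; the function and class names are hypothetical, and the sample log is a constructed excerpt in the same format as the quoted lines.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt in the format of the ExchangeSetup.log lines quoted in the
# thread (stack-frame argument lists shortened to "...").
SAMPLE_LOG = """\
[10/13/2013 22:54:50.0812] [2] Used domain controller AD-1.DOMAIN.LOCAL to write object CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL.
[10/13/2013 22:54:50.0843] [2] Used domain controller AD-1.DOMAIN.LOCAL to read object CN=Microsoft Exchange System Objects,DC=DOMAIN,DC=LOCAL.
[10/13/2013 22:54:50.0874] [2] [ERROR] Active Directory operation failed on AD-1.DOMAIN.LOCAL. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

[10/13/2013 22:54:50.0890] [2] [ERROR] The user has insufficient access rights.
[10/13/2013 22:54:50.0890] [1] 0.  ErrorRecord: Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on AD-1.DOMAIN.LOCAL.
 ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(...)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(...)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Data.Directory.ADDataSession.Save(...)
   at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.CreateMonitoringMailboxContainer(MesoContainer meso)
   at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()
"""

# "[MM/DD/YYYY HH:MM:SS.ffff] [level] message" starts a new log entry.
ENTRY_RE = re.compile(r"^\[(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+)\] \[(\d+)\] (.*)$")
DC_OP_RE = re.compile(r"Used domain controller (\S+) to (read|write) object (.+?)\.?$")
LDAP_RE = re.compile(
    r"Active directory response: (\w+): (\w+): (DSID-\w+), problem (\d+) \((\w+)\)"
)
FRAME_RE = re.compile(r"^\s*at ([\w.`]+)\(")

# Frames in these namespaces are the LDAP/directory layer, not the setup task.
PLUMBING_PREFIXES = ("System.DirectoryServices.", "Microsoft.Exchange.Data.Directory.")


@dataclass
class Entry:
    timestamp: str
    level: int
    message: str
    extra: List[str] = field(default_factory=list)  # continuation lines


@dataclass
class Finding:
    timestamp: str
    domain_controller: Optional[str]
    last_operation: Optional[str]
    last_object: Optional[str]
    ldap_code: Optional[str]
    ldap_problem: Optional[str]
    dsid: Optional[str]
    task_frame: Optional[str]


def parse_entries(text: str) -> List[Entry]:
    """Group timestamped lines with the untimestamped lines that follow them."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), int(m.group(2)), m.group(3)))
        elif entries:
            entries[-1].extra.append(line.rstrip())
    return entries


def first_access_denied(text: str) -> Optional[Finding]:
    """Describe the first [ERROR] entry, or return None if the log has none."""
    entries = parse_entries(text)
    last_op = None
    for i, entry in enumerate(entries):
        op = DC_OP_RE.search(entry.message)
        if op:
            last_op = op  # remember the most recent read/write before any error
            continue
        if "[ERROR]" not in entry.message:
            continue
        ldap = LDAP_RE.search("\n".join(entry.extra))
        # The stack trace is logged in a later entry; take the first frame that
        # is outside the directory layer, i.e. the setup task that made the call.
        frame = None
        for later in entries[i:]:
            names = [m.group(1) for m in map(FRAME_RE.match, later.extra) if m]
            frame = next((n for n in names if not n.startswith(PLUMBING_PREFIXES)), None)
            if frame:
                break
        return Finding(
            timestamp=entry.timestamp,
            domain_controller=last_op.group(1) if last_op else None,
            last_operation=last_op.group(2) if last_op else None,
            last_object=last_op.group(3) if last_op else None,
            ldap_code=ldap.group(4) if ldap else None,
            ldap_problem=ldap.group(5) if ldap else None,
            dsid=ldap.group(3) if ldap else None,
            task_frame=frame,
        )
    return None


if __name__ == "__main__":
    print(first_access_denied(SAMPLE_LOG))
```

On the sample, the result shows a read of CN=Microsoft Exchange System Objects immediately before the denial and a request issued from InitializeDomainPermissions.CreateMonitoringMailboxContainer, which places the denied operation after the AdminSDHolder writes had already gone through.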
  • Also, something struck me as odd:

    I have two "Microsoft Exchange Security Groups" in my AD Users and Computers.

    One has the following:

    Exchange Organization Administrators

    Exchange Public Folder Administrators

    Exchange Recipient Administrators

    Exchange Servers

    Exchange Trusted Subsystem

    Exchange View-Only Administrators

    ExchangeLegacyInterop.

    The other group has:

    Compliance Management

    Delegated Setup

    Discovery Management

    Exchange Windows Permissions

    Help Desk

    Hygiene Management

    Managed Availability Servers

    Organization Management

    Public Folder Management

    Recipient Management

    Records Management

    Server Management

    UM Management

    View-Only Organization Management

    Any chance this is throwing things off?




    • Edited by pronaMR Wednesday, October 16, 2013 1:16 AM
    Wednesday, October 16, 2013 1:15 AM
  • It might. It keeps saying that the objects are present in the error log. You should try to do a cleanup if this is the first time that you're setting up Exchange in this forest; if not, you should contact Microsoft for support so that you don't cause any major downtime.
    Wednesday, October 16, 2013 1:24 PM
  • We're installing an Exchange 2013 Server in a 2007 environment.

    I think I realized something that might've caused a problem: I ran the /PrepareSchema and /PrepareAD with the Exchange 2013 disc. I then realized it needs to be the CU2 version to run in coexistence with 2007.

    I am now trying to do the /PrepareAD with the CU2 installation and I'm getting that error.

    Would this be causing any issue?

    Wednesday, October 16, 2013 2:19 PM
  • You’ll need to install Update Rollup 10 (RU10) for Exchange 2007 Service Pack 3 (SP3) on all the Exchange 2007 servers in your organization before you can install Exchange 2013 CU2

    Tarek Majdalani | MS Windows Expert-IT Pro MVP |www.elmajdal.net

    Wednesday, October 16, 2013 2:47 PM
  • We have installed the Update Rollup 10 for Exchange prior to installing CU2.
    Wednesday, October 16, 2013 4:50 PM
  • One last thing to add:

    Besides the user already being a member of Domain Admins, Enterprise Admins, and Schema Admins, make sure that the user you are using to install Exchange Server 2013 is a member of Organization Management as well.


    Tarek Majdalani | MS Windows Expert-IT Pro MVP |www.elmajdal.net

    Wednesday, October 16, 2013 4:58 PM
  • Thanks for the quick reply. The profile I'm using to /PrepareAD is a member of all of these groups.
    Wednesday, October 16, 2013 5:10 PM
  • Hi pronaMR,

    It seems like an issue with the Exchange Trusted Subsystem not having the correct permissions.

    I found a blog post that applies to Exchange 2010, just for your reference:

    Exchange 2010 and the Exchange Trusted Subsystem

    http://blogs.technet.com/b/richardroddy/archive/2010/07/12/exchange-2010-and-the-exchange-trusted-subsystem.aspx

     

    Thanks

    Mavis



    Friday, October 18, 2013 10:21 AM
  • Hi,

    It seems to be an issue with the schema preparation. You need to prepare the schema first.

    setup /PrepareSchema
    setup /PrepareAD
    setup /PrepareDomain:<FQDN of domain you want to prepare>

    Cheers!

    Friday, October 18, 2013 12:36 PM
  • I have an article for Installing Exchange 2013 on Windows 2012.

    Run the script first to add all required roles and features.

    Installing Microsoft Exchange Server 2013 Prerequisites On Windows Server 2012

    If you followed the steps in the article, you should not face any issue.


    Tarek Majdalani | MS Windows Expert-IT Pro MVP |www.elmajdal.net

    Friday, October 18, 2013 5:14 PM