locked
An IIS directory entry couldn't be created. Access denied RRS feed

  • Question

  • Exchange 2010 install into existing Exchange 2007 SP2 Organisation. Getting the above when attempting to view the Client Access roles Outlook Web App & Exchange Activesync in the Exchange 2010 EMC. 

    I notice, rather alarmingly, that the Exchange 2010 EMC only lists the Exchange 2010 server in the domain - by design ?

    Finally any notes on recommended practice for removal of the Exchange 2007 server or is it basically move mailboxes etc and un-install ?

    Thanks in advance and great work !

    Ian

    Thursday, August 27, 2009 10:26 AM

Answers

  • Can you verify that "Microsoft Exchange Security Groups\ Exchange Trusted Subsystem" group is a member of local admin group of all Exchange 2007 server? 

    If not, add it and restart all servers and check...

    Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com

    • Marked as answer by konnexion Friday, August 28, 2009 9:01 AM
    Thursday, August 27, 2009 3:41 PM
  • Ian,

    You can see some of the attributes of Exchange 2007 servers but to manage Exchange 2007 server or recipients it requires to use Exchange 2007 Management console. 

    You can install Management tools of 2007 & 2010 on same machine, refer Henrik's note here.

    Transition from 2007 to 2010 is inserting Exchange 2010 server roles into 2007 environment, move data and settings, and decommission 2007 servers.

    You can follow below sequence to introduce Exchange 2010 server roles into Exchange 2007 environment (starting from Internet facing AD site)...
    - CAS
    - Hub
    - Unified Messaging
    - Mailbox
    - Edge

    You can move mailboxes with New-MoveRequest cmdlet and yes with from Exchange 2007 SP2 mailboxes it is online mailbox move so users won't see any interruption during movement.

    About error, you can refer my another response here...

    Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com

    • Marked as answer by konnexion Friday, August 28, 2009 9:02 AM
    Thursday, August 27, 2009 6:39 PM

All replies

  • I'm experiencing the same issue. I can't view the Outlook Web App, Exchange ActiveSync, or Offline Address Book Distribution tabs.

    If I run the Get-OwaVirtualDirectory cmdlet, I get the following output:

    An IIS directory entry couldn't be created. The error message is Access is denied.
    . HResult = -2147024891
        + CategoryInfo          : NotInstalled: (MB2\Exchange (Default Web Site):ADObjectId) [Get-OwaVirtualDirectory], II
       SGeneralCOMException
        + FullyQualifiedErrorId : 401839E9,Microsoft.Exchange.Management.SystemConfigurationTasks.GetOwaVirtualDirectory

    The server it references is running the Exchange 2007 SP2 Mailbox role.

    I did a search and found this: http://exchangeshare.wordpress.com/2008/07/05/2147024891-access-is-denied-error-in-emc/ - could that be the issue? Our Exchange 2007 servers are running WS2003, while the 2010 server is WS2008 R2.
    Thursday, August 27, 2009 2:49 PM
  • Can you verify that "Microsoft Exchange Security Groups\ Exchange Trusted Subsystem" group is a member of local admin group of all Exchange 2007 server? 

    If not, add it and restart all servers and check...

    Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com

    • Marked as answer by konnexion Friday, August 28, 2009 9:01 AM
    Thursday, August 27, 2009 3:41 PM
  • Thanks! That solved the problem.
    Thursday, August 27, 2009 6:03 PM
  • Ian,

    You can see some of the attributes of Exchange 2007 servers but to manage Exchange 2007 server or recipients it requires to use Exchange 2007 Management console. 

    You can install Management tools of 2007 & 2010 on same machine, refer Henrik's note here.

    Transition from 2007 to 2010 is inserting Exchange 2010 server roles into 2007 environment, move data and settings, and decommission 2007 servers.

    You can follow below sequence to introduce Exchange 2010 server roles into Exchange 2007 environment (starting from Internet facing AD site)...
    - CAS
    - Hub
    - Unified Messaging
    - Mailbox
    - Edge

    You can move mailboxes with New-MoveRequest cmdlet and yes with from Exchange 2007 SP2 mailboxes it is online mailbox move so users won't see any interruption during movement.

    About error, you can refer my another response here...

    Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com

    • Marked as answer by konnexion Friday, August 28, 2009 9:02 AM
    Thursday, August 27, 2009 6:39 PM
  • Just to clarify, should I be able to see my Exchange 2007 SP2 servers in the Management Console, even if I can't edit their attributes?

    Because I added the security group as suggested above and now don't get the virtual directory error anymore, but I still don't see the E2K7 servers in the EMC.

    Thursday, August 27, 2009 11:42 PM
  • Hi Maurice,

    Exchange 2007 servers are not visible via the Exchange 2010 Management Console, so what you see is expected behaviour.

    Actually, this is a good thing if you ask me. It's not supported to modify Exchange 2007 servers from the E2K10 EMC, and by not showing them in this console version, there's less chance of corrupting objects and so on.

    Henrik Walther | MVP: Exchange | MCM: Exchange 2007 | MSExchange.org
    • Proposed as answer by Amit Tank Friday, August 28, 2009 9:02 AM
    Friday, August 28, 2009 6:06 AM
  • Good to know this fact Henrik.

    Thanks,

    Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com

    Friday, August 28, 2009 6:35 AM
  • Thanks Amit - that did the trick !

    Ian

    Friday, August 28, 2009 9:01 AM
  • I am getting the same error and the "exchange trusted subsystem" is already in the list of local admins?  Any thoughts?
    Wednesday, September 30, 2009 2:43 PM
  • Nevermind..i'm an idiot..it wasn't in the 2007 server local admins...works now, thanks.
    Wednesday, September 30, 2009 2:52 PM
  • THanks, worked like a charm.

    Wednesday, November 11, 2009 9:49 PM
  • What if you are an idiot and your Exchange 2007 box is a domain controller?  There are no local groups that can be modified and Microsoft does not support demoting a DC after Exchange 2007 is installed on it.
    Friday, November 20, 2009 2:34 AM
  • Hi Marty,

    if you have the Exchange 2007 box installed on a domain controller you can add the "Exchange Trusted Subsystem" security group as member of the bultin group "Administrators". I've verified that solution in a test environment.

    best regards
    Friday, November 20, 2009 3:29 PM
  • Thanks Michael,

    Isn't it a kind of bug or something anyway?
    I spent 1 hours for this problem, and finally get the solution.

    Thans again. ^^

    Wednesday, December 2, 2009 8:09 AM
  • My Exchange 2007 box has the following groups assigned as members of the administrators group:

    Exchange Organization administators
    Exchange Trusted Subsystem

    When I open the EMC from either of the Exchange 2010 machines, I get the same error listed above:

    An IIS directory entry couldn't be created. The error message is Access is denied.

    I get a similar error from the PowerShell command line when invoking the following cmdlets:

    Get-WebServicesVirtualDirectory
    Get-OWAVirtualDirectory
    etc...

    When I run these same cmdlets from the Ex2k7 PowerShell console, I can see the 2010 servers just fine.

    Is the exception expected? If so, that seems broken. I understand the need to limit editing to the 2010 console - I'm sure you didn't have time to support backward compatibility in the management tool... but throwing an exception? The cmdlet will stop when it hits the problem server alphabetically, so I don't get any results after the "known" error. Is there a way around this?

    Wednesday, December 16, 2009 11:20 AM
  • Yes, adding "Microsoft Exchange Security Groups\ Exchange Trusted Subsystem" group as a member of local admin group of all my Exchange 2007 server s solved the same problem I was having after installing Exchange Server 2010 in my existing Exchange 2k7 environment. Thanks a lot Amit for the great tip.
    Thursday, March 4, 2010 9:18 PM
  • Just want to chime in that I also suffered this deployment error with exchange 2010.  After manually adding:

    "Microsoft Exchange Security Groups\ Exchange Trusted Subsystem"

    to the local admin group of each existing exchange2k7 server and rebooting the new 2k10 server the issue was resolved.  Sounds like Microsoft needs to update their upgrade guidance documentation or fix the bug in the installer?

    Anyhow, thanks for the solution that resolved this problem.


    Thursday, March 11, 2010 4:44 PM
  • I also have run across this issue, but in my case it was caused by the Site ID having been changed, Exchange was installed on the Default Web Site and then the ID was later changed. Broke EMC and web access. Returned site ID back to 1, performed iisreset and all was hunky dory.
    Tuesday, March 16, 2010 2:47 PM
  • Had the exact same issue here after introducing my first Exchange 2010 CAS box.  Adding the "Microsoft Exchange Security Groups\ Exchange Trusted Subsystem" to my Exchange 2007 server and re-booting the Exchange 2010 CAS box did the trick!

     

    I agree, MS needs to update it's documentation on this known issue.

    Tuesday, May 11, 2010 9:00 PM
  • Thanks Amit !!!
    Thursday, October 28, 2010 5:32 PM
  • Can you verify that "Microsoft Exchange Security Groups\ Exchange Trusted Subsystem" group is a member of local admin group of all Exchange 2007 server? 

    If not, add it and restart all servers and check...

    Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com


    Thank you, Amit!!!!

    This exact thing helped me out today.  Certainly appreciate the work!

    Wednesday, August 31, 2011 3:32 PM
  • Can you verify that "Microsoft Exchange Security Groups\ Exchange Trusted Subsystem" group is a member of local admin group of all Exchange 2007 server? 

    If not, add it and restart all servers and check...

    Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com

    This worked for me, but i will add 1 edit... you only have to restart the 2010 server(s)
    Monday, November 7, 2011 6:33 PM
  • Hello Amit,

    I have a similar problem but with exchange 2010 ru5.

    we have 2 cas servers and 1 mailbox server. now under the "Server Configuration" in "Client Access" under the cas server xvm01 in outlook web acess, i cannot see the owa. it gives the above error. and also the owa is not working.

     

    appreciate if you could nudge me in the right direction. i have checked you above resolution. and i have also added Exchange Trusted Subsystem in iis default site with full permission.

     

    waiting for your reply

     

    Amit

    Tuesday, November 29, 2011 8:24 PM
  • Adding the security groep to local admin group on the old server

    running get-autodiscovery again on new server, solved ...

    very nice :)

    Friday, February 24, 2012 9:11 AM
  • worked for me.  Thanks !!!
    Thursday, July 12, 2012 3:33 PM
  • thank you, it works perfect
    Monday, September 24, 2012 9:47 AM