Unable to initialize Exchange management (EMC and EMS don't work) - Access Denied

  • Question

  • I have all the symptoms of this discussion:
    http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/8f9a1881-d66d-4d8a-a6ff-06729a701999/

    But it has been marked as answered and a number of people still have the problem not fixed by suggestions in that post.

    I have the BuildtoBuildUpgrade on the RoleInstallationMode (can't help but think the cause of this error is the root cause of what's wrong) on a server that has never had Exchange of any sort installed.
    All my other exchange servers are already 2007 std edition no 2003 left for some time now. All DCs are Server 2008 or 2008R2, forest and domain is at 2008 functional level.
    I have successfully installed another server 2008R2 with CAS, HUB and database Exchange 2010 roles, it can administer itself but not the server with CAS only role.
    This server that has failed has only CAS Exchange 2010 role on server 2008R2 and is in the same site as the 2007 servers, different site to the working 2010 server.

    Error from EMS :
    [cas.xxx.local] Connecting to remote server failed with the following error message : Access is denied. For more info
    rmation, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportExc
       eption
        + FullyQualifiedErrorId : PSSessionOpenFailed

    Error from EMC:
    [cas.xxx.local] Connecting to remote server failed with the following error message : Access is denied. For more info
    rmation, see the about_Remote_Troubleshooting Help topic. It was running the command 'Discover-ExchangeServer -UseWIA $true -SuppressError $true'.


    I have determined the Access Denied error is occurring during the operation to load the Exchange cmdlets, not while executing a cmdlet. I did that by opening a command window and trying to load the Exchange cmdlets manually from the local source:

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command ". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\Exchange.ps1'"

    which gives this error:
    At C:\Program Files\Microsoft\Exchange Server\V14\bin\Exchange.ps1:48 char:21
    + Set-ADServerSettings <<<<  -ViewEntireForest $false -WarningAction SilentlyContinue
        + CategoryInfo          : ObjectNotFound: (Set-ADServerSettings:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException

    Something seems missing from the install, I suspect related to the incorrect BuildtoBuild status in the install log.

    Thursday, March 11, 2010 11:51 PM

All replies

  • I have determined the Access Denied error is occurring during the operation to load the Exchange cmdlets, not while executing a cmdlet. I did that by opening a command window and trying to load the Exchange cmdlets manually from the local source C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command ". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\Exchange.ps1'"
    You need to have the Exchange snapin loaded before you can dot source that script. That's why you are getting a CommandNotFoundException error.

    Have you looked through both of these docs?

    Troubleshooting Exchange 2010 Management Tools startup issues
    http://msexchangeteam.com/archive/2010/02/04/453946.aspx

    Troubleshooting the Exchange Management Shell (Under Connection Issues)
    http://technet.microsoft.com/en-us/library/dd351136.aspx
    • Proposed as answer by Mike PfeifferMVP Monday, March 29, 2010 7:24 PM
    • Unproposed as answer by MarkEmery Wednesday, April 21, 2010 2:11 AM
    Friday, March 12, 2010 12:08 AM
  • Has a concrete solution been found? I attempted david stome's suggestion in 'emc permissions gone part deux' http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/8f9a1881-d66d-4d8a-a6ff-06729a701999 with no change in behavior.
    Monday, March 15, 2010 8:51 PM
  • Mike,

    Having the same exact issues. Anything new yet?

    Monday, April 19, 2010 3:57 AM
  • Me too

    Have also followed David's suggestion, and it fails at step 6. ($Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<FQDN of Exchange 2010 server>/PowerShell/ -Authentication Kerberos) with access denied

    anyone have a solution to the problem

    Tuesday, April 20, 2010 9:33 AM
  • Hi,

    Can you try in CAS Server as below?

    · From “Start” -> “Run”, type in ‘dcomcnfg’ and hit “Enter”
    · From the Component Services Console, expand “Component Services” -> “Computers”
    · Right click on “My Computer” and select “Properties”
    · On the “Default Properties” tab, find the Default Impersonation Level and change it from “Identify” to “Impersonate”

    In addition,

    You can also try the following:

    Strangely enough, this error is spawned because there is/are Exchange 2007 CAS Server(s) that do not give permissions to Exchange 2010 to enumerate IIS.
    As you may know, this is very odd because the EMC 2010 does not display any Exchange 2007 Server!
    The solution is to add the security group “Exchange Trusted Subsystem” as a member of the Local Administrators group on ALL Exchange Server 2007 boxes

    http://msexchangegeek.com/2009/09/18/get-owavirtualdirectory-returns-an-iis-directory-entry-couldnt-be-created-the-error-message-is-access-is-denied/


    With Best Regards Anbu
    Tuesday, April 20, 2010 6:43 PM
  • Have tried this suggestion, looked promising. Also found Exchange 2010 Rollup 3 and Exchange 2007 SP2 Rollup 4 and installed both of those on respective servers.

    Rebooted servers, no change to the access denied error on the CAS role server. I still have one Exchange 2007 SP2 server to put the rollup on and reboot, can't do that one until the weekend. 

    Found command winrm get winrm/config/service gives an error:
    Error number:  -2144108387 0x8033809D
    An unknown security error occurred.

    Which might actually be the root cause of the security issue. No idea how to approach that error.

    Wednesday, April 21, 2010 2:32 AM
  • Both WinRM commands

    winrm get winrm/config/service
    winrm quickconfig

    Give this error:

    WinRM already is set up to receive requests on this machine.
    WSManFault
        Message = WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
     Possible causes are:
      -The user name or password specified are invalid.
      -Kerberos is used when no authentication method and no user name are specified.
      -Kerberos accepts domain user names, but not local user names.
      -The Service Principal Name (SPN) for the remote computer name and port does not exist.
      -The client and remote computers are in different domains and there is no trust between the two domains.
     After checking for the above issues, try the following:
      -Check the Event Viewer for events related to authentication.
      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
     Note that computers in the TrustedHosts list might not be authenticated.
       -For more information about WinRM configuration, run the following command: winrm help config.


    Error number:  -2144108387 0x8033809D
    An unknown security error occurred.

    Wednesday, April 21, 2010 2:36 AM
  • Hi,

    Instead of focusing the issue on Exchange, have you tried to check the health status of Active Directory?

    Is it replicating the domain controllers? Are you pointing GC for the deployment? Have you done the Exchange Preparation well?

    Is it possible to try with different Hardware box with CAS transport?

    Just update us.


    With Best Regards Anbu
    Wednesday, April 21, 2010 12:51 PM
  • AD and Exchange Prep are  fine.

    I already have another CAS server working properly what's the point of trying another? it is this problem server that needs to work.

    Thursday, April 22, 2010 6:36 AM
  • Hi,

    Are you getting the same error in the CAS server which has issue?


    With Best Regards Anbu
    Friday, April 23, 2010 6:17 PM
  • I tried this with no luck to my problem.
    Sunday, April 25, 2010 3:56 AM
  • Hello,

    Can you reproduce the problem and let us know the event error and first 5 events in Security Event Log?

    At the same time, run EXBPA and let's see any issues

    regards


    Chinthaka Shameera | MCITP: EA | MCSE: M | http://howtoexchange.wordpress.com/
    Sunday, April 25, 2010 7:04 AM
  • Please look at this thread for additional information regarding this problem.

    http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/3fff6f84-0289-4924-997d-8fee7ea40013

    Sunday, April 25, 2010 3:29 PM
  • using ADSIEDIT make sure that SPN HTTP/<servername> is on the machine account of your server

    (<servername> is your server's FQDN) I found that SPN was on the SIP service account running OCS on the server, moved it to the machine account for the server rebooted and Exchange 2010 management console now works and remote management and OCS still works as well (as far as I can tell) using the modified SIP service account.

    use the script below to locate HTTP/*  SPN to find where they are registered.

    Script for SPN query http://technet.microsoft.com/en-au/library/ee176972.aspx

    (Also ran WINRM QUICKCONFIG to confirm HTTP configured correctly.)

    Thursday, May 27, 2010 5:18 AM
  • Hi MarkEmery - do you mind posting the steps you did in ADSIEDIT to fix this issue? When accessing our CAS/HUB server on a second site, I am also getting the error "The following error occurred when searching for On-Premises Exchange server: [CASSERVERNAME] Connecting to remote server failed with the following error message: Access is denied. For more information, see the about_Remote_Troubleshooting Help topic. It was running the command 'Discover-ExchangeServer -UseWIA $true -SuppressError $true'.

    We can access our two CAS/HUB servers in our primary site but cannot access the CAS/HUB at second site. We do not have the OCS though so I am not sure if the fix will work for us...Thanks for your help.

    Friday, December 10, 2010 10:57 PM
  • !!!!!FIXED!!!!!!

    This took me the whole day and I am really grumpy

    I am running a Server 2008R2 Exchange 2008SP1 OCS 2007R2 on the same VM server

    After install of OCS I lost access to my exchange console, thanks to Mark Emery I tracked down my problem, IIS was running under the CWAService account

    On the server, which is also a DC, I ran the below two commands to delete the SPN

    setspn -d http/servername domain\servername
    setspn -d http/servername.domain.local domain\servername

    Then I ran the following two commands to repair the SPN
    setspn -s http/servername domain\servername
    setspn -s http/servername.domain.local domain\servername

    This will reset your service to run under the machine account

    After a reboot I can now access the exchange console

    Monday, December 13, 2010 3:37 AM
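
The two fixes above come down to the same check: HTTP/<servername> and HTTP/<FQDN> must not sit on a service account instead of the server's machine account. The PowerShell below is an added example, not code from any poster in this thread; the function names, cas01.example.local and svc-ocs are hypothetical, and the sample records are constructed.

```powershell
# Added example; function names, cas01.example.local and svc-ocs are hypothetical.
function Get-HttpSpnHolder {
    # Live lookup: every AD object that holds HTTP/<short> or HTTP/<fqdn>.
    param([Parameter(Mandatory = $true)][string]$ServerFqdn)
    $short  = $ServerFqdn.Split('.')[0]
    $filter = "(|(servicePrincipalName=HTTP/$short)(servicePrincipalName=HTTP/$ServerFqdn))"
    $searcher = [adsisearcher]$filter
    $searcher.PageSize = 500
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            SamAccountName = [string]$r.Properties['samaccountname'][0]
            Spn            = @($r.Properties['serviceprincipalname'])
        }
    }
}

function Test-HttpSpnPlacement {
    # One row per matching SPN, flagged by whether the machine account holds it.
    param([Parameter(Mandatory = $true)][string]$ServerFqdn,
          [Parameter(Mandatory = $true)][object[]]$Holder)
    $short   = $ServerFqdn.Split('.')[0]
    $machine = $short + '$'                       # sAMAccountName of the computer object
    $wanted  = @("HTTP/$short", "HTTP/$ServerFqdn")
    foreach ($h in $Holder) {
        foreach ($spn in $h.Spn) {
            if ($wanted -contains $spn) {         # -contains compares case-insensitively
                New-Object PSObject -Property @{
                    Spn              = $spn
                    Account          = $h.SamAccountName
                    OnMachineAccount = ($h.SamAccountName -eq $machine)
                }
            }
        }
    }
}

# Constructed sample: HTTP SPNs registered on a service account, as described in the thread.
$sample = @(
    New-Object PSObject -Property @{ SamAccountName = 'svc-ocs'
        Spn = @('http/cas01', 'http/cas01.example.local', 'sip/cas01.example.local') }
    New-Object PSObject -Property @{ SamAccountName = 'CAS01$'
        Spn = @('HOST/cas01', 'HOST/cas01.example.local') }
)
Test-HttpSpnPlacement -ServerFqdn 'cas01.example.local' -Holder $sample |
    Where-Object { -not $_.OnMachineAccount } | Format-Table Spn, Account -AutoSize

# Against a real domain, feed the live lookup instead of the sample:
#   Test-HttpSpnPlacement -ServerFqdn $fqdn -Holder (Get-HttpSpnHolder -ServerFqdn $fqdn)
```

With the constructed sample, both HTTP SPNs are reported against svc-ocs, which is the condition the setspn -d / setspn -s steps above correct.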
  • Dear Rodney,

    Thanks for your help..your advice in this forum solved my problem

    On the server, which is also a DC, I ran the below two commands to delete the SPN

    setspn -d http/servername domain\servername
    setspn -d http/servername.domain.local domain\servername

    Then I ran the following two commands to repair the SPN
    setspn -s http/servername domain\servername
    setspn -s http/servername.domain.local domain\servername

    This will reset your service to run under the machine account

    After a reboot I can now access the exchange console

    Monday, August 8, 2011 3:35 PM


  • your advice in this forum fix my problem...

    thanks

    Monday, August 8, 2011 3:36 PM
  • Tried Rodney's fix, but still not working for me...
    Wednesday, November 9, 2011 4:49 PM
  • That's it.... I forgot the (wrong) SPN that I added before...

    Thank you!

    Thursday, February 9, 2012 10:57 AM