Exchange 2013 SP1, Windows Server 2012 R2. Alternate Service Account is not working

  • Question

  • Hello All,

    I'm unable to roll the Alternate Service Account to the following env:

    2x Exchange 2013 SP1 CAS Only Servers on Windows Server 2012 R2

    3X Exchange 2013 SP1 MB Only Servers on Windows Server 2012 R2

    It was working fine on the same environment in the same domain, but with Exchange 2013 CU3 on Windows Server 2012.

    Here is the output:

    [PS] D:\Exchange Server\scripts>.\RollAlternateServiceAccountPassword.ps1 -ToSpecificServers server6,server7
    GenerateNewPasswordFor contoso\casasa$ -Verbose
    ========== Starting at 04/09/2014 14:57:42 ==========
    VERBOSE: Effective parameters that were passed to this script:
    Key                                                         Value
    ---                                                         -----
    ToSpecificServers                                           True
    GenerateNewPasswordFor                                      contoso\casasa$
    Verbose                                                     True
    Identity                                                    {server6, server7}
    VERBOSE: Examining the state of the local runspace ...
    VERBOSE: Preparing the destination ...
    VERBOSE: Destination server identities: server6 server7
    VERBOSE: Retrieving CAS server objects with credentials (passwords=False):
     server6, server7
    VERBOSE: Retrieving ASA credentials from server server6
    VERBOSE: Creating a new PowerShell session for server6. contoso.com
    VERBOSE: Connecting to server6. contoso.com
    Cannot process argument transformation on parameter 'Identity'. Cannot convert value "server6" to type
    "Microsoft.Exchange.Configuration.Tasks.ClientAccessServerIdParameter". Error: "Cannot convert hashtable to an object
    of the following type: Microsoft.Exchange.Configuration.Tasks.ClientAccessServerIdParameter. Hashtable-to-Object
    conversion is not supported in restricted language mode or a Data section."
        + CategoryInfo          : InvalidData: (:) [Get-ClientAccessServer], ParameterBindin...mationException
        + FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-ClientAccessServer
        + PSComputerName        : server6.contoso.com
    VERBOSE: Retrieving ASA credentials from server server7
    VERBOSE: Creating a new PowerShell session for server7. contoso.com
    VERBOSE: Connecting to server7. contoso.com
    Cannot process argument transformation on parameter 'Identity'. Cannot convert value "server7" to type
    "Microsoft.Exchange.Configuration.Tasks.ClientAccessServerIdParameter". Error: "Cannot convert hashtable to an object
    of the following type: Microsoft.Exchange.Configuration.Tasks.ClientAccessServerIdParameter. Hashtable-to-Object
    conversion is not supported in restricted language mode or a Data section."
        + CategoryInfo          : InvalidData: (:) [Get-ClientAccessServer], ParameterBindin...mationException
        + FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-ClientAccessServer
        + PSComputerName        : server7. contoso.com
    VERBOSE: Destination servers:
    VERBOSE: Checking version requirements for the destination servers ...
    VERBOSE: Preparing the credential source ...
    VERBOSE: Looking up account casasa$ in domain contoso
    RecordErrors : Couldn't figure out valid servers from the specified destination scope. Check your parameters and try
    again.
    At D:\Exchange Server\scripts\RollAlternateServiceAccountPassword.ps1:996 char:1
    + RecordErrors -ExceptionsOnly { $script:success = Body }
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
        + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,RecordErrors
    Retrieving the current Alternate Service Account configuration from servers in scope
    VERBOSE: Retrieving CAS server objects with credentials (passwords=False):
    Alternate Service Account properties:
    Per-server Alternate Service Account configuration as of the time of script completion:
    ========== Finished at 04/09/2014 14:58:18 ==========
            THE SCRIPT HAS FAILED
    [PS] D:\Exchange Server\scripts>

    I also noticed differences in the behavior of other cmdlets. I guess these are coming from PS 4.0 that comes with Server 2012 R2.

    Can someone suggest a resolution, different than revisiting the script?

    Thanks

    Wednesday, April 9, 2014 12:19 PM

All replies

  • Hi,

    According to the log above, I found that we ran the script on both Server6 and Server7. The errors are as below:

    Server6: Conversion is not supported in restricted language mode or a Data section.

    Server7: Couldn't figure out valid servers from the specified destination scope. Check your parameters and try again.

    Since we can only run the RollAlternateserviceAccountPassword.ps1 script on a CAS server, the script does not work well if Server6 is an MBX server.

    For Server7, based on the error message, it seems you still have no right to run the script/cmdlet.

    Please add your account to the Organization Management role group (ADUC -> domain.com -> Microsoft Exchange Security Groups) to test, if possible.

    By the way, from Technet:

    You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Client Access Security" entry in the Client Access Permissions topic.

    Client Access Permissions

    http://technet.microsoft.com/en-us/library/dd638131.aspx

     

    Feel free to contact me if there is any problem.

     

    Thanks

    Mavis

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Mavis Huang
    TechNet Community Support

    Thursday, April 10, 2014 7:11 AM
    Moderator
  • Mavis,

    I'm Organization Administrator, both of these servers are CAS servers, and I'm running it on one of them.

    Also please note that in this domain I have:

    2xCAS + 3XMB Servers with Exchange Version 2013 CU3 on Windows Server 2012 - that have Alternate Service Account already rolled and working correctly.

    And the issue occurs on another set of the same Exchange env. in the same domain with:

    2xCAS + 3XMB Servers with Exchange Version 2013 SP1 on Windows Server 2012 R2 - where the error comes from.

    Thanks.

    Thursday, April 10, 2014 8:19 AM
  • Hi GeorgiIvanov,

    because you're re-introducing array members after maintenance. ve just added Server B to the array, you can use the script to copy the credential (including the password) from Server A to Server B. This is useful if Server B was down or not yet a member of the array when the password was rolled the last time.

    .\RollAlternateServiceAccountPassword.ps1 -CopyFrom ServerA -ToSpecificServers ServerB -Verbose

    And if the server is already updated to array members, the command should be:

    .\RollAlternateserviceAccountPassword.ps1 -ToArrayMembers "CAS01" -GenerateNewPasswordFor "CONTOSO\ServiceAc1$"


    Best regards, Frank Zhang

    Saturday, April 12, 2014 2:35 AM
    Moderator
  • Frank Zhang

    No, that's not the case, and I'm using a new computer account for these 2 servers.

    As you can see from the PS error, somewhere in the script "Get-ClientAccessServer" fails because it requires the "Identity" parameter to be of type "Microsoft.Exchange.Configuration.Tasks.ClientAccessServerIdParameter"


    Saturday, April 12, 2014 1:31 PM
    • Marked as answer by GeorgiIvanov Monday, April 21, 2014 8:10 PM
    Friday, April 18, 2014 10:58 AM
  • Hi, 

    Yes, this should be a by-design issue in Exchange 2013 SP1; I have tested it and got the same result. And the above workaround seemed very professional, we can just follow it.


    Best regards, Frank Zhang

    Wednesday, April 23, 2014 4:23 PM
    Moderator
  • I have registered the bug on connect site.

    Сазонов Илья http://isazonov.wordpress.com/

    Thursday, April 24, 2014 2:15 AM
  • Bug fixed in CU6

    Сазонов Илья http://isazonov.wordpress.com/

    Wednesday, October 15, 2014 7:03 AM