locked
New Exchange 2013 (CU13) Install- failing after prepareschema, preparead and preparealldomains succeeded RRS feed

  • Question

  • Our organization is going to migrate from Exchange 2010 to Exchange 2013 CU13. We are going to change our exchange topology by installing hyper-V virtual 2013 servers at each location and setting up a DAG so the locations can fail over to each other if need be. The first site has no exchange server there any more- there were two 2010 servers (Mailbox and CAS) but they were properly uninstalled and no longer show up in the Exchange organization. I also cleaned up and removed any other extraneous servers that may have previously failed or been uncleanly removed- I was able to do all cleanup using Exchange installation tools and did nothave to use ASDI Edit or Schema Management to accomplish any of these tasks- We have a pristine environment. The first Exchange 2013 server is now ready to install. I ran setup.exe /PrepareSchema, setup.exe /PrepareAD, and Setup.exe /PrepareAllDomains. All completed successfully. Then I went to install Exchange. When it got to Organization Preparation 1/9, it failed. Here is the error:

    Error:

    The following error was generated when "$error.Clear();

    initialize-ExchangeUniversalGroups -DomainController $RoleDomainController -ActiveDirectorySplitPermissions $RoleActiveDirectorySplitPermissions

     

    " was run: "Microsoft.Exchange.Data.Directory.ADObjectEntryAlreadyExistsException: Active Directory operation failed on USMDSVRDC2.corp.local. One or more attribute entries of the object 'CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=corp,DC=local' already exists. ---> System.DirectoryServices.Protocols.DirectoryOperationException: The object exists.

       at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)

       at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)

       at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo)

       at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)

       --- End of inner exception stack trace ---

       at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)

       at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)

       at Microsoft.Exchange.Data.Directory.ADDataSession.Save(ADObject instanceToSave, IEnumerable`1 properties, Boolean bypassValidation)

       at Microsoft.Exchange.Data.Directory.Recipient.ADRecipientObjectSession.Save(ADRecipient instanceToSave)

       at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.AddMember(ADObject obj, IRecipientSession session, ADGroup destGroup, WriteVerboseDelegate writeVerbose)

       at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.CreateAndValidateRoleGroups(ADOrganizationalUnit usgContainer, RoleGroupCollection roleGroups)

       at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.InternalProcessRecord()

       at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()

       at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".

     

    So to me it looks like Exchange is trying to run the prepare steps again and failing because everything is prepared already. How do I get past this- Is there a switch that tells Setup to skip this step?


    Thanks!

    Wednesday, August 3, 2016 2:23 PM

Answers

  • Yes that should be tried, Consolidate those SGs to a single group(Microsoft Exchange Security Groups) under the root.

    Regards,

    Fazal

    • Marked as answer by FatalXcept10n Friday, August 12, 2016 4:15 AM
    Wednesday, August 3, 2016 8:42 PM

All replies

  • Can you post the setup logs for more details, From the error it seems you are running in a Split AD permission mode, Did you run the Setup with PrepareAD /ActiveDirectorySplitPermissions:true switch?

    Regards,

    Fazal

    Wednesday, August 3, 2016 4:35 PM
  • I'll post the logs shortly. The only commands I ran were those three and then got the error running gui setup.

    Thanks!

    Wednesday, August 3, 2016 4:46 PM
  • http://pastebin.com/Sk8tSkaN

    This was the only way to post anything meaningful from the logs. Changed server, domain, and usernames to protect the innocent!


    Thanks!

    Wednesday, August 3, 2016 5:05 PM
  • Do you see an OU called 'Microsoft Exchange Protected Groups' in your AD structure?

    Regards,

    Fazal

    Wednesday, August 3, 2016 5:24 PM
  • No- Would that be in ADUC or do I have to look at the configuration partition with ADSI edit?

    Thanks!

    Wednesday, August 3, 2016 5:28 PM
  • It should have been in ADUC if you were using Split AD permissions, It seems that is not the case. Have you by any chance moved the 'Microsoft Exchange Security Groups' from the root to a different OU

    CN=Exchange Organization Administrators,OU=Microsoft Exchange Security Groups,OU=MTHV Security Groups,OU=MTHV,DC=contoso,DC=local.

    Regards,

    Fazal

    • Proposed as answer by Jason.Chao Thursday, August 4, 2016 4:54 AM
    Wednesday, August 3, 2016 6:15 PM
  • I didn't move them, however I cannot speak to how the previous admins set up 2010 when they implemented it. MTHV is an OU under the domain (we can call it Contoso.com, but you may see contoso.local in the logs because of a text replacement I made)so under contoso.com, we have six companies that we refer to by four-letter acronyms- MTHV corresponds to the site where the Schema Master is located, as well as where the first Exchange 2013 server in the organization will be located. Since we already have a functioning Exchange 2010 infrastructure in place, does that OU need to be moved directly under contoso.com in the ADUC tree, or should I just leave those objects alone?

    Thanks!

    Wednesday, August 3, 2016 6:32 PM
  • Ideally there shall be one group 'Microsoft Exchange Security Groups' in the root.

    Regards,

    Fazal

    Wednesday, August 3, 2016 8:01 PM
  • In the Microsoft Exchange Security Groups container under the MTHV OU, the following groups are listed:

    Exchange Organization Administrators

    Exchange Public Folder Administrators

    Exchange Recipient Administrators

    Exchange Servers

    Exchange View-Only Administrators

    ExchangeLegacyInterop

    There are a number of other security groups in the same-named container directly off of the root.

    Should we consolidate these groups into the Microsoft Exchange Security Groups container right off of root?

    Is the problem here that we have an attempt by Setup to create a group that does not exist in one container, but it cannot because a same-named group already exists in the other container?


    Thanks!

    Wednesday, August 3, 2016 8:07 PM
  • Yes that should be tried, Consolidate those SGs to a single group(Microsoft Exchange Security Groups) under the root.

    Regards,

    Fazal

    • Marked as answer by FatalXcept10n Friday, August 12, 2016 4:15 AM
    Wednesday, August 3, 2016 8:42 PM
  • Hi,

    Agree with Fazal, please removed the group form AD and again ran setup, you could use ADSIEdit to drill down and check all the permissions and settings of the group.

    Please take the following thread and article for your reference:

    https://social.technet.microsoft.com/Forums/office/en-US/18c41b9b-12ea-48ae-8d23-5ac930e2b825/upgrade-exchange-2013-cu5-to-exchange-2013-cu9?forum=exchangesvrdeploy

    https://blogs.technet.microsoft.com/richardroddy/2010/07/12/exchange-2010-and-the-exchange-trusted-subsystem/

    Hope it helps.

    Best regards,


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Jason Chao
    TechNet Community Support

    • Proposed as answer by Jason.Chao Friday, August 12, 2016 1:39 AM
    Thursday, August 4, 2016 5:00 AM
  • Hi,

    Would you please provide us with an update on the status of your issue? If the solution helped, if so, please help to mark as answer, it'll be helpful and easily to search for others, thanks for your time.

    Best regards,

    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Jason Chao
    TechNet Community Support

    Friday, August 12, 2016 1:39 AM
  • Apologies for the delay- I have been working on this since the post and just now have a moment to catch up answering those who helped me. The problem was as Fazal mentioned the existence of the sub-OU. We were using a production environment with a working Exchange 2010 deployment. Not knowing if the groups were needed, just deleting the container and its children could have been catastrophic so I moved the groups in the OU under the MTHV OU out to the Exchange Security Groups OU that was directly off the root of the domain. Then I pushed a full replication and used repadmin to monitor the replication. Once that was complete, I removed accidental deletion protection from the now-empty OU under MTHV and deleted it. We did not encounter any more issues during the install. So for anyone else who runs into this, I recommend leaving all previously created objects intact- just make sure to verify they are in the right place.

    Thanks!

    Friday, August 12, 2016 4:28 AM