Error when trying to remove last legacy Exchange server

  • Question

  • I've installed Exchange 2007 and am following the steps in the MS TechNet article on removing the last legacy Exchange server.  I'm on the last step, trying to run the command:

    Remove-ADPermission "dc=<Domain>" -user "<RootDomain>\Exchange Servers" -AccessRights WriteDACL -InheritedObjectType Group

    But I get the following error:

    "Remove-ADPermission : "dc=<my domain name>" was not found. Please make sure you
     have typed it correctly.
    At line:1 char:20
    + Remove-ADPermission  <<<< -user "my domain name\Exchange Servers" -AccessRigh
    ts WriteDACL -InheritedObjectType Group"

    Does this mean that the command has already been run previously?

    Thanks.

    Saturday, April 25, 2009 12:18 AM

Answers

  • Hi,

     

    If we have Exchange 2007 SP1, there is no need to run the cmdlet below:


    Remove-ADPermission "dc=<Domain>" -user "<RootDomain>\Exchange Servers"
    -AccessRights WriteDACL -InheritedObjectType Group


    Because the Write DACL inherit (group) right for the Exchange Servers group has not
    been added to the root of the domain when doing the /domainprep.

     

    Let me explain more. Before Exchange 2007 SP1, running PrepareDomain currently grants all Exchange servers the "Modify Permissions" right at the root of the domain.


    It is changed in Exchange 2007 SP1. If we have prepared Active Directory for Exchange 2007 with Exchange 2007 Service Pack 1 install media, the Write DACL inherit (group) right for the Exchange Servers group has not been added to the root of the domain. In this situation, we do not need to perform this command.

     

    Besides, we can check permission on XYZ from ADSIedit.msc

     
    1. Click Start -> Run -> type “adsiedit.msc”

    2. Expand Domain partition, find DC=XYZ,DC=com
    3. Right-click it, -> Properties -> Security tab -> Advanced.

    4. Remove the object “xyz\Exchange Servers” with the related permission.

     

    Regards,

    Xiu

     

    • Proposed as answer by Amit Tank Tuesday, April 28, 2009 5:33 AM
    • Marked as answer by Xiu Zhang Tuesday, May 5, 2009 7:00 AM
    Tuesday, April 28, 2009 5:28 AM
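
A read-only, scripted form of the ADSIedit check described in the answer above, as an added example that is not part of any post in this thread. It filters a set of access rules for the ACE that `Remove-ADPermission ... -AccessRights WriteDACL -InheritedObjectType Group` targets; the function name `Select-WriteDaclOnGroupAce` is hypothetical and the sample ACEs are constructed for illustration.

```powershell
# Added example: read-only audit, nothing here modifies the directory.
Add-Type -AssemblyName System.DirectoryServices

# schemaIDGUID of the AD "group" class, i.e. what -InheritedObjectType Group means.
$GroupClassGuid = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'

function Select-WriteDaclOnGroupAce {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)] $Rules,
        [string[]] $GroupNames = @('Exchange Servers', 'Exchange Enterprise Servers')
    )
    $writeDacl = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
    foreach ($rule in $Rules) {
        # Compare on the account name only, so "xyz\..." and "xyz.com\..." both match.
        $account = ($rule.IdentityReference.Value -split '\\')[-1]
        if ($rule.AccessControlType -eq 'Allow' -and
            (([int]$rule.ActiveDirectoryRights) -band $writeDacl) -ne 0 -and
            $rule.InheritedObjectType -eq $GroupClassGuid -and
            $GroupNames -contains $account) {
            $rule
        }
    }
}

# Constructed sample ACEs (not taken from a real domain).
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$ees   = New-Object System.Security.Principal.NTAccount 'XYZ\Exchange Enterprise Servers'
$es    = New-Object System.Security.Principal.NTAccount 'XYZ\Exchange Servers'
$sample = @(
    # Legacy-style ACE: WriteDacl inherited onto group objects.
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $ees, 'WriteDacl', $allow, $desc, $GroupClassGuid),
    # Unrelated ACE for "Exchange Servers": read only, so it must not match.
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $es, 'GenericRead', $allow, $desc)
)

Select-WriteDaclOnGroupAce -Rules $sample |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritedObjectType

# Live use (assumption: run in the domain with rights to read the root ACL;
# DC=xyz,DC=com is the placeholder domain used in this thread):
# $root  = [ADSI]'LDAP://DC=xyz,DC=com'
# $rules = $root.psbase.ObjectSecurity.GetAccessRules(
#              $true, $true, [System.Security.Principal.NTAccount])
# Select-WriteDaclOnGroupAce -Rules $rules
```

An empty result for a group corresponds to the "Cannot remove ACE ... because it is not present" error quoted in the replies below: there is no matching ACE for `Remove-ADPermission` to remove.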

All replies

  • Lucciano,

    I never ran the above cmdlet for removing my first Exchange 2003 from the Exchange organization after successful installation of the Exchange 2007 server.

    The best thing to follow is

    How to Remove the Last Legacy Exchange Server from an Organization
    http://technet.microsoft.com/hi-in/library/bb288905(en-us).aspx
    Arun Kumar | MCSE - 2K3 + Messaging | ITIL-F V3
    Saturday, April 25, 2009 3:59 AM
  • hi,

    delete the routing groups on ESM

    we don't need Recipient Update Service (RUS) anymore on Exchange Server 2007, so go to the ESM Recipient Update Service, then go to Properties and change the Exchange server: browse and find your new Exchange server.

    and do the public folder settings for the new Exchange server.

    and then go to Add/Remove Programs, select Exchange Server and follow the wizard.

    please look at ;

    http://www.cozumpark.com/blogs/exchangeserver/archive/2008/03/19/exchange-server-2007-ye-ge-i-lemleri-b-l-m-3.aspx

    it is not in english but you can understand from the pictures which actions I did while uninstalling my exchange server 2003.

    regards,
    Exchange - MVP | www.cozumpark.com | www.mumincicek.com
    Saturday, April 25, 2009 6:55 AM
  • Did you try giving full DN of domain partition like "DC=<DomainName>,DC=<Com>"?

    Remove-ADPermission "dc=<DomainName>,dc=<com>" -user "<RootDomain>\Exchange Servers" -AccessRights WriteDACL -InheritedObjectType Group
    Amit Tank | MVP - Exchange | MCITP:EMA MCSA:M | http://ExchangeShare.WordPress.com
    Saturday, April 25, 2009 10:07 AM
  • Yes, after specifying dc=com I got a little farther. Here is the command that I ran:

    Remove-adpermission "dc=xyz,dc=com" -user "xyz.com\Exchange
    Servers" -AccessRights WriteDACL -InheritedObjectType Group


    But then I got the following error:

    Remove-ADPermission : Cannot remove ACE on object "DC=xyz,DC=com" fo
    r account "xyz\Exchange Servers" because it is not present.
    At line:1 char:20
    + Remove-ADPermission <<<< "dc=xyz,dc=com" -user "xyz.co
    m\Exchange Servers" -AccessRights WriteDACL -InheritedObjectType Group


    After this error, it was then suggested that I run this command instead:

    Remove-ADPermission "dc=xyz,dc=com" -user "xyz.com\Exchange Enterprise Servers" -AccessRights WriteDACL -InheritedObjectType Group

    The only difference I can see here is that instead of ... -user "xyz.com\Exchange Servers"...,  it is now changed to ...-user "xyz.com\Exchange Enterprise Servers"


    I have not tried this yet.  I'm probably missing something, but I can't seem to find a group called "Exchange Enterprise Servers".  I do have one called "Exchange Servers".

    Would this work?

    • Proposed as answer by Dale DU-IT Wednesday, October 19, 2011 6:08 PM
    Saturday, April 25, 2009 8:25 PM
  • ah yes, and I have gone through this article, http://technet.microsoft.com/hi-in/library/bb288905(en-us).aspx
    That's where I got this command.  This command is the last step in the article.

    What is the point of this command anyway?

    Saturday, April 25, 2009 8:27 PM
  • If we have Exchange 2007 SP1, there is no need to run the cmdlet below:


    Remove-ADPermission "dc=<Domain>" -user "<RootDomain>\Exchange Servers"
    -AccessRights WriteDACL -InheritedObjectType Group

    [snipped]

    I'm having the same problem as Luciano: the result keeps on saying that "xyz\Exchange Enterprise Servers" (or "xyz\Exchange Servers") is not present.

    I'm doing a migration/transition from Exchange 2000 to Exchange 2007 SP1. Does that mean I actually don't need to run this cmdlet?
    Thursday, May 7, 2009 6:22 PM
  • Hi,

    I have reported this issue to PG to verify if we need to run this command. When I get feedback, I will update here. :)

    So far, I found a similar case which said that we can ignore this step. Besides, we can also use ADSIedit to verify if we have WriteDACL rights on "Exchange Server" or "Exchange Enterprise Server".

    Regards,
    Xiu
    Friday, May 8, 2009 8:54 AM
  • Hi Xiu,

    It looks like your reply is the correct answer; however, our environment has never had Exchange installed, and this is the first time that an Exchange Server is installed. So the domain was prepared with the Exchange Server 2007 SP1 media. When I went to adsiedit->domain->.....advanced I found the domain\Exchange Server entry several times.

    Do I have to delete all those entries?

    This is a fairly big environment with 20.000 users migrated from Lotus Notes. That's why I'm worried about your steps.

    Thanks
    Capecol MCSA - MCTS Exchange Server 2007
    Thursday, July 16, 2009 11:22 PM
  • Hi,

    I'd like to know if you have installed Exchange Server in your network.

    Please do not modify the AD information via ADSIedit if no issue occurs.

    After you have installed Exchange Server, please try to run ExBPA to have a health scan.

    Regards,
    Xiu
    Friday, July 17, 2009 2:16 AM
  • Xiu,

    Exchange is already installed on the network. After I run ExBPA this warning appears; that's the reason that I'm looking into this behavior.

    Thanks
    Capecol MCSA - MCTS Exchange Server 2007
    Friday, July 17, 2009 2:20 AM
  • Hi,

    Since there's no legacy Exchange Server in your network, your issue could be separate from the original one.

    Please try to start a new thread; we can focus on your issue there.

    BTW, please post the detailed warning there.

    Thanks

    Regards,
    Xiu
    Friday, July 17, 2009 2:26 AM
  • Does this mean that we don't need to worry about this if Exchange 2010 is running as well?

     

    Tuesday, March 30, 2010 11:20 AM
  • Assuming your domain is apollo.miami.com, which it's not,

    try this:

    remove-ADPermission "dc=apollo,dc=miami,dc=com" -user "apollo.miami.com\exchange enterprise servers" -AccessRights WriteDacl -InheritedObjectType Group

    Obviously all you would have to do is change this made-up domain for yours.

    Worked for me; the commas between the DCs were the things that stitched me up.

    good luck

     

    Thursday, May 20, 2010 11:00 AM
  • I had tried all possible and imaginable combinations, including yours, when I did my migration.  But apparently the "problem" is that I was migrating to EX2007 SP1, and this command wasn't necessary.

    So, that's actually not a problem in the command, but a problem in Microsoft's article.

    Monday, June 14, 2010 9:07 AM
  • Sorry to resurrect this, but is it "Exchange Enterprise Servers" or "Exchange Servers" or both?  The "Exchange Servers" group is in the "Microsoft Exchange Security Groups" OU.  Both of these have the Write DACL right.  I also have "Exchange Domain Servers" and "Exchange Services" global security groups.  Can they typically be deleted?

    Thanks.

    Friday, August 13, 2010 6:05 PM
  • Thank you for spelling out the syntax translation of what might be obvious to others but wasn't to me ...and perhaps others in this thread. 

    dc=<domain> should be replaced with dc=xyz,dc=local ...etc as fits your domain name

    <rootdomain> should likewise be replaced with xyz.local ...etc as fits your actual domain name

    The command for Exchange Enterprise Servers completed successfully.  Yes, the ExBPA report was what called this out as an issue for the Exchange 2010 w/SP1 server I'm administering.


    Dale Unroe
    Wednesday, October 19, 2011 6:12 PM