2010 Can't create mailbox on multiple domains - Access Denied
Hello, I am having a problem creating new mailboxes for users in another domain in the forest. The forest has a root domain where Exchange 2010 is installed. There is another root domain below that with user accounts. There is a two-way trust between the domains. I have set up accepted domains in the Hub Transport through Edge subscription, and that looks fine. But when I try to create a mailbox for a user in the other root domain I get Access Denied. Now, I believe this has to do with Exchange Permissions not existing on the other root domain. My question is, how can I get them there? Is there something through EMC or Shell that I can do to add Exchange permissions to this other domain? Thanks!
December 3rd, 2010 8:54pm

Did you run setup /PrepareDomain on the domain that has the user accounts?
December 3rd, 2010 9:00pm

No I haven't. I thought that was not necessary if Exchange was installed at the forest root. There will not be any Exchange servers that actually reside in this domain. Is this something I can run now in that domain without a problem? And where do I run it? On a DC in that domain?
December 3rd, 2010 10:28pm

No I haven't. I thought that was not necessary if Exchange was installed at the forest root. There will not be any Exchange servers that actually reside in this domain. Is this something I can run now in that domain without a problem?
December 3rd, 2010 10:29pm

You can run it from the root domain, just be sure to specify the FQDN of the child domain, or run setup /pad to prep all the domains at once. More info: http://technet.microsoft.com/en-us/library/bb125224.aspx
Run setup /PrepareDomain:<FQDN of domain you want to prepare> to prepare a specific domain.
Run setup /PrepareAllDomains or setup /pad to prepare all domains in your organization.
To run setup /PrepareAllDomains, you must be a member of the Enterprise Admins group.
To run setup /PrepareDomain, if the domain that you're preparing existed before you ran setup /PrepareAD, you must be a member of the Domain Admins group in the domain. If the domain that you're preparing was created after you ran setup /PrepareAD, you must be a member of the Exchange Organization Administrators group, and you must be a member of the Domain Admins group in the domain.
For domains that are in an Active Directory site other than the root domain, /PrepareDomain might fail with the following messages:
"PrepareDomain for domain <YourDomain> has partially completed. Because of the Active Directory site configuration, you must wait at least 15 minutes for replication to occur, and run PrepareDomain for <YourDomain> again."
"Active Directory operation failed on <YourServer>. This error is not retriable. Additional information: The specified group type is invalid. Active Directory response: 00002141: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0 The server cannot handle directory requests."
If you see these messages, wait for or force Active Directory replication between this domain and the root domain, and then run /PrepareDomain again.
You must run this command in every domain in which you will install Exchange 2010. You must also run this command in every domain that will contain mail-enabled users, even if the domain doesn't have Exchange 2010 installed.
December 4th, 2010 8:51am

Just out of curiosity, would creating a linked Mailbox be appropriate in this scenario instead of running setup /PrepareDomain? We have a single forest, but multiple root domains that have a two-way trust to the forest root. I realize that Linked Mailboxes are commonly used across forests, but maybe this is the best way to manage mailboxes of multiple root domains? Thoughts?
December 4th, 2010 12:15pm

No, a linked mailbox would not be appropriate here.
December 4th, 2010 1:20pm

Just wanted to respond and say that running D:\setup /PrepareDomain from the command line on the DC on the domain in question did the trick. I was immediately able to create a mailbox for a user in that domain. The Exchange AD security groups needed for Exchange to work properly do not get created on separate root domains unless you run this command. This line from the TechNet article is the key: "You must also run this command in every domain that will contain mail-enabled users, even if the domain doesn't have Exchange 2010 installed."
December 4th, 2010 9:55pm

Glad you got it working.
December 5th, 2010 10:47am
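
A read-only way to see which domains in the forest have already been prepared, added here as an example and not posted by anyone in the thread. It assumes the ActiveDirectory PowerShell module is available, and it looks for the "Microsoft Exchange System Objects" container and the "Exchange Install Domain Servers" group that Microsoft documents /PrepareDomain as creating; those two names and the function name Test-ExchangeDomainPrep are not from the thread.

```powershell
# Added example: reports per domain whether the objects created by
# setup /PrepareDomain exist. Performs LDAP reads only, changes nothing.
Import-Module ActiveDirectory

function Test-ExchangeDomainPrep {
    param([Parameter(Mandatory=$true)][string]$DomainFqdn)

    $domain = Get-ADDomain -Server $DomainFqdn

    # Container that /PrepareDomain creates directly under the domain root
    # (name taken from Microsoft's documentation, not from the thread).
    $container = Get-ADObject -Server $DomainFqdn `
        -SearchBase $domain.DistinguishedName -SearchScope OneLevel `
        -Filter "name -eq 'Microsoft Exchange System Objects'"

    # Domain global group that /PrepareDomain creates inside that container.
    $group = $null
    if ($container) {
        $group = Get-ADGroup -Server $DomainFqdn `
            -SearchBase $container.DistinguishedName `
            -Filter "name -eq 'Exchange Install Domain Servers'"
    }

    New-Object PSObject -Property @{
        Domain          = $DomainFqdn
        SystemObjectsCN = [bool]$container
        InstallGroup    = [bool]$group
        Prepared        = [bool]($container -and $group)
    }
}

# Check every domain in the forest, including separate domain trees.
(Get-ADForest).Domains |
    ForEach-Object { Test-ExchangeDomainPrep -DomainFqdn $_ } |
    Format-Table Domain, SystemObjectsCN, InstallGroup, Prepared -AutoSize
```

A domain that holds mail-enabled users and shows Prepared as False is one where mailbox creation can be expected to fail as described in the first post.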
