INSUFF_ACCESS_RIGHTS in forest

I have a test network with two domains (main.domain, new.domain) in one forest.

main.domain contains Exchange 2013 SP1 CU8.

I can successfully create any objects in new.domain as Main\administrator.

When I try to create a mailbox, or add a mailbox to an existing user in new.domain, I get an error:

I added "MAIN\Exchange Trusted Subsystem" into new.domain with full permissions, and I still receive the error, but the account is created without a password and disabled:

I compared permissions on MAIN.domain and NEW.domain, and MAIN contains more permissions for Exchange.

How can I automatically create the same/necessary permissions in NEW.domain?

I ran "setup /PrepareAD / PrepareSchema" in NEW.domain; it doesn't help.

Thank you!



  • Edited by Anahaym Tuesday, May 05, 2015 12:00 PM
May 5th, 2015 10:56am

Hi Anahaym,

Which account are you using to create/add a mailbox to an existing user in new.domain?

Main/administrator or New/administrator?

If using Main/administrator, you can try to add Main/administrator into new.domain with full access permission, and then check the result.

If using New/administrator, you should add new/administrator into the Recipient Management group, which is in the Microsoft Exchange Security Groups OU.

Best regards,

May 6th, 2015 3:48am

If using Main/administrator, you can try to add Main/administrator into new.domain with full access permission, and then check the result.

main\admin has full permissions by default, because he is an Enterprise Admin.

I created a new administrator main\exadmin as a copy of main\admin without the Enterprise Admins group (because it has some limits on Exchange) and gave him full permissions on a specific OU; it doesn't work.

If using New/administrator, you should add new/administrator into the Recipient Management group, which is in the Microsoft Exchange Security Groups OU.

Best regards,

Added new\administrator (he is not in the "Main\Enterprise Admin" group) into "Recipient Management"; it didn't help.


  • Edited by Anahaym 13 hours 39 minutes ago
May 6th, 2015 1:49pm

In which domain is the schema master FSMO role held? Assuming it's MAIN.domain, did you run "setup /Prepare/Domain"? If the schema master is in the NEW.domain, did you run "setup /Prepare/Domain" in MAIN.domain? Did you opt to use split AD permissions?
May 6th, 2015 4:27pm

C:\Users\mainadmin\Desktop\EX>Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

Welcome to Microsoft Exchange Server 2013 Cumulative Update 8 Unattended Setup Copying Files...
File copy complete. Setup will now collect additional information needed for installation.
Performing Microsoft Exchange Server Prerequisite Check
    Prerequisite Analysis                                                                             COMPLETED
Configuring Microsoft Exchange Server
    Extending Active Directory schema                                                                 FAILED
     The following error was generated when "$error.Clear();
        install-ExchangeSchema -LdapFileName ($roleInstallPath + "Setup\Data\"+$RoleSchemaPrefix + "schema0.ldf")
" was run: "Microsoft.Exchange.Configuration.Tasks.TaskException: There was an error while running 'ldifde.exe' to impor
t the schema file 'C:\Windows\Temp\ExchangeSetup\Setup\Data\PostExchange2003_schema0.ldf'. The error code is: 8224. More
 details can be found in the error file: 'C:\Users\mainadmin\AppData\Local\Temp\ldif.err'
   at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
   at Microsoft.Exchange.Management.Deployment.InstallExchangeSchema.ImportSchemaFile(String schemaMasterServer, String
schemaFilePath, String macroName, String macroValue, WriteVerboseDelegate writeVerbose)
   at Microsoft.Exchange.Management.Deployment.InstallExchangeSchema.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
The Exchange Server setup operation didn't complete. More details can be found in ExchangeSetup.log located in the <SystemDrive>:\ExchangeSetupLogs folder.

In ExchangeSetup.log:

Entry DN: CN=ms-Exch-ELC-Expiry-Action,CN=Schema,CN=Configuration,DC=main,DC=domain,DC=org
Add error on entry starting on line 1: Operations Error
The server side error is: 0x21a2 The FSMO role ownership could not be verified because its directory partition has not replicated successfully with at least one replication partner.
The extended server error is:
000021A2: SvcErr: DSID-030A0B6B, problem 5012 (DIR_ERROR), data 8610

An error has occurred in the program

Solved by:

C:\Windows\system32>repadmin /syncall dc02
CALLBACK MESSAGE: The following replication is in progress:
    From: 6b2472ac-0549-4ad0-9c41-8ad420b503b8._msdcs.main.domain.org
    To  : 9e7568d5-d398-446e-b55b-5f63b7a0a220._msdcs.main.domain.org
CALLBACK MESSAGE: The following replication completed successfully:
    From: 6b2472ac-0549-4ad0-9c41-8ad420b503b8._msdcs.main.domain.org
    To  : 9e7568d5-d398-446e-b55b-5f63b7a0a220._msdcs.main.domain.org
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

C:\Windows\system32>repadmin /syncall dc03.new.domain.org
CALLBACK MESSAGE: The following replication is in progress:
    From: 9e7568d5-d398-446e-b55b-5f63b7a0a220._msdcs.main.domain.org
    To  : 6b2472ac-0549-4ad0-9c41-8ad420b503b8._msdcs.main.domain.org
CALLBACK MESSAGE: The following replication completed successfully:
    From: 9e7568d5-d398-446e-b55b-5f63b7a0a220._msdcs.main.domain.org
    To  : 6b2472ac-0549-4ad0-9c41-8ad420b503b8._msdcs.main.domain.org
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

C:\Windows\system32>repadmin /syncall dc02.main.domain.org
CALLBACK MESSAGE: The following replication is in progress:
    From: 6b2472ac-0549-4ad0-9c41-8ad420b503b8._msdcs.main.domain.org
    To  : 9e7568d5-d398-446e-b55b-5f63b7a0a220._msdcs.main.domain.org
CALLBACK MESSAGE: Error issuing replication: 8453 (0x2105):
    Replication access was denied.
    From: 6b2472ac-0549-4ad0-9c41-8ad420b503b8._msdcs.main.domain.org
    To  : 9e7568d5-d398-446e-b55b-5f63b7a0a220._msdcs.main.domain.org
CALLBACK MESSAGE: SyncAll Finished.

SyncAll reported the following errors:
Error issuing replication: 8453 (0x2105):
    Replication access was denied.
    From: 6b2472ac-0549-4ad0-9c41-8ad420b503b8._msdcs.main.domain.org
    To  : 9e7568d5-d398-446e-b55b-5f63b7a0a220._msdcs.main.domain.org

setup /PrepareDomain in new.domain.org on the DC03 domain controller:

C:\Users\newadmin\Desktop\EX>setup /PrepareDomain /IAcceptExchangeServerLicenseTerms
Welcome to Microsoft Exchange Server 2013 Cumulative Update 8 Unattended Setup
Copying Files...
File copy complete. Setup will now collect additional information needed for installation.
Performing Microsoft Exchange Server Prerequisite Check
    Prerequisite Analysis                                                                             FAILED
     The local domain needs to be updated. You must be a member of the 'Domain Admins' group and 'Organization Management' role group, or 'Enterprise Admins' group to continue.
     For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.LocalDomainPrep.aspx
The Exchange Server setup operation didn't complete. More details can be found in ExchangeSetup.log located in the
<SystemDrive>:\ExchangeSetupLogs folder.

In ExchangeSetup.log:

[05.08.2015 11:15:54.0765] [1] Failed [Rule:LocalDomainPrep] [Message:The local domain needs to be updated. You must be a member of the 'Domain Admins' group and 'Organization Management' role group, or 'Enterprise Admins' group to continue.]
[05.08.2015 11:15:54.0765] [1] [REQUIRED] The local domain needs to be updated. You must be a member of the 'Domain Admins' group and 'Organization Management' role group, or 'Enterprise Admins' group to continue.
[05.08.2015 11:15:54.0765] [1] Help URL: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.LocalDomainPrep.aspx
[05.08.2015 11:15:54.0796] [1] Ending processing test-SetupPrerequisites
[05.08.2015 11:15:54.0796] [0] CurrentResult console.ProcessRunInternal:136: 1
[05.08.2015 11:15:54.0811] [0] Exchange Server installation failed during prereq check. Trying to restore the server state back to active.
[05.08.2015 11:15:54.0811] [0] RestoreServer Script Path: C:\Windows\Temp\ExchangeSetup\RestoreServerOnPrereqFailure.ps1
[05.08.2015 11:15:55.0022] [0] Beginning processing Write-ExchangeSetupLog
[05.08.2015 11:15:55.0022] [0] Trying to restore server state.
[05.08.2015 11:15:55.0022] [0] Ending processing Write-ExchangeSetupLog
[05.08.2015 11:15:55.0100] [0] Active Directory session settings for 'Get-ExchangeServer' are: View Entire Forest: 'True', Configuration Domain Controller: 'DC03.new.domain.org', Preferred Global Catalog: 'DC03.new.domain.org', Preferred Domain Controllers: '{ DC03.new.domain.org }'
[05.08.2015 11:15:55.0100] [0] User specified parameters:  -ErrorAction:'SilentlyContinue' -Identity:'DC03'
[05.08.2015 11:15:55.0100] [0] Beginning processing get-ExchangeServer
[05.08.2015 11:15:55.0114] [0] Searching objects "DC03" of type "Server" under the root "$null".
[05.08.2015 11:15:55.0283] [0] Previous operation run on domain controller 'DC03.new.domain.org'.
[05.08.2015 11:15:55.0283] [0] Previous operation run on domain controller 'DC03.new.domain.org'.
[05.08.2015 11:15:55.0283] [0] Preparing to output objects. The maximum size of the result set is "Unlimited".
[05.08.2015 11:15:55.0299] [0] The operation couldn't be performed because object 'DC03' couldn't be found on 'DC03.new.domain.org'.
[05.08.2015 11:15:55.0330] [0] The operation couldn't be performed because object 'DC03' couldn't be found on 'DC03.new.domain.org'.
[05.08.2015 11:15:55.0330] [0] Ending processing get-ExchangeServer
[05.08.2015 11:15:55.0346] [0] Beginning processing Write-ExchangeSetupLog
[05.08.2015 11:15:55.0362] [0] [WARNING] DC03 is not an Exchange Server. Unable to set monitoring and server state to active.
[05.08.2015 11:15:55.0377] [0] Ending processing Write-ExchangeSetupLog
[05.08.2015 11:15:55.0377] [0] CurrentResult launcherbase.maincore:90: 1
[05.08.2015 11:15:55.0377] [0] CurrentResult console.startmain:52: 1
[05.08.2015 11:15:55.0377] [0] CurrentResult SetupLauncherHelper.loadassembly:452: 1
[05.08.2015 11:15:55.0394] [0] The Exchange Server setup operation didn't complete.  More details can be found in ExchangeSetup.log located in the <SystemDrive>:\ExchangeSetupLogs folder.
[05.08.2015 11:15:55.0394] [0] CurrentResult main.run:235: 1
[05.08.2015 11:15:55.0394] [0] The registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\V15\Setup, wasn't found.
[05.08.2015 11:15:55.0394] [0] CurrentResult setupbase.maincore:396: 1
[05.08.2015 11:15:55.0394] [0] End of Setup
[05.08.2015 11:15:55.0394] [0] **********************************************

Fixed by adding new\admin into "main\Enterprise Admins" and "Organization Management".

NOW ALL WORKS !!!

Only one question:

After refreshing the page there is no warning. Is it ok?


  • Edited by Anahaym 19 hours 23 minutes ago
May 8th, 2015 7:56am
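A pre-flight check for the two blockers this post ran into (the schema-master/replication state behind error 0x21a2 and 8453, and the group membership that setup's LocalDomainPrep rule demands before /PrepareDomain), written as an added example that is not code from the thread or from Exchange setup. It assumes the RSAT ActiveDirectory module and repadmin.exe are present, and uses the thread's domain names as placeholders.

```powershell
# Added example, not code from the thread: pre-flight checks before running
# "setup /PrepareDomain" in a second domain of an Exchange 2013 forest.
# Assumes the RSAT ActiveDirectory module and repadmin.exe; domain names are placeholders.
Import-Module ActiveDirectory

function Test-PrepareDomainPrereqs {
    param(
        [string]$RootDomain  = 'main.domain.org',  # forest root, already prepared with /PrepareAD
        [string]$ChildDomain = 'new.domain.org'    # domain where /PrepareDomain fails
    )
    $forest = Get-ADForest
    $root   = Get-ADDomain -Identity $RootDomain
    $child  = Get-ADDomain -Identity $ChildDomain
    $result = [ordered]@{}

    # 1. Schema master location. Error 0x21a2 during /PrepareSchema means the
    #    partition holding this role had not replicated with any partner yet.
    $result.SchemaMaster = $forest.SchemaMaster

    # 2. Membership required by setup's LocalDomainPrep rule:
    #    (Domain Admins of the target domain AND Organization Management) OR Enterprise Admins.
    #    Read group SIDs from the logon token so nested membership counts, and so a
    #    stale token (group added, but no fresh logon yet) shows up as a failure.
    $tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        ForEach-Object { $_.Value }
    $domainAdminsSid = (Get-ADGroup -Identity "$($child.DomainSID)-512" -Server $ChildDomain).SID.Value
    $entAdminsSid    = (Get-ADGroup -Identity "$($root.DomainSID)-519"  -Server $RootDomain).SID.Value
    $orgMgmtSid      = (Get-ADGroup -Filter "Name -eq 'Organization Management'" -Server $RootDomain).SID.Value

    $result.IsDomainAdmin        = $tokenSids -contains $domainAdminsSid
    $result.IsOrgManagement      = $tokenSids -contains $orgMgmtSid
    $result.IsEnterpriseAdmin    = $tokenSids -contains $entAdminsSid
    $result.MeetsLocalDomainPrep = ($result.IsDomainAdmin -and $result.IsOrgManagement) -or
                                   $result.IsEnterpriseAdmin

    # 3. Replication failures on every DC, parsed from repadmin's CSV output.
    #    The 8453 "Replication access was denied" seen in the thread would be listed here.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    $result.ReplicationFailures = @(
        $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
            Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Failure Status'
    )

    [pscustomobject]$result
}

$check = Test-PrepareDomainPrereqs
$check | Format-List
if (-not $check.MeetsLocalDomainPrep -or $check.ReplicationFailures.Count -gt 0) {
    Write-Warning 'Do not run setup /PrepareDomain yet: resolve the items listed above first.'
}
```

Run it in the account that will execute setup; after adding that account to a group, log on again so the new membership is in the token the check reads.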

I'm sorry, I can't make out the picture so I'm not sure what you're asking about.
May 11th, 2015 12:58pm

Just copy the link of the picture and paste it into a new tab of your browser. Then it will be much better.
May 12th, 2015 4:16am

Has the status of this account changed since you posted the picture, or does it still show that "<GUID> isn't a mailbox user?"
May 12th, 2015 4:22pm
