INSUFF_ACCESS_RIGHTS in forest

I have a test network with two domains (main.domain, new.domain) in one forest.

main.domain contains Exchange 2013 SP1 CU8.

I can successfully create any objects in new.domain as Main\administrator.

When I try to create or add a mailbox to an existing user in new.domain, I get an error:

I added "MAIN\Exchange Trusted Subsystem" into new.domain with Full permissions, and I still receive the error, but the account is created without a password and disabled:

I compared permissions on MAIN.domain and NEW.domain, and MAIN contains more permissions for Exchange.

How can I automatically create the same/necessary permissions in NEW.domain?

I ran "setup /PrepareAD /PrepareSchema" in NEW.domain - doesn't help.

Thank you!



  • Edited by Anahaym Tuesday, May 05, 2015 12:00 PM
May 5th, 2015 10:56am

If using Main/administrator, you can try to add Main/administrator into new.domain with full access permission, and then check the result.

main\admin has full permissions by default, because he is an Enterprise Admin.

I created a new administrator main\exadmin as a copy of main\admin without the Enterprise Admins group (because it has some limits on Exchange), and gave him full permissions on a specific OU - doesn't work.

If using New/administrator, you should add new/administrator into the Recipient Management group, which is in the Microsoft Exchange Security Groups OU.

Best regards,

Added new\administrator (he is not in the "Main\Enterprise Admins" group) into "Recipient Management" - didn't help.


  • Edited by Anahaym Wednesday, May 06, 2015 5:48 PM
May 6th, 2015 5:48pm

In which domain is the schema master FSMO role held?

for MAIN.domain

C:\>netdom query fsmo
Schema master               DC02.main.domain.org
Domain naming master        DC02.main.domain.org
PDC                         DC02.main.domain.org
RID pool manager            DC02.main.domain.org
Infrastructure master       DC02.main.domain.org
The command completed successfully.

for NEW.domain

C:\>netdom query fsmo
Schema master               DC02.main.domain.org
Domain naming master        DC02.main.domain.org
PDC                         DC03.new.domain.org
RID pool manager            DC03.new.domain.org
Infrastructure master       DC03.new.domain.org
The command completed successfully.

Assuming it's MAIN.domain, did you run "setup /PrepareDomain"?

Yes, I did:

I ran "setup /PrepareAD /PrepareSchema" in NEW.domain - doesn't help.

Or which "setup" did you mean?

Did you opt to use split AD permissions?

No, I didn't.
May 7th, 2015 3:50am

Since the schema master is main.domain.org, that's where you would/should have run the "/PrepareAD" and "/PrepareSchema" switches. In new.domain.org, you need to run the "/PrepareDomain" switch with setup. I think you're mixing up your domains. Running the "/PrepareAD" switch in main.domain.org takes care of the "/PrepareDomain" piece for that domain; there's no need to run both.

I just also found this which might be similar to your issue:

https://social.technet.microsoft.com/Forums/exchange/en-US/a404dfe5-af69-4bba-9562-487e9b13f11f/unable-to-create-a-usermailbox-using-eac?forum=exchangesvradmin

May 7th, 2015 2:18pm
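As an added example (not code posted in this thread), the following PowerShell reads the markers that Exchange setup writes during preparation, so the state of each domain can be compared instead of guessing which switch was run where. It assumes the ActiveDirectory module and a reachable DC in each domain; the domain names are taken from the netdom output above.

```powershell
# Added example, not from the thread: report the Exchange AD preparation
# markers for each domain in the forest, so it is visible which domain still
# needs "setup /PrepareDomain". Assumes the ActiveDirectory module and a
# reachable DC in each domain; domain names come from the netdom output above.
Import-Module ActiveDirectory

$domains = @('main.domain.org', 'new.domain.org')

# Forest-wide marker written by /PrepareSchema: one value for the whole forest,
# so it is read once from the forest root.
$rootDse   = Get-ADRootDSE -Server $domains[0]
$schemaObj = Get-ADObject -Server $domains[0] `
    -Identity "CN=ms-Exch-Schema-Version-Pt,$($rootDse.schemaNamingContext)" `
    -Properties rangeUpper
"Forest schema version (ms-Exch-Schema-Version-Pt rangeUpper): $($schemaObj.rangeUpper)"

foreach ($d in $domains) {
    $dn = (Get-ADDomain -Server $d).DistinguishedName

    # Per-domain marker: /PrepareDomain creates this container and stamps
    # objectVersion on it. A missing container means the domain was never
    # prepared; in a healthy forest both domains report the same objectVersion.
    $meso = Get-ADObject -Server $d -SearchBase $dn -SearchScope OneLevel `
        -Filter "name -eq 'Microsoft Exchange System Objects'" `
        -Properties objectVersion
    $mesoVer = $null
    if ($meso) { $mesoVer = $meso.objectVersion }

    # /PrepareDomain also creates this group in the domain's Users container
    # and applies the scoped ACEs Exchange expects; granting "Exchange Trusted
    # Subsystem" blanket Full permissions by hand does not replace that step.
    $installGrp = Get-ADGroup -Server $d -Filter "name -eq 'Exchange Install Domain Servers'"

    [pscustomobject]@{
        Domain               = $d
        MesoContainer        = [bool]$meso
        MesoObjectVersion    = $mesoVer
        InstallDomainServers = [bool]$installGrp
        NeedsPrepareDomain   = -not ($meso -and $installGrp)
    }
}
```

Run it from a machine that is a member of the forest with an account that can read both domain partitions; a row with NeedsPrepareDomain = True is the domain where "setup /PrepareDomain" still has to be run.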
