Unable to initialize Exchange management (EMC and EMS don't work) - Access Denied

MarkEmery

I have all the symptoms of this discussion:

http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/8f9a1881-d66d-4d8a-a6ff-06729a701999/

But it has been marked as answered and a number of people still have the problem, not fixed by suggestions in that post.

I have the BuildtoBuildUpgrade on the RoleInstallationMode (can't help but think the cause of this error is the root cause of what's wrong) on a server that has never had Exchange of any sort installed.

All my other Exchange servers are already 2007 std edition, no 2003 left for some time now. All DCs are Server 2008 or 2008R2, forest and domain is at 2008 functional level.

I have successfully installed another server 2008R2 with CAS, HUB and database Exchange 2010 roles, it can administer itself but not the server with CAS only role.

This server that has failed has only CAS Exchange 2010 role on server 2008R2 and is in the same site as the 2007 servers, different site to the working 2010 server.

Error from EMS :

[cas.xxx.local] Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionOpenFailed

Error from EMC:

[cas.xxx.local] Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic. It was running the command 'Discover-ExchangeServer -UseWIA $true -SuppressError $true'.

I have determined the Access Denied error is occurring during the operation to load the Exchange cmdlets, not while executing a cmdlet. I did that by opening a command window and trying to load the Exchange cmdlets manually from the local source:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command ". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\Exchange.ps1'"

which gives this error:

At C:\Program Files\Microsoft\Exchange Server\V14\bin\Exchange.ps1:48 char:21

+ Set-ADServerSettings <<<< -ViewEntireForest $false -WarningAction SilentlyContinue
+ CategoryInfo : ObjectNotFound: (Set-ADServerSettings:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

Something seems missing from the install, I suspect related to the incorrect BuildtoBuild status in the install log.
 
Mike Pfeiffer

> I have determined the Access Denied error is occurring during the operation to load the Exchange cmdlets, not while executing a cmdlet. I did that by opening a command window and trying to load the Exchange cmdlets manually from the local source C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command ". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\Exchange.ps1'"

You need to have the Exchange snapin loaded before you can dot source that script. That's why you are getting a CommandNotFoundException error.
Have you looked through both of these docs?
Troubleshooting Exchange 2010 Management Tools startup issues
http://msexchangeteam.com/archive/2010/02/04/453946.aspx
Troubleshooting the Exchange Management Shell (Under Connection Issues)
http://technet.microsoft.com/en-us/library/dd351136.aspx
 
danmo1982

Me too.

I have also followed David's suggestion, and it fails at step 6 ($Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<FQDN of Exchange 2010 server>/PowerShell/ -Authentication Kerberos) with access denied.

Does anyone have a solution to the problem?
 
Anbu Selvan

Hi,

Can you try in CAS Server as below?

- From "Start" -> "Run", type in "dcomcnfg" and hit "Enter"
- From the Component Services Console, expand "Component Services" -> "Computers"
- Right click on "My Computer" and select "Properties"
- On the "Default Properties" tab, find the Default Impersonation Level and change it from "Identify" to "Impersonate"

In addition,

You can also try the following:

Strangely enough, this error is spawned because there is/are Exchange 2007 CAS Server(s) that do not give permissions to Exchange 2010 to enumerate IIS.
As you may know, this is very odd because the EMC 2010 does not display any Exchange 2007 Server!
The solution is to add the security group "Exchange Trusted Subsystem" as a member of the Local Administrators group on ALL Exchange Server 2007 boxes.

http://msexchangegeek.com/2009/09/18/get-owavirtualdirectory-returns-an-iis-directory-entry-couldnt-be-created-the-error-message-is-access-is-denied/
With Anbu
 
MarkEmery

Have tried this suggestion, which looked promising. Also found Exchange 2010 Rollup 3 and Exchange 2007 SP2 Rollup 4 and installed both of those on respective servers.

Rebooted servers, no change to the access denied error on the CAS role server. I still have one Exchange 2007 SP2 server to put the rollup on and reboot, can't do that one until the weekend.

Found that the command winrm get winrm/config/service gives an error:
Error number: -2144108387 0x8033809D
An unknown security error occurred.

Which might actually be the root cause of the security issue. No idea how to approach that error.
 
MarkEmery

Both WinRM commands

winrm get winrm/config/service
winrm quickconfig

Give this error:

WinRM already is set up to receive requests on this machine.
WSManFault
Message = WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
Error number: -2144108387 0x8033809D
An unknown security error occurred.
 
Anbu Selvan

Hi,

Instead of focusing the issue on Exchange, have you tried to check the health status of Active Directory?

Is it replicating the domain controllers? Are you pointing GC for the deployment? Have you done the Exchange Preparation well?

Is it possible to try with different Hardware box with CAS transport?

Just update us.

With Anbu
 
MarkEmery

AD and Exchange Prep are fine.

I already have another CAS server working properly; what's the point of trying another? It is this problem server that needs to work.
 
Anbu Selvan

Hi,

Are you getting the same error in the CAS server which has issue?

With Anbu
 
Chinthaka Shameera

Hello,

Can you reproduce the problem and let us know the event error and first 5 events in the Security Event Log?

At the same time, run EXBPA and let's see any issues.

regards

Chinthaka Shameera | MCITP: EA | MCSE: M | http://howtoexchange.wordpress.com/
 
MarkEmery

Using ADSIEDIT, make sure that SPN HTTP/<servername> is on the machine account of your server.

(<servername> is your server's FQDN.) I found that SPN was on the SIP service account running OCS on the server, moved it to the machine account for the server, rebooted, and Exchange 2010 management console now works, and remote management and OCS still work as well (as far as I can tell) using the modified SIP service account.

Use the script below to locate HTTP/* SPNs and find where they are registered.

Script for SPN query http://technet.microsoft.com/en-au/library/ee176972.aspx

(Also ran WINRM QUICKCONFIG to confirm HTTP configured correctly.)
 
TEK-BOT

Hi MarkEmery - do you mind posting the steps you did in ADSIEDIT to fix this issue? When accessing our CAS/HUB server on a second site, I am also getting the error "The following error occurred when searching for On-Premises Exchange server: [CASSERVERNAME] Connecting to remote server failed with the following error message: Access is denied. For more information, see the about_Remote_Troubleshooting Help topic. It was running the command 'Discover-ExchangeServer -UseWIA $true -SuppressError $true'."

We can access our two CAS/HUB servers in our primary site but cannot access the CAS/HUB at the second site. We do not have OCS though, so I am not sure if the fix will work for us... Thanks for your help.
 
Rodney B

!!!!!FIXED!!!!!!

This took me the whole day and I am really grumpy

I am running a Server 2008R2 Exchange 2008SP1 OCS 2007R2 on the same VM server

After install of OCS I lost access to my exchange console, thanks to Mark Emery I tracked down my problem, IIS was running under the CWAService account

On the server, which is also a DC, I ran the below two commands to delete the SPN

setspn -d http/servername domain\servername
setspn -d http/servername.domain.local domain\servername

Then I ran the following two commands to repair the SPN
setspn -s http/servername domain\servername
setspn -s http/servername.domain.local domain\servername

This will reset your service to run under the machine account

After a reboot I can now access the exchange console
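
A read-only way to do the HTTP/ SPN lookup that the two posts above rely on (MarkEmery's ADSIEDIT check and Rodney B's setspn repair), as an added example that is not part of the thread. Get-SpnOwner, Get-SpnStatus and Test-HttpSpn are hypothetical helper names, and the account and host names in the sample call are constructed.

```powershell
# Added example, not from the thread. Read-only: it queries AD and changes nothing.

# Return the sAMAccountName of every AD object that has $Spn registered.
function Get-SpnOwner {
    param([Parameter(Mandatory = $true)][string]$Spn)
    # Escape LDAP filter metacharacters (RFC 4515), backslash first.
    $value = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher = [adsisearcher]"(servicePrincipalName=$value)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    foreach ($hit in $searcher.FindAll()) { [string]$hit.Properties['samaccountname'][0] }
}

# Classify the owners of one SPN against the machine account expected to hold it.
# 'Misplaced' is the state described in the thread: a service account holds HTTP/<server>,
# so Kerberos tickets for WinRM are issued for an account the WinRM service cannot use.
function Get-SpnStatus {
    param([string]$Spn, [string]$MachineAccount, [string[]]$Owners)
    $names = @($Owners | Where-Object { $_ })   # drop null/empty entries
    if ($names.Count -eq 0)                 { $status = 'NotRegistered' }
    elseif ($names.Count -gt 1)             { $status = 'Duplicate' }
    elseif ($names[0] -ieq $MachineAccount) { $status = 'OK' }
    else                                    { $status = 'Misplaced' }
    New-Object PSObject -Property @{ Spn = $Spn; Status = $status; Owners = ($names -join ', ') }
}

# Live check: run on a domain-joined machine, for the short name and the FQDN.
function Test-HttpSpn {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $fqdn = [System.Net.Dns]::GetHostEntry($ComputerName).HostName
    foreach ($spn in "HTTP/$ComputerName", "HTTP/$fqdn") {
        Get-SpnStatus -Spn $spn -MachineAccount "$ComputerName`$" -Owners @(Get-SpnOwner -Spn $spn)
    }
}

# Constructed sample mirroring the thread: the HTTP SPN sits on a service account.
# 'svc-ocs-sip', 'CAS01' and 'example.local' are made-up names.
Get-SpnStatus -Spn 'HTTP/cas01.example.local' -MachineAccount 'CAS01$' -Owners 'svc-ocs-sip'
```

The sample call reports Status = Misplaced; on the affected server, `Test-HttpSpn` runs the same classification against the directory for both name forms.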
 