First 2010 CAS server - no Administrator rights EMC Permissions gone

  • Thread starter Jase Philip
Status
Not open for further replies.

Jase Philip

I installed the first Exchange 2010 server (CAS role only) in our single forest domain. It has one existing Exchange 2003 server. I had previously started the GUI install and cancelled it before it got to the install step in order to answer a few other questions in our environment. After running through the install, without any errors, I was unable to get into the EMC or EMS. The error was: "The user "domain\administrator" isn't assigned to any management roles."

I did some research on this forum and the web in general and found the following articles:

http://social.technet.microsoft.com/Forums/en/exchange2010/thread/5fbef5ca-5471-4d6f-91c3-dd632395a0d8

http://gaionlinekb.blogspot.com/2009/11/emc-rbac-authorization-returns-access.html

http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/0d5c8a0b-210a-4a44-ae06-e3684db70970

http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/8b95d8d8-eba6-4cf9-86eb-19c65c258896/

I followed all the steps that I could and still have the same issue. The second article linked above fails at step 6. The server this is installed on is a brand-new 2008 R2 server with nothing else on it.

I am at a loss for solving this and would love any tips or pointers for finding a resolution.

Thanks in advance for your time,

Jase
 

Tom_V

Are you using a Domain Administrator and not the local Administrator account to log in to the server?

As a test try making a copy of the Administrator account in Active Directory and add the newly created account to the following member groups:

Administrators

Domain Admins

Enterprise Admins

Organization Management

Schema Admins

Log in to the domain with the newly created account and try launching the EMC or EMS.

If the behavior is still occurring then try to rerun the prepare AD and prepare schema using the setup file.

In the command prompt navigate to the Exchange setup directory and type:

setup /preparead

setup /ps

MCITP: Enterprise Messaging Administrator 2007/2010 | MCITP: Server Administrator | MCTS: Windows Server 2008 Applications Infrastructure, Configuring | MCP | MCDST
 

Jase Philip

Thanks for the reply Tom.
Sadly the above did not work for me. I created a new user - ex2010admin - in Active Directory by copying the administrator account (which I had used previously). I verified the group membership in all the groups you listed.

I logged into the new CAS server as the new user and launched the EMC. When clicking on the Microsoft Exchange On-Premises item, the middle window pane came back with the following:

The following error occurred when searching for On-Premises Exchange server:

[servername] Processing data from remote server failed with the following error message: The user "domain\ex2010admin" isn't assigned to any management roles. For more information, see the about_Remote_Troubleshooting Help topic. It was running the command 'Discover-ExchangeServer -UseWIA $true -SuppressError $true'.

The same errors were found when launching the EMS.

At this point I have no problem wiping the server and trying from scratch, but with the AD and schema prep already having been run, I'm worried that I won't gain anything from doing that. That is why I'm asking the esteemed forum. :)
 

Xiu Zhang

Hi,

1. First, please check if you have "Allow inheritable permission..." checked for the Microsoft Exchange container and for the Org container in ADSIEdit.

Note: You can follow the steps below to find the settings.

   1. Please try to start ADSIEdit.

   2. Navigate to "Configuration->Services->Microsoft Exchange" / "Configuration->Services->Microsoft Exchange->First Organization"

   3. Right-click on it and select "Properties".

   4. Select the "Security" tab.

   5. Click "Advanced". There, please check if you have ticked the "Allow inheritable permission" option.

2. Then please verify the msExchRoleLink and msExchUserLink attributes on CN=Role Management-Organization Management-Delegating,CN=Role Assignments,CN=RBAC,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=….

The value should be "CN=Role Management,CN=Roles,CN=RBAC,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=…"

3. Please check if "Role Management" exists under CN=Roles,CN=RBAC,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=…

4. Also check if "Allow inheritable permission" is ticked for "Role Management".

After that, please test the issue again.

If the issue still persists, then please follow the steps below to try to solve the problem.

1) Open Windows PowerShell (not the Exchange Management Shell)
   a. If you have UAC enabled, right-click Windows PowerShell and click Run as administrator.
2) Run Start-Transcript c:\RBAC.txt and press enter
   a. This will start logging all commands and output you type to a text file.
3) Run Add-PSSnapin *setup and press enter
   a. This adds the setup snap-in which contains the setup cmdlets used by Exchange during install. You may see errors about loading a format data file. You can ignore those errors.
   DO NOT run any other cmdlets in this snap-in without direction from Microsoft. Doing so could irreparably damage your Exchange installation.
4) Run Install-CannedRbacRoleAssignments -InvocationMode Install -Verbose and press enter.
   a. This cmdlet should create the required role assignments between the role groups and roles that should have been created during setup.
   b. Be sure you run with the Verbose switch so we can capture what the cmdlet does.
5) Run Remove-PSSnapin *setup and press enter
6) Run $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<FQDN of Exchange 2010 server>/PowerShell/ -Authentication Kerberos and press enter
   a. Be sure to replace <FQDN of Exchange 2010 server> with the FQDN of your server.
7) Run Import-PSSession $Session and press enter
8) Run Get-ManagementRoleAssignment and press enter
9) Run Stop-Transcript and press enter

Regards,

Xiu
 

Xiu Zhang

Besides, please check if watermark exists in the registry under
HKLM\Software\Microsoft\ExchangeServer\V14\ClientAccessRole

Regards,

Xiu
 

Jase Philip

Xiu,

Thanks for the information.

The second #2 above fixed it for me.

2. Then please verify the msExchRoleLink and msExchUserLink attributes on CN=Role Management-Organization Management-Delegating,CN=Role Assignments,CN=RBAC,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=….

The value should be "CN=Role Management,CN=Roles,CN=RBAC,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=…"

The value for msExchRoleLink was correct, but the value for msExchUserLink was set to CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=Domain,DC=com

When I replaced it with the information provided, it worked like a charm!

Thank you so much for helping me fix it.
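
The ADSIEdit checks from Xiu Zhang's steps 1 to 4, done read-only from plain Windows PowerShell, as an added example that is not part of any post in this thread. It assumes the organization container is named "First Organization" as in the DNs quoted above; it only compares msExchRoleLink against the value given in the thread and otherwise reports each link and whether its target object exists.

```powershell
# Added example: read-only checks, nothing is written to Active Directory.
# Assumption: the organization container is "First Organization", as in this thread.
$configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$exchDn   = "CN=Microsoft Exchange,CN=Services,$configNc"
$orgDn    = "CN=First Organization,$exchDn"
$roleDn   = "CN=Role Management,CN=Roles,CN=RBAC,$orgDn"
$assignDn = "CN=Role Management-Organization Management-Delegating,CN=Role Assignments,CN=RBAC,$orgDn"

function Test-DnExists([string]$Dn) {
    if (-not $Dn) { return $false }
    try   { [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$Dn") }
    catch { $false }   # unreachable or malformed path counts as "not found"
}

# Steps 1, 3 and 4: does each container exist, and is inheritance enabled?
# AreAccessRulesProtected = $true means the inheritance box is NOT ticked.
$containers = foreach ($dn in $exchDn, $orgDn, $roleDn) {
    $exists   = Test-DnExists $dn
    $inherits = $null
    if ($exists) {
        $inherits = -not ([ADSI]"LDAP://$dn").psbase.ObjectSecurity.AreAccessRulesProtected
    }
    New-Object PSObject -Property @{ Object = $dn; Exists = $exists; Inherits = $inherits }
}
$containers | Format-List Object, Exists, Inherits

# Step 2: dump both link attributes of the delegating role assignment.
if (Test-DnExists $assignDn) {
    $assign = [ADSI]"LDAP://$assignDn"
    $links = foreach ($attr in 'msExchRoleLink', 'msExchUserLink') {
        $value = [string]$assign.psbase.Properties[$attr].Value
        New-Object PSObject -Property @{
            Attribute    = $attr
            Value        = $value
            TargetExists = Test-DnExists $value   # a dangling link cannot resolve
        }
    }
    $links | Format-List Attribute, Value, TargetExists
    $roleLink = ($links | Where-Object { $_.Attribute -eq 'msExchRoleLink' }).Value
    "msExchRoleLink matches the value given in the thread: $($roleLink -eq $roleDn)"
} else {
    Write-Warning "Role assignment object not found: $assignDn"
}
```

The script uses New-Object PSObject rather than [pscustomobject] so it also runs on the PowerShell 2.0 that ships with Windows Server 2008 R2.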
 

Kenneth Yeung

In step

4. Also check if "Allow inheritable permission" is ticked for "Role Management".

Is it normal to click it? Because I found that it is not clicked. But I am scared to click it. I am afraid of affecting production.

Thanks

and in 6) Run $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<FQDN of Exchange 2010 server>/PowerShell/ -Authentication Kerberos and press enter

I cannot run it due to not enough permission. I am using Enterprise Admin already.

I have Exchange 2003. Is there any impact on Exchange 2003 if I uninstall all of Exchange 2010 and reinstall it?

And will it fix my not being able to log in?

Thanks
 