RBAC Cross Domain issues


Carpadum

New 2010 SP1 install. One forest with root and 2 child domains. All users in child domain. Exchange servers in root domain. Already migrated a few mailboxes from 2003 to 2010 with no issues. Everything working fine from client access to HT and MB. Started working with RBAC to assign permissions to some of the IT users that have been migrated and errors occur. Also tried to make a 2010 user the owner of a distribution group and errors occur even after adding the user to the Recipient Management group via AD. Some of the errors follow:

Add user as owner of distribution group (user is in child domain and also in the Recipient Management group and Organization Management) (action being performed by the forest root enterprise admin, the same account that was used to install Exchange):

"You do not have sufficient permissions. This operation can only be performed by a manager of the group."

Add user via RBAC to the Recipient Management group (user is in child domain and a domain admin of that domain). User is searchable via RBAC in EMC.

"Active Directory operation failed on DomainControllerServer.ForestRoot.com. The object 'CN=Recipient Management,OU=Microsoft Exchange Security Groups,DC=ForestRoot,DC=com' does not exist."

Server name and domain replaced for post. The group does exist at that location and I can add the person manually to that group using AD Users and Computers. If I do, the person shows up in RBAC/EMC.

Best Practices Analyzer shows no errors in configuration or permissions; however, the permissions test says it will take over an hour to run but it only takes a few seconds, so I don't know if it is working correctly.

Any ideas what is going on here?

Alexei Segundo

Can you confirm that DomainControllerServer.ForestRoot.com is a Global Catalog Server and that Recipient Management is a Universal Security group?

Alexei

Carpadum

Yes, it is Universal; however, the domain controller that it used was not a GC. How can I prevent this? We have 3 or more DCs per domain and a GC cannot be on the infrastructure master role.

Alexei Segundo

Looking at the error again, it seems to indicate that the "Recipient Management" group can't be found on the root domain DC. Clearly, the group does exist and is visible on that DC without it having to be a GC. My initial thought was that if the root domain DC was not a GC then it would be unable to see/add members from other domains to the group.

Trying a different tack...

Can you confirm the following:
You ran setup /PrepareAllDomains when introducing Exchange 2010? There is a GC available in each AD site that hosts an Exchange 2010 server?

On a (probably) unrelated note, you can safely ignore the Infrastructure Master rule regarding GCs if you make all your DCs in that domain GCs. Obviously, you would want to consider any potential replication impact before you do this.

Alexei

Carpadum

Yes, prep was done on all domains.

Yes, there are two GCs in each site that contains Exchange servers.

Here is a more complete dump that has been scrubbed. It does look like the GC is being looked at from the child domain where the accounts reside.

Log Name: MSExchange Management
Source: MSExchange CmdletLogs
Date: 10/21/2010 7:48:23 PM
Event ID: 6
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: EXCHSRV.DOMAIN.com
Description:
Cmdlet failed. Cmdlet Update-RoleGroupMember, parameters {Members={USER1, USER2, USER3, USER4}, Identity=65bdd144-f26b-42bc-81d7-2ac3baeab74b}.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchange CmdletLogs" />
<EventID Qualifiers="49152">6</EventID>
<Level>2</Level>
<Task>1</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-10-22T00:48:23.000000000Z" />
<EventRecordID>367</EventRecordID>
<Channel>MSExchange Management</Channel>
<Computer>EXCHSRV.DOMAIN.com</Computer>
<Security />
</System>
<EventData>
<Data>Update-RoleGroupMember</Data>
<Data>{Members={USER1, USER2, USER3, USER4}, Identity=65bdd144-f26b-42bc-81d7-2ac3baeab74b}</Data>
<Data>DOMAIN.com/Users/administrator</Data>
<Data>S-1-5-21-xxxxxxxxxxxxxxxxxxxxx-839522115-500</Data>
<Data>S-1-5-21-xxxxxxxxxxxxxxxxxxxxx-839522115-500</Data>
<Data>Exchange Control Panel-ECP</Data>
<Data>7852</Data>
<Data>
</Data>
<Data>27</Data>
<Data>00:00:00.1716044</Data>
<Data>View Entire Forest: 'True', Configuration Domain Controller: 'DC2.child.domain.com', Preferred Global Catalog: 'DC.child.domain.com', Preferred Domain Controllers: '{ dc2.child.domain.com, DC1.domain.com }'</Data>
<Data>Microsoft.Exchange.Data.Directory.ADNoSuchObjectException: Active Directory operation failed on dc1.domain.com. The object 'CN=Recipient Management,OU=Microsoft Exchange Security Groups,DC=domain,DC=com' does not exist. ---> System.DirectoryServices.Protocols.DirectoryOperationException: The object does not exist.
at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout)
at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
--- End of inner exception stack trace ---
at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
at Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties)
at Microsoft.Exchange.Data.Directory.Recipient.ADRecipientSession.Microsoft.Exchange.Data.IConfigDataProvider.Save(IConfigurable instance)
at Microsoft.Exchange.Configuration.Tasks.SetTaskBase`1.InternalProcessRecord()
at Microsoft.Exchange.Management.RbacTasks.RoleGroupMemberTaskBase.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()</Data>
<Data>Context</Data>
<Data>System.DirectoryServices.Protocols.DirectoryOperationException: The object does not exist.
at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout)
at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)</Data>
</EventData>
</Event>
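The log above answers Alexei's two questions (is the DC a GC, is the group Universal) only if you go and look, so here is an added PowerShell diagnostic for doing exactly that. It is example code written for this page, not something posted in the thread. It is meant to run in the Exchange Management Shell on the server that logged the event; the server name dc1.domain.com and the group DN under DC=domain,DC=com are assumptions taken from the scrubbed log and must be replaced with real names.

```powershell
# Added diagnostic, not from the thread. Run in the Exchange Management Shell on the
# Exchange server that wrote the MSExchange Management event. Host names and the group
# DN below are assumptions copied from the scrubbed event log.

function Test-IsGlobalCatalog {
    # Ask the DC itself whether it hosts the GC partial-attribute set.
    param([string]$Server)
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $Server)
    $dc  = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
    return $dc.IsGlobalCatalog()
}

function Get-GroupScope {
    # Decode groupType as seen on a specific DC: 0x2 global, 0x4 domain local,
    # 0x8 universal; the sign bit (0x80000000) marks a security-enabled group.
    param([string]$Server, [string]$Dn)
    $type  = [int]([ADSI]"LDAP://$Server/$Dn").Get('groupType')
    $scope = if ($type -band 0x8) { 'Universal' } elseif ($type -band 0x4) { 'DomainLocal' } else { 'Global' }
    New-Object PSObject -Property @{ Server = $Server; Scope = $scope; SecurityEnabled = ($type -lt 0) }
}

function Get-FailedRbacWrites {
    # Pull failed *RoleGroupMember cmdlets from the cmdlet log and report which DC each
    # write was sent to, whether that DC is a GC, and the session's preferred DC list.
    param([int]$Newest = 50)
    Get-EventLog -LogName 'MSExchange Management' -Source 'MSExchange CmdletLogs' -EntryType Error -Newest $Newest |
        Where-Object { $_.ReplacementStrings[0] -like '*RoleGroupMember' } |
        ForEach-Object {
            $text = $_.ReplacementStrings -join "`n"
            $failedOn = if ($text -match 'operation failed on (\S+?)\.\s') { $matches[1] } else { $null }
            $preferred = if ($text -match "Preferred Domain Controllers: '\{([^}]*)\}'") { $matches[1].Trim() } else { '' }
            $isGc = if ($failedOn) { Test-IsGlobalCatalog $failedOn } else { $null }
            New-Object PSObject -Property @{
                Time = $_.TimeGenerated; Cmdlet = $_.ReplacementStrings[0]
                FailedOn = $failedOn; FailedOnIsGC = $isGc; PreferredDCs = $preferred
            }
        }
}

# Session-level DC/GC selection that the cmdlets in this shell will use.
Get-ADServerSettings | Format-List ViewEntireForest, ConfigurationDomainController, PreferredGlobalCatalog, PreferredDomainControllers

# Every GC the forest advertises, to compare against the servers named in the failures.
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GlobalCatalogs | Select-Object Name, Domain

Get-FailedRbacWrites -Newest 20 | Format-Table Time, Cmdlet, FailedOn, FailedOnIsGC, PreferredDCs -AutoSize
Get-GroupScope -Server 'dc1.domain.com' -Dn 'CN=Recipient Management,OU=Microsoft Exchange Security Groups,DC=domain,DC=com'
```

The interesting column is FailedOnIsGC: in the thread the write went to a root-domain DC that was not a GC even though the session's preferred GC was in the child domain, and this table makes that mismatch visible per event instead of having to read it out of the stack trace by hand.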

Alexei Segundo

Can you try running the command below:

Update-RoleGroupMember "Recipient Management" -Members "USER1","USER2","USER3","USER4" -DomainController dc1.domain.com

This should generate the same error you see from within RBAC. Remember to include all the members of the group in the command (it does a full replace action on the group members).

Then try the same command against a different DC, e.g.

Update-RoleGroupMember "Recipient Management" -Members "USER1","USER2","USER3","USER4" -DomainController DC.child.domain.com

If the second command doesn't work either, try again with the -BypassSecurityGroupManagerCheck parameter.

Alexei

Carpadum

OK, the first one did not work. I tried again using the same domain, just a known GC in that domain, and it did work. So now the question is why are EMC, ECP and PowerShell not defaulting to using a known GC?

Alexei Segundo

Good question. I would expect the tools to use a GC (not a DC) when doing anything with Universal groups.

Hopefully someone will chip in with a more informed response. If you have an EA with Microsoft it might be worth raising a support call.

An obvious workaround would be to make all your DCs GCs. The replication overhead caveat applies.

Alexei
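Alexei's two suggestions (pin the write to a known GC, and remember that Update-RoleGroupMember replaces the whole member list) and his "make the DCs GCs" workaround can be turned into one script. The following is an added example for this page, not code from the thread; the host dc.child.domain.com (a known GC in the child domain) and the user names USER1 through USER4 are assumptions taken from the scrubbed log.

```powershell
# Added workaround script, not from the thread. Assumes dc.child.domain.com is a known
# GC and USER1..USER4 are the accounts to add; replace both before use.
param(
    [string]$KnownGc      = 'dc.child.domain.com',
    [string]$RoleGroup    = 'Recipient Management',
    [string[]]$NewMembers = @('USER1', 'USER2', 'USER3', 'USER4')
)

# 1. Pin this shell session to the known GC so every cmdlet in it reads and writes there,
#    instead of letting the session pick a non-GC DC for the root domain.
Set-ADServerSettings -ViewEntireForest $true -PreferredGlobalCatalog $KnownGc -SetPreferredDomainControllers $KnownGc

# 2. Snapshot the current membership first. Update-RoleGroupMember -Members replaces the
#    entire list, so a snapshot is the only way back if a name is left out by mistake.
$before = @(Get-RoleGroupMember -Identity $RoleGroup -DomainController $KnownGc)
$before | Select-Object Name, DistinguishedName

# 3. Add members one at a time. Add-RoleGroupMember appends rather than replaces, so an
#    existing member can never be silently dropped the way it can with Update-RoleGroupMember.
#    -BypassSecurityGroupManagerCheck is only needed when the calling account is not in the
#    group's ManagedBy list; it does not bypass the RBAC role assignment check itself.
foreach ($m in $NewMembers) {
    if ($before | Where-Object { $_.Name -eq $m }) { "$m is already a member"; continue }
    Add-RoleGroupMember -Identity $RoleGroup -Member $m -DomainController $KnownGc -BypassSecurityGroupManagerCheck
}

# 4. Read the result back from the same GC the write went to, so replication lag between
#    DCs cannot make a successful write look like a failure.
Get-RoleGroupMember -Identity $RoleGroup -DomainController $KnownGc | Select-Object Name

# 5. (Optional) The broader fix Alexei proposes: turn the root-domain DC into a GC. This
#    sets the GC flag on the DC's NTDS Settings object through the .NET AD API. It changes
#    forest-wide replication, so run it deliberately; it is defined here but not called.
function Enable-GlobalCatalog {
    param([string]$DcName)
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $DcName)
    $dc  = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
    if ($dc.IsGlobalCatalog()) { "$DcName is already a GC"; return }
    $dc.EnableGlobalCatalog() | Out-Null
    "$DcName promoted to GC; wait for the GC to finish building before relying on it"
}
# Enable-GlobalCatalog -DcName 'dc1.domain.com'
```

The session pin from step 1 lasts only for the current shell; EMC and ECP open their own sessions, so it explains why the PowerShell test works but does not change what the GUI tools pick. Passing -DomainController on each cmdlet, as the script does, is the part that also works when the cmdlet is run outside a pinned session.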