Unable to initialize Exchange management (EMC and EMS don't work) - Access Denied


MarkEmery

I have all the symptoms of this discussion:

http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/8f9a1881-d66d-4d8a-a6ff-06729a701999/

But it has been marked as answered and a number of people still have the problem, not fixed by the suggestions in that post.

I have the BuildtoBuildUpgrade on the RoleInstallationMode (can't help but think the cause of this error is the root cause of what's wrong) on a server that has never had Exchange of any sort installed.

All my other exchange servers are already 2007 std edition no 2003 left for some time now. All DCs are Server 2008 or 2008R2, forest and domain is at 2008 functional level.

I have successfully installed another server 2008R2 with CAS, HUB and database Exchange 2010 roles; it can administer itself but not the server with CAS only role.

This server that has failed has only CAS Exchange 2010 role on server 2008R2 and is in the same site as the 2007 servers, different site to the working 2010 server.

Error from EMS :

[cas.xxx.local] Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionOpenFailed

Error from EMC:

[cas.xxx.local] Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic. It was running the command 'Discover-ExchangeServer -UseWIA $true -SuppressError $true'.

I have determined the Access Denied error is occurring during the operation to load the Exchange cmdlets, not while executing a cmdlet. I did that by opening a command window and trying to load the Exchange cmdlets manually from the local source:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command ". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\Exchange.ps1'"

which gives this error:

At C:\Program Files\Microsoft\Exchange Server\V14\bin\Exchange.ps1:48 char:21

+ Set-ADServerSettings <<<< -ViewEntireForest $false -WarningAction SilentlyContinue
+ CategoryInfo : ObjectNotFound: (Set-ADServerSettings:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

Something seems missing from the install, I suspect related to the incorrect BuildtoBuild status in the install log.
 

Mike Pfeiffer

> I have determined the Access Denied error is occurring during the operation to load the Exchange cmdlets, not while executing a cmdlet. I did that by opening a command window and trying to load the Exchange cmdlets manually from the local source C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command ". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\Exchange.ps1'"

You need to have the Exchange snapin loaded before you can dot source that script. That's why you are getting a CommandNotFoundException error.
Have you looked through both of these docs?
Troubleshooting Exchange 2010 Management Tools startup issues
http://msexchangeteam.com/archive/2010/02/04/453946.aspx
Troubleshooting the Exchange Management Shell (Under Connection Issues)
http://technet.microsoft.com/en-us/library/dd351136.aspx
 

danmo1982

Me too

Have also followed David's suggestion, and it fails at step 6 ($Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<FQDN of Exchange 2010 server>/PowerShell/ -Authentication Kerberos) with access denied.

Anyone have a solution to the problem?
 

Anbu Selvan

Hi,

Can you try in CAS Server as below?

· From "Start" -> "Run" type in "dcomcnfg" and hit "Enter"

· From the Component Services Console, expand "Component Services" -> "Computers"

· Right click on "My Computer" and select "Properties"

· On the "Default Properties" tab, find the Default Impersonation Level and change it from "Identify" to "Impersonate"

In addition,

You can also try the following:

Strangely enough, this error is spawned because there is/are Exchange 2007 CAS Server(s) that do not give permissions to Exchange 2010 to enumerate IIS.
As you may know, this is very odd because the EMC 2010 does not display any Exchange 2007 Server!
The solution is to add the security group "Exchange Trusted Subsystem" as a member of the Local Administrators group on ALL Exchange Server 2007 boxes.

http://msexchangegeek.com/2009/09/18/get-owavirtualdirectory-returns-an-iis-directory-entry-couldnt-be-created-the-error-message-is-access-is-denied/
With Anbu
 

MarkEmery

Have tried this suggestion; it looked promising. Also found Exchange 2010 Rollup 3 and Exchange 2007 SP2 Rollup 4 and installed both of those on respective servers.

Rebooted servers, no change to the access denied error on the CAS role server. I still have one Exchange 2007 SP2 server to put the rollup on and reboot, can't do that one until the weekend.

Found that the command winrm get winrm/config/service gives an error:
Error number: -2144108387 0x8033809D
An unknown security error occurred.

Which might actually be the root cause of the security issue. No idea how to approach that error.
 

MarkEmery

Both WinRM commands

winrm get winrm/config/service
winrm quickconfig

Give this error:

WinRM already is set up to receive requests on this machine.
WSManFault
Message = WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
Error number: -2144108387 0x8033809D
An unknown security error occurred.
 

Anbu Selvan

Hi,

Instead of focusing the issue on Exchange, have you tried to check the health status of Active Directory?

Is it replicating the domain controllers? Are you pointing to a GC for the deployment? Have you done the Exchange Preparation well?

Is it possible to try with different Hardware box with CAS transport?

Just update us.

With Anbu
 

MarkEmery

AD and Exchange Prep are fine.

I already have another CAS server working properly; what's the point of trying another? It is this problem server that needs to work.
 

Anbu Selvan

Hi,

Are you getting the same error in the CAS server which has issue?

With Anbu
 

Chinthaka Shameera

Hello,

Can you reproduce the problem and let us know the event error and first 5 events in the Security Event Log?

At the same time, run EXBPA and let's see any issues.

regards

Chinthaka Shameera | MCITP: EA | MCSE: M | http://howtoexchange.wordpress.com/
 

MarkEmery

Using ADSIEDIT, make sure that SPN HTTP/<servername> is on the machine account of your server.

(<servername> is your server's FQDN.) I found that SPN was on the SIP service account running OCS on the server, moved it to the machine account for the server, rebooted, and Exchange 2010 management console now works, and remote management and OCS still work as well (as far as I can tell) using the modified SIP service account.

Use the script below to locate HTTP/* SPNs and find where they are registered.

Script for SPN query http://technet.microsoft.com/en-au/library/ee176972.aspx

(Also ran WINRM QUICKCONFIG to confirm HTTP configured correctly.)
 

TEK-BOT

Hi MarkEmery - do you mind posting the steps you did in ADSIEDIT to fix this issue? When accessing our CAS/HUB server on a second site, I am also getting the error "The following error occurred when searching for On-Premises Exchange server: [CASSERVERNAME] Connecting to remote server failed with the following error message: Access is denied. For more information, see the about_Remote_Troubleshooting Help topic. It was running the command 'Discover-ExchangeServer -UseWIA $true -SuppressError $true'."

We can access our two CAS/HUB servers in our primary site but cannot access the CAS/HUB at the second site. We do not have OCS though, so I am not sure if the fix will work for us... Thanks for your help.
 

Rodney B

!!!!!FIXED!!!!!!

This took me the whole day and I am really grumpy

I am running a Server 2008R2 Exchange 2008SP1 OCS 2007R2 on the same VM server

After install of OCS I lost access to my exchange console, thanks to Mark Emery I tracked down my problem, IIS was running under the CWAService account

On the server, which is also a DC, I ran the below two commands to delete the SPN

setspn -d http/servername domain\servername
setspn -d http/servername.domain.local domain\servername

Then I ran the following two commands to repair the SPN
setspn -s http/servername domain\servername
setspn -s http/servername.domain.local domain\servername

This will reset your service to run under the machine account

After a reboot I can now access the exchange console
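
Added example, not part of the original thread or any poster's script: a read-only PowerShell check for the condition MarkEmery and Rodney B describe, listing which account holds the HTTP/ SPNs for the affected server and flagging any that are not on its machine account. `$ServerFqdn` is a placeholder, and the search covers only the current domain.

```powershell
# Added example. $ServerFqdn is a placeholder; set it to the affected CAS server.
$ServerFqdn = 'cas.example.local'
$ShortName  = $ServerFqdn.Split('.')[0]
$Expected   = "$ShortName`$"      # sAMAccountName of the server's machine account

function Get-SpnOwner {
    param([string]$Spn)
    # Search the current domain for every object that carries this exact SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.PageSize = 500
    foreach ($name in 'samaccountname', 'objectclass', 'distinguishedname') {
        [void]$searcher.PropertiesToLoad.Add($name)
    }
    foreach ($hit in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Spn        = $Spn
            Account    = [string]$hit.Properties['samaccountname'][0]
            IsComputer = (@($hit.Properties['objectclass']) -contains 'computer')
            DN         = [string]$hit.Properties['distinguishedname'][0]
        }
    }
}

# Check both forms a client may request: short name and FQDN.
$owners = @("HTTP/$ShortName", "HTTP/$ServerFqdn" | ForEach-Object { Get-SpnOwner $_ })

if (-not $owners) {
    # With no explicit HTTP/ SPN, Kerberos falls back to the HOST/ SPN,
    # which lives on the machine account by default.
    "No explicit HTTP/ SPN found for $ServerFqdn; HOST/ on $Expected will be used."
}

foreach ($o in $owners) {
    if ($o.Account -ieq $Expected) {
        "OK                      {0} -> {1}" -f $o.Spn, $o.Account
    } else {
        # A ticket for this SPN is encrypted for another account, so services
        # running as the machine account (WinRM here) cannot accept it.
        "NOT ON MACHINE ACCOUNT  {0} -> {1} ({2})" -f $o.Spn, $o.Account, $o.DN
    }
}

# The same SPN on more than one account is a duplicate and also breaks Kerberos.
$owners | Group-Object Spn | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "DUPLICATE               $($_.Name) on $($_.Count) accounts" }
```

The script changes nothing in the directory. Before moving an SPN that it flags, confirm which service the other account runs, since that service may depend on the registration.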
 