First 2010 CAS server - no Administrator rights EMC Permissions gone

Status
Not open for further replies.
J

Jase Philip

I installed the first Exchange 2010 server (CAS role only) in our single forest domain. It has one existing Exchange 2003 server. I had previously started the GUI install and cancelled it before it got to the install step in order to answer a few other questions in our environment. After running through the install, without any errors, I was unable to get into the EMC or EMS. The error was: " The user " domain\administrator" isn't assigned to any management roles."

I did some research on this forum and the web in general and found the following articles:

http://social.technet.microsoft.com/Forums/en/exchange2010/thread/5fbef5ca-5471-4d6f-91c3-dd632395a0d8

http://gaionlinekb.blogspot.com/2009/11/emc-rbac-authorization-returns-access.html

http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/0d5c8a0b-210a-4a44-ae06-e3684db70970

http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/8b95d8d8-eba6-4cf9-86eb-19c65c258896/

I followed all the steps that I could and still have the same issue. The second article linked above fails at step 6. The server this is installed on is a brand-new 2008 R2 server with nothing else on it.

I am at a loss for solving this and would love and tips or pointers for finding a resolution.

Thanks in advance for your time,

Jase
 
T

Tom_V

Are you using a Domain Administrator and not the local Administrator account to login to the server?

As a test try making a copy of the Administrator account in Active Directory and add the newly created account to the following member groups:

Administrators

Domain Admins

Enterprise Admins

Organization Management

Schema Admins

Login into the domain with the newly created account and try launching the EMC or EMS.

If the behavior is still occurring then try to rerun the prepare AD and prepare schema using the setup file.

In the command prompt navigate to the Exchange setup directory and type:

setup /preparead

setup /ps

MCITP: Enterprise Messaging Administrator 2007/2010 | MCITP: Server Administrator | MCTS: Windows Server 2008 Applications Infrastructure, Configuring | MCP | MCDST
 
J

Jase Philip

Thanks for the reply Tom.
Sadly the above did not work for me. I created a new user - ex2010admin - in active directory by copying the administrator account (which I had used previously). I verified the group membership in all the groups you listed.

I logged into the new CAS server as the new user and launched the EMC. When clicking on the Microsoft Exchange On-Premises item, the middle window pane came back with the following:

The following error occurred when searching for On-Premises Exchange server:

[servername] Processing data from remote server failed with the following error message: The user " domain\ex2010admin" isn't assigned to any management roles. For more information, see the about_Remote_Troubleshooting Help topic. It was running the command 'Discover-ExchangeServer -UseWIA $true -SuppressError $true'.

The same errors were found when lauching the EMS.

At this point I have no problem wiping the server and trying from scratch, but with the AD and schema prep already having been run, I'm worried that I won't gain anything from doing that. That is why I'm asking the esteemed forum. :)
 
X

Xiu Zhang

Hi,

1. First please check If you have " Allow inheritable permission..." checked for Microsoft Exchange Container and on Org Container ADSIEDIT.

Note: You can follow the steps below to find the settings.

1. Please try to start ADSIedit.

2. Navigate to " Configuration->Services->Microsoft Exchange" /" Configuration->Services->Microsoft Exchange->First Organization"

3. Righte click on it and select to " Properties" .

3. Select " Security" tab.

4. Click " Advance" . There please check if you have ticked " Allow inheritable permission" option.

2. Then please verified the attributes msExchRoleLink and msExchUserLink attributes on CN=Role Management-Organization Management-Delegating,CN=Role Assignments,CN=RBAC,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=….

The value should be " CN=Role Management,CN=Roles,CN=RBAC,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=…"

3. Please check if " Role Mangement" exists under CN=Roles,CN=RBAC,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=…

4. Also check if " Allow inheritable permission" ticked for " Role Management" .

After that, please test the issue again.

If the issue still persists, then please follow the steps below to try to solve the problem.

1) Open Windows PowerShell (not the Exchange Management Shell)
a. If you have UAC enabled, right click Windows PowerShell and click Run as administrator.
2) Run Start-Transcript c:\RBAC.txt and press enter
a. This will start logging all commands and output you type to a text file.
3) Run Add-PSSnapin *setup and press enter
a. This adds the setup snap-in which contains the setup cmdlets used by Exchange during install. You may see errors about loading a format data file. You
can ignore those errors.
DO NOT run any other cmdlets in this snap-in without direction from Microsoft.
Doing so could irreparably damage your Exchange installation.
4) Run Install-CannedRbacRoleAssignments -InvocationMode Install -Verbose and press enter.
a. This cmdlet should create the required role assignments between the role groups and roles that should have been created during setup.
b. Be sure you run with the Verbose switch so we can capture what the cmdlet does.
5) Run Remove-PSSnapin *setup and press enter
6) Run $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<FQDN of Exchange 2010 server>/PowerShell/ -Authentication Kerberos and press enter
a. Be sure to replace <FQDN of Exchange 2010 server> with the FQDN of your server.
7) Run Import-PSSession $Session and press enter
8) Run Get-ManagementRoleAssignment and press enter
9) Run Stop-Transcript and press enter

Regards,

Xiu
 
X

Xiu Zhang

Besides, please check if watermark exists in the registry under
HKLM\Software\Microsoft\ExchangeServer\V14\ClientAccessRole

Regards,

Xiu
 
J

Jase Philip

Xiu,

Thanks for the information.

The second #2 above fixed it for me.

2. Then please verified the attributes msExchRoleLink and msExchUserLink attributes on CN=Role Management-Organization Management-Delegating,CN=Role Assignments,CN=RBAC,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=&hellip;.

The value should be " CN=Role Management,CN=Roles,CN=RBAC,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=&hellip;"

The value for msExchRoleLink was correct, but the value for msExchUserLink was set to CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=Domain,DC=com

When I replaced it with the information provided, it worked like a charm!

Thank you so much for helping me fix it.
 
K

Kenneth Yeung

In step

4. Also check if " Allow inheritable permission" ticked for " Role Management" .

Is it normal to click it? Becasue I found that is not click. But I am scare to click it. I am affraiding to affect the production.

Thanks

and in 6) Run $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<FQDN of Exchange 2010 server>/PowerShell/ -Authentication Kerberos and press enter

I cannot run it due to not enough permission. I am using EnterPrise Admin already.

I have exchange 2003, any impact on exchange 2003 if I uninstall all exchange 2010 and reinstall it?

And will it fix I cannot login?

Thank
 
Status
Not open for further replies.
Thread starter Similar threads Forum Replies Date
S Do you need a CAS Server in Order to Use OWA in Exchange 2010 (E14)? Exchange Server Administration 9
S Any system impact if change exchange 2010 CAS/HUB and Mailbox server IP address Exchange Server Administration 1
J Exchange 2010 CAS Server OWA Redirection to Exchange 2003 Fail Exchange Server Administration 4
N Exchnage 2010 Hub Cas Edge Server Recovery Exchange Server Administration 3
S Exchange 2010 CAS and MB role on same server, does OWA redirect to Exchange 2003 still work? Exchange Server Administration 5
A Does CAS-only server need Forefront security protection for Exchange 2010? Exchange Server Administration 4
T Exchange 2010 CAS Server not installed first Exchange Server Administration 2
M Exchange 2010 CAS to preexisting Exchange 2003 server Exchange Server Administration 3
S exchange 2010 Hub and Cas server error Exchange Server Administration 2
C error trying to install cas 2010 server after failed install Exchange Server Administration 7
A Exchange 2010 Remote CAS Server Question Exchange Server Administration 3
H Re: Multiple OWA sites on one CAS 2010 server? Exchange Server Administration 14
J Access mailbox on Exchange 2003/Exchange 2007 through Exchange 2010 CAS server and IMAP protocol Exchange Server Administration 5
A Exchange 2010 CAS Failover from Internet Facing site to Non-Internet Facing Site - Certificate Issue Exchange Server Administration 3
S Exchange 2010 CAS/HT/Mailbox moved - best practice/steps for decommissioning 2007 Exchange Server Administration 3
M Fundamental CAS question for Exchange 2010 and 2007 Co-existence... Exchange Server Administration 7
D Exchange 2010 CAS at 2 different Sites Exchange Server Administration 2
M Proper way to install Exchange 2010 SP1 on a CAS Array Exchange Server Administration 3
B Exchange 2003 OWA/OA/AS over NAT and Exchange 2010 CAS Exchange Server Administration 4
B Re: Exchange 2007 and CAS from Exchange 2010 problem Exchange Server Administration 15
M Re: Exchange 2007 and CAS from Exchange 2010 problem Exchange Server Administration 2
I Exchange 2007 and CAS from Exchange 2010 problem Exchange Server Administration 4
T ActiveSync proxy problem from Exchange 2010 CAS to Exchange 2007 CAS Exchange Server Administration 5
K Exchange 2010 OWA redirection between 2 CAS Servers Exchange Server Administration 5
S exchange 2010 cas memory usage Exchange Server Administration 2
P Exchange 2010 SP1 Cross Site CAS connection disable Exchange Server Administration 2
H Outlook 2007 periodically disconnects from Exchange 2010 CAS - OWA works Using Outlook 4
S CAS array in Exchange 2010 Exchange Server Administration 1
G Exchange 2010 CAS Array Exchange Server Administration 4
T Exchange 2010 CAS Array setup and lab Exchange Server Administration 18
S NLB exchange 2010 CAS Array Exchange Server Administration 4
H Is possible to have exchange 2007 CAS point to the exchange 2010 CAS? Exchange Server Administration 2
K DR site resiliency design with Exchange 2010 - shared or different namespace for cas. Exchange Server Administration 1
D OWA on 2010 CAS not forwarding authentication to 2003 OWA for legacy users Exchange Server Administration 1
B exchange 2010 cas - exchange 2003 frond end Exchange Server Administration 3
S 2010 CAS &gt; 2003 BE - ActiveSync issues... Exchange Server Administration 1
B cas array exchnage 2010 not working properly on vm Exchange Server Administration 5
O Exchange 2010 Hub/CAS install Exchange Server Administration 2
S What to Use Instead a Hardware-based Load Balancer for an Exchange 2010 CAS Array Exchange Server Administration 21
7 Exchange 2010 sp1 mailbox, hub, cas roles and w3wp.exe / very slow Exchange Server Administration 6
S Exchange 2010 two datacenters two CAS array Exchange Server Administration 4
A Apple Mail not connecting to 2007 through 2010 CAS Using Outlook 7
S CAS access problem with new Outlook 2003 profile to Exchange 2010 Exchange Server Administration 1
A CAS Proxying with Active Sync when migrate from Exchange 2007 to 2010 Exchange Server Administration 1
S CAS array in exchange 2003 and exchange 2010 coexsit environment Exchange Server Administration 4
M Exchange 2010 Resource Forest RPC Distibution with Multiple CAS Exchange Server Administration 1
A Command to show users connected on Exchange 2010 CAS Exchange Server Administration 2
G coexistence between Exchange 2010 HUB/CAS with SP1 and Exchange 2010 mailbox rtm Exchange Server Administration 2
M CAS access and Mailbox servers with Exchange 2010 Exchange Server Administration 13
M Exchange 2010'you can't have 2 stand alone CAS servers' Exchange Server Administration 5
Similar threads


















































Top