RBAC Cross Domain issues

Carpadum

New 2010 SP1 install. One forest with root and 2 child domains. All users in child domain. Exchange servers in root domain. Already migrated a few mailboxes from 2003 to 2010 with no issues. Everything working fine from client access to HT and MB. Started working with RBAC to assign permissions to some of the IT users that have been migrated and errors occur. Also tried to make a 2010 user the owner of a distribution group and errors occur even after adding the user to the Recipient Management group via AD. Some of the errors follow:

Add user as owner of distribution group (user is in child domain and also in Recipient Management group and Organization Management) (action being performed by the forest root enterprise admin... same account that was used to install Exchange):

"You do not have sufficient permissions. This operation can only be performed by a manager of the group"

Add user via RBAC to Recipient Management group (user is in child domain and a domain admin of that domain). User is searchable via RBAC in EMC.

"Active Directory operation failed on DomainControllerServer.ForestRoot.com. The object 'CN=Recipient Management,OU=Microsoft Exchange Security Groups,DC=ForestRoot,DC=com' does not exist."

Server name and domain replaced for the post. The group does exist at that location and I can add the person manually to that group using AD Users and Computers. If I do, the person shows up in RBAC/EMC.

Best Practices Analyzer shows no errors in configuration or permissions; however, the permissions test says it will take over an hour to run but it only takes a few seconds, so I don't know if it is working correctly.

Any ideas what is going on here?
Alexei Segundo

Can you confirm that DomainControllerServer.ForestRoot.com is a Global Catalog Server and that Recipient Management is a Universal Security group?

Alexei
Carpadum

Yes, it is Universal; however, the domain controller that it used was not a GC. How can I prevent this? We have 3 or more DCs per domain and a GC cannot be on the Infrastructure Master role.
Alexei Segundo

Looking at the error again, it seems to indicate that the "Recipient Management" group can't be found on the root domain DC. Clearly, the group does exist and is visible on that DC without it having to be a GC. My initial thought was that if the root domain DC was not a GC then it would be unable to see/add members from other domains to the group.

Trying a different tack...

Can you confirm the following:
You ran setup /PrepareAllDomains when introducing Exchange 2010?
There is a GC available in each AD site that hosts an Exchange 2010 server?

On a (probably) unrelated note, you can safely ignore the Infrastructure Master rule regarding GCs if you make all your DCs in that domain GCs. Obviously, you would want to consider any potential replication impact before you do this.

Alexei
Carpadum

Yes, prep was done on all domains.

Yes, there are 2 GCs in each site that contain Exchange servers.

Here is a more complete dump that has been scrubbed. It does look like the GC is being looked at from the child domain where the accounts reside.

Log Name: MSExchange Management
Source: MSExchange CmdletLogs
Date: 10/21/2010 7:48:23 PM
Event ID: 6
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: EXCHSRV.DOMAIN.com
Description:
Cmdlet failed. Cmdlet Update-RoleGroupMember, parameters {Members={USER1, USER2, USER3, USER4}, Identity=65bdd144-f26b-42bc-81d7-2ac3baeab74b}.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchange CmdletLogs" />
<EventID Qualifiers="49152">6</EventID>
<Level>2</Level>
<Task>1</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-10-22T00:48:23.000000000Z" />
<EventRecordID>367</EventRecordID>
<Channel>MSExchange Management</Channel>
<Computer>EXCHSRV.DOMAIN.com</Computer>
<Security />
</System>
<EventData>
<Data>Update-RoleGroupMember</Data>
<Data>{Members={USER1, USER2, USER3, USER4}, Identity=65bdd144-f26b-42bc-81d7-2ac3baeab74b}</Data>
<Data>DOMAIN.com/Users/administrator</Data>
<Data>S-1-5-21-xxxxxxxxxxxxxxxxxxxxx-839522115-500</Data>
<Data>S-1-5-21-xxxxxxxxxxxxxxxxxxxxx-839522115-500</Data>
<Data>Exchange Control Panel-ECP</Data>
<Data>7852</Data>
<Data>
</Data>
<Data>27</Data>
<Data>00:00:00.1716044</Data>
<Data>View Entire Forest: 'True', Configuration Domain Controller: 'DC2.child.domain.com', Preferred Global Catalog: 'DC.child.domain.com', Preferred Domain Controllers: '{ dc2.child.domain.com, DC1.domain.com }'</Data>
<Data>Microsoft.Exchange.Data.Directory.ADNoSuchObjectException: Active Directory operation failed on dc1.domain.com. The object 'CN=Recipient Management,OU=Microsoft Exchange Security Groups,DC=domain,DC=com' does not exist. ---> System.DirectoryServices.Protocols.DirectoryOperationException: The object does not exist.
at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout)
at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
--- End of inner exception stack trace ---
at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
at Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties)
at Microsoft.Exchange.Data.Directory.Recipient.ADRecipientSession.Microsoft.Exchange.Data.IConfigDataProvider.Save(IConfigurable instance)
at Microsoft.Exchange.Configuration.Tasks.SetTaskBase`1.InternalProcessRecord()
at Microsoft.Exchange.Management.RbacTasks.RoleGroupMemberTaskBase.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()</Data>
<Data>Context</Data>
<Data>System.DirectoryServices.Protocols.DirectoryOperationException: The object does not exist.
at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout)
at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)</Data>
</EventData>
</Event>
Alexei Segundo

Can you try running the command below:

Update-RoleGroupMember "Recipient Management" -Members "USER1","USER2","USER3","USER4" -DomainController dc1.domain.com

This should generate the same error you see from within RBAC. Remember to include all the members of the group in the command (it does a full replace action on the group members).

Then try the same command against a different DC, e.g.

Update-RoleGroupMember "Recipient Management" -Members "USER1","USER2","USER3","USER4" -DomainController DC.child.domain.com

If the second command doesn't work either, try again with the -BypassSecurityGroupManagerCheck parameter.

Alexei
Carpadum

OK, the first one did not work. I tried again using the same domain, just a known GC in that domain, and it did work. So now the question is: why are EMC, ECP and PowerShell not defaulting to using a known GC?
Alexei Segundo

Good question. I would expect the tools to use a GC (not a DC) when doing anything with Universal groups.

Hopefully someone will chip in with a more informed response. If you have an EA with Microsoft it might be worth raising a support call.

An obvious workaround would be to make all your DCs GCs. The replication overhead caveat applies.

Alexei
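The thread's finding is that Update-RoleGroupMember does a full membership replace against whichever DC the tools pick, and fails when that DC is not a Global Catalog and the members live in another domain. The script below is an added example, not code from the thread or from Microsoft: it locates a GC in the child domain through .NET System.DirectoryServices (no RSAT module required), confirms the server is advertising as a GC, reads the current role group membership from that GC, merges in the new members, and only then runs the replace against the same server. Names such as child.domain.com, USER1 and USER2 are placeholders; it assumes it is run from an Exchange 2010 Management Shell as an account that is already allowed to manage the role group.

```powershell
# Added example (not from the thread): pin Update-RoleGroupMember to a known
# Global Catalog instead of the DC the tools choose by default.
# Assumptions: Exchange 2010 Management Shell, .NET DirectoryServices available,
# and placeholder names below replaced with real ones.
param(
    [string]   $RoleGroup    = 'Recipient Management',                 # role group to update
    [string[]] $NewMembers   = @('child\USER1', 'child\USER2'),        # placeholder members
    [string]   $PreferDomain = 'child.domain.com'                       # domain to pick the GC from
)

Add-Type -AssemblyName System.DirectoryServices

# Ask the server itself whether it is a GC; catches "it is a DC but not a GC".
function Test-IsGlobalCatalog {
    param([string]$ServerFqdn)
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $ServerFqdn)
    $dc  = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
    return $dc.IsGlobalCatalog()
}

# Enumerate every GC in the forest and return the first one that belongs to $DomainName.
function Find-GlobalCatalog {
    param([string]$DomainName)
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($gc in $forest.FindAllGlobalCatalogs()) {
        if ($gc.Domain.Name -ieq $DomainName) { return $gc.Name }
    }
    throw "No Global Catalog found in domain $DomainName"
}

$gc = Find-GlobalCatalog -DomainName $PreferDomain
if (-not (Test-IsGlobalCatalog -ServerFqdn $gc)) {
    throw "$gc is not advertising as a Global Catalog; refusing to continue"
}

# Update-RoleGroupMember replaces the whole membership, so read the existing
# members from the same GC first and merge rather than overwrite.
$current = @(Get-RoleGroupMember -Identity $RoleGroup -DomainController $gc |
             ForEach-Object { $_.DistinguishedName })
$members = @($current + $NewMembers | Sort-Object -Unique)

Write-Host "Using GC $gc; resulting membership of '$RoleGroup':"
$members | ForEach-Object { Write-Host "  $_" }

# Same cmdlet Alexei suggested, pinned to the GC we just validated.
Update-RoleGroupMember -Identity $RoleGroup -Members $members -DomainController $gc -Confirm:$false
```

If the call still fails with the "manager of the group" error for a role group whose ManagedBy does not include the calling account, Update-RoleGroupMember accepts -BypassSecurityGroupManagerCheck, as mentioned earlier in the thread; keep that switch off by default so the ownership check remains the normal control.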