exchange 2010sp1 installation error (done via dvd with included sp1)

Not open for further replies.


Hi there !
our environment:
ad domain/forest functional level: 2003
adcs: w2k8r2 - 64bit
our domain is double-labelled, e.g. company.local
we run 1 exchange server (all roles except edge and um) as a VM,
which is not yet upgraded to sp1.
this steps were done back in April 2010 without errors: /PrepareSchema /PrepareAD /OrganizationName:eek:ur-orgname /PrepareDomain
ADSIEDIT checked and i saw the our-orgname Organization
I ran into an error when installing exch2010sp1 (from the exch2010 dvd with included sp1)
on a normal server which is domain-joined :
prereqs i took BEFORE running this task:
1) install hotfixes:

Windows6.1-KB977020-v2-x64.msu ok
Windows6.1-KB979744-x64.msu (KB979744 - LockConvoy On Windows Server 2003 Post KB 971988) ok
Windows6.1-KB979099-x64.msu (Update for Rights Management Services Client for Windows Server 2008 R2 x64 Edition (KB979099) ok
Windows6.1-KB982867-v2-x64.msu (not applicable) > nach netfw 3.5 sp1 installieren: see point 18)
Windows6.1-KB983440-x64.msu (KB983440 - Win7 rollup package (PR for QFE 810219)) ok
FilterPack64bit.exe ok

2) check powershell: ok
ps prompt > help about_windows-powershell, check that you have version 2.0
(package included in w2k8r2)

3) select features > expand remote server administration tools > expand role administration tools > expand ad ds and lds tools > expand ad ds tools > selct ad ds snap-ins and command-line tools ok
4) select features > expand .NET Framework 3.5.1 features , selct .NET Framework 3.5.1 check box ok
5) expand wcf activation, select http activation + click add required role services ok
6) select rpc over http proxy check box + click add required role services ok
7) next > on web server iis page click next ok
8) on select role services page, under security, select the digest authentiaction check box ok
9) under performance select dynamic content compression check box ok
10) under iis6 mgmt compatibility, select iis6 mgmt console check box ok
11) next > install ok
12) close ok
13) start > administrative tools, click services ok
14) in services list, point to administrative tools + click services ok
15) in services list double-click net.tcp port sharing service ok
16) in net.tcp port sharing service > properties > startup type: automatic and apply ok
17) start, wait for service to start, ok, close service console ok

18) Windows6.1-KB982867-v2-x64.msu (not applicable) > after netfw 3.5 sp1 : ok
19) reboot server ok
20) install LanguagePackBundle.exe via setup.exe while installing exchange2010(sp1);
point to this file (don't rename it !)
option from setup.exe (exchange2010sp1-dvd) is step 3: choose exchange language option > install all languages from the language bundle and point to " LanguagePackBundle.exe"
21) run setup.exe with typical exchange server installation
my installer-user was member of EnterpriseAdmins, SchemaAdmins and Organization Management (exchange)
nslookup to my domain without errors;
ping to DC without errors;
correct DNS-settings;
firewall disabled;
checked " automatically install windows server roles and features required for exchange servers"
22) after all went through i received following error message:
the following error was generated when " $error.Clear(); Set-LocalPermission" was run: " the process
does not possess the 'SeSecurityPrivilege' privilege which is required for this operation

> googled around and found out that it is an old SeSecurityPrivilege problem here:
from this blog:
I ran the policytest.exe file that you can find in the \setup\serverroles\common folder from the Exchange 2007 source media. This program confirms whether the SeSecurityPrivilege right has been found on the domain controllers in the Active Directory site. This right is set on the Domain Controller Security Policy by the /PrepareDomain process. Specifically, the process grants the Manage Auditing and Security Log right. Policytest.exe confirmed that the right was present on all domain controllers.
> remember above in my post that /PrePareDomain was done back in April/2010 !
> here is my result of the policytest.exe:
This tool will check every domain controller in the local
domain to see if the " Manage auditing and security logs"
privilege granted to the " Exchange Enterprise Servers"
group by DomainPrep has replicated to that DC. If the
policy change has not yet replicated to all DCs, then
you should avoid making policy changes on any DC that
has not received those changes yet.
You must have Domain Admin rights to run this tool
successfully. If you see an error that says:
!! LsaEnumerateAccountRights returned error 5 !!
then you don't have permission to open the LSA on the
given DC.
Local domain is " clgroup.local" (CLGROUP)
LookupAccountName returned error 1332
Abnormal exit from PolicyTest
> the consequence of that error is:
1) cannot initialize my EMC
2) all the roles (cas,hub,mbx) were cancelled
> what am i supposed to do next ?
1) configure my default domain controllers policy (Manage Auditing and Security Log right...) or wait for ad sync ?
2) after that run setup.exe from dvd again ?
> i believe i can assign the roles afterwards, but no idea how to get access to EMC console
Hope someone has an idea,
some additional infos:

- can't open EMC

- don't see any MSExchange services (under services.msc), although the bin files are under c:/program files/microsoft/exchange server/V14

- after that error: configured default domain controllers policy: Manage Auditing and Security Log right and inserted Exchange Servers in there

additional patches:

found something on EHLO:
the update for the update ? didn't apply until now though

> should i rerun setup again ?


Hi Vinc,
I have run into a issue looks like yours.
The reason is some necessary DLLs for starting Exchange services were missing.
Do you run the EXBPA for the exchange 2010 RTM server, any information?
I would suggest that you prompt a backup and rebuild of the server using /recoverserver, if the The RTM install was working normally, and then upgrade to SP1 was attempted again.
If it is urgent, I also would suggest you open a ticket from MS. Because that if you want confirm the issue, we must retrieve many logs to analyze.
Not open for further replies.