Delegated setup fails in Exchange 2013

In Exchange 2013, a member of Delegated Setup can't install Exchange if legacy administrative groups exist. I describe the problem over on my new blog, and provide a simple script to work around it:

https://bill-long.com/2014/02/04/delegated-setup-fails-in-exchange-2013/

Comments

  • Anonymous
    January 01, 2003
    Hi Tony,

    It looks like this error has to do with not being able to add the computer account (such as CN=Server1,CN=Computers,DC=contoso,DC=com) to the Managed Availability Servers group (such as CN=Managed Availability Servers,OU=Microsoft Exchange Security Groups,DC=contoso,DC=com). It seems like the Delegated Setup group should already have permissions to do this. You may be able to work around it by granting Delegated Setup additional permissions on the domain context. I'm not sure what permissions are missing, but if you grant that group enough rights, it will eventually work.

    As for determining root cause, you would need to open a case so we can try and understand why the default permissions aren't working as intended.
  • Anonymous
    March 17, 2015
    Hi Bill,

    I've been trying to get Delegated Setup working in a single domain AD with Exchange 2010 and existing Exchange 2013 servers. I've provisioned the server with an Exchange Org admin account which worked just fine, but when I try to run the actual installation on the server using an account that has been made a member of the Delegated Setup group, I get this when trying to install the Client Access role (please bear in mind I've shortened this because I ran out of characters, but I've tried to leave the important stuff in):

    Error:
    The following error was generated when "$error.Clear();
    if (![String]::IsNullOrEmpty($RoleDomainController))
    {
    $masSid = add-ManagedAvailabilityServerGroupMember -DomainController $RoleDomainController -ServerName $RoleNetBIOSName
    }
    " was run: "Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on DC2010-2.exchange14.local. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
    Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
    at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
    at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)


    Seems to suggest that the account I'm using doesn't have enough rights, but the object is pre-staged already. Just wondered if you might have any ideas based on the above output.
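Both comments above come down to one question: who is allowed to write the "member" attribute of the Managed Availability Servers group. The following read-only check is an added example, not code from the original post or from Bill's workaround script; it assumes the ActiveDirectory module's AD: drive is available, and the group DN and the "Delegated Setup" group name are taken from the contoso.com sample in the first comment and should be adjusted.

```powershell
# Added example (not from the original post): list the ACEs on the
# Managed Availability Servers group that allow writing its "member"
# attribute, which is the right add-ManagedAvailabilityServerGroupMember
# needs during setup. Read-only; requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Schema GUID of the "member" attribute, as used in object-specific ACEs.
$memberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

# Assumed DN, following the sample in the comment; adjust for your forest.
$groupDn = 'CN=Managed Availability Servers,OU=Microsoft Exchange Security Groups,DC=contoso,DC=com'

$acl = Get-Acl -Path "AD:\$groupDn"

# Keep Allow ACEs that grant WriteProperty (or GenericAll/GenericWrite)
# either on all attributes (empty ObjectType) or specifically on "member".
$relevant = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights.ToString() -match 'WriteProperty|GenericAll|GenericWrite') -and
    ($_.ObjectType -eq [Guid]::Empty -or $_.ObjectType -eq $memberAttrGuid)
}

$relevant |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize

# Report whether Delegated Setup itself appears among the grantees.
# Rights can also arrive through nested group membership, so an empty
# result here is a prompt to check nesting before granting extra rights.
$delegated = $relevant | Where-Object { $_.IdentityReference.Value -like '*\Delegated Setup' }
if ($delegated) {
    Write-Host 'Delegated Setup holds a write right on "member" for this group.'
} else {
    Write-Host 'No explicit ACE for Delegated Setup on "member"; review nested group membership first.'
}
```

Run it as an account that can read the group's security descriptor; it changes nothing, so it is safe to compare output between a working and a failing forest.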