Bennett Adelson Technical Blog

Posts from the consultants at Bennett Adelson

Exchange 2010 RTM Setup Fails with Event ID 1002


While working through an Exchange 2010 RTM installation (to be updated to SP2 of course when the time came) at a customer site, we ran into an error that at first had us baffled:

Exchange Server component Mailbox Role failed.
Error: Error:
The following error was generated when “$error.Clear();
$name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName;
$dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName;
$dismbx = get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1;
if( $dismbx -ne $null)
{
$srvname = $dismbx.ServerName;
if( $dismbx.Database -ne $null -and $RoleFqdnOrName -like “$srvname.*” )
{
Write-ExchangeSetupLog -info “Setup DiscoverySearchMailbox Permission.”;
$mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
if( $mountedMdb -eq $null )
{
Write-ExchangeSetupLog -info “Mounting database before stamp DiscoverySearchMailbox Permission…”;
mount-database $dismbx.Database;
}

              $mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
if( $mountedMdb -ne $null )
{
$dmRoleGroupGuid = [Microsoft.Exchange.Data.Directory.Management.RoleGroup]::DiscoveryManagementWkGuid;
$dmRoleGroup = Get-RoleGroup -Identity $dmRoleGroupGuid -DomainController $RoleDomainController -ErrorAction:SilentlyContinue;
if( $dmRoleGroup -ne $null )
{
Add-MailboxPermission $dismbx -User $dmRoleGroup.Identity -AccessRights FullAccess -DomainController $RoleDomainController -WarningAction SilentlyContinue;
}
}
}
}
” was run: “Couldn’t resolve the user or group “domain.local/Microsoft Exchange Security Groups/Discovery Management.” If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust.”.

Couldn’t resolve the user or group “domain.local/Microsoft Exchange Security Groups/Discovery Management.” If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust.

The trust relationship between the primary domain and the trusted domain failed.

The bolded portion was the key, although we (okay, I – MCB) completely misread it.  We took this to mean that it was an issue with the member server trust, but that of course is a completely different error:

The trust relationship between this workstation and the primary domain failed.

We (okay, I – TB) finally figured out what was up – the customer had two broken domain trusts in the environment.  When asked, the customer said, “oh, yeah, I think we know about that, they are before anyone’s time and we were afraid to touch them.”  That of course was not a helpful answer, but they were on board with whacking the trusts since they didn’t work anyway.

One of the things that caused us pain here is that there are a substantial number of web pages and forum posts about this particular error, but they all relate to SP installation on an existing installation.  They go through recreating system mailboxes and all kinds of other hoops, but that was in our case the completely wrong thing to do.

Once we removed the bad trusts, the installation worked.  Yay.  It’s a case perhaps of “RTFEM.”  There’s a good question here of exactly why Exchange Setup cares here – it knows enough information to find the group in question without going through trusts, but it insists on doing so anyway.  One could even go so far as to call this a bug, although without knowing the team’s reasoning it’s difficult to jump to that conclusion.
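A pre-flight check along the following lines lists every trust the domain and forest hold and verifies the outbound side of each, which is the kind of breakage described above. It is an added example, not part of the original post or of Exchange Setup; it assumes a domain-joined machine and an account with rights to verify trusts, and the function name Test-Trusts is hypothetical.

```powershell
# Added example (not from the original post): verify domain and forest trusts
# before running Exchange setup. Assumes a domain-joined machine and an account
# with rights to verify trusts (typically a domain administrator).
Add-Type -AssemblyName System.DirectoryServices

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = $domain.Forest

# Test-Trusts is a hypothetical helper name. $Source is a Domain or Forest
# object; both expose GetAllTrustRelationships and VerifyOutboundTrustRelationship.
function Test-Trusts {
    param($Source)
    foreach ($trust in $Source.GetAllTrustRelationships()) {
        # Inbound-only trusts cannot be verified from this side.
        $status = 'Not checked (inbound only; verify from the trusting side)'
        if (([int]$trust.TrustDirection -band 2) -ne 0) {   # 2 = Outbound
            try {
                # Returns nothing on success, throws when the trust is broken.
                $Source.VerifyOutboundTrustRelationship($trust.TargetName)
                $status = 'OK'
            } catch {
                # PowerShell wraps .NET method exceptions; report the root cause.
                $status = 'FAILED: ' + $_.Exception.GetBaseException().Message
            }
        }
        New-Object PSObject -Property @{
            Source    = $trust.SourceName
            Target    = $trust.TargetName
            Type      = $trust.TrustType
            Direction = $trust.TrustDirection
            Status    = $status
        }
    }
}

$results = @(Test-Trusts $domain) + @(Test-Trusts $forest)
$results | Format-Table Source, Target, Type, Direction, Status -AutoSize -Wrap

$broken = @($results | Where-Object { $_.Status -like 'FAILED*' })
if ($broken.Count -gt 0) {
    Write-Warning ("{0} trust(s) failed verification; resolve them before running Exchange setup." -f $broken.Count)
}
```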

In any event, hopefully this post helps other people out.

– Tom Bridge and Michael C. Bazarewsky
“Exchange Rock Stars” (Tom made us say that)
