PrepareAD Failed in Exchange 2013

Homer Sibayan 1 Reputation point
2021-07-15T11:35:00.807+00:00

Hi Expert!

Can someone help us, please? Just a quick background: we have an existing Exchange 2010 server and we are introducing an Exchange 2013 server in the same child domain where Exchange 2010 resides.

Take note of the following adjustments and changes we have made:

  1. Transfer Schema on the same Active Directory where Exchange 2013 resided - Child domain
  2. Transfer Domain Naming on the same Active Directory where Exchange 2013 resided - Child Domain
  3. Administrator Account is member of the following :
    Enterprise Admins
    Schema Admins
    Organization Management
    Domain Admin
    Administrators
    Exchange Trusted subsystem
  4. Enabled Inheritance and allowed Exchange trusted subsystem - Administrator Account
  5. Administrators Group - Add Exchange Trusted Subsystem

Unfortunately, we were unable to resolve the issue with the changes made above. Please see the Exchange setup log error below:

After initiating PrepareAD, it failed at 98% with the error below:

Microsoft Exchange Server 2013 Cumulative Update 23 Unattended Setup

Copying Files...
File copy complete. Setup will now collect additional information needed for
installation.

Performing Microsoft Exchange Server Prerequisite Check

Prerequisite Analysis                                     COMPLETED

Setup will prepare the organization for Exchange 2013 by using 'Setup /PrepareAD'. No Exchange 2007 server roles have been detected in this topology. After this operation, you will not be able to install any Exchange 2007 servers.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.NoE12ServerWarning.aspx

Configuring Microsoft Exchange Server

Organization Preparation                                  FAILED
 The following error was generated when "$error.Clear();
      $createTenantRoot = ($RoleIsDatacenter -or $RoleIsPartnerHosted);
      $createMsoSyncRoot = $RoleIsDatacenter;

      #$RoleDatacenterIsManagementForest is set only in Datacenter deployment; interpret its absense as $false
      [bool]$isManagementForest = ($RoleDatacenterIsManagementForest -eq $true);

      if ($RolePrepareAllDomains)
      {
          initialize-DomainPermissions -AllDomains:$true -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
      }
      elseif ($RoleDomain -ne $null)
      {
          initialize-DomainPermissions -Domain $RoleDomain -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
      }
      else
      {
          initialize-DomainPermissions -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
      }
 " was run: "Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on ServerName.ChildDomain.ParentDomain.local. This error is not retriable. Additional information: Access is denied.
 Active directory response: 00000005: SecErr: DSID-03152612, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
  ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
    at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
    at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
    at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo)
    at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
    --- End of inner exception stack trace ---
    at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
    at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
    at Microsoft.Exchange.Data.Directory.ADDataSession.Save(ADObject instanceToSave, IEnumerable`1 properties, Boolean bypassValidation)
    at Microsoft.Exchange.Data.Directory.SystemConfiguration.ADConfigurationSession.Save(ADConfigurationObject instanceToSave)
    at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.CreateMonitoringMailboxContainer(MesoContainer meso)
    at Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.InternalProcessRecord()
    at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
    at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".

The Exchange Server setup operation didn't complete. More details can be found
in ExchangeSetup.log located in the <SystemDrive>:\ExchangeSetupLogs folder.

Thanks in advance!
Homer


5 answers

  1. Xzsssss 8,861 Reputation points Microsoft Vendor
    2021-07-16T05:10:23.36+00:00

    Hi @Homer Sibayan ,

    Are you running the PS with Admin mode? As the error message says:

    Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on ServerName.ChildDomain.ParentDomain.local. This error is not retriable. Additional information: Access is denied.

    And have you prepared schema first? I'm not quite sure about what "Transfer Schema" means, sorry for this.

    Please try this to update the group policy for your admin groups:

    1. Start - Administrative Tools - Group Policy Management - Expand domain name - Expand Domain Controllers OU - Right Click "Default Domain Policy" - Edit - Expand Policies under Computer Configuration - Expand Windows Settings - Expand Security Settings - Expand Local Policies - User Rights Assignment - Take ownership of files or other objects
    2. Add the administrators groups
    3. Run "Gpupdate /force"

    And also see if this thread could help: https://social.technet.microsoft.com/Forums/en-US/bb9f379f-5d7f-4aa2-a63e-6cba1841cce4/exchange-server-2016-preparead-failing-exchage-2010-hybrid-coexistence?forum=Exch2016SD

    Best regards,
    Lou



  2. Homer Sibayan 1 Reputation point
    2021-07-16T05:46:45.99+00:00

    Hi ZhengqiLou-MSFT

    Are you running the PS with Admin mode? As the error message says: Yes, we run this as admin.

    Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on ServerName.ChildDomain.ParentDomain.local. This error is not retriable. Additional information: Access is denied.

    And have you prepared schema first? I'm not quite sure about what "Transfer Schema" means, sorry for this.

    What I mean is, since we have a parent and a child domain, and our Exchange 2013 is to be installed in the child domain, we must transfer the (FSMO) Schema Master role to the child domain controller where Exchange 2013 resides. This is a requirement before running prepare schema and PrepareAD if Exchange 2013 is in the child domain.

    Thanks
    Homer


  3. Homer Sibayan 1 Reputation point
    2021-07-19T23:58:20.617+00:00

    Hi ZhengqiLou-MSFT

    May we know what the rollback plan is for these two recommendations in case they don't work?

    Please try this to update the group policy for your admin groups:

    1. Start - Administrative Tools - Group Policy Management - Expand domain name - Expand Domain Controllers OU - Right Click "Default Domain Policy" - Edit - Expand Policies under Computer Configuration - Expand Windows Settings - Expand Security Settings - Expand Local Policies - User Rights Assignment - Take ownership of files or other objects
    2. Add the administrators groups
    3. Run "Gpupdate /force"

    ______________________________________________________________________

    Use the Delegation of Control Wizard to create a custom task: Open ADUC > right click on your domain name > Delegate Control > Next > Add the user or group > Create a custom task to delegate > The folder, existing objects in this folder.... > Select all three permission and choose Full Control.

    Thanks


  4. Xzsssss 8,861 Reputation points Microsoft Vendor
    2021-07-20T07:08:28+00:00

    Hi @Homer Sibayan ,

    For the first one, you could remove the users added and then run GPupdate /Force.

    And the second one, open ADUC > click View > Advanced Features > right click domain.com > Properties > Security > find the added one and remove.

    Hope this could work.

    Best regards,
    Lou


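The rollback of the Delegation of Control change described in the answer above can also be checked from PowerShell. This is an added example, not part of the original thread: it assumes the RSAT ActiveDirectory module is installed, and the function names and the `CHILD\SetupAdmin` identity are hypothetical placeholders.

```powershell
# Added example: find and roll back explicit Full Control (GenericAll) ACEs on the
# domain root, which is what the Delegation of Control Wizard step creates.
Import-Module ActiveDirectory   # provides Get-ADDomain and the AD: drive

$FullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-ExplicitFullControlAce {
    param(
        # Defaults to the root of the domain the session is logged on to.
        [string]$DistinguishedName = (Get-ADDomain).DistinguishedName
    )
    # Built-in principals (for example Enterprise Admins, SYSTEM) also appear here;
    # compare the output against a known-good baseline before removing anything.
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag($FullControl)
    } | Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
}

function Remove-ExplicitFullControlAce {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Identity,   # e.g. 'CHILD\SetupAdmin' (placeholder)
        [string]$DistinguishedName = (Get-ADDomain).DistinguishedName
    )
    $path    = "AD:\$DistinguishedName"
    $acl     = Get-Acl -Path $path
    $changed = $false
    foreach ($ace in @($acl.Access)) {
        $match = -not $ace.IsInherited -and
                 $ace.AccessControlType -eq 'Allow' -and
                 $ace.ActiveDirectoryRights.HasFlag($FullControl) -and
                 $ace.IdentityReference.Value -eq $Identity
        if ($match -and $PSCmdlet.ShouldProcess($path, "Remove Full Control ACE for $Identity")) {
            $acl.RemoveAccessRuleSpecific($ace)   # removes exactly this ACE, nothing broader
            $changed = $true
        }
    }
    # Write the ACL back only if an ACE was actually removed.
    if ($changed) { Set-Acl -Path $path -AclObject $acl }
}

# Review first, then remove with a dry run before committing:
# Get-ExplicitFullControlAce
# Remove-ExplicitFullControlAce -Identity 'CHILD\SetupAdmin' -WhatIf
```

Running `Get-ExplicitFullControlAce` before and after the wizard step gives a before/after record of exactly which ACE the delegation added.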


  5. Homer Sibayan 1 Reputation point
    2021-08-03T07:57:59.707+00:00

    Hi ZhengqiLou-MSFT

    Good Day

    We have performed the following troubleshooting steps below; however, they did not resolve the issue.

    1. Start - Administrative Tools - Group Policy Management - Expand domain name - Expand Domain Controllers OU - Right Click "Default Domain Policy" - Edit - Expand Policies under Computer Configuration - Expand Windows Settings - Expand Security Settings - Expand Local Policies - User Rights Assignment - Take ownership of files or other objects
    2. Add the administrators groups
    3. Run "Gpupdate /force"

    ______________________________________________________________________

    Use the Delegation of Control Wizard to create a custom task: Open ADUC > right click on your domain name > Delegate Control > Next > Add the user or group > Create a custom task to delegate > The folder, existing objects in this folder.... > Select all three permission and choose Full Control.

    Thanks