Exchange 2013 to CU23 upgrade error

Question

Hello! I tried to upgrade Exchange 2013 to CU23 and got an error. Please help me fix this.

This group exists in Active Directory: "DOMAIN.LOCAL/Microsoft Exchange Security Groups/Discovery Management". Firewall disabled.

[06.08.2023 08:11:22.0628] [1] [ERROR] The following error was generated when "$error.Clear(); 
          $name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName;
          $dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName;
          $dismbx = get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1;
          if( $dismbx -ne $null)
          {
          $srvname = $dismbx.ServerName;
          if( $dismbx.Database -ne $null -and $RoleFqdnOrName -like "$srvname.*" )
          {
          Write-ExchangeSetupLog -info "Setup DiscoverySearchMailbox Permission.";
          $mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
          if( $mountedMdb -eq $null )
          {
          Write-ExchangeSetupLog -info "Mounting database before stamp DiscoverySearchMailbox Permission...";
          mount-database $dismbx.Database;
          }

          $mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
          if( $mountedMdb -ne $null )
          {
          $dmRoleGroupGuid = [Microsoft.Exchange.Data.Directory.Management.RoleGroup]::DiscoveryManagement_InitInfo.WellKnownGuid;
          $dmRoleGroup = Get-RoleGroup -Identity $dmRoleGroupGuid -DomainController $RoleDomainController -ErrorAction:SilentlyContinue;
          if( $dmRoleGroup -ne $null )
          {
            trap [Exception]
            {
              Add-MailboxPermission $dismbx -User $dmRoleGroup.Name -AccessRights FullAccess -DomainController $RoleDomainController -ErrorAction SilentlyContinue;
              continue;
            }
            
            Add-MailboxPermission $dismbx -User $dmRoleGroup.Identity -AccessRights FullAccess -DomainController $RoleDomainController -WarningAction SilentlyContinue;
          }
          }
          }
          }
        " was run: "Microsoft.Exchange.Data.Common.LocalizedException: Couldn't resolve the user or group "DOMAIN.LOCAL/Microsoft Exchange Security Groups/Discovery Management." If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust. ---> System.SystemException: The trust relationship between the primary domain and the trusted domain failed.

   at System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection sourceAccounts, Boolean& someFailed)
   at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
   at System.Security.Principal.NTAccount.Translate(Type targetType)
   at Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter.GetUserSidAsSAMAccount(SecurityPrincipalIdParameter user, TaskErrorLoggingDelegate logError, TaskVerboseLoggingDelegate logVerbose)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
   at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
   at Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter.GetUserSidAsSAMAccount(SecurityPrincipalIdParameter user, TaskErrorLoggingDelegate logError, TaskVerboseLoggingDelegate logVerbose)
   at Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter.GetSecurityPrincipal(IRecipientSession session, SecurityPrincipalIdParameter user, TaskErrorLoggingDelegate logError, TaskVerboseLoggingDelegate logVerbose)
   at Microsoft.Exchange.Management.RecipientTasks.SetMailboxPermissionTaskBase.InternalValidate()
   at Microsoft.Exchange.Management.RecipientTasks.AddMailboxPermission.InternalValidate()
   at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
[06.08.2023 08:11:22.0628] [1] [ERROR] Couldn't resolve the user or group "DOMAIN.LOCAL/Microsoft Exchange Security Groups/Discovery Management." If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust.
[06.08.2023 08:11:22.0628] [1] [ERROR] The trust relationship between the primary domain and the trusted domain failed.

[06.08.2023 08:11:22.0628] [1] [ERROR-REFERENCE] Id=MailboxServiceControlLast___05b3bbd421504e0c93fefa6d5d1ae590 Component=EXCHANGE14:\Current\Release\Shared\Datacenter\Setup
[06.08.2023 08:11:22.0628] [1] Setup is stopping now because of one or more critical errors.
[06.08.2023 08:11:22.0628] [1] Finished executing component tasks.
[06.08.2023 08:11:22.0643] [1] Ending processing Install-MailboxRole
[06.08.2023 08:22:20.0008] [0] CurrentResult setupbase.maincore:396: 0
[06.08.2023 08:22:20.0008] [0] End of Setup

Answer 1

Hello Nemurenai,

Thank you for your question and for reaching out with your question today.

The error message suggests that the installation process encountered an issue with resolving the user or group "DOMAIN.LOCAL/Microsoft Exchange Security Groups/Discovery Management." It indicates a trust relationship failure between the primary domain and the trusted domain.

To resolve this issue, you can try the following steps:

1. Ensure that there is a functional trust relationship between the primary domain and the trusted domain. Verify that the trust is established correctly and functioning without any issues.
2. Check the DNS configuration on both the primary and trusted domains to ensure proper name resolution. Verify that the DNS records are correctly configured for the domains.
3. Make sure that the user or group "DOMAIN.LOCAL/Microsoft Exchange Security Groups/Discovery Management" exists and is accessible in the Active Directory. Confirm that the user or group is not disabled, deleted, or experiencing any issues.
4. Ensure that the account you are using to perform the upgrade has the necessary permissions and is a member of the required groups, such as the Enterprise Admins group or Organization Management role group.
5. If the user or group "DOMAIN.LOCAL/Microsoft Exchange Security Groups/Discovery Management" is from a foreign forest, verify that there is a two-way trust or an outgoing trust established between the primary domain and the foreign forest.
6. Check the event logs on the domain controllers and Exchange servers for any related errors or warnings that might provide more details about the trust relationship failure.
7. Consider consulting with your IT team or a Microsoft Exchange expert for further assistance in troubleshooting and resolving the trust relationship issue.

It's important to note that making changes to trust relationships and domain configurations can have significant implications on your network infrastructure and should be approached with caution. It's recommended to have a backup and a clear understanding of the potential impact before making any modifications.

I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

If the reply was helpful, please don’t forget to upvote or accept as answer.

Best regards.