I had an error updating my Exchange 2013 CU 8 to CU 10 last week: setup failed at step 14 of 18, "Mailbox Role: Mailbox Service", with the error "Couldn't resolve the user or group "ourdomain/Microsoft Exchange Security Groups/Discovery Management."
I have the full error below. I found two possible solutions to the error by googling, and resolved the install issue and completed the install by deleting the DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852} user account from AD (the other possible solution was to disable the discovery search mailbox, but I could not do this because the install was already halfway through). After setup completed, I ran Setup /PrepareAD /IAcceptblablabla... and the DiscoverySearchMailbox was recreated, but the mailbox was not.
I found the commands to recreate the mailbox and user, and the discovery search is now working, but I would like to find out why this setup error occurred. I didn't run PrepareAD prior to install (I read some info that this was not needed from CU 8), but other than that we have a very vanilla setup: single forest/domain, 2 DCs, one Exchange server, small org (30 MBs), no fancy add-ons. I had disabled the AV prior to install, so I am hoping someone might be able to shed some light on why this error occurred on an account that existed previously.
Thanks in advance for any help. Here is the full error received:
Error: The following error was generated when "$error.Clear();
    $name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName;
    $dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName;
    $dismbx = get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1;
    if( $dismbx -ne $null )
    {
        $srvname = $dismbx.ServerName;
        if( $dismbx.Database -ne $null -and $RoleFqdnOrName -like "$srvname.*" )
        {
            Write-ExchangeSetupLog -info "Setup DiscoverySearchMailbox Permission.";
            $mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
            if( $mountedMdb -eq $null )
            {
                Write-ExchangeSetupLog -info "Mounting database before stamp DiscoverySearchMailbox Permission...";
                mount-database $dismbx.Database;
            }
            $mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
            if( $mountedMdb -ne $null )
            {
                $dmRoleGroupGuid = [Microsoft.Exchange.Data.Directory.Management.RoleGroup]::DiscoveryManagement_InitInfo.WellKnownGuid;
                $dmRoleGroup = Get-RoleGroup -Identity $dmRoleGroupGuid -DomainController $RoleDomainController -ErrorAction:SilentlyContinue;
                if( $dmRoleGroup -ne $null )
                {
                    trap [Exception]
                    {
                        Add-MailboxPermission $dismbx -User $dmRoleGroup.Name -AccessRights FullAccess -DomainController $RoleDomainController -ErrorAction SilentlyContinue;
                        continue;
                    }
                    Add-MailboxPermission $dismbx -User $dmRoleGroup.Identity -AccessRights FullAccess -DomainController $RoleDomainController -WarningAction SilentlyContinue;
                }
            }
        }
    }
" was run: "Microsoft.Exchange.Data.Common.LocalizedException: Couldn't resolve the user or group "ourdomain/Microsoft Exchange Security Groups/Discovery Management." If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust. ---> System.SystemException: The trust relationship between the primary domain and the trusted domain failed.
   at System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection sourceAccounts, Boolean& someFailed)
   at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
   at System.Security.Principal.NTAccount.Translate(Type targetType)
   at Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter.GetUserSidAsSAMAccount(SecurityPrincipalIdParameter user, TaskErrorLoggingDelegate logError, TaskVerboseLoggingDelegate logVerbose)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
   at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
   at Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter.GetUserSidAsSAMAccount(SecurityPrincipalIdParameter user, TaskErrorLoggingDelegate logError, TaskVerboseLoggingDelegate logVerbose)
   at Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter.GetSecurityPrincipal(IRecipientSession session, SecurityPrincipalIdParameter user, TaskErrorLoggingDelegate logError, TaskVerboseLoggingDelegate logVerbose)
   at Microsoft.Exchange.Management.RecipientTasks.SetMailboxPermissionTaskBase.InternalValidate()
   at Microsoft.Exchange.Management.RecipientTasks.AddMailboxPermission.InternalValidate()
   at Microsoft.Exchange.Configuration.Tasks.Task.b__b()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
Thanks,
George
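The step that failed is the NTAccount-to-SID translation of the Discovery Management role group, which Setup does just before stamping FullAccess on the discovery search mailbox. The following is an added example, not part of George's post and not Microsoft's Setup code: it repeats that translation from the Exchange Management Shell so it can be tested in isolation, runs the secure-channel checks the inner exception ("trust relationship ... failed") points at, and then re-applies the permission the same way the quoted script does. It assumes the role group is still named "Discovery Management", that the shell runs as an Organization Management member on the Exchange server, and that $dc is replaced with a real DC in the server's site; the mailbox name with the GUID is the one from the post.

```powershell
# Added example (not from the original post, not Microsoft's Setup script).
# Run in the Exchange Management Shell on the Exchange server.
$dc = "dc01.ourdomain.local"   # placeholder: a writable DC in the Exchange server's AD site

# 1. Resolve the role group the way Setup's Add-MailboxPermission does internally:
#    look the group up, then translate DOMAIN\SamAccountName to a SID via LSA.
#    $env:USERDOMAIN is assumed to be the same domain as the group.
$group = Get-Group -Identity "Discovery Management" -DomainController $dc
$ntAccount = New-Object System.Security.Principal.NTAccount($env:USERDOMAIN, $group.SamAccountName)
try {
    $sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier])
    Write-Host "Resolved $ntAccount to $sid"
} catch {
    # Same failure mode as the stack trace: LSA could not map the name to a SID.
    # Before re-running Setup, check the machine account's secure channel to the domain.
    Write-Warning "Could not translate ${ntAccount}: $($_.Exception.Message)"
    Test-ComputerSecureChannel -Verbose          # $true = secure channel to a DC is healthy
    nltest /sc_query:$env:USERDOMAIN             # which DC answered and the channel status
}

# 2. Find the discovery search mailbox; create it only if it is really gone.
$dismbx = Get-Mailbox -RecipientTypeDetails DiscoveryMailbox -ResultSize 1 `
                      -DomainController $dc -ErrorAction SilentlyContinue
if (-not $dismbx) {
    # Name taken from the post; this is the one Setup expects to find.
    $dismbx = New-Mailbox -Discovery `
        -Name "DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}" `
        -DomainController $dc
}

# 3. Re-stamp the permission Setup step 14 tried to apply, using the role group
#    Identity as the quoted script does, then verify there is no Deny entry.
$dmRoleGroup = Get-RoleGroup -Identity "Discovery Management" -DomainController $dc
Add-MailboxPermission -Identity $dismbx.Identity -User $dmRoleGroup.Identity `
    -AccessRights FullAccess -DomainController $dc -WarningAction SilentlyContinue | Out-Null

Get-MailboxPermission -Identity $dismbx.Identity -DomainController $dc |
    Where-Object { $_.User -like "*Discovery Management" } |
    Format-Table User, AccessRights, Deny, IsInherited -AutoSize
```

If step 1 throws while the secure-channel tests pass, the name-to-SID lookup is the thing to chase (for example, a DC that has not yet replicated a recreated group); if Test-ComputerSecureChannel returns $false, reset the channel (Reset-ComputerMachinePassword or Test-ComputerSecureChannel -Repair) before retrying Setup, because the Add-MailboxPermission call will keep failing the same way until LSA can resolve the group.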