Exchange CU 10 Install Error

exchange-2013

I had an error updating my Exchange 2013 CU 8 to CU 10 last night – setup failed at step 14 of 18, Mailbox Role: Mailbox Service – the error was "Couldn't resolve the user or group "ourdomain/Microsoft Exchange Security Groups/Discovery Management."" I have the full error below. I found two possible solutions to the error by googling and resolved the issue and completed the install by deleting the DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852} user account from AD (the other possible solution was to disable the discovery search mailbox, but I could not do this because the install was already halfway through). After setup completed, I ran Setup /PrepareAD /IAcceptblablabla… and the DiscoverySearchMailbox was recreated and all seems well on the server, except the DiscoverySearchMailbox user account is actually disabled now. I have a couple of questions about this that hopefully someone may be able to shed some light on –

  1. Why did this setup error happen in the first place? I didn't run PrepareAD prior to install – I read some info that this was not needed from CU 8 – but other than that we have a very vanilla setup: single-forest domain, 2 DCs, one Exchange Server, small org (30 MBs), no fancy add-ons. I had disabled the AV prior to install, so why the problem on an account that existed previously?
  2. Does the DiscoverySearchMailbox account need to be enabled? We have never used this feature in Exchange to my knowledge and I am not sure if it is functional now or not. When I run Get-HealthReport Server, I am getting all healthy and everything seems fine so far. Can anyone provide some more info on the Discovery Search feature and how to test and/or repair it?

Thanks in advance for any help – here is the full error received:

Error:
The following error was generated when "$error.Clear();
$name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName;
$dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName;
$dismbx = get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1;
if( $dismbx -ne $null)
{
  $srvname = $dismbx.ServerName;
  if( $dismbx.Database -ne $null -and $RoleFqdnOrName -like "$srvname.*" )
  {
    Write-ExchangeSetupLog -info "Setup DiscoverySearchMailbox Permission.";
    $mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
    if( $mountedMdb -eq $null )
    {
      Write-ExchangeSetupLog -info "Mounting database before stamp DiscoverySearchMailbox Permission…";
      mount-database $dismbx.Database;
    }

    $mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
    if( $mountedMdb -ne $null )
    {
      $dmRoleGroupGuid = [Microsoft.Exchange.Data.Directory.Management.RoleGroup]::DiscoveryManagement_InitInfo.WellKnownGuid;
      $dmRoleGroup = Get-RoleGroup -Identity $dmRoleGroupGuid -DomainController $RoleDomainController -ErrorAction:SilentlyContinue;
      if( $dmRoleGroup -ne $null )
      {
        trap [Exception]
        {
          Add-MailboxPermission $dismbx -User $dmRoleGroup.Name -AccessRights FullAccess -DomainController $RoleDomainController -ErrorAction SilentlyContinue;
          continue;
        }

        Add-MailboxPermission $dismbx -User $dmRoleGroup.Identity -AccessRights FullAccess -DomainController $RoleDomainController -WarningAction SilentlyContinue;
      }
    }
  }
}
" was run: "Microsoft.Exchange.Data.Common.LocalizedException: Couldn't resolve the user or group "ourdomain/Microsoft Exchange Security Groups/Discovery Management." If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust. ---> System.SystemException: The trust relationship between the primary domain and the trusted domain failed.

at System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection sourceAccounts, Boolean& someFailed)
at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
at System.Security.Principal.NTAccount.Translate(Type targetType)
at Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter.GetUserSidAsSAMAccount(SecurityPrincipalIdParameter user, TaskErrorLoggingDelegate logError, TaskVerboseLoggingDelegate logVerbose)
--- End of inner exception stack trace ---
at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
at Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter.GetUserSidAsSAMAccount(SecurityPrincipalIdParameter user, TaskErrorLoggingDelegate logError, TaskVerboseLoggingDelegate logVerbose)
at Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter.GetSecurityPrincipal(IRecipientSession session, SecurityPrincipalIdParameter user, TaskErrorLoggingDelegate logError, TaskVerboseLoggingDelegate logVerbose)
at Microsoft.Exchange.Management.RecipientTasks.SetMailboxPermissionTaskBase.InternalValidate()
at Microsoft.Exchange.Management.RecipientTasks.AddMailboxPermission.InternalValidate()
at Microsoft.Exchange.Configuration.Tasks.Task.b__b()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".

Thanks,

George

Best Answer

Update: I have now determined that this error was occurring because of a trust relationship with another forest that was unavailable during the installation of the CU. I have recreated the problem, and every time the old trust that is no longer being used is still listed under Trusts in the Domains and Trusts dialog, the error occurs. Simply removing the no-longer-needed, no-longer-used trust allows the installation to complete without needing to delete (or do anything with) the discovery search mailbox. Just wanted to update so that this might help someone else facing the same issue.
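As an added pre-flight check (not from the original post or from Exchange setup), the following Exchange Management Shell script lists the domain's forest trusts, repeats the same NTAccount-to-SID translation that the failing setup step performs, and verifies whether the Discovery Management role group already holds FullAccess on the discovery search mailbox. It assumes the ActiveDirectory module is available on the Exchange server and that the local domain's NetBIOS name is read at runtime ("ourdomain" in the post).

```powershell
# Added pre-flight check; not part of the original post or of Exchange setup.
# Run in an elevated Exchange Management Shell before applying a CU.
Import-Module ActiveDirectory

$localDomain = (Get-ADDomain).NetBIOSName   # e.g. "ourdomain" in the post

# 1. Every trust the domain still holds. The accepted answer's cause was a trust
#    whose partner forest was unreachable; such a trust is still listed here.
Write-Host "Trusts defined on ${localDomain}:"
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, TrustType |
    Format-Table -AutoSize

# 2. The same NTAccount -> SID translation the setup step used
#    (System.Security.Principal.NTAccount.Translate in the stack trace).
#    With an unreachable trust partner it throws the "trust relationship
#    ... failed" SystemException instead of returning a SID.
$account = New-Object System.Security.Principal.NTAccount($localDomain, "Discovery Management")
try {
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    Write-Host "Discovery Management resolves to $sid; the setup step should pass."
} catch {
    Write-Warning "SID translation failed: $($_.Exception.Message)"
    Write-Warning "Review the trusts listed above and remove any whose partner forest no longer exists."
}

# 3. State of the discovery search mailbox and whether Discovery Management
#    already has the FullAccess permission that the setup step stamps.
$dismbx = Get-Mailbox -RecipientTypeDetails DiscoveryMailbox -ResultSize 1
if ($dismbx -eq $null) {
    Write-Warning "No discovery search mailbox found; Setup /PrepareAD recreates it."
} else {
    $dismbx | Select-Object Name, ServerName, Database | Format-List
    $perm = Get-MailboxPermission -Identity $dismbx.Identity |
        Where-Object { $_.User -like "*Discovery Management*" -and $_.AccessRights -contains "FullAccess" }
    if ($perm -eq $null) {
        Write-Warning "Discovery Management lacks FullAccess on $($dismbx.Name); re-stamp it with:"
        Write-Warning "  Add-MailboxPermission '$($dismbx.Identity)' -User 'Discovery Management' -AccessRights FullAccess"
    } else {
        Write-Host "Discovery Management has FullAccess on $($dismbx.Name)."
    }
}
```

A disabled AD user account is the default state for a discovery mailbox, so the check above looks at the mailbox permission rather than at whether the account is enabled.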