The passive node computer account is unexpectedly assigned Full Control permissions after you install the Passive Clustered Mailbox role in an Exchange Server 2007 cluster environment

Article ID: 951578 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

You install the Passive Clustered Mailbox role in a Microsoft Exchange Server 2007 cluster environment in which a clustered mailbox server has already been created. After you do this, you experience the following symptoms:
  • When you review the permissions that are assigned to the server object in the ADSIEdit.msc tool, you see that the passive node computer account is unexpectedly assigned Full Control permissions.
  • When you run the get-ExchangeAdministrator cmdlet, you receive the following message:
    The account is not a member of Exchange View Only Administrators
Note This problem does not occur when you install the Mailbox role, the Client Access role, or the Hub Transport role.
Back to the top | Give Feedback

CAUSE

This problem occurs because the computer account assigns Full Control permissions to the following object when the passive node is installed:
CN=Clustered Mailbox server,CN=Servers,CN= Exchange Administrative Group (code),CN= Administrative Groups,CN=OrganizationName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com
Back to the top | Give Feedback

RESOLUTION

To resolve this problem, follow these steps:
  1. Open the AdsiEdit.msc tool that is included in Windows Support Tools.
  2. Connect to the domain.
  3. Locate the following object:
    CN=Clustered Mailbox server,CN=Servers,CN= Exchange Administrative Group (code),CN= Administrative Groups,CN=OrganizationName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com
  4. Right-click this object, and then click Properties.
  5. On the Security tab, find the computer account of the passive node.
  6. Remove all permissions for this account except the Read permission.
  7. Click Advanced, and then click Add.
  8. Add the following permissions by using a "This Object Only" scope:
    • Write property msExchEdgeSyncCredential
    • Write property msExchServerSite
  9. Add the following permissions by using a "This object and all child objects" scope:
    • List Contents
    • All properties that are designated with "Read"
  10. Trigger a replication among the domain controllers.
Back to the top | Give Feedback

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top | Give Feedback

MORE INFORMATION

For more information about Windows Server 2003 Support Tools, click the following article numbers to view the articles in the Microsoft Knowledge Base:
892777
(http://support.microsoft.com/kb/892777/ )
Windows Server 2003 Service Pack 1 Support Tools
926027
(http://support.microsoft.com/kb/926027/ )
Updates to the Windows Server 2003 Support Tools are included in Windows Server 2003 Service Pack 2
Back to the top | Give Feedback

Properties

Article ID: 951578 - Last Review: March 24, 2009 - Revision: 2.0
APPLIES TO
  • Microsoft Exchange Server 2007 Enterprise Edition
Keywords: 
kbexpertiseadvanced kbexpertiseinter kbtshoot kbprb KB951578
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top