The passive node computer account is unexpectedly assigned Full Control permissions after you install the Passive Clustered Mailbox role in an Exchange Server 2007 cluster environment

Article ID: 951578

SYMPTOMS

You install the Passive Clustered Mailbox role in a Microsoft Exchange Server 2007 cluster environment in which a clustered mailbox server has already been created. After you do this, you experience the following symptoms:
  • When you review the permissions that are assigned to the server object in the ADSIEdit.msc tool, you see that the passive node computer account is unexpectedly assigned Full Control permissions.
  • When you run the Get-ExchangeAdministrator cmdlet, you receive the following message:
    The account is not a member of Exchange View Only Administrators
Note This problem does not occur when you install the Mailbox role, the Client Access role, or the Hub Transport role.

CAUSE

This problem occurs because the passive node computer account is assigned Full Control permissions on the following object when the passive node is installed:
CN=Clustered Mailbox server,CN=Servers,CN=Exchange Administrative Group (code),CN=Administrative Groups,CN=OrganizationName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com

RESOLUTION

To resolve this problem, follow these steps:
  1. Open the ADSIEdit.msc tool that is included in Windows Support Tools.
  2. Connect to the domain.
  3. Locate the following object:
    CN=Clustered Mailbox server,CN=Servers,CN=Exchange Administrative Group (code),CN=Administrative Groups,CN=OrganizationName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com
  4. Right-click this object, and then click Properties.
  5. On the Security tab, find the computer account of the passive node.
  6. Remove all permissions for this account except the Read permission.
  7. Click Advanced, and then click Add.
  8. Add the following permissions by using a "This Object Only" scope:
    • Write property msExchEdgeSyncCredential
    • Write property msExchServerSite
  9. Add the following permissions by using a "This object and all child objects" scope:
    • List Contents
    • All properties that are designated with "Read"
  10. Trigger a replication among the domain controllers.
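
The following read-only check is an added example, not part of the original article. Run before step 6 and again after step 10, it lists the ACEs that the passive node computer account holds on the clustered mailbox server object and flags any that are broader than the permissions the steps above leave in place. The DN is the article's template and DOMAIN\PASSIVENODE$ is a hypothetical account name; replace both with your own values.

```powershell
# Added example (not Microsoft's code). Read-only: it never modifies the ACL.
# Assumptions: $CmsDn is the article's DN template with your real names filled in,
# and $PassiveNode is a hypothetical placeholder for the passive node computer account.
$CmsDn       = 'CN=Clustered Mailbox server,CN=Servers,CN=Exchange Administrative Group (code),CN=Administrative Groups,CN=OrganizationName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com'
$PassiveNode = 'DOMAIN\PASSIVENODE$'

# Rights that the resolution steps never grant to the node account.
# Full Control (GenericAll) contains every one of these bits.
$NeverExpected = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner, Delete, DeleteTree, CreateChild, DeleteChild, Self, ExtendedRight'
$WriteProperty = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Test-AceIsExcessive($Ace) {
    # Deny ACEs cannot grant anything, so only Allow ACEs are evaluated.
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $rights = [int]$Ace.ActiveDirectoryRights
    if ($rights -band $NeverExpected) { return $true }
    # WriteProperty is expected only when the ACE is scoped by an ObjectType GUID
    # (steps 8 and 9). An empty GUID means "write all properties".
    # This check does not verify which attribute the GUID refers to.
    return (($rights -band $WriteProperty) -ne 0) -and ($Ace.ObjectType -eq [Guid]::Empty)
}

function Get-NodeAce([string]$Dn, [string]$Account) {
    $entry = [ADSI]"LDAP://$Dn"
    # psbase exposes the underlying DirectoryEntry on older PowerShell versions.
    # Explicit and inherited ACEs are both returned, translated to DOMAIN\name form.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])
    $rules | Where-Object { $_.IdentityReference.Value -eq $Account }
}

$aces = @(Get-NodeAce $CmsDn $PassiveNode)
if ($aces.Count -eq 0) {
    Write-Host "No ACEs found for $PassiveNode on the object."
} else {
    $aces | Select-Object ActiveDirectoryRights, InheritanceType, ObjectType, IsInherited,
        @{ Name = 'Excessive'; Expression = { Test-AceIsExcessive $_ } } |
        Format-List
}
```

Before the fix, the Full Control ACE appears with ActiveDirectoryRights set to GenericAll and Excessive set to True; after replication, no ACE for the account should be flagged.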

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For more information about Windows Server 2003 Support Tools, click the following article numbers to view the articles in the Microsoft Knowledge Base:
892777 Windows Server 2003 Service Pack 1 Support Tools
926027 Updates to the Windows Server 2003 Support Tools are included in Windows Server 2003 Service Pack 2

Properties

Article ID: 951578 - Last Review: March 24, 2009 - Revision: 2.0
APPLIES TO
  • Microsoft Exchange Server 2007 Enterprise Edition