Article ID: 973848 - Last Review: July 30, 2009 - Revision: 1.2

On a Windows Server 2008-based computer, Exchange Server 2010 installation fails during the organization preparation process


SYMPTOMS

When you try to install Exchange Server 2010 on a computer that is running Windows Server 2008, the installation fails during the organization preparation process. Additionally, the following error message is logged in the Exchange Setup log:
The execution of: "$error.Clear(); if ($RolePrepareAllDomains) { initialize-DomainPermissions -AllDomains:$true -CreateTenantRoot:$RoleIsDatacenter; } elseif ($RoleDomain -ne $null) { initialize-DomainPermissions -Domain $RoleDomain -CreateTenantRoot:$RoleIsDatacenter; } else { initialize-DomainPermissions -CreateTenantRoot:$RoleIsDatacenter; }", generated the following error: "Length of the access control list exceed the allowed maximum.".

Note This problem typically occurs when a single Exchange server in a forest has been installed and uninstalled multiple times.

CAUSE

This issue occurs because of a hard-coded limit in Active Directory on the size of a discretionary access control list (DACL). When this issue occurs, information in the Exchange setup log indicates that ACLs that are too large are stored in the Microsoft Exchange System Objects container.
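
To see how much of a DACL's space is in use and which trustees account for it, the following added example (not part of the original article) parses a self-relative security descriptor and totals ACE bytes per trustee SID. It assumes the ceiling is the 16-bit AclSize field of the ACL header (65,535 bytes); the sample descriptor, domain SID and RIDs are constructed, and the function names are hypothetical.

```python
import struct
from collections import Counter

ACL_MAX_BYTES = 0xFFFF  # AclSize in the ACL header is a 16-bit field

def sid_to_str(b):
    """Render a binary SID as S-R-A-S1-S2..."""
    subs = struct.unpack_from("<%dI" % b[1], b, 8)
    return "S-%d-%d" % (b[0], int.from_bytes(b[2:8], "big")) + "".join("-%d" % s for s in subs)

def dacl_usage(sd):
    """Return (dacl_bytes, ace_count, bytes per trustee SID) for a self-relative SD."""
    control, = struct.unpack_from("<H", sd, 2)
    off_dacl, = struct.unpack_from("<I", sd, 16)
    if not control & 0x0004 or off_dacl == 0:        # SE_DACL_PRESENT not set
        return 0, 0, Counter()
    acl_size, ace_count = struct.unpack_from("<HH", sd, off_dacl + 2)
    per_sid, pos = Counter(), off_dacl + 8           # ACEs follow the 8-byte ACL header
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_size < 8 or pos + ace_size > off_dacl + acl_size:
            raise ValueError("ACE at offset %d overruns the DACL" % pos)
        sid_at = pos + 8                             # skip ACE header and access mask
        if ace_type in (5, 6):                       # object allow/deny ACEs
            obj_flags, = struct.unpack_from("<I", sd, sid_at)
            sid_at += 4 + 16 * bin(obj_flags & 3).count("1")   # skip optional GUIDs
        if ace_type in (0, 1, 5, 6):                 # ACE types whose SID location we know
            sid_len = 8 + 4 * sd[sid_at + 1]
            per_sid[sid_to_str(sd[sid_at:sid_at + sid_len])] += ace_size
        else:
            per_sid["(other ACE type %d)" % ace_type] += ace_size
        pos += ace_size
    return acl_size, ace_count, per_sid

def build_sample_sd(rids):
    """Constructed sample: one allow ACE per RID under a made-up domain SID."""
    aces = b""
    for rid in rids:
        sid = struct.pack("<BB", 1, 5) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1111, 2222, 3333, rid)
        aces += struct.pack("<BBHI", 0, 0, 8 + len(sid), 0x000F01FF) + sid
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(rids), 0) + aces
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl

if __name__ == "__main__":
    size, count, per_sid = dacl_usage(build_sample_sd([1105] * 6 + [1106] * 3 + [512]))
    print("DACL %d of %d bytes, %d ACEs" % (size, ACL_MAX_BYTES, count))
    for sid, used in per_sid.most_common():
        print("%6d bytes  %s" % (used, sid))
```

Against a real directory, pass the raw bytes of the container's nTSecurityDescriptor attribute to `dacl_usage` before and after the cleanup to confirm that the DACL shrank.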

RESOLUTION

To resolve this issue, follow these steps to remove those ACLs from this object.
  1. Click Start, click Run, type ldp, and then click OK.
  2. In the LDP console, click the Connection menu, click Connect, type the domain controller name, and then click OK.
  3. On the Connection menu, click Bind, type the credentials of the domain administrator, and then click OK.
  4. On the View menu, click Tree.
  5. In the BaseDN drop-down list, select the appropriate domain context, such as "DC=Contoso,DC=com", and then click OK.
  6. In the tree view, under DC=<domainname>,DC=com, locate the object "CN=Microsoft Exchange System objects,DC=<domainname>,DC=com".
  7. Right-click the object from step 6, click Advanced, select Security Descriptor, make sure that the SACL option and the "Text dump" option are unchecked, and then click OK.

    This will open a new window with the security descriptor details.
  8. In this security descriptor window, click to select the DACL check box.
  9. In the middle pane of the security descriptor window, select and delete all the access control entries (ACEs) that have “\0ADEL:” in the Trustee column. You can select multiple ACEs and then click Delete ACE to delete them.
  10. Close the security descriptor window as soon as you delete the corresponding ACEs.
  11. Close the LDP console.
  12. Force Domain Controller replication.
  13. Rerun Exchange setup and it will install successfully.

APPLIES TO
  • Microsoft Exchange Server 2007 Enterprise Edition
  • Microsoft Exchange Server 2007 Standard Edition
  • Microsoft Exchange Server 2010 Coexistence
  • Microsoft Exchange Server 2010 Enterprise
  • Microsoft Exchange Server 2010 Standard