On a Windows Server 2008-based computer, Exchange Server 2010 installation cannot be successful at the organization preparation process

Article ID: 973848 - View products that this article applies to.

SYMPTOMS

When you try to install Exchange Server 2010 on a computer that is running Windows Server 2008, the installation fails during the organization preparation process. Additionally, the following error message is logged in the Exchange Setup log:

The execution of: "$error.Clear(); if ($RolePrepareAllDomains) { initialize-DomainPermissions -AllDomains:$true -CreateTenantRoot:$RoleIsDatacenter; } elseif ($RoleDomain -ne $null) { initialize-DomainPermissions -Domain $RoleDomain -CreateTenantRoot:$RoleIsDatacenter; } else { initialize-DomainPermissions -CreateTenantRoot:$RoleIsDatacenter; }", generated the following error: "Length of the access control list exceed the allowed maximum.".

Note This problem typically occurs if it is a single Exchange server in a forest that is installed and uninstalled multiple times.

Back to the top | Give Feedback

CAUSE

This issue occurs because of a hard-code limitation in Active Directory on the size of discretionary access control list (DACL). When this issue occurs, information in the Exchange setup log indicates that ACLs that are too large are stored in the Microsoft Exchange System Objects container.

Back to the top | Give Feedback

RESOLUTION

To resolve this issue, follow the follow steps to remove those ACLs from this object.

Click Start, click Run, type ldp, and then click OK.
In the LDP console, click the Connection menu, click Connect, type domain controller name, and then click OK.
On the Connection menu, click Bind, type the credentials of the domain administrator, and then click OK.
On the View menu, click Tree.
In BaseDN drop-down list, select the appropriate domain context, such as "DC=Contoso,DC=com," and then click OK.
In the tree view, under DC=<domainname>,DC=com, locate to the object "CN=Microsoft Exchange System objects,DC=<domainname>,DC=com".
Right-click the object in step 6, click Advanced, select Security Descriptor, make sure that the SACL option and the "Text dump" option are unchecked and then click OK.

This will open a new window with security descriptor details
In this security descriptor Window, click to select the DACL check box.
In the middle pane of the Security descriptor Window, select and delete all the access control entries (ACEs) that have “\0ADEL:” in the Trustee column. Multiple ACEs can be selected and then click Delete ACE to delete them.
Close the security descriptor as soon as you delete the corresponding ACE's
Close the LDP console.
Force Domain Controller replication.
Rerun Exchange setup and it will install successfully.