The Exchange Server is not a member of Exchange Trusted Subsystem

Symptoms

An authorized user or server is unable to perform Microsoft Exchange Server 2010 administrative tasks, such as, but not limited to, the following:

  • Unable to add the server to a Database Availability Group (DAG); the operation fails with an "Access is denied" (0x80070005) error
  • Running the Get-OwaVirtualDirectory cmdlet returns the error "An IIS directory entry couldn't be created. The error message is Access is denied."
  • Microsoft Exchange 2010 services do not start, and Event ID 2604 is logged:

    Log Name: Application
    Source: MSExchange ADAccess
    Event ID: 2604
    Task Category: General
    Level: Error
    Description:
    Process MSEXCHANGEADTOPOLOGY (PID=xxxx). When updating security for a remote procedure call (RPC) access for the Exchange Active Directory Topology service, Exchange could not retrieve the security descriptor for Exchange server object ExchangeServerName - Error code=80040a01.

    The Exchange Active Directory Topology service will continue with limited permissions.

Cause

The Exchange 2010 Server is not a member of the Exchange Trusted Subsystem group.

Resolution

To add a server to the Exchange Trusted Subsystem group:
  1. On a domain controller, click Start, click Run, type dsa.msc to open the Active Directory Users and Computers snap-in, and then click OK.
  2. Locate the appropriate domain, and then click the Microsoft Exchange Security Groups container.
  3. In the details pane, double-click Exchange Trusted Subsystem.
  4. Click the Members tab, and then add the server's computer account to the Members list.
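The following script is an added example, not part of the original article, that performs the same check and repair from the Active Directory module instead of dsa.msc. It assumes the RSAT ActiveDirectory module is available, that the account running it may read and modify the group, and that the parameter names ($ServerName, -Repair) are illustrative choices made here. Because the group has read/write access to every Exchange object, the script also lists any member that is not a computer account so those entries can be reviewed.

```powershell
# Added example (not from the KB article): verify, and optionally repair, an
# Exchange 2010 server's membership in the Exchange Trusted Subsystem group,
# then audit the group for members that are not Exchange server computer accounts.
# Assumptions: RSAT ActiveDirectory module installed; caller may modify the group;
# $ServerName and -Repair are names chosen for this example.
param(
    [Parameter(Mandatory = $true)]
    [string]$ServerName,   # NetBIOS name of the Exchange 2010 server
    [switch]$Repair        # add the computer account when it is missing
)

Import-Module ActiveDirectory -ErrorAction Stop

$groupName = 'Exchange Trusted Subsystem'

# Resolve both objects up front so a typo fails here, not inside the membership logic.
$computer = Get-ADComputer -Identity $ServerName -ErrorAction Stop
$group    = Get-ADGroup    -Identity $groupName  -ErrorAction Stop

# Direct members only: the KB adds the server directly, and nested groups are
# exactly what the audit below wants to surface.
$members = @(Get-ADGroupMember -Identity $group)

$isMember = $members |
    Where-Object { $_.distinguishedName -eq $computer.DistinguishedName }

if ($isMember) {
    Write-Output "$ServerName is a member of '$groupName'."
}
else {
    Write-Warning "$ServerName is NOT a member of '$groupName'; expect Event 2604 and 'Access is denied' errors."
    if ($Repair) {
        Add-ADGroupMember -Identity $group -Members $computer -Confirm:$false
        Write-Output "Added $ServerName to '$groupName'."
        # The computer's logon token is built at startup, so the new group is
        # typically not effective until the Exchange server is rebooted.
        Write-Output "Reboot $ServerName so its security token includes the group."
    }
}

# Audit: anything here that is not a computer account is effectively an
# organization-wide Exchange administrator and should be justified or removed.
$nonComputerMembers = $members | Where-Object { $_.objectClass -ne 'computer' }
foreach ($m in $nonComputerMembers) {
    Write-Warning "Non-computer member of '$groupName': $($m.SamAccountName) [$($m.objectClass)]"
}

# Return a summary object so the result can be consumed by other scripts.
[pscustomobject]@{
    Server             = $ServerName
    Group              = $groupName
    IsMember           = [bool]$isMember -or [bool]$Repair
    NonComputerMembers = @($nonComputerMembers | ForEach-Object { $_.SamAccountName })
}
```

Run it first without -Repair to see the current state; rerun with -Repair only after confirming the server name is correct, since adding an arbitrary account to this group grants it write access across the Exchange organization.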

More Information

In Microsoft Exchange 2010, all tasks that are performed on Exchange objects must be done through the Exchange Management Console (EMC), the Exchange Management Shell (EMS), or the Exchange Web administrative interface: Exchange Control Panel (ECP). Each of these management tools uses Role Based Access Control (RBAC) to authorize all tasks that are performed. 

RBAC is a component that exists on every server running Exchange 2010, with the exception of Edge Transport servers. RBAC checks whether the user performing an action is authorized to do so:
  • If the user isn't authorized to perform the action, RBAC doesn't allow the action to proceed.
  • If the user is authorized to perform the action, RBAC checks whether the user is authorized to perform the action against the specific object being requested:
    • If the user is authorized, RBAC allows the action to proceed.
    • If the user isn't authorized, RBAC doesn't allow the action to proceed.
If RBAC allows an action to proceed, the action is performed in the context of the Exchange Trusted Subsystem and not the user's context. The Exchange Trusted Subsystem is a highly privileged Universal Security Group (USG) that has read/write access to every Exchange-related object in the Exchange organization. It's also a member of the Administrators local security group and the Exchange Windows Permissions USG, which enables Exchange to create and manage Active Directory objects. For more information about the various components of RBAC, see Understanding Role Based Access Control.


Properties

Article ID: 2655050 - Last Review: Sep 18, 2015 - Revision: 1
