The Exchange Server is not a member of Exchange Trusted Subsystem

Symptoms
An authorized user or server is unable to perform Microsoft Exchange Server 2010 administrative tasks, such as, but not limited to, the following:

  • Unable to add the server to a Database Availability Group (DAG); the operation fails with an "Access is denied" (0x80070005) error
  • Getting the error "An IIS directory entry couldn't be created. The error message is Access is denied." when running the get-OWAVirtualdirectory cmdlet
  • Microsoft Exchange 2010 services will not start, and Event ID 2604 is logged:

    Log Name: Application
    Source: MSExchange ADAccess
    Event ID: 2604
    Task Category: General
    Level: Error
    Description:
    Process MSEXCHANGEADTOPOLOGY (PID=xxxx). When updating security for a remote procedure call (RPC) access for the Exchange Active Directory Topology service, Exchange could not retrieve the security descriptor for Exchange server object ExchangeServerName - Error code=80040a01.

    The Exchange Active Directory Topology service will continue with limited permissions.

Cause
The Exchange 2010 Server is not a member of the Exchange Trusted Subsystem group.
Resolution
To add a server to the Exchange Trusted Subsystem group:
  1. On a domain controller, click Start, click Run, type dsa.msc to open the Active Directory Users and Computers snap-in, and then click OK.
  2. Locate the appropriate domain, and then click the Microsoft Exchange Security Groups container.
  3. In the details pane, double-click Exchange Trusted Subsystem.
  4. Click the Members tab, and then add the server's computer account to the Members list.
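The same check and fix can be done from the shell. The following PowerShell script is an added example, not part of the KB article: it looks for the Event ID 2604 symptom on the local server, then compares the server's computer account against the membership of the Exchange Trusted Subsystem group by SID and adds it if it is missing. It assumes the ActiveDirectory module (RSAT) is installed on the machine where it runs and that the caller has rights to modify the group; the group and server names are variables you set for your environment.

```powershell
# Added example (not from the KB article): verify and, if needed, fix
# Exchange Trusted Subsystem membership for an Exchange 2010 server.
# Assumes: ActiveDirectory module available; caller can modify the group.
Import-Module ActiveDirectory

$GroupName  = 'Exchange Trusted Subsystem'   # sAMAccountName of the USG
$ServerName = $env:COMPUTERNAME              # or set explicitly, e.g. 'EX01'

# Step 1: is the symptom present? Look for MSExchange ADAccess event 2604
# in the Application log over the last 24 hours.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MSExchange ADAccess'
    Id           = 2604
    StartTime    = $since
} -ErrorAction SilentlyContinue
if ($events) {
    Write-Host ("Found {0} MSExchange ADAccess 2604 event(s) since {1}." -f @($events).Count, $since)
} else {
    Write-Host "No MSExchange ADAccess 2604 events since $since."
}

# Step 2: resolve the group and the server's computer account in AD.
$group    = Get-ADGroup    -Identity $GroupName
$computer = Get-ADComputer -Identity $ServerName

# Step 3: compare by SID (not display name) so a renamed or duplicate
# object cannot produce a false match. -Recursive catches nested membership.
$members  = Get-ADGroupMember -Identity $group -Recursive
$isMember = $members | Where-Object { $_.SID -eq $computer.SID }

if ($isMember) {
    Write-Host "$ServerName is already a member of '$GroupName'. Nothing to do."
} else {
    Write-Host "$ServerName is NOT a member of '$GroupName'; adding it."
    Add-ADGroupMember -Identity $group -Members $computer
    # The computer account's logon token is built at startup, so the new
    # group SID is only honoured after the server is restarted.
    Write-Host "Added. Restart $ServerName so the Exchange services start with the updated token."
}
```

Run it in an elevated PowerShell session on the affected server (or change $ServerName and run it from any domain-joined admin workstation). Comparing SIDs rather than names is deliberate: membership decisions are made on the SID in the token, and a name-based check can pass while the token still lacks the group.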
More information
In Microsoft Exchange 2010, all tasks that are performed on Exchange objects must be done through the Exchange Management Console (EMC), the Exchange Management Shell (EMS), or the Exchange web administrative interface, the Exchange Control Panel (ECP). Each of these management tools uses Role Based Access Control (RBAC) to authorize every task that is performed.

RBAC is a component that exists on every server running Exchange 2010, with the exception of Edge Transport servers. RBAC checks whether the user performing an action is authorized to do so:
  • If the user isn't authorized to perform the action, RBAC doesn't allow the action to proceed.
  • If the user is authorized to perform the action, RBAC checks whether the user is authorized to perform the action against the specific object being requested:
    • If the user is authorized, RBAC allows the action to proceed.
    • If the user isn't authorized, RBAC doesn't allow the action to proceed.
If RBAC allows an action to proceed, the action is performed in the context of the Exchange Trusted Subsystem and not the user's context. The Exchange Trusted Subsystem is a highly privileged Universal Security Group (USG) that has read/write access to every Exchange-related object in the Exchange organization. It's also a member of the Administrators local security group and the Exchange Windows Permissions USG, which enables Exchange to create and manage Active Directory objects. For more information about the various components of RBAC, see Understanding Role Based Access Control.


Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.
Properties

Article ID: 2655050 - Last Review: 09/18/2015 21:33:00 - Revision: 6.0

Microsoft Exchange Server 2010 Enterprise, Microsoft Exchange Server 2010 Service Pack 1, Microsoft Exchange Server 2010 Service Pack 2, Microsoft Exchange Server 2010 Standard

  • kbsurveynew KB2655050