Applies to: Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2008-10-29

This topic provides information about how to troubleshoot Microsoft Exchange Server 2007 Setup issues that occur when you run one of the following commands:

When you run one of these commands to prepare the Active Directory directory service for the installation of Exchange 2007, Setup may unexpectedly exit. This issue occurs when you run Setup without sufficient permissions to prepare Active Directory for the installation of Exchange 2007. This issue may occur if you are using an account that has not been delegated membership in the correct group or if you modified specific permissions for the required group.

Additionally, when you try to run the Setup /prepareAD command, you may receive the following error message:

You do not have permissions to read the security descriptor on CN=Deleted Objects,CN=Configuration,DC=<domain>,DC=com

This issue occurs if the CN=Deleted Objects container does not exist in Active Directory or if permissions are missing from this container in Active Directory.

Resolution

To resolve the issue in which Setup exits unexpectedly, perform one or more of the following tasks:

  • Confirm that you have not modified the permissions in the Schema Admins group or the Enterprise Admins group.

  • Run Setup with an account that has sufficient permissions to prepare Active Directory for the installation of Exchange 2007:

    • To prepare the schema by using the Setup.com /PrepareSchema command, the account that you use must be delegated membership in the Schema Admins group and the Enterprise Admins group.

    • To prepare Active Directory by using the Setup.com /PrepareAD command, the account you use must be delegated membership in the Enterprise Admins group.

To resolve the issue in which you receive an error message, perform one of the following tasks:

  • To create the CN=Deleted Objects container, add an Active Directory user, force replication, and then delete the Active Directory user that you added.

  • Use the Dsacls tool to take ownership of the CN=Deleted Objects container, and then grant the appropriate permissions. Dsacls is a command-line tool that is built into Windows Server 2008. The tool is available if the Active Directory Domain Services (AD DS) server role is installed.

Before You Begin

To perform this procedure, the account you use must be delegated the following:

  • Membership in the Domain Admins group in the forest root domain or in the Enterprise Admins group

  • Membership in the local Administrators group

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

Procedure

To add sufficient permissions to an account to run Setup

  1. Add a user or a group to the Schema Admins group. For more information, see Add a member to the Schema Admins group.

  2. Add a user or group to the Enterprise Admins group. To do this, follow these steps:

    1. Open Active Directory Users and Computers.

    2. In the console tree, click Users in the forest root domain.

    3. In the details pane, right-click the user or group that you want to add, and then click Properties.

    4. Click the Member Of tab, and then click Add.

    5. In Enter the object names to select, type Enterprise Admins, and then click OK.

  3. Prepare Active Directory for Exchange 2007. For more information, see How to Prepare Active Directory and Domains.

To add and then delete an Active Directory user

  1. Create a test user account, and then force Active Directory replication.

  2. Delete the test user account, and then force Active Directory replication. The CN=Deleted Objects container is created automatically.

  3. Run Setup /prepareAD again.

To use the Dsacls tool to take ownership of the CN=Deleted Objects container and then grant the appropriate permissions

  1. Click Start, right-click Command Prompt, and then click Run as administrator.

  2. At a command prompt, type the following command, and then press ENTER:

    dsacls "CN=<Name_Of_Deleted_Objects_Container>,DC=<Domain_Name>,DC=com" /takeownership

  3. Type the following command, and then press ENTER:

    dsacls "CN=<Name_Of_Deleted_Objects_Container>,DC=<Domain_Name>,DC=com" /g <Domain_Name>\<User_Name>:LCRP
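The following PowerShell script is an added pre-flight check, not part of this topic or of Exchange Setup: it tests the two conditions described above (group membership of the account that will run Setup, and whether the CN=Deleted Objects container under the configuration naming context named in the error message exists and has a readable security descriptor) and maps each failure to the matching resolution. It assumes the Active Directory PowerShell module (RSAT) is available, which is newer than the Windows Server 2008 tooling this topic refers to.

```powershell
# Added diagnostic (not Microsoft's code). Assumes the ActiveDirectory module is
# installed. RIDs 518 (Schema Admins) and 519 (Enterprise Admins) are well-known;
# everything else is read from the current logon token and the forest.
Import-Module ActiveDirectory

function Test-ExchangePrepPermissions {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    # Membership is taken from the logon token, so an account added to a group
    # a moment ago still reports as missing until it logs off and on again.
    $rids = $identity.Groups | ForEach-Object { ($_.Value -split '-')[-1] }
    [pscustomobject]@{
        Account          = $identity.Name
        LocalAdmin       = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        SchemaAdmins     = $rids -contains '518'   # required for Setup /PrepareSchema
        EnterpriseAdmins = $rids -contains '519'   # required for Setup /PrepareAD
    }
}

function Test-DeletedObjectsContainer {
    # Same container Setup /PrepareAD reads; it is a tombstone object, so it is
    # only returned when -IncludeDeletedObjects is specified.
    $dn = 'CN=Deleted Objects,' + (Get-ADRootDSE).configurationNamingContext
    try {
        # Reading nTSecurityDescriptor needs the same right Setup needs (READ_CONTROL).
        $obj   = Get-ADObject -Identity $dn -IncludeDeletedObjects -Properties nTSecurityDescriptor
        $owner = $obj.nTSecurityDescriptor.Owner
        "OK: $dn exists and its security descriptor is readable (owner: $owner)"
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        "MISSING: $dn was not found; create and delete a test user, force replication, then rerun Setup /PrepareAD"
    }
    catch {
        "DENIED: cannot read the security descriptor on $dn ($($_.Exception.Message)); take ownership with dsacls /takeownership and grant LCRP"
    }
}

Test-ExchangePrepPermissions
Test-DeletedObjectsContainer
```

Run it from an elevated PowerShell session as the account you intend to run Setup with; LocalAdmin reports False in a non-elevated session even for members of the local Administrators group.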