Connect to Exchange Management Shell using an account in a trusted domain

Gary Burch 1 Reputation point
2024-08-01T09:45:11.4633333+00:00

There are a couple of AD DS Domains relevant here, which I'll call USER (users log into here on a day-to-day basis, workstations and the majority of servers in the estate are all joined here) and RESOURCE (Exchange is installed here).  Exchange Mailboxes have an AD User object in RESOURCE Domain, which is disabled, and have the LinkedMasterAccount set as the user's account in USER.

A Two-way External trust exists between USER and RESOURCE domains.  IT Staff have admin accounts in both USER and RESOURCE domains.

We've recently audited the RBAC roles we have set up in Exchange, and they need a little care and attention.  One of the issues is that admin accounts in the RESOURCE domain aren't maintained anywhere near as well as those in the USER domain, so I'm trying to delegate all the necessary access to manage Exchange to the admin accounts in USER instead, so that we don't have separate admin accounts in RESOURCE to maintain.

I've managed to set up Linked Role Groups in the USER Domain, mirroring the built-in ones as well as creating some more granular ones that we need, and these seem to work as expected in ECP.  However, they don't seem to be able to connect to any of the Exchange servers from Exchange Management Shell, instead giving the error:

New-PSSession : [exchangeserver1.resource.org] Connecting to remote server exchangeserver1.resource.org failed with the
following error message : WinRM cannot process the request. The following error occurred while using Kerberos
authentication: Cannot find the computer exchangeserver1.resource.org. Verify that the computer exists on the network
and that the name provided is spelled correctly. For more information, see the about_Remote_Troubleshooting Help topic.

It loops through all the Exchange servers in the environment, giving the same error.

This error occurs from a management box with the Exchange Tools installed, as well as from an Exchange server itself, when logged in as a USER admin account.  Logging into the same servers with a RESOURCE admin account connects and works as expected.

Is there something else I need to set up or configure to allow USER accounts to authenticate?  As far as I can tell, the permissions are all delegated correctly.

Many thanks
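Added diagnostic example (not from the original question or answer): the steps a practitioner would run from the USER-joined management box before touching RBAC again. The WinRM error above is raised while obtaining a Kerberos ticket for the Exchange host, so the script separates name resolution, WinRM reachability and Kerberos ticket acquisition from the Exchange session itself, then shows which role groups are linked. The server name and domain are taken from the question; `$ExchangeFqdn` and the `http://.../PowerShell/` URI form are assumptions to adapt to the environment.

```powershell
# Added example, not the poster's code. Assumes the FQDN from the question and the
# default Exchange remote PowerShell virtual directory over HTTP (Kerberos is what the
# Exchange Management Shell uses by default when connecting to that URI).
$ExchangeFqdn = 'exchangeserver1.resource.org'   # assumption: adapt to your estate
$Uri          = "http://$ExchangeFqdn/PowerShell/"

# 1. Name resolution from the USER-joined box. The error text says "Cannot find the
#    computer", so confirm the RESOURCE FQDN resolves before blaming the trust.
Resolve-DnsName -Name $ExchangeFqdn -Type A -ErrorAction Stop |
    Format-Table Name, IPAddress -AutoSize

# 2. WinRM listener reachable at all? Test-WSMan performs no authentication, so a
#    failure here is network/listener, not Kerberos or RBAC.
Test-WSMan -ComputerName $ExchangeFqdn

# 3. Can this USER logon obtain a Kerberos service ticket for the Exchange host via the
#    trust? This is the step WinRM is failing at; checking it directly isolates the
#    trust/KDC referral from everything Exchange-specific.
klist get HTTP/$ExchangeFqdn
klist | Select-String -Pattern $ExchangeFqdn

# 4. Open the Exchange session with Kerberos first, then Negotiate, so the two results
#    can be compared in the same run.
$session = $null
foreach ($auth in 'Kerberos', 'Negotiate') {
    try {
        $session = New-PSSession -ConfigurationName Microsoft.Exchange `
                                 -ConnectionUri $Uri `
                                 -Authentication $auth `
                                 -ErrorAction Stop
        Write-Host "Connected to $ExchangeFqdn using $auth"
        break
    }
    catch {
        Write-Warning "$auth failed: $($_.Exception.Message)"
    }
}

# 5. Optional control: repeat with an explicit RESOURCE admin credential, which the
#    poster reports works, to confirm the endpoint itself is healthy.
if (-not $session) {
    $cred    = Get-Credential -Message 'RESOURCE domain admin account (control test)'
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
                             -ConnectionUri $Uri `
                             -Authentication Kerberos `
                             -Credential $cred `
                             -ErrorAction Stop
}

# 6. Once connected, list the linked role groups so the delegation to USER can be
#    checked against what Exchange actually holds.
Import-PSSession -Session $session -DisableNameChecking | Out-Null
Get-RoleGroup | Where-Object { $_.RoleGroupType -eq 'Linked' } |
    Format-Table Name, LinkedGroup, Roles -AutoSize

Remove-PSSession -Session $session
```

If step 3 fails while the RESOURCE account succeeds at the same step on the same box, the problem sits in ticket acquisition across the trust rather than in the Exchange RBAC delegation, which is consistent with ECP (a browser logon) working while the remote PowerShell session does not.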


1 answer

Andy David - MVP 149.2K Reputation points
2024-08-01T10:27:12.35+00:00
