Prepare AD creates duplicate security groups

Sometimes when you run setup /prepareAD you find duplicate security groups. This happens when you have the issue below.

You may get the following error when you run the Get-ReceiveConnector cmdlet from the Exchange Management Shell:

The Exchange group with GUID
"3f965b9c-f167-4b4a-936c-b8efb19c4784" was not found. This group was
automatically created during Exchange Setup, but has been subsequently
removed.

More Information:
=================

This typically happens if one or more Exchange security groups are missing. There are 6 Exchange security groups: Exchange Organization Administrators, Exchange Public Folder Administrators, Exchange Recipient Administrators, Exchange Servers, Exchange View-Only Administrators and ExchangeLegacyInterop.

In this situation the Exchange security group "ExchangeLegacyInterop" is missing. Running Exchange Setup /PrepareAD may fail as well with the following error:

[13/05/2009 10:01:40 PM] [2] [ERROR] The well-known object entry
B:32:9C5B963F67F14A4B936CB8EFB19C4784:CN=ExchangeLegacyInterop\0ADEL:90d1a283-ed42-4ddf-8402-f0dbef0290b2,CN=Deleted
Objects,DC=CAO,DC=local of the otherWellKnownObjects attribute on container
object CN=Configuration,DC=CAO,DC=local points to an invalid DN or a deleted
object. Please remove the entry and rerun the task.

 

Resolution:
=================

You cannot delete the invalid DN value from ADSIEDIT.msc, so you have to use LDP.exe. Once you have deleted the invalid DN reference, you need to run the PrepareAD command from the Exchange setup to create the missing security group.

1.) Go to Start -> Run -> type LDP.exe -> click OK
2.) Click Connection -> Connect and then click OK
3.) Click Connection -> Bind and then click OK
4.) Click View -> Tree and for the BaseDN select CN=Configuration,DC=DomainName,DC=local and click OK
5.) In the left pane expand the Configuration partition -> Services -> Microsoft Exchange
6.) Right-click the object Microsoft Exchange and then click Modify
7.) In the Attribute box type otherWellKnownObjects
8.) In the Values box type B:32:9C5B963F67F14A4B936CB8EFB19C4784:CN=ExchangeLegacyInterop\0ADEL:90d1a283-ed42-4ddf-8402-f0dbef0290b2,CN=Deleted Objects,DC=CAO,DC=local (the invalid DN reference you want to delete)
9.) Select the Delete radio button
10.) Click the Enter button
11.) The Entry List text box will populate with [Delete] and the attribute and value entered in steps 7 and 8.
12.) Click the Run button
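To pick out the one value that belongs in step 8 and leave the rest of the attribute alone, the following Python script (an added example, not part of the original post) parses otherWellKnownObjects values in the B:32:<hex>:<DN> form shown in the PrepareAD error, decodes the hex back to the GUID reported by Get-ReceiveConnector, and returns only the entries that point at deleted objects. The function names and the second sample entry are constructed for illustration, and the values are assumed to have been copied out of LDP.

```python
import uuid
from dataclasses import dataclass

@dataclass
class WellKnownEntry:
    guid: uuid.UUID   # GUID in the form Exchange prints in its error message
    dn: str           # object the entry points at
    stale: bool       # True when the target is a deleted object
    raw: str          # exact value to enter in LDP's Values box

def parse_entry(raw: str) -> WellKnownEntry:
    # DN-with-binary syntax: B:<hex char count>:<hex>:<DN>. Tombstone DNs
    # contain ':' themselves, so split at most three times.
    parts = raw.strip().split(":", 3)
    if len(parts) != 4 or parts[0] != "B":
        raise ValueError(f"not a DN-with-binary value: {raw!r}")
    count, hex_guid, dn = int(parts[1]), parts[2], parts[3]
    if count != 32 or len(hex_guid) != count:
        raise ValueError(f"expected 32 hex characters: {raw!r}")
    # The hex string is the GUID in its little-endian byte layout.
    guid = uuid.UUID(bytes_le=bytes.fromhex(hex_guid))
    low = dn.lower()
    stale = "\\0adel:" in low or ",cn=deleted objects," in low
    return WellKnownEntry(guid, dn, stale, raw.strip())

def stale_entries(values):
    """Return only the entries that point at deleted objects."""
    return [e for e in map(parse_entry, values) if e.stale]

# The invalid entry quoted in the PrepareAD error on this page.
PAGE_ENTRY = (
    r"B:32:9C5B963F67F14A4B936CB8EFB19C4784:CN=ExchangeLegacyInterop\0ADEL:"
    r"90d1a283-ed42-4ddf-8402-f0dbef0290b2,CN=Deleted Objects,DC=CAO,DC=local"
)
# Constructed sample of a healthy entry (placeholder GUID bytes and OU name).
LIVE_ENTRY = (
    "B:32:00112233445566778899AABBCCDDEEFF:"
    "CN=Exchange Servers,OU=Example Groups,DC=CAO,DC=local"
)

if __name__ == "__main__":
    for e in stale_entries([LIVE_ENTRY, PAGE_ENTRY]):
        print(f"stale: group GUID {e.guid}")
        print(f"delete only this value: {e.raw}")
```

For the entry on this page the decoded GUID is the same 3f965b9c-f167-4b4a-936c-b8efb19c4784 that the Get-ReceiveConnector error reports as missing.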

If you clear the whole otherWellKnownObjects value above by mistake and then run setup /prepareAD, it will create duplicate security groups.

 

 

What actually happens here

 

When we run setup /prepareAD, setup checks the contents of the otherWellKnownObjects attribute on the Microsoft Exchange object to see which security groups exist. With the attribute cleared it finds nothing, and when it then tries to create the security groups it finds that those groups already exist in AD, so it adds the number one after each security group name.

 

The shortest way to resolve this issue is to delete all Exchange security groups, clear the otherWellKnownObjects attribute and run Exchange setup /prepareAD again.

Comments

  • Anonymous
    December 22, 2014
    Loay,

    Do the steps you mention above cause any downtime or email service interruption?