Exchange 2010 SP1 Setup Error – Couldn’t resolve the user or group “domain.local/Microsoft Exchange Security Groups/Discovery Management.” If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust…

MS Exchange

I came across another error while installing the Exchange 2010 SP1 Mailbox role for a customer with an existing Exchange 2003 environment. This was a fresh 2010 SP1 install on a brand new server, not an upgrade. The error was as below.

Mailbox Role
Failed

Error:
The following error was generated when "$error.Clear();
          $name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName;
          $dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName;
          $dismbx = get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1;
          if( $dismbx -ne $null)
          {
            $srvname = $dismbx.ServerName;
            if( $dismbx.Database -ne $null -and $RoleFqdnOrName -like "$srvname.*" )
            {
              Write-ExchangeSetupLog -info "Setup DiscoverySearchMailbox Permission.";
              $mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
              if( $mountedMdb -eq $null )
              {
                Write-ExchangeSetupLog -info "Mounting database before stamp DiscoverySearchMailbox Permission…";
                mount-database $dismbx.Database;
              }

              $mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
              if( $mountedMdb -ne $null )
              {
                $dmRoleGroupGuid = [Microsoft.Exchange.Data.Directory.Management.RoleGroup]::DiscoveryManagementWkGuid;
                $dmRoleGroup = Get-RoleGroup -Identity $dmRoleGroupGuid -DomainController $RoleDomainController -ErrorAction:SilentlyContinue;
                if( $dmRoleGroup -ne $null )
                {
                  Add-MailboxPermission $dismbx -User $dmRoleGroup.Identity -AccessRights FullAccess -DomainController $RoleDomainController -WarningAction SilentlyContinue;
                }
              }
            }
          }
        " was run: "Couldn’t resolve the user or group "domain.local/Microsoft Exchange Security Groups/Discovery Management." If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust.".

Couldn’t resolve the user or group "domain.local/Microsoft Exchange Security Groups/Discovery Management." If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust.

The trust relationship between the primary domain and the trusted domain failed.

Elapsed Time: 00:03:46

Finalizing Setup
Cancelled

Exchange 2010 SP1 Mailbox setup error

This is a known error when upgrading from 2010 RTM to SP1, but this was the first time I had come across it on a brand new 2010 SP1 install. The solution is to remove the Discovery Mailbox user account that was created by PrepareAD and then run Exchange setup again.

The Discovery mailbox user then has to be re-created and a mailbox provisioned for it once Exchange installs successfully. I will explain those steps in my next post.


8 thoughts on “Exchange 2010 SP1 Setup Error – Couldn’t resolve the user or group “domain.local/Microsoft Exchange Security Groups/Discovery Management.” If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust…”

  1. Had exactly the same issue on a new Exchange 2010 SP1 install – I noticed when navigating to the DiscoverySearchMailbox via EMC that it did not have any users assigned under the Security tab!

    All I did was reboot the server, log in to the Exchange Management Console, locate the DiscoverySearchMailbox in Recipient Configuration -> Mailbox and assign Manage Full Access Permission for the Domain/Enterprise Admins (and the domain Administrator).

    Run Exchange setup again and voila, it completes successfully.

    Hope this helps someone

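As an added example (not code from the original post or from either commenter), the script below covers both the fix described in the post above and the permission check the first comment describes, in two stages. Stage 1, before re-running setup, confirms that the "Discovery Management" group actually exists in Active Directory (the group setup could not resolve) and reports or removes the DiscoverySearchMailbox account that PrepareAD created; it needs only the ActiveDirectory module. Stage 2, after setup completes, runs in the Exchange Management Shell: it recreates the discovery mailbox if it is missing and checks that the Discovery Management role group holds Full Access on it, which is the EMS equivalent of the Manage Full Access Permission step the first comment performs in EMC. The UPN suffix, the -Force switch, and the GUID in the well-known mailbox name are assumptions (the lookups match on the "DiscoverySearchMailbox" prefix so they do not depend on the GUID being right).

```powershell
# Added example: diagnose and repair the DiscoverySearchMailbox state around the
# Exchange 2010 SP1 setup failure described in the post. Assumptions are labelled.

Import-Module ActiveDirectory -ErrorAction Stop

# Well-known name Exchange 2010 uses for the discovery mailbox (assumed GUID; code
# below matches on the 'DiscoverySearchMailbox' prefix rather than this exact value).
$DiscoveryMailboxName = 'DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}'

function Test-DiscoveryManagementGroup {
    # Setup fails at Add-MailboxPermission when this group cannot be resolved,
    # so confirm it exists (and lives in the expected OU) before re-running setup.
    $group = Get-ADGroup -Filter "Name -eq 'Discovery Management'" -ErrorAction SilentlyContinue
    if ($null -eq $group) {
        Write-Warning "'Discovery Management' group not found; run setup /PrepareAD before continuing."
        return $false
    }
    if ($group.DistinguishedName -notlike '*OU=Microsoft Exchange Security Groups,*') {
        Write-Warning "Group found outside 'Microsoft Exchange Security Groups': $($group.DistinguishedName)"
    }
    return $true
}

function Remove-StaleDiscoveryMailboxAccount {
    # Stage 1: the account PrepareAD created. Without -Force this only reports it.
    param([switch]$Force)
    $stale = Get-ADUser -Filter "Name -like 'DiscoverySearchMailbox*'" -Properties homeMDB
    if ($null -eq $stale) {
        Write-Host 'No DiscoverySearchMailbox account present; nothing to remove.'
        return
    }
    foreach ($user in @($stale)) {
        Write-Host ("Found {0} (homeMDB: {1})" -f $user.DistinguishedName, $user.homeMDB)
        if ($Force) {
            Remove-ADUser -Identity $user.DistinguishedName -Confirm:$false
            Write-Host "Removed $($user.Name); re-run Exchange setup now."
        }
    }
}

function Restore-DiscoveryMailbox {
    # Stage 2 (EMS, after setup succeeds): recreate the discovery mailbox if needed and
    # make sure the Discovery Management role group has Full Access, as setup stamps it.
    param([Parameter(Mandatory=$true)][string]$UpnSuffix)   # e.g. 'domain.local' (assumed)

    $mbx = Get-Mailbox -Filter "Name -like 'DiscoverySearchMailbox*'" -IgnoreDefaultScope `
                       -ResultSize 1 -ErrorAction SilentlyContinue
    if ($null -eq $mbx) {
        $mbx = New-Mailbox -Name $DiscoveryMailboxName -Alias 'DiscoverySearchMailbox' `
                           -UserPrincipalName "DiscoverySearchMailbox@$UpnSuffix" -Discovery
    }

    $hasFullAccess = Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { $_.User -like '*Discovery Management' -and
                       $_.AccessRights -contains 'FullAccess' -and -not $_.Deny }
    if (-not $hasFullAccess) {
        Add-MailboxPermission -Identity $mbx.Identity -User 'Discovery Management' `
                              -AccessRights FullAccess -InheritanceType All | Out-Null
    }

    # Return the explicit (non-inherited) Full Access grants so they can be reviewed.
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited } |
        Select-Object User, AccessRights, Deny
}

# Stage 1, before re-running setup (add -Force to actually delete the account):
if (Test-DiscoveryManagementGroup) { Remove-StaleDiscoveryMailboxAccount }

# Stage 2, in the Exchange Management Shell once setup has completed:
# Restore-DiscoveryMailbox -UpnSuffix 'domain.local'
```

Stage 1 is deliberately read-only by default so the account is listed (with its homeMDB, which tells you whether a mailbox was already stamped on it) before anything is deleted; the role-group check comes first because deleting and re-running setup will fail again in exactly the same way if the group itself is the problem.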
  2. I have a similar problem in my org. After googling the error message I found your post on this issue. Now I am confused by “Discovery mailbox” and “DiscoverySearchMailbox”, because some other posts advise deleting the DiscoverySearchMailbox and recreating it after the installation of the mailbox role, but in your post it is the “Discovery Mailbox” user account. So which solution applies to this issue, or can both be used to solve it? Also, kindly reply with what I have to do to show the recreated DiscoverySearchMailbox account in the EMS mailbox pane after the mailbox enable cmd.

    Thanks for your post.
