Exchange 2010 SP1 Setup Error – Couldn’t resolve the user or group “domain.local/Microsoft Exchange Security Groups/Discovery Management.” If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust…

I came across another error while installing the Exchange 2010 SP1 Mailbox role for a customer who has an existing Exchange 2003 environment. This was a 2010 SP1 install on a brand new server, not an upgrade! The error was as below.

Mailbox Role
Failed

Error:
The following error was generated when "$error.Clear();
          $name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName;
          $dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName;
          $dismbx = get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1;
          if( $dismbx -ne $null)
          {
            $srvname = $dismbx.ServerName;
            if( $dismbx.Database -ne $null -and $RoleFqdnOrName -like "$srvname.*" )
            {
              Write-ExchangeSetupLog -info "Setup DiscoverySearchMailbox Permission.";
              $mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
              if( $mountedMdb -eq $null )
              {
                Write-ExchangeSetupLog -info "Mounting database before stamp DiscoverySearchMailbox Permission…";
                mount-database $dismbx.Database;
              }

              $mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
              if( $mountedMdb -ne $null )
              {
                $dmRoleGroupGuid = [Microsoft.Exchange.Data.Directory.Management.RoleGroup]::DiscoveryManagementWkGuid;
                $dmRoleGroup = Get-RoleGroup -Identity $dmRoleGroupGuid -DomainController $RoleDomainController -ErrorAction:SilentlyContinue;
                if( $dmRoleGroup -ne $null )
                {
                  Add-MailboxPermission $dismbx -User $dmRoleGroup.Identity -AccessRights FullAccess -DomainController $RoleDomainController -WarningAction SilentlyContinue;
                }
              }
            }
          }
        " was run: "Couldn’t resolve the user or group "domain.local/Microsoft Exchange Security Groups/Discovery Management." If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust.".

Couldn’t resolve the user or group "domain.local/Microsoft Exchange Security Groups/Discovery Management." If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust.

The trust relationship between the primary domain and the trusted domain failed.

Elapsed Time: 00:03:46

Finalizing Setup
Cancelled

Exchange 2010 SP1 Mailbox setup error

This is a known error when upgrading to 2010 SP1 from RTM, but this was the first time I came across it on a brand new 2010 SP1 install. The solution is to remove the Discovery Mailbox user account that was created as part of PrepareAD and then run the Exchange setup again.

The Discovery mailbox user has to be re-created and a mailbox needs to be provisioned after Exchange installs successfully. I will explain the steps for that in my next post.
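As an added example (not part of the original post and not Exchange's own setup code), the following Exchange Management Shell script repeats the setup step that failed above one stage at a time, so you can see whether it is the Discovery Management role group, the discovery mailbox, the database state or the permission that is wrong before deleting anything. It grants the same FullAccess permission that the first comment assigns through the EMC; the domain controller name is an assumption.

```powershell
# Added diagnostic, not from the original post or from Exchange setup itself.
# Run in the Exchange Management Shell on the new 2010 SP1 server. It repeats the
# setup step that failed above one stage at a time (resolve the Discovery
# Management role group, find the discovery mailbox, check the database is
# mounted, stamp FullAccess) so the failing stage is visible before setup is
# re-run. The domain controller name is an assumption; use a writable DC.
param(
    [string]$DomainController = "dc01.domain.local"   # assumed DC name
)

# Stage 1: can the Discovery Management role group be resolved at all?
$dmRoleGroup = Get-RoleGroup -Identity "Discovery Management" `
    -DomainController $DomainController -ErrorAction SilentlyContinue
if ($dmRoleGroup -eq $null) {
    Write-Warning "Discovery Management role group not resolved; re-run setup.com /PrepareAD first."
    return
}
Write-Host "Role group resolved: $($dmRoleGroup.Identity)"

# Stage 2: does the discovery search mailbox exist? Search outside the default
# scope, as setup does with -IgnoreDefaultScope.
$dismbx = Get-Mailbox -Filter { Name -like "DiscoverySearchMailbox*" } `
    -IgnoreDefaultScope -ResultSize 1 -ErrorAction SilentlyContinue
if ($dismbx -eq $null) {
    Write-Warning "No DiscoverySearchMailbox found; PrepareAD has not created it."
    return
}
Write-Host "Discovery mailbox: $($dismbx.Name) on database $($dismbx.Database)"

# Stage 3: the database must be mounted before permissions can be stamped.
$db = Get-MailboxDatabase $dismbx.Database -Status
if (-not $db.Mounted) {
    Write-Warning "Database $($db.Name) is not mounted; run Mount-Database first."
    return
}

# Stage 4: is FullAccess for the role group already present on the mailbox?
$existing = Get-MailboxPermission -Identity $dismbx.Identity |
    Where-Object { "$($_.User)" -like "*Discovery Management*" -and
                   $_.AccessRights -contains "FullAccess" -and -not $_.Deny }
if ($existing) {
    Write-Host "FullAccess already granted; safe to re-run setup."
} else {
    Write-Host "FullAccess missing; granting it exactly as the setup step would."
    Add-MailboxPermission -Identity $dismbx.Identity -User $dmRoleGroup.Identity `
        -AccessRights FullAccess -DomainController $DomainController
}
```

If stage 1 fails, the role group itself is the unresolved object the error names, and no mailbox permission change will help until PrepareAD has recreated it.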

8 Comments

  1. Pumpkinsmoothie says:

    Had exactly the same issue on a new Exchange 2010 SP1 install – I noticed when navigating to the DiscoverySearchMailbox via EMC, it did not have users assigned under security tab!

    All I did was reboot the server, login to Exchange Management Console, locate the DiscoverySearchMailbox in Recipient Configuration -> Mailbox and assign Manage Full Access Permission for the Domain/Enterprise admins (and domain administrator)

    Run Exchange setup again and voila, completes successfully.

    Hope this helps someone

    1. wingadean says:

      Thanks pumpkinsmoothie, your solution worked.
      In my lab environment, I removed the discovery mailbox but didn't really want to do this in my prod environment.

      1. Rajith Enchiparambil says:

        Thanks for the comment Wingadean.

  2. I have a similar problem in my org. After googling the error message I found your post on this issue. Now I am confused with "Discovery mailbox" and "DiscoverySearchMailbox", because in some other posts they advise deleting the DiscoverySearchMailbox and recreating it again after the installation of the mailbox role, but in your post it is the "Discovery Mailbox" user account. So which solution applies to this issue, or can both be used to solve it? Also, kindly reply what I have to do to show the recreated DiscoverySearchMailbox account in the EMS mailbox pane after the mailbox enable cmd.

    Thanks for your post

    1. Rajith Enchiparambil says:

      Hi Sameer,

      Both are the same. Discovery Search Mailbox is the official term ;)

  3. Rajith Jose Enchiparambil says:

    Delete the existing user account in the Users OU (System Mailbox{….}). Run setup.com /prepareAD.
    It will recreate the account. Make sure that the mailbox is enabled. That's all.

  4. Anonymous says:

    Hi, I had the same problem :) How did you go about recreating the deleted discovery account?

  5. Anonymous says:

    Hi, I had the same problem :) How did you go about recreating the deleted discovery mailbox?

    Cheers, Chris
