Warning – The Exchange Trusted Subsystem Is Not A Member Of The Local Administrators Group On Specified Witness Server

I got an email about a “no-sense” warning message that comes up when you try to create a DAG and the witness server is a non Exchange 2010 server. The Exchange admin who sent me the email was confused as to why Exchange was generating the warning even after following all the steps in the correct order.

Not everyone have the luxury of having a split role Exchange 2010 environment. In fact, Microsoft recommends using multi-role servers with hardware load balancers. When a non Exchange 2010 server is used as the witness server, an extra step must be taken, which is to add the “Exchange Trusted Subsystem” group to the local admin group on the witness server. In that scenario, when a DAG is created with the witness share on another online server (say file server), everything goes fine, but a warning message gets displayed.

Warning:
The Exchange Trusted Subsystem is not a member of the local Administrators group on specified witness server “server fqdn”

Let me explain. I am creating a DAG named DAG01 with HEXFE as the witness server.

Sure enough, I have “Exchange Trusted Subsystem” as a member of the local admin on the witness box as it is a non Exchange 2010 server.

I get a warning while completing the DAG wizard.

Why does Exchange 2010 complain about Exchange Trusted Subsystem not being in the local admin group when I have done it for sure?

The short answer is that the warning is a bug, which hasn’t been fixed for a while. The code that runs during the creation checks to see if the witness server is part of the Exchange Trusted Subsystem, which it shouldn’t be checking in the first place. And to confuse the matter, the error message is saying something totally different to what Exchange is doing behind the scenes.

Microsoft has confirmed it to be an issue, which will be fixed in a later rollup. Until then, the “fix” is to just ignore the warning ;)