Tuesday, October 8, 2013

A universal group cannot have a local group as a member.

Issue: Unable to convert Mail Enabled Groups from EMC in Exchange 2010.

--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
Action 'Convert to Universal Group' could not be performed on object 'IT Managers'.

IT Managers
Failed
Error:
Active Directory operation failed on dc1.ZtekZone.com. This error is not retriable. Additional information: A universal group cannot have a local group as a member.
Active directory response: 00002146: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0

The server cannot handle directory requests.

image

Exchange 2010 and Group Scope

  • To refresh your knowledge here is Active Directory Group Scope and Group Types
Group Scope Group Type
Domain Local Security
Global Distribution
Universal

Exchange 2007 and Exchange 2010 wants all mail enabled groups Scope to be “Universal” regardless of the Group type. This is almost the other way around in Exchange 2003 world, as Exchange 2003 did not care about this much.

Lets take a look at our problem Group and try to understand the issue.

image

This Group Type is “Domain local” it is a Distribution Group, Exchange 2010 is not happy with this group scope type,  as you can see from the picture even Icon for this group is faded out (-:

image

How to solve this problem? We could perfectly locate this group with ADUC and change .the Group Scope to “Universal” and click apply.

image

Now we go back to EMC and take a look at same Group, to see if  Exchange is happy with new Group Type “ Universal” , the answer is yes.As you can see the Icon is changed.

image

Why Exchange forces Mail enabled group Types to be “Universal” ONLY!!!?

Here is the reason Universal group membership is replicated to all Global Catalogs , ALL DC/GC Servers, unlike Global and Domain local Scope type. The Universal groups replication boundaries and expansion capabilities FOREST Wide, thus Exchange 2007 and 2010 wants mail enabled groups and their Group Scope only to be “Universal” This is the case when it comes to Exchange and unfortunately Exchange does not care even you have single Label Domain name space.

Please note that there is no other reason or limitations any other functions goes. So if you are in the middle of the migration and finding this out do not freak out , This is fairly simple to deal with and it has no other side effects to existing functioning Distribution groups goes, since changing Group scope Type does not make any changes on the group membership, ACL’s permissions and etc.

One thing is to remember it could increase the network traffic when it wants to expand if it has forest wide members, but this ensures all members gets the e-mail (-: so give and take thing (-:

Now if you have many of these how to convert them?

Get-DistributionGroup | where { $_.Grouptype -Like "Global*" } | Set-Group -Universal

Now

Get-DistributionGroup | where { $_.Grouptype -Like "Domain*" } | Set-Group -Universal

image

*Note you might be getting errors when you run this script , if a mail enabled group has another mail enabled group as its member, and both Group Scope are not Universal , if you persistently keep running these scripts, you will be able to take care of them and  and when Exchange server is happy you get all these nice futures with the mail enabled groups

image

Oz Casey, Dedeal

( Exchange Server North America MVP)

MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Wednesday, October 2, 2013

Exchange 2010, An Active Manager operation failed, content index catalog files in the following state: 'Failed'.

Running “Move-ActiveMailboxDatabase  fails with fallowing errors”

$Sname1 = E1
$Sname1 = E2
Get-mailboxdatabase -server $Sname1 -status | where {$_.mounted -eq $true} | Move-ActiveMailboxDatabase -ActivateOnServer $Sname2 -Confirm:$False

 

An Active Manager operation failed. Error The database action failed. Error: An error occurred while trying to validate the specified database copy for possible activat
on. Error: Database copy 'db01' on server 'E1.ZtekZone.com' has content index catalog files in the following state: 'Failed'.. [Database: db01, Server: E1.ZtekZone.com]
    + CategoryInfo          : InvalidOperation: (db01:ADObjectId) [Move-ActiveMailboxDatabase], AmDbActionWrapperException
    + FullyQualifiedErrorId : 52C54005,Microsoft.Exchange.Management.SystemConfigurationTasks.MoveActiveMailboxDatabase

 

image

image

Solution

Get-MailboxDatabaseCopyStatus | fl name, ContentIndexState

Or





$DBstatus = Get-MailboxDatabaseCopyStatus
$DBstatus | fl name,*Content*


image


Now if we are dealing with single Database this would work





Update-MailboxDatabaseCopy "db60ssc\E1" -CatalogOnly

image


Now if we have many Databases





Get-MailboxDatabaseCopyStatus * | where {$_.ContentIndexState -eq "Failed"}

image


To fix all





$DBstatus = Get-MailboxDatabaseCopyStatus
$DBstatus | where {$_.ContentIndexState -eq "Failed"}

image


Now we will use Fallowing Command and append it to above command to fix content index issues








Update-MailboxDatabaseCopy –CatalogOnly

To Update all





Get-MailboxDatabaseCopyStatus * | where {$_.ContentIndexState -eq "Failed"} | Update-MailboxDatabaseCopy –CatalogOnly

 


Reseed the Search Catalog
http://technet.microsoft.com/en-us/library/ee633475.aspx


Enjoy !!

Respectfully,

Oz Casey, Dedeal

( Exchange Server North America MVP)


MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)