Security descriptor error during Exchange Server 2007 schema extension

by Paul on September 9, 2008

During Exchange Server 2007 schema extension you may encounter a security descriptor error which will cause setup to fail.  The error may occur specifically during the “setup /PrepareAD” stage.

>setup /preparead

Welcome to Microsoft Exchange Server 2007 Unattended Setup

Preparing Exchange Setup

No server roles will be installed

Performing Microsoft Exchange Server Prerequisite Check

    Organization Checks              ......................... COMPLETED

Configuring Microsoft Exchange Server

    Organization Preparation         ......................... FAILED
     You do not have permissions to read the security descriptor on CN=Deleted O
bjects,CN=Configuration,DC=domain,DC=com,DC=au.

The Exchange Server Setup operation did not complete. For more information,visit
http://support.microsoft.com and enter the Error ID.

Exchange Server setup encountered an error.

To resolve this issue use the following steps:

  1. Download and install the ADAM tools from Microsoft.
  2. Go to Start -> Programs -> ADAM and launch ADAM Tools Command Prompt.
  3. In the command prompt, run the following command (substitute your domain name where appropriate):
    C:\WINDOWS\ADAM>dsacls "CN=Deleted Objects,DC=domain,DC=com,dc=au" /takeownership
    Owner: DOMAIN\Domain Admins
    Group: NT AUTHORITY\SYSTEM
    
    Access list:
    {This object is protected from inheriting permissions from the parent}
    Allow BUILTIN\Administrators  SPECIAL ACCESS
                                  LIST CONTENTS
                                  READ PROPERTY
    Allow NT AUTHORITY\SYSTEM     SPECIAL ACCESS
                                  DELETE
                                  READ PERMISSONS
                                  WRITE PERMISSIONS
                                  CHANGE OWNERSHIP
                                  CREATE CHILD
                                  DELETE CHILD
                                  LIST CONTENTS
                                  WRITE SELF
                                  WRITE PROPERTY
                                  READ PROPERTY
    
    The command completed successfully
  4. Re-run Exchange setup.  It should now successfully extend the schema.

Link: http://support.microsoft.com/default.aspx?scid=kb;EN-US;892806

{ 1 trackback }

Weekend reading - subject: exchange
09.13.08 at 4:51 am

{ 13 comments… read them below or add one }

Kay Malm 12.19.08 at 4:07 am

Adamsp1 downloaded to server which is running 64 bit Windows 2008. attempted to run file. not enough disk space error. System is part of a domain.

Paul 12.19.08 at 7:08 am

Kay, to my knowledge you cannot use ADAM on Windows Server 2008, you must use Active Directory Lightweight Directory Services that ships as a component of 2008.

Here is a link to get you started:
http://technet.microsoft.com/en-us/library/cc754361.aspx

Kay Malm 12.27.08 at 2:02 am

Installed Lightweight directory services. Still fails with the same message.

Paul 12.27.08 at 7:19 pm

What still fails, the ADAM install?

Once you’ve installed ADLDS you still need to run the dsacls command before trying Exchange setup again. Have you done that?

Kay Malm 12.30.08 at 1:12 am

I ran the dsacls command and still fails - do not have permission to read the security description.

Paul 12.30.08 at 9:11 am

Kay, you may need to continue on with the additional step at the end of this Microsoft article:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;892806

Kay Malm 12.31.08 at 1:40 am

Please refer back to original request. ADAM fails to install - error “Not enough storage is available to process this command.” I have available 249 GB of space available. I am already a member of the Domain Administrators Group. Exchange fails to install because as Administrator I do not have permission to read the security description. Why are we back to doing what I have already tried?

Paul 12.31.08 at 7:26 am

Kay, I’m not saying install ADAM, I’m saying once you’ve got ADLDS installed on the server and you’ve run the DSACLS command try also following the final step in that article I linked to.

Also, you could try installing ADAM on a Windows Server 2003 server in your environment instead.

I don’t have any further suggestions right now because my experience has always been that the steps I wrote about in the blog post fix the problem.

Kay Malm 01.01.09 at 2:56 am

If I don’t have ADAM installed, how do I use the tools? I do not know the correct syntax for my deleted objects or CN,DC portions of command. Where do I find this?

Paul 01.01.09 at 1:20 pm

According to the article the version of DSACLS.exe that ships with ADAM is required for the fix.

The syntax for the deleted objects container is as follows:

“CN=Deleted Objects,DC=domain,DC=com,dc=au”

In that example there the domain is “domain.com.au”. So you just need to change that part of the string to match your domain, eg:

business.net would be “dc=business,dc=net”
microsoft.com would be “dc=microsoft,dc=com”

Kay Malm 01.03.09 at 6:37 am

I tried running the command and there is no Object.

Paul 01.07.09 at 8:57 am

Update: Kay and I took this discussion to email and identified the issue. To summarise:

dsacls “CN=Deleted Objects,DC=domain,DC=com” /takeownership

1) Make sure you include the space in Deleted Objects
2) Make sure you enclose the LDAP string in quotes
3) Make sure you replace “dc=domain,dc=com” with the right values for your domain name

Glad the problem is solved Kay!

Ganesh 02.18.09 at 11:47 pm

Hello,
During exchange 2007 sp1 setup the same error accured
You do not have permissions to read the security descriptor on CN=Deleted O
bjects,CN=Configuration,DC=domain,DC=com,DC=au.

FOR RESOLVE THE PROBLEM

CHANGE YOUR CD DRIVE LETTER TO E:\

And Run the exchange setup again.

Leave a Comment

You can use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>