During Exchange Server 2007 schema extension you may encounter a security descriptor error which will cause setup to fail.  The error may occur specifically during the “setup /PrepareAD” stage.

>setup /preparead

Welcome to Microsoft Exchange Server 2007 Unattended Setup

Preparing Exchange Setup

No server roles will be installed

Performing Microsoft Exchange Server Prerequisite Check

    Organization Checks              ......................... COMPLETED

Configuring Microsoft Exchange Server

    Organization Preparation         ......................... FAILED
     You do not have permissions to read the security descriptor on CN=Deleted O
bjects,CN=Configuration,DC=domain,DC=com,DC=au.

The Exchange Server Setup operation did not complete. For more information,visit
http://support.microsoft.com and enter the Error ID.

Exchange Server setup encountered an error.

To resolve this issue use the following steps:

  1. Download and install the ADAM tools from Microsoft.
  2. Go to Start -> Programs -> ADAM and launch ADAM Tools Command Prompt.
  3. In the command prompt, run the following command (substitute your domain name where appropriate):
    C:\WINDOWS\ADAM>dsacls "CN=Deleted Objects,DC=domain,DC=com,dc=au" /takeownership
    Owner: DOMAIN\Domain Admins
    Group: NT AUTHORITY\SYSTEM
    
    Access list:
    {This object is protected from inheriting permissions from the parent}
    Allow BUILTIN\Administrators  SPECIAL ACCESS
                                  LIST CONTENTS
                                  READ PROPERTY
    Allow NT AUTHORITY\SYSTEM     SPECIAL ACCESS
                                  DELETE
                                  READ PERMISSONS
                                  WRITE PERMISSIONS
                                  CHANGE OWNERSHIP
                                  CREATE CHILD
                                  DELETE CHILD
                                  LIST CONTENTS
                                  WRITE SELF
                                  WRITE PROPERTY
                                  READ PROPERTY
    
    The command completed successfully
  4. Re-run Exchange setup.  It should now successfully extend the schema.

Link: http://support.microsoft.com/default.aspx?scid=kb;EN-US;892806

One Response to “Security descriptor error during Exchange Server 2007 schema extension”

  1. Weekend reading - subject: exchange Says:

    [...] Security descriptor error during Exchange Server 2007 schema extension [...]

Leave a Reply