During Exchange Server 2007 schema extension you may encounter a security descriptor error which will cause setup to fail. The error may occur specifically during the “setup /PrepareAD” stage.
>setup /preparead
Welcome to Microsoft Exchange Server 2007 Unattended Setup
Preparing Exchange Setup
No server roles will be installed
Performing Microsoft Exchange Server Prerequisite Check
Organization Checks ......................... COMPLETED
Configuring Microsoft Exchange Server
Organization Preparation ......................... FAILED
You do not have permissions to read the security descriptor on CN=Deleted O
bjects,CN=Configuration,DC=domain,DC=com,DC=au.
The Exchange Server Setup operation did not complete. For more information,visit
http://support.microsoft.com and enter the Error ID.
Exchange Server setup encountered an error.
To resolve this issue use the following steps:
- Download and install the ADAM tools from Microsoft.
- Go to Start -> Programs -> ADAM and launch ADAM Tools Command Prompt.
- In the command prompt, run the following command (substitute your domain name where appropriate):
C:\WINDOWS\ADAM>dsacls "CN=Deleted Objects,DC=domain,DC=com,dc=au" /takeownership Owner: DOMAIN\Domain Admins Group: NT AUTHORITY\SYSTEM Access list: {This object is protected from inheriting permissions from the parent} Allow BUILTIN\Administrators SPECIAL ACCESS LIST CONTENTS READ PROPERTY Allow NT AUTHORITY\SYSTEM SPECIAL ACCESS DELETE READ PERMISSONS WRITE PERMISSIONS CHANGE OWNERSHIP CREATE CHILD DELETE CHILD LIST CONTENTS WRITE SELF WRITE PROPERTY READ PROPERTY The command completed successfully - Re-run Exchange setup. It should now successfully extend the schema.
Link: http://support.microsoft.com/default.aspx?scid=kb;EN-US;892806
September 13th, 2008 at 4:51 am
[...] Security descriptor error during Exchange Server 2007 schema extension [...]