During Exchange Server 2007 schema extension you may encounter a security descriptor error which will cause setup to fail. The error may occur specifically during the “setup /PrepareAD” stage.
>setup /preparead
Welcome to Microsoft Exchange Server 2007 Unattended Setup
Preparing Exchange Setup
No server roles will be installed
Performing Microsoft Exchange Server Prerequisite Check
Organization Checks ......................... COMPLETED
Configuring Microsoft Exchange Server
Organization Preparation ......................... FAILED
You do not have permissions to read the security descriptor on CN=Deleted O
bjects,CN=Configuration,DC=domain,DC=com,DC=au.
The Exchange Server Setup operation did not complete. For more information,visit
http://support.microsoft.com and enter the Error ID.
Exchange Server setup encountered an error.
To resolve this issue use the following steps for Windows Server 2003. For Windows Server 2008 skip to step 3, and be sure to launch an elevated privileges command prompt to run the commands.
- Download and install the ADAM tools from Microsoft.
- Go to Start -> Programs -> ADAM and launch ADAM Tools Command Prompt.
- In the command prompt, run the following command (substitute your domain name where appropriate):
C:\WINDOWS\ADAM>dsacls "CN=Deleted Objects,DC=domain,DC=com,dc=au" /takeownership Owner: DOMAIN\Domain Admins Group: NT AUTHORITY\SYSTEM Access list: {This object is protected from inheriting permissions from the parent} Allow BUILTIN\Administrators SPECIAL ACCESS LIST CONTENTS READ PROPERTY Allow NT AUTHORITY\SYSTEM SPECIAL ACCESS DELETE READ PERMISSONS WRITE PERMISSIONS CHANGE OWNERSHIP CREATE CHILD DELETE CHILD LIST CONTENTS WRITE SELF WRITE PROPERTY READ PROPERTY The command completed successfully - Re-run Exchange setup. It should now successfully extend the schema.
Link: http://support.microsoft.com/default.aspx?scid=kb;EN-US;892806
Updated: 25/2/2010 with Windows Server 2008 information.
About Paul Cunningham
Adamsp1 downloaded to server which is running 64 bit Windows 2008. attempted to run file. not enough disk space error. System is part of a domain.
Kay, to my knowledge you cannot use ADAM on Windows Server 2008, you must use Active Directory Lightweight Directory Services that ships as a component of 2008.
Here is a link to get you started:
http://technet.microsoft.com/en-us/library/cc754361.aspx
Installed Lightweight directory services. Still fails with the same message.
What still fails, the ADAM install?
Once you’ve installed ADLDS you still need to run the dsacls command before trying Exchange setup again. Have you done that?
I ran the dsacls command and still fails – do not have permission to read the security description.
Kay, you may need to continue on with the additional step at the end of this Microsoft article:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;892806
Please refer back to original request. ADAM fails to install – error “Not enough storage is available to process this command.” I have available 249 GB of space available. I am already a member of the Domain Administrators Group. Exchange fails to install because as Administrator I do not have permission to read the security description. Why are we back to doing what I have already tried?
Kay, I’m not saying install ADAM, I’m saying once you’ve got ADLDS installed on the server and you’ve run the DSACLS command try also following the final step in that article I linked to.
Also, you could try installing ADAM on a Windows Server 2003 server in your environment instead.
I don’t have any further suggestions right now because my experience has always been that the steps I wrote about in the blog post fix the problem.
If I don’t have ADAM installed, how do I use the tools? I do not know the correct syntax for my deleted objects or CN,DC portions of command. Where do I find this?
According to the article the version of DSACLS.exe that ships with ADAM is required for the fix.
The syntax for the deleted objects container is as follows:
“CN=Deleted Objects,DC=domain,DC=com,dc=au”
In that example there the domain is “domain.com.au”. So you just need to change that part of the string to match your domain, eg:
business.net would be “dc=business,dc=net”
microsoft.com would be “dc=microsoft,dc=com”
I tried running the command and there is no Object.
Update: Kay and I took this discussion to email and identified the issue. To summarise:
dsacls “CN=Deleted Objects,DC=domain,DC=com” /takeownership
1) Make sure you include the space in Deleted Objects
2) Make sure you enclose the LDAP string in quotes
3) Make sure you replace “dc=domain,dc=com” with the right values for your domain name
Glad the problem is solved Kay!
Hello,
During exchange 2007 sp1 setup the same error accured
You do not have permissions to read the security descriptor on CN=Deleted O
bjects,CN=Configuration,DC=domain,DC=com,DC=au.
FOR RESOLVE THE PROBLEM
CHANGE YOUR CD DRIVE LETTER TO E:\
And Run the exchange setup again.
Ganesh workaround worked perfectly for me. Changing the CD drive letter to E: (instead of D:) resolved the ‘Organization Preparation’ step issue where I could not read the ‘Security Descriptor’ on “CN=Deleted O
bjects,CN=Configuration,DC=domain,DC=local”.
Damn Micro$oft and their “never-working-out-of-the-box-that-need-thousands-of-workaround-and-fixes” applications…
Thanks Ganesh !
Ganesh, that workaround is just plain dumb but it works. Why would that ever make a difference. Thanks for the simple solution. I like those.
Thanks for this followup