I was working with one of our clients for an Exchange admins permission assignments when he came with a question “What will happened if Microsoft Exchange Security Groups were deleted for a running Exchange 2010 organization ? “ . My simple answer was “You can simply restore it from an Active Directory backup ; Or even better , using Active Directory Recycle Bin ( if previously implemented )”
“But what if I have neither valid backup nor Active Directory recycle Bin is enabled ?” He replied . Since I have never faced such issue, I decided to simulate it in a lab and here what I got .
On my lab , I went to Active Directory Users and Computers and deleted all Microsoft Exchange Security Groups
As you might know that those groups are created during the processing of Setup /PrepareAD command upon first Exchange server installation. So , I tried to execute Setup /PrepareAD again , when I got the following error :
The error indicates that the failure was due to that OtherWellKnownObjects attribute on Microsoft Exchange container is pointing to an invalid DN or a deleted object.
Trying to fix the issue using ADSI Edit snap-in failed with the following error :
So , I decided to use LDP.exe to modify the OtherWellKnownObjects attribute [ ldp.exe from run ] . Once LDP opened , I made a connection [ Connections then Connect.. ]
When the Connect window appears , I clicked OK to connect to the local server ( If you are going to connect to a remote server insert the name of the server then click OK )
After connection is in place , I went to View tab and clicked on Tree
At Tree View window I choosed to view Configuration partition as a BaseDN
By now I was able to view configuration partition but as you can see all available is the root only
In order to view all root children I bind by going to Connection tab then click Bind
At Bind window , I clicked OK to bind with the currently logged on user
Now all children objects are shown
I expanded to CN=Microsoft Exchange , right click and choosed Modify
At Modify window I did the following :
- Entered OtherWellKnownObjects as the attribute [ leaved the values blank ]
- Choosed Replace as the to be performed operation
- Clicked Enter , so entry list is populated
- Clicked Run , so attribute value is modified
Opening back ADSI Edit shows that OtherWellKnowObjects attribute has no value ( modified successfully )
Now , Setup.com /PrepareAD was completed successfully
As a result of Setup.com /PrepareAD execution success , all Exchange 2010 security groups were re-created again , as below :
Finally , I re added my Exchange server to both Exchange Servers & Exchange Trusted Subsystems groups ( membership lost due to groups deletion / recreation , hence the same was must be done for Exchange admins )
| | |
Now, my Exchange Security Groups are in place with all Exchange servers and Exchange admins . Finally I performed Exchange servers reboot so that all is up and running .
No comments:
Post a Comment