Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

The passive node computer account is unexpectedly assigned Full Control permissions after you install the Passive Clustered Mailbox role in an Exchange Server 2007 cluster environment



Symptoms

You install the Passive Clustered Mailbox role in a Microsoft Exchange Server 2007 cluster environment in which a clustered mailbox server has already been created. After you do this, you experience the following symptoms:
  • When you review the permissions that are assigned to the server object in the ADSIEdit.msc tool, you see that the passive node computer account is unexpectedly assigned Full Control permissions.
  • When you run the get-ExchangeAdministrator cmdlet, you receive the following message:
    The account is not a member of Exchange View Only Administrators
Note This problem does not occur when you install the Mailbox role, the Client Access role, or the Hub Transport role.



Cause

This problem occurs because the passive node computer account is assigned Full Control permissions on the following object when the passive node is installed:
CN=Clustered Mailbox server,CN=Servers,CN=Exchange Administrative Group (code),CN=Administrative Groups,CN=OrganizationName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com



Resolution

To resolve this problem, follow these steps:
  1. Open the AdsiEdit.msc tool that is included in Windows Support Tools.
  2. Connect to the domain.
  3. Locate the following object:
    CN=Clustered Mailbox server,CN=Servers,CN=Exchange Administrative Group (code),CN=Administrative Groups,CN=OrganizationName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com
  4. Right-click this object, and then click Properties.
  5. On the Security tab, find the computer account of the passive node.
  6. Remove all permissions for this account except the Read permission.
  7. Click Advanced, and then click Add.
  8. Add the following permissions by using a "This Object Only" scope:
    • Write property msExchEdgeSyncCredential
    • Write property msExchServerSite
  9. Add the following permissions by using a "This object and all child objects" scope:
    • List Contents
    • All properties that are designated with "Read"
  10. Trigger a replication among the domain controllers.
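
The following PowerShell check is an added example, not part of the original Microsoft article. It lists the access control entries that the passive node computer account holds on the clustered mailbox server object, so that you can confirm the result of steps 6 through 9. The distinguished name and the account name DOMAIN\NODE2$ are placeholders that you must replace with your own values.

```powershell
# Added example: audit the passive node's ACEs on the clustered mailbox server object.
# Both values below are placeholders (assumptions), not values from the KB article.
$serverDn    = 'CN=Clustered Mailbox server,CN=Servers,CN=Exchange Administrative Group (code),CN=Administrative Groups,CN=OrganizationName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com'
$passiveNode = 'DOMAIN\NODE2$'   # computer account of the passive node

function Get-NodeAce {
    param([string]$DistinguishedName, [string]$Account)

    # Resolve the account to a SID so the comparison does not depend on name formatting.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Read explicit and inherited ACEs from the object's security descriptor.
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    $rules | Where-Object { $_.IdentityReference.Value -eq $sid }
}

function Test-FullControl {
    param($Ace)
    # Full Control in the ADSI Edit Security tab corresponds to GenericAll.
    $full = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    ($Ace.AccessControlType -eq 'Allow') -and
        (($Ace.ActiveDirectoryRights -band $full) -eq $full)
}

$aces = @(Get-NodeAce -DistinguishedName $serverDn -Account $passiveNode)
if ($aces.Count -eq 0) {
    Write-Output "No ACEs found for $passiveNode on the object."
}
foreach ($ace in $aces) {
    # InheritanceType None = "This object only"; All = "This object and all child objects".
    # ObjectType is the schema GUID of the property that a Write property ACE applies to.
    $ace | Select-Object AccessControlType, ActiveDirectoryRights, InheritanceType,
        ObjectType, IsInherited,
        @{ Name = 'FullControl'; Expression = { Test-FullControl $ace } }
}
```

After the permissions are corrected and replication has completed, no entry for the passive node account should report FullControl as True.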



Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



More information

For more information about Windows Server 2003 Support Tools, click the following article numbers to view the articles in the Microsoft Knowledge Base:
892777 Windows Server 2003 Service Pack 1 Support Tools
926027 Updates to the Windows Server 2003 Support Tools are included in Windows Server 2003 Service Pack 2



Keywords: KB951578, kbprb, kbtshoot, kbexpertiseinter, kbexpertiseadvanced, kbarchive, kbnosurvey


Article Info
Article ID : 951578
Revision : 3
Created on : 1/16/2015
Published on : 1/16/2015
Exists online : False
Views : 373