Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from the Microsoft KB. All KB articles are owned by Microsoft Corporation. Read the full disclaimer for more details.

On a Windows Server 2008-based computer, Exchange Server 2010 installation cannot be successful at the organization preparation process



When you try to install Exchange Server 2010 on a computer that is running Windows Server 2008, the installation fails during the organization preparation process. Additionally, the following error message is logged in the Exchange Setup log:
The execution of: "$error.Clear(); if ($RolePrepareAllDomains) { initialize-DomainPermissions -AllDomains:$true -CreateTenantRoot:$RoleIsDatacenter; } elseif ($RoleDomain -ne $null) { initialize-DomainPermissions -Domain $RoleDomain -CreateTenantRoot:$RoleIsDatacenter; } else { initialize-DomainPermissions -CreateTenantRoot:$RoleIsDatacenter; }", generated the following error: "Length of the access control list exceed the allowed maximum.".

Note: This problem typically occurs when a single Exchange server in a forest is installed and uninstalled multiple times.



This issue occurs because of a hard-coded limitation in Active Directory on the size of a discretionary access control list (DACL). When this issue occurs, information in the Exchange setup log indicates that ACLs that are too large are stored in the Microsoft Exchange System Objects container.
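
The following added example is not from the original article or from Microsoft. It parses a self-relative security descriptor, such as the bytes of the container's nTSecurityDescriptor attribute, and reports how much of the 65,535-byte ceiling the DACL uses (the ACL header stores its size in a 16-bit field) and how many ACEs each trustee SID holds. The sample descriptor, its SIDs, and the function names are constructed for illustration.

```python
import struct
from collections import Counter

MAX_ACL_BYTES = 0xFFFF   # AclSize is a 16-bit field in the ACL header
SE_DACL_PRESENT = 0x0004
PLAIN_ACES = {0, 1}      # ACCESS_ALLOWED_ACE, ACCESS_DENIED_ACE
OBJECT_ACES = {5, 6}     # ACCESS_ALLOWED_OBJECT_ACE, ACCESS_DENIED_OBJECT_ACE

def sid_to_str(buf, off):
    """Render the binary SID at buf[off:] in S-R-A-S1-S2... form."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def dacl_report(sd):
    """Size, ACE count and per-trustee ACE counts for a self-relative descriptor."""
    _, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        raise ValueError("descriptor has no DACL")
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    trustees, pos, end = Counter(), dacl_off + 8, dacl_off + acl_size
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_size < 16 or pos + ace_size > end:
            raise ValueError("malformed ACE at offset %d" % pos)
        sid_off = pos + 8                      # ACE header (4) + access mask (4)
        if ace_type in OBJECT_ACES:            # flags and optional GUIDs precede the SID
            (obj_flags,) = struct.unpack_from("<I", sd, sid_off)
            sid_off += 4 + 16 * bin(obj_flags & 0x3).count("1")
        known = ace_type in PLAIN_ACES | OBJECT_ACES
        trustees[sid_to_str(sd, sid_off) if known else "(ACE type %d)" % ace_type] += 1
        pos += ace_size
    return {"acl_bytes": acl_size, "ace_count": ace_count,
            "headroom": MAX_ACL_BYTES - acl_size, "trustees": trustees}

# Constructed sample input: three plain ACEs for one SID, one object ACE for another.
def make_sid(*subs):
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def build_sample():
    stale, live = make_sid(21, 1, 2, 3, 1105), make_sid(21, 1, 2, 3, 512)
    plain = struct.pack("<BBHI", 0, 0, 8 + len(stale), 0x000F01FF) + stale
    obj = struct.pack("<BBHII", 5, 0, 28 + len(live), 0x10, 0x1) + bytes(16) + live
    aces = plain * 3 + obj
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), 4, 0) + aces
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl
```

Comparing the report from before and after the cleanup shows how much DACL space the deleted ACEs freed.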



To resolve this issue, follow these steps to remove those ACLs from this object.
  1. Click Start, click Run, type ldp, and then click OK.
  2. In the LDP console, click the Connection menu, click Connect, type the domain controller name, and then click OK.
  3. On the Connection menu, click Bind, type the credentials of the domain administrator, and then click OK.
  4. On the View menu, click Tree.
  5. In the BaseDN drop-down list, select the appropriate domain context, such as "DC=Contoso,DC=com", and then click OK.
  6. In the tree view, under DC=<domainname>,DC=com, locate the object "CN=Microsoft Exchange System Objects,DC=<domainname>,DC=com".
  7. Right-click the object from step 6, click Advanced, select Security Descriptor, make sure that the SACL option and the "Text dump" option are unchecked, and then click OK.

    This opens a new window with the security descriptor details.
  8. In this security descriptor window, click to select the DACL check box.
  9. In the middle pane of the security descriptor window, select and delete all the access control entries (ACEs) that have "\0ADEL:" in the Trustee column. You can select multiple ACEs and then click Delete ACE to delete them.
  10. Close the security descriptor window after you delete the corresponding ACEs.
  11. Close the LDP console.
  12. Force domain controller replication.
  13. Rerun Exchange setup and it will install successfully.


Keywords: KB973848, kbsurveynew, kbexpertiseinter, kbtshoot


Article Info
Article ID : 973848
Revision : 3
Created on : 7/30/2009
Published on : 7/30/2009
Exists online : False
Views : 560