Learn Exchange the Guru way !!!


Exchange 2007: PrepareAD will fail if Deleted Objects OU is missing

Recently I was building a lab for my customer and did the prepareAD which gave me this error. Let us see how we proceeded.


It is a new windows 2008 R2 AD environment.

We successfully completed the prepardschema. Enabled the replication. Tested AD replication.

After all came healthy we decided to go ahead with /prepareAD.



We got the following error while running /prepareAD /OrganizationName:ORGNAME


Configuring Microsoft Exchange Server


Organization Preparation ……………………. FAILED

You do not have permissions to read the security descriptor on CN=Deleted Objects,CN=Configuration,DC=domain,DC=net.





Create a domain user

Replicate this user to all domain controllers

Delete this user

Replicate this change to all domain controllers





We need to have “Deleted Objects” organization unit present in the AD to give the permissions on this OU for Exchange groups. So make sure you have deleted objects OU created.






Prabhat Nigam

Microsoft MVP | Exchange Server

Team @MSExchangeGuru

Leave a Reply