Exchange 2007: PrepareAD will fail if Deleted Objects OU is missing
Recently I was building a lab for my customer and ran PrepareAD, which gave me this error. Let us see how we proceeded.
It is a new Windows 2008 R2 AD environment.
We successfully completed PrepareSchema, enabled replication, and tested AD replication.
After everything came back healthy, we decided to go ahead with setup.com /prepareAD.
Issue:
We got the following error while running setup.com /prepareAD /OrganizationName:ORGNAME
===============================================
Configuring Microsoft Exchange Server
Organization Preparation ……………………. FAILED
You do not have permissions to read the security descriptor on CN=Deleted Objects,CN=Configuration,DC=domain,DC=net.
===============================================
Resolution:
Create a domain user
Replicate this user to all domain controllers
Delete this user
Replicate this change to all domain controllers
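The four steps above as one PowerShell script, with a per-DC check after each replication pass. This is an added example, not part of the original post. It assumes the ActiveDirectory module and repadmin.exe are available and that the session runs as a domain administrator; the account name `tmpDelObj` is a hypothetical placeholder.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module and repadmin.exe are present and the session has domain admin rights.
Import-Module ActiveDirectory

$sam = 'tmpDelObj'                          # hypothetical throwaway account name
$src = (Get-ADDomain).PDCEmulator           # DC used for the create and delete
$dcs = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }

function Sync-FromSource {
    # /A all partitions, /d show servers by DN, /e cross-site, /P push from $src
    & repadmin.exe /syncall $src /AdeP | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "repadmin /syncall failed: exit $LASTEXITCODE" }
}

# Step 1: create a disabled domain user and keep its GUID, which survives deletion.
$user = New-ADUser -Name $sam -SamAccountName $sam -Enabled $false `
                   -Server $src -PassThru
$guid = $user.ObjectGUID.ToString()

# Step 2: replicate, then confirm every DC holds the live object.
Sync-FromSource
foreach ($dc in $dcs) {
    Get-ADUser -Identity $guid -Server $dc -ErrorAction Stop | Out-Null
    "{0}: user present" -f $dc
}

# Step 3: delete the user on the same DC.
Remove-ADUser -Identity $guid -Server $src -Confirm:$false

# Step 4: replicate the deletion, then confirm every DC holds the deleted
# object, and show where it now lives.
Sync-FromSource
foreach ($dc in $dcs) {
    $obj = Get-ADObject -Identity $guid -IncludeDeletedObjects `
                        -Properties isDeleted -Server $dc -ErrorAction Stop
    if (-not $obj.isDeleted) { throw "$dc still holds the live object" }
    "{0}: {1}" -f $dc, $obj.DistinguishedName
}
```

Any DC that throws in either loop has not received the change yet; fix replication to that DC before rerunning setup.com /prepareAD.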
Conclusion:
We need the “Deleted Objects” organizational unit to be present in AD so that permissions on it can be granted to the Exchange groups. So make sure the Deleted Objects OU has been created.
Prabhat Nigam
Microsoft MVP | Exchange Server
Team @MSExchangeGuru