Since we have upgraded to exchange 2010 sp1 I've been unable to restore from Symantec Backup Exec 2010 R2.
After spending a good 3 hours on the phone to symantec support we've narrowed it down to this potentially orphaned record in AD.
If I recreate the role which is needed and is created by default when a restore job is run from BE 2010 it will create the role but we are still unable to restore.
Further information: Error from BE2010 is "e0000389 - The resource credentials for the restore job were unable to create a role assignment for ApplicationImpersonation. Review the credentials to ensure that it has the rights that are required for ApplicationImpersonation."
A search of the Symantec support website leads you to the following technotes: http://www.symantec.com/business/support/index?page=content&id=TECH125119
which I've followed through, without any joy.
The jobs are being run under the domain administrator account, which has the Exchange Organisation, Server, Hygeine Management roles assigned. Just to be double sure I've assigned the Application Impersonation role to both the Organisation and Server Management roles in exchange, so that shouldn't be the issue.
I've confirmed that this record is no longer needed and have tried using ADSIedit to delete the record, but it doesn't appear in ADSIedit.
PS > I used ADExplorer from sysinternals to find the record.