I am trying to install Exchange 2013 in a child domain within the following environment.
-1 root domain/2 child domains
-Forest/Domain level - 2008 R2
-Exchange 2010 servers still exist in the child domain I'm installing into
-AD preparation has previously been performed and multiple Exchange servers have been installed in the other child domain successfully
-Install is the same CU level as other EX2013 servers (CU18)
The installation always fails at the Mailbox role: Transport service stage with the following error.
The following error was generated when "$error.Clear();
if (($RoleIsDatacenter -eq $false) -and ($RoleIsDatacenterDedicated -eq $false))
$delegatedRoleGroupGuid = [Microsoft.Exchange.Data.Directory.Management.RoleGroup]::DelegatedSetup_InitInfo.WellKnownGuid;
$delegatedSetupRG = Get-RoleGroup $delegatedRoleGroupGuid;
add-ExchangeAdministrator -role ServerAdmin -Identity $delegatedSetupRG.Identity -Scope $RoleNetBIOSName;
" was run: "System.InvalidOperationException: You can't add or remove user or group 'ad.glasgow.gov.uk/Microsoft Exchange Security Groups/Delegated Setup' because the ServerAdmin security group doesn't exist or can't be found.
at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
Looking in ADSI Edit, you can see the Exchange server object has been created. Permissions assigned to the Delegated Setup group look different from other servers, although I'm not sure if this is a consequence of the installation failing. I can't see any reference to the 'ServerAdmin' group anywhere. I have looked at other Exchange setup log files, and the section after this normally assigns ACL entries, but it fails before this.
[03/21/2018 09:37:04.0454]  Adding the access control entry on the object CN=server,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CNxxxCN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ad,DC=xxx,DC=xxx,DC=xx: S-1-5-21-2802793933-296545649-555512808-1113; Allow; GenericAll; ContainerInheritAll.
What I've checked and tried so far.
-Delegated Setup group does exist in the root domain along with other Exchange security groups
-Install account was already in Org Management and has been added to Enterprise Admin to rule out permissions
-Rerun the /Preparedomain in the child domain
-Windows FW turned off on server
-DC communication appears to be fine
-Installation user has also been added to the Delegated Setup Exchange group
Anyone seen this before or got any ideas?