Hani Naser asked:

Cannot run Exchange Management Shell using admin from trusted forest

We have 2 forests, contoso.com and adatum.com; a forest trust was configured between the 2 forests. The email services are on contoso.com; we need to allow the U_exchAdmin_adatum group at adatum.com to manage Exchange services on contoso.com.

We were able to allow U_exchAdmin_adatum users to log in to ECP on contoso.com, but could not run the Exchange Management Shell.

When attempting to log in to the Exchange Management Shell, we get the following error:

New-PSSession : [Exch07.contoso.com] Connecting to remote server Exch07.contoso.com failed with the following error
message : WinRM cannot process the request. The following error occurred while using Kerberos authentication: Cannot find the computer
Exch07.contoso.com. Verify that the computer exists on the network and that the name provided is spelled correctly.



Ran the following command on Exch07:
(Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission



It was showing that "Administrators" and "Remote Management Users" are allowed access; I made the group "adatum\U_exchAdmin_adatum" a member of the local admin group on Exch07, but that did not resolve the issue.

Did you face such an issue, or do you have some hints on how this may be resolved?

Thanks
FOX

Can you ping that FQDN from your side? Do you have a DNS record of that machine from your side?
Hani Naser (ASKER)

I log in to Exch07 using adatum credentials and am able to log in to ECP, but cannot run the Exchange Management Shell. I am running that locally on the server, so ping is not the issue. What you need to focus on is WinRM; this is a forest trust and should support Kerberos. In my view something is not working as expected in that area...

Did you add "U_exchAdmin_adatum" to the Schema Admins?

If you can't log into the management tools or run PS locally then it's not a network or WinRM issue, it's a permissions issue. Exchange admins need to be in a few AD groups, and Schema Admins if I recall.

(Note: it's been a while since I worked on Exchange regularly, and I have a feeling I may be thinking about the requirements to install Exchange, not administer it)

Thank you Ben for your help. The group is a member of Organization Management; I used to make it a member of Schema Admins if I needed to install Exchange.

Here are the permissions needed on Exchange:
https://docs.microsoft.com/en-us/exchange/permissions/feature-permissions/infrastructure-permissions?view=exchserver-2019 

But you guided me in a good direction: to run Get-ManagementRoleAssignment and compare between the contoso.com admin account and the adatum.com account. I will keep you posted on the progress.

I am checking the effective roles using the following commands:

Get-ManagementRoleAssignment -GetEffectiveUsers | Where-Object {$_.EffectiveUserName -eq "Username"} | select-object Role

Get-ManagementRoleAssignment -GetEffectiveUsers | Where { $_.EffectiveUserName -like "Username" }

Either one will provide empty results...
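
Added example, not part of the original thread: one way to carry out the comparison described above (effective roles of a working contoso.com admin against the adatum.com account) in the Exchange Management Shell. The two account names are placeholders, and when a filter matches nothing the script lists the EffectiveUserName values that do exist, so an account with no roles can be told apart from a filter string that never matches.

```powershell
# Added example: run in the Exchange Management Shell.
# Both account names are placeholders (assumptions), not values from the thread.
$ReferenceUser = 'ContosoAdminName'   # account that can already manage Exchange
$TrustedUser   = 'AdatumAdminName'    # account from the trusted forest

# Query once; -GetEffectiveUsers expands role groups into individual users.
$all = @(Get-ManagementRoleAssignment -GetEffectiveUsers)

function Get-EffectiveRole {
    param([object[]]$Assignments, [string]$UserName)
    # Distinct role names whose effective user matches the name exactly.
    $Assignments |
        Where-Object { $_.EffectiveUserName -eq $UserName } |
        ForEach-Object { [string]$_.Role } |
        Sort-Object -Unique
}

# @() keeps an empty result as an empty array instead of $null.
$refRoles     = @(Get-EffectiveRole -Assignments $all -UserName $ReferenceUser)
$trustedRoles = @(Get-EffectiveRole -Assignments $all -UserName $TrustedUser)

$empty = @()
if ($refRoles.Count -eq 0)     { $empty += $ReferenceUser }
if ($trustedRoles.Count -eq 0) { $empty += $TrustedUser }

if ($empty.Count -gt 0) {
    # Compare-Object rejects empty input, so report instead of comparing.
    Write-Warning "No effective roles matched for: $($empty -join ', ')"
    # Show the names that do exist so the filter string can be checked.
    $all | Select-Object -ExpandProperty EffectiveUserName |
        Sort-Object -Unique
}
else {
    # '<=' only the reference account, '=>' only the trusted account, '==' both.
    Compare-Object -ReferenceObject $refRoles -DifferenceObject $trustedRoles -IncludeEqual |
        Sort-Object SideIndicator, InputObject |
        Format-Table InputObject, SideIndicator -AutoSize
}
```
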
ASKER CERTIFIED SOLUTION
Hani Naser
This solution is only available to members.

Thanks Ben for your contribution

@Hani, You're welcome, thanks for posting back your exact issue and findings!