Hani Naser
asked on
Cannot run Exchange Management Shell using admin from trusted forest
We have 2 forests, contoso.com and adatum.com; a forest trust was configured between the 2 forests. The email services are on contoso.com, and we need to allow the U_exchAdmin_adatum group at adatum.com to manage Exchange services on contoso.com.
We were able to allow U_exchAdmin_adatum users to log in to ECP on contoso.com, but could not run Exchange Management Shell.
When attempting to log in to Exchange Management Shell, we get the following error:
New-PSSession : [Exch07.contoso.com] Connecting to remote server Exch07.contoso.com failed with the following error
message : WinRM cannot process the request. The following error occurred while using Kerberos authentication: Cannot find the computer
Exch07.contoso.com. Verify that the computer exists on the network and that the name provided is spelled correctly.
I ran the following command on Exch07:
(Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
It was showing that "Administrators" and "Remote Management Users" are allowed access; I made the group "adatum\U_exchAdmin_adatum" a member of the local admin on Exch07, but that did not resolve the issue.
Did you face such an issue or have some hints how this may be resolved?
Thanks
Can you ping that FQDN from your side? Do you have a DNS record of that machine from your side?
ASKER
I log in to Exch07 using adatum credentials and am able to log in to ECP, but cannot run Exchange Management Shell. I am running that locally on the server, so ping is not the issue. What you need to focus on is WinRM; this is a forest trust, which should support Kerberos. In my view something is not working as expected in that area....
Did you add "U_exchAdmin_adatum" to the Schema Admins?
If you can't log into the management tools or run PS locally then it's not a network or WinRM issue, it's a permissions issue. Exchange Admins need to be in a few AD groups and Schema Admins, if I recall.
(Note: it's been a while since I worked on Exchange regularly, and I have a feeling I may be thinking about the requirements to install Exchange, not administer it)
ASKER
Thank you Ben for your help. The group is a member of Organization Management; I used to make it a member of Schema Admins if I needed to install Exchange.
Here are the permissions needed on Exchange:
https://docs.microsoft.com/en-us/exchange/permissions/feature-permissions/infrastructure-permissions?view=exchserver-2019
But you guided me in a good direction: to run Get-ManagementRoleAssignment and compare between the contoso.com admin account and the adatum.com account. I will keep you posted on the progress.
Good Luck Naser :)
ASKER
I am checking the effective roles using the following commands:
Get-ManagementRoleAssignment -GetEffectiveUsers | Where-Object {$_.EffectiveUserName -eq "Username"} | Select-Object Role
Get-ManagementRoleAssignment -GetEffectiveUsers | Where-Object { $_.EffectiveUserName -like "Username" }
Either one will provide empty results ...
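One way to carry out the comparison described above, as an added example that is not part of the original thread: it lists the roles the working contoso.com admin holds that the adatum.com account lacks, and when the filter matches nothing it prints the EffectiveUserName values that actually exist. The two account patterns are placeholders, and wildcard matching on the name is an assumption about how the accounts appear in the output.

```powershell
# Added example, not from the thread. Run in Exchange Management Shell with an
# account that can already open it. Both account patterns are placeholders.
function Get-EffectiveRoleNames {
    param(
        [object[]] $Assignments,
        [Parameter(Mandatory)] [string] $UserPattern
    )
    # Wildcard match: the stored name may differ from the logon name (assumption),
    # which is one way an exact -eq filter can come back empty.
    $Assignments |
        Where-Object { $_.EffectiveUserName -like $UserPattern } |
        ForEach-Object { [string]$_.Role } |
        Sort-Object -Unique
}

# Query once and reuse the result; -GetEffectiveUsers expands every role group.
$all = @(Get-ManagementRoleAssignment -GetEffectiveUsers)

$workingPattern = '*<contoso admin name>*'   # placeholder: account that works
$trustedPattern = '*<adatum admin name>*'    # placeholder: trusted-forest account

$working = @(Get-EffectiveRoleNames -Assignments $all -UserPattern $workingPattern)
$trusted = @(Get-EffectiveRoleNames -Assignments $all -UserPattern $trustedPattern)

"Working account roles : {0}" -f $working.Count
"Trusted account roles : {0}" -f $trusted.Count

if ($trusted.Count -eq 0) {
    # Nothing matched: show which effective user names exist, to tell a bad
    # filter pattern apart from an account with no role assignments at all.
    "No assignments matched '$trustedPattern'. Effective user names present:"
    $all | Select-Object -ExpandProperty EffectiveUserName -Unique | Sort-Object
}
else {
    # Roles held by the working admin that the trusted-forest account lacks.
    "Roles missing for the trusted account:"
    $working | Where-Object { $_ -notin $trusted }
}
```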
ASKER
Thanks Ben for your contribution
@Hani, You're welcome, thanks for posting back your exact issue and findings!