Hi there!
I'm already running an Exchange2013 on an 2012r2 server, running perfectly.
2 DC
No DNS (external Linux)
The Server WIN2016 Standard is new in the domain, freshly installed. Trying to install exchange 2016 cu 17 and keep getting the error while /PrepareAD. /PrepareSchema runs with no errors. User which installs is Member in all needed Groups.
Setuplog exits with following:
[06.29.2020 16:39:03.0480] [2] [ERROR] An Active Directory Constraint Violation error occurred on ad2013.irt.intra. Zusätzliche Informationen: Die vererbte Zugriffsteuerungsliste (ACL, Access Control List) oder der Eintrag für die Zugriffsteuerung (ACE,
Access Control Entry) konnte nicht erstellt werden.
Active Directory-Antwort: 0000053C: AtrErr: DSID-030F22E5, #1:
0: 0000053C: DSID-030F22E5, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)
[06.29.2020 16:39:03.0480] [2] [ERROR] Ein Wert in der Anforderung ist ungültig.
[06.29.2020 16:39:03.0480] [2] Ending processing initialize-DomainPermissions
[06.29.2020 16:39:03.0480] [1] The following 1 error(s) occurred during task execution:
[06.29.2020 16:39:03.0480] [1] 0. ErrorRecord: Verstoß gegen eine Active Directory-Bedingung (ad2013.irt.intra). Zusätzliche Informationen: Die vererbte Zugriffsteuerungsliste (ACL, Access Control List) oder der Eintrag für die Zugriffsteuerung (ACE,
Access Control Entry) konnte nicht erstellt werden.
Active Directory-Antwort: 0000053C: AtrErr: DSID-030F22E5, #1:
0: 0000053C: DSID-030F22E5, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)
[06.29.2020 16:39:03.0480] [1] 0. ErrorRecord: Microsoft.Exchange.Data.Directory.ADConstraintViolationException: Verstoß gegen eine Active Directory-Bedingung (ad2013.irt.intra). Zusätzliche Informationen: Die vererbte Zugriffsteuerungsliste (ACL, Access
Control List) oder der Eintrag für die Zugriffsteuerung (ACE, Access Control Entry) konnte nicht erstellt werden.
Active Directory-Antwort: 0000053C: AtrErr: DSID-030F22E5, #1:
0: 0000053C: DSID-030F22E5, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)
---> System.DirectoryServices.Protocols.DirectoryOperationException: Ein Wert in der Anforderung ist ungültig.
bei System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
bei System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
bei Microsoft.Exchange.Data.Directory.GuardedDirectoryExecution.Execute[T](String bucketName, Func`1 action, Int64& concurrency)
bei Microsoft.Exchange.Data.Directory.PooledLdapConnection.GuardedSendRequest(String forestName, GuardedDirectoryExecution guardedDirectoryExecution, DirectoryRequest request, TimeSpan timeout, Func`3 sendRequestDelegate, Int64& concurrency)
bei Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IADLogContext logContext, Boolean shouldLogLastFilter)
bei Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
--- Ende der internen Ausnahmestapelüberwachung ---
bei Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer, String callerFilePath, Int32 callerFileLine,
String memberName)
bei Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
bei Microsoft.Exchange.Data.Directory.ADDataSession.SaveSecurityDescriptor(ADObject obj, RawSecurityDescriptor sd, Boolean modifyOwner, String callerFilePath, Int32 callerFileLine, String memberName)
bei Microsoft.Exchange.Data.Directory.ADObject.SaveSecurityDescriptor(RawSecurityDescriptor sd, Boolean modifyOwner)
bei Microsoft.Exchange.Management.Tasks.DirectoryCommon.SetAces(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, ErrorLoggerDelegate errorLogger, ADObject obj, Boolean remove, ActiveDirectoryAccessRule[] aces)
bei Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.InternalProcessRecord()
bei Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__91_1()
bei Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
[06.29.2020 16:39:03.0480] [1] [ERROR] The following error was generated when "$error.Clear();
$createTenantRoot = ($RoleIsDatacenter -or $RoleIsPartnerHosted);
$createMsoSyncRoot = $RoleIsDatacenter;
#$RoleDatacenterIsManagementForest is set only in Datacenter deployment; interpret its absense as $false
[bool]$isManagementForest = ($RoleDatacenterIsManagementForest -eq $true);
if ($RolePrepareAllDomains)
{
initialize-DomainPermissions -AllDomains:$true -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
}
elseif ($RoleDomain -ne $null)
{
initialize-DomainPermissions -Domain $RoleDomain -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
}
else
{
initialize-DomainPermissions -CreateTenantRoot:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
}
" was run: "Microsoft.Exchange.Data.Directory.ADConstraintViolationException: Verstoß gegen eine Active Directory-Bedingung (ad2013.irt.intra). Zusätzliche Informationen: Die vererbte Zugriffsteuerungsliste
(ACL, Access Control List) oder der Eintrag für die Zugriffsteuerung (ACE, Access Control Entry) konnte nicht erstellt werden.
Active Directory-Antwort: 0000053C: AtrErr: DSID-030F22E5, #1:
0: 0000053C: DSID-030F22E5, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)
---> System.DirectoryServices.Protocols.DirectoryOperationException: Ein Wert in der Anforderung ist ungültig.
bei System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
bei System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
bei Microsoft.Exchange.Data.Directory.GuardedDirectoryExecution.Execute[T](String bucketName, Func`1 action, Int64& concurrency)
bei Microsoft.Exchange.Data.Directory.PooledLdapConnection.GuardedSendRequest(String forestName, GuardedDirectoryExecution guardedDirectoryExecution, DirectoryRequest request, TimeSpan timeout, Func`3 sendRequestDelegate, Int64& concurrency)
bei Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IADLogContext logContext, Boolean shouldLogLastFilter)
bei Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
--- Ende der internen Ausnahmestapelüberwachung ---
bei Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer, String callerFilePath, Int32 callerFileLine,
String memberName)
bei Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
bei Microsoft.Exchange.Data.Directory.ADDataSession.SaveSecurityDescriptor(ADObject obj, RawSecurityDescriptor sd, Boolean modifyOwner, String callerFilePath, Int32 callerFileLine, String memberName)
bei Microsoft.Exchange.Data.Directory.ADObject.SaveSecurityDescriptor(RawSecurityDescriptor sd, Boolean modifyOwner)
bei Microsoft.Exchange.Management.Tasks.DirectoryCommon.SetAces(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, ErrorLoggerDelegate errorLogger, ADObject obj, Boolean remove, ActiveDirectoryAccessRule[] aces)
bei Microsoft.Exchange.Management.Tasks.InitializeDomainPermissions.InternalProcessRecord()
bei Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__91_1()
bei Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
[06.29.2020 16:39:03.0480] [1] [ERROR] An Active Directory Constraint Violation error occurred on ad2013.irt.intra. Zusätzliche Informationen: Die vererbte Zugriffsteuerungsliste (ACL, Access Control List) oder der Eintrag für die Zugriffsteuerung (ACE, Access
Control Entry) konnte nicht erstellt werden.
Active Directory-Antwort: 0000053C: AtrErr: DSID-030F22E5, #1:
0: 0000053C: DSID-030F22E5, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)
[06.29.2020 16:39:03.0480] [1] [ERROR] Ein Wert in der Anforderung ist ungültig.
[06.29.2020 16:39:03.0480] [1] [ERROR-REFERENCE] Id=DomainGlobalConfig___27a706ffe123425f9ee60cb02b930e81 Component=EXCHANGE14:\Current\Release\Shared\Datacenter\Setup
[06.29.2020 16:39:03.0480] [1] Setup is stopping now because of one or more critical errors.
[06.29.2020 16:39:03.0480] [1] Finished executing component tasks.
[06.29.2020 16:39:03.0496] [1] Ending processing Install-ExchangeOrganization
----
this seems to be an AD problem with ACLs? Any Ideas? Thanks ALOT!
AD schema is:
Name : Schema
objectVersion : 87
I've searched for a longer while now.. thanks for any ideas!
All the best
Vlad