Upgrade Exchange 2013 – Couldn’t resolve the user or group

4
10433
Exchange Upgrade Issue

Today, I run the maintenance to upgrade the Exchange Server 2013 from CU 20 to CU 23. However, I got the error on step 14 that says “Microsoft.Exchange.Data.Common.LocalizedException: Couldn’t resolve the user or group”. I checked and confirmed the user/group is already in Active Directory. Below is the full detail of the error.

Error:
The following error was generated when "$error.Clear();
          $name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName;
          $dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName;
          $dismbx = get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1;
          if( $dismbx -ne $null)
          {
          $srvname = $dismbx.ServerName;
          if( $dismbx.Database -ne $null -and $RoleFqdnOrName -like "$srvname.*" )
          {
          Write-ExchangeSetupLog -info "Setup DiscoverySearchMailbox Permission.";
          $mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
          if( $mountedMdb -eq $null )
          {
          Write-ExchangeSetupLog -info "Mounting database before stamp DiscoverySearchMailbox Permission...";
          mount-database $dismbx.Database;
          }
          $mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
          if( $mountedMdb -ne $null )
          {
          $dmRoleGroupGuid = [Microsoft.Exchange.Data.Directory.Management.RoleGroup]::DiscoveryManagement_InitInfo.WellKnownGuid;
          $dmRoleGroup = Get-RoleGroup -Identity $dmRoleGroupGuid -DomainController $RoleDomainController -ErrorAction:SilentlyContinue;
          if( $dmRoleGroup -ne $null )
          {
            trap [Exception]
            {
              Add-MailboxPermission $dismbx -User $dmRoleGroup.Name -AccessRights FullAccess -DomainController $RoleDomainController -ErrorAction SilentlyContinue;
              continue;
            }
            Add-MailboxPermission $dismbx -User $dmRoleGroup.Identity -AccessRights FullAccess -DomainController $RoleDomainController -WarningAction SilentlyContinue;
          }
          }
          }
          }
        " was run: "Microsoft.Exchange.Data.Common.LocalizedException: Couldn't resolve the user or group "domain.local/Microsoft Exchange Security Groups/Discovery Management." If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust. ---> System.SystemException: The trust relationship between the primary domain and the trusted domain failed.
   at System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection sourceAccounts, Boolean& someFailed)
   at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
   at System.Security.Principal.NTAccount.Translate(Type targetType)
   at Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter.GetUserSidAsSAMAccount(SecurityPrincipalIdParameter user, TaskErrorLoggingDelegate logError, TaskVerboseLoggingDelegate logVerbose)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
   at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
   at Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter.GetUserSidAsSAMAccount(SecurityPrincipalIdParameter user, TaskErrorLoggingDelegate logError, TaskVerboseLoggingDelegate logVerbose)
   at Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter.GetSecurityPrincipal(IRecipientSession session, SecurityPrincipalIdParameter user, TaskErrorLoggingDelegate logError, TaskVerboseLoggingDelegate logVerbose)
   at Microsoft.Exchange.Management.RecipientTasks.SetMailboxPermissionTaskBase.InternalValidate()
   at Microsoft.Exchange.Management.RecipientTasks.AddMailboxPermission.InternalValidate()
   at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".

As you can see in the full error above, there is a line describe the error

was run: "Microsoft.Exchange.Data.Common.LocalizedException: Couldn't resolve the user or group "domain.local/Microsoft Exchange Security Groups/Discovery Management." If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust. ---> System.SystemException: The trust relationship between the primary domain and the trusted domain failed.

Resolution

After a search through the web, there are two ways to fix this issue.

Disable the Discovery Search mailbox and re-enable it after installation

  1. Open Exchange Managemen Shell
  2. Find the Discovery Mailbox Name by run the command “Get-Mailbox -Filter { RecipientTypeDetails -eq “DiscoveryMailbox” }“. After you run this command, you will see the mailbox named “DiscoverySearchMailbox {XXX}” which XXX is a random number.
  3. Disable the Discovery Search Mailbox by running this command. Disable-Mailbox “DiscoverySearchMailbox {XXX}”. Change XXX with the complete name you found in step 2.
  4. Install/Upgrade Exchange Server.
  5. After you finished the Exchange Installation, you can enable the Discovery Search Mailbox again by running the following command. Enable-Mailbox “DiscoverySearchMailbox {XXX}” -Arbitration
  6. Then add full permission to the user-related. Add-MailboxPermission -Identity:”domain.local/Users/DiscoverySearchMailbox {XXX}” -User:”Discovery Management” -AccessRights:”FullAccess”

Delete the  Discovery Search mailbox user from Active Directory.

  1. Open “Active Directory Users and Computers”
  2. Find the “Discovery Search Mailbox” User. By default, the user located on Users OU. The user will be like this DiscoverySearchMailbox{XXX} which XXX is random key/number
  3. Delete the user
  4. Install/Upgrade the Exchange Server.
  5. Once done, you can recreate the user by running a command: setup /PrepareAD /IAcceptExchangeServerLicenseTerms

4 COMMENTS

  1. Thanks for posting this. It worked like a charm when upgrading Exchange 2013 from CU20 to CU23. I used the second method – deleting the discovery user.

LEAVE A REPLY

Please enter your comment!
Please enter your name here