Category Archives: Role Based Administration

Cannot Update Exchange 2013 after Installing Exchange 2016 BETA


I recently ran into an issue where I couldn’t update my lab Exchange 2013 CU9 servers to Exchange 2013 CU10. I wanted to do so because Exchange 2016 had gone RTM, and one of the requirements for coexistence of Exchange 2016 and Exchange 2013 is for Exchange 2013 to be running at CU10. One thing to note is that I had previously installed the Exchange 2016 BETA into my lab setup.

The error I got from the Exchange setup program was:

[11/06/2015 21:40:05.0247] [2] [ERROR] The given key was not present in the dictionary.
[11/06/2015 21:40:05.0247] [2] [WARNING] An unexpected error has occurred and a Watson dump is being generated: The given key was not present in the dictionary.
[11/06/2015 21:40:06.0122] [1] The following 1 error(s) occurred during task execution:
[11/06/2015 21:40:06.0122] [1] 0.  ErrorRecord: The given key was not present in the dictionary.
[11/06/2015 21:40:06.0122] [1] 0.  ErrorRecord: System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
   at Microsoft.Exchange.Data.Directory.SystemConfiguration.ExchangeRole.StampImplicitScopes()
   at Microsoft.Exchange.Management.Tasks.RoleUpgrader.PrepareRoleForUpgradeAndGetOldSortedEntries(ExchangeRole roleToUpgrade, Boolean isDeprecated)
   at Microsoft.Exchange.Management.Tasks.RoleUpgrader.UpdateCannedRole(ExchangeRole existingRole, ExchangeRole cannedRole, RoleDefinition roleDefinition)
   at Microsoft.Exchange.Management.Tasks.RoleUpgrader.CreateOrUpdateRole(RoleNameMapping mapping, RoleDefinition definition, List`1 enabledPermissionFeatures, String suffix, String mailboxPlanIndex)
   at Microsoft.Exchange.Management.Tasks.RoleUpgrader.CreateOrUpdateRole(RoleNameMapping mapping, RoleDefinition definition, List`1 enabledPermissionFeatures)
   at Microsoft.Exchange.Management.Tasks.NonDeprecatedRoleUpgrader.UpdateRole(RoleDefinition definition)
   at Microsoft.Exchange.Management.Tasks.InstallCannedRbacRoles.UpdateRolesInOrg(RoleNameMappingCollection mapping, RoleDefinition[] roleDefinitions, ServicePlan servicePlan)
   at Microsoft.Exchange.Management.Tasks.InstallCannedRbacRoles.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
   at Microsoft.Exchange.Configuration.Tasks.Task.ProcessTaskStage(TaskStage taskStage, Action initFunc, Action mainFunc, Action completeFunc)
   at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()
[11/06/2015 21:40:06.0169] [1] [ERROR] The following error was generated when “$error.Clear();
          if ($RoleDatacenterFfoEnvironment -eq “True”)
          {
            Install-CannedRbacRoles -InvocationMode $RoleInstallationMode -DomainController $RoleDomainController -IsFfo
          }
          else
          {
            Install-CannedRbacRoles -InvocationMode $RoleInstallationMode -DomainController $RoleDomainController
          }
        ” was run: “System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
   at Microsoft.Exchange.Data.Directory.SystemConfiguration.ExchangeRole.StampImplicitScopes()
   at Microsoft.Exchange.Management.Tasks.RoleUpgrader.PrepareRoleForUpgradeAndGetOldSortedEntries(ExchangeRole roleToUpgrade, Boolean isDeprecated)
   at Microsoft.Exchange.Management.Tasks.RoleUpgrader.UpdateCannedRole(ExchangeRole existingRole, ExchangeRole cannedRole, RoleDefinition roleDefinition)
   at Microsoft.Exchange.Management.Tasks.RoleUpgrader.CreateOrUpdateRole(RoleNameMapping mapping, RoleDefinition definition, List`1 enabledPermissionFeatures, String suffix, String mailboxPlanIndex)
   at Microsoft.Exchange.Management.Tasks.RoleUpgrader.CreateOrUpdateRole(RoleNameMapping mapping, RoleDefinition definition, List`1 enabledPermissionFeatures)
   at Microsoft.Exchange.Management.Tasks.NonDeprecatedRoleUpgrader.UpdateRole(RoleDefinition definition)
   at Microsoft.Exchange.Management.Tasks.InstallCannedRbacRoles.UpdateRolesInOrg(RoleNameMappingCollection mapping, RoleDefinition[] roleDefinitions, ServicePlan servicePlan)
   at Microsoft.Exchange.Management.Tasks.InstallCannedRbacRoles.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
   at Microsoft.Exchange.Configuration.Tasks.Task.ProcessTaskStage(TaskStage taskStage, Action initFunc, Action mainFunc, Action completeFunc)
   at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()”.
[11/06/2015 21:40:06.0169] [1] [ERROR] The given key was not present in the dictionary.
[11/06/2015 21:40:06.0169] [1] [ERROR-REFERENCE] Id=361422192 Component=
[11/06/2015 21:40:06.0169] [1] Setup is stopping now because of one or more critical errors.
[11/06/2015 21:40:06.0169] [1] Finished executing component tasks.
[11/06/2015 21:40:06.0201] [1] Ending processing Install-ExchangeOrganization
[11/06/2015 21:40:06.0201] [0] CurrentResult console.ProcessRunInternal:198: 1
[11/06/2015 21:40:06.0201] [0] CurrentResult launcherbase.maincore:90: 1
[11/06/2015 21:40:06.0201] [0] CurrentResult console.startmain:52: 1
[11/06/2015 21:40:06.0201] [0] CurrentResult SetupLauncherHelper.loadassembly:452: 1
[11/06/2015 21:40:06.0201] [0] The Exchange Server setup operation didn’t complete.  More details can be found in ExchangeSetup.log located in the <SystemDrive>:\ExchangeSetupLogs folder.
[11/06/2015 21:40:06.0216] [0] CurrentResult main.run:235: 1
[11/06/2015 21:40:06.0216] [0] CurrentResult setupbase.maincore:396: 1
[11/06/2015 21:40:06.0216] [0] End of Setup
[11/06/2015 21:40:06.0216] [0] **********************************************

 

I opened up ADSIEDIT and navigated to the domain root -> Configuration -> Services -> Microsoft Exchange -> Organization Name -> RBAC -> Roles -> Apps.

Under Roles, there will be an existing entry named My ReadWriteMailbox Apps.


Delete this entry, or rename it (I renamed it to My ReadWriteMailbox Apps2).


After that, I re-ran Exchange 2013 CU10 Setup and everything completed as expected. If you renamed the object above, you’ll see that setup recreated the proper role.

Notice I have my duplicated entry that I renamed alongside my newly created one.
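The rename step above can also be scripted, with a backup of the object taken first. This is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module, a single Exchange organization in the forest, and a hypothetical backup path, and it leaves the rename in -WhatIf mode.

```powershell
# Added example (not from the original post): back up, then rename, the stale
# role object instead of deleting it. Needs the ActiveDirectory module (RSAT)
# and write access to the Configuration partition.
Import-Module ActiveDirectory

$roleName = 'My ReadWriteMailbox Apps'     # role object named in the post
$newName  = 'My ReadWriteMailbox Apps2'    # rename target used in the post
$backup   = Join-Path $env:TEMP 'rbac-role-backup.xml'   # assumed backup location

# Find the Exchange organization container in the Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$exchBase = "CN=Microsoft Exchange,CN=Services,$configNC"
$org = @(Get-ADObject -SearchBase $exchBase -SearchScope OneLevel `
        -Filter "objectClass -eq 'msExchOrganizationContainer'")
if ($org.Count -ne 1) {
    throw "Expected exactly one Exchange organization, found $($org.Count)."
}

# Search everything below RBAC\Roles for the role object.
$rolesDN = "CN=Roles,CN=RBAC,$($org[0].DistinguishedName)"
$hits = @(Get-ADObject -SearchBase $rolesDN -SearchScope Subtree `
        -Filter "name -eq '$roleName'" -Properties *)
if ($hits.Count -ne 1) {
    throw "Expected one '$roleName' object, found $($hits.Count); review manually."
}

# Keep a full attribute dump so the object can be compared or rebuilt later.
$hits[0] | Export-Clixml -Path $backup
Write-Host "Backed up $($hits[0].DistinguishedName) to $backup"

# Dry run. Remove -WhatIf once the distinguished name shown is the intended one.
Rename-ADObject -Identity $hits[0].DistinguishedName -NewName $newName -WhatIf
```

Renaming rather than deleting keeps the old object and its attributes available for comparison after setup recreates the role.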

Get a “You don’t have sufficient permissions. This operation can only be performed by a manager of this group.” in Exchange 2010.


In our environment, like most bigger organizations, we have separate teams for helpdesk, and separate teams for engineering. Helpdesk should have rights to perform actions on certain items, such as users and distribution groups, but not on the server level. We utilize Role Based Administration in Exchange 2010 to give our helpdesk team the ability to manage end users, but not the servers. I recently received a ticket regarding the helpdesk guys not being able to add certain users to a distribution list; they would receive the error “You don’t have sufficient permissions. This operation can only be performed by a manager of this group.”

There was a bug in Exchange 2010 SP1 that was fixed in RU 3 for 2010 SP1 (http://support.microsoft.com/kb/2487852), but we are running Exchange 2010 SP2 RU1, so we were way past that.

What was the issue?  Role based administration.  We had assigned the helpdesk group the “Recipient Management” role.  When I checked the group that the helpdesk tech was trying to add the user to, I noticed that the group was a Mail Universal Security Group.  The tech had no trouble adding the user to a Mail Universal Distribution Group.

We could see the issue when the tech tried to create a new distribution group. A distribution group type worked fine, but when he tried to create a security group he got the error that “A parameter cannot be found that matches parameter name ‘Type’”.

So we needed to add the management role “Security Group Creation and Membership” to the group the helpdesk team was in.

Since we were running in a resource forest setup, we needed to create a new role group and a matching Universal Security Group in the management domain, and link the role group to this group. Then we could add the users we want to it.

In our management domain, aptly named management.corp, we created a group called Group-HelpDesk-SecurityGroup and added our helpdesk technicians to this group. Then in the Exchange Management Shell, as an Organization Admin, we run:

$remotecred = Get-Credential

This opens a Windows credential prompt, where we enter our credentials for management.corp. They are stored in $remotecred for use in the next command.

Then run:

New-RoleGroup "NameofRoleGroup" -LinkedForeignGroup "Group-HelpDesk-SecurityGroup" -LinkedDomainController DC01.management.corp -LinkedCredential $remotecred -Roles "Security Group Creation and Membership"

Now, have the helpdesk technicians close and reopen their Exchange Consoles or Exchange Management Shell and they should be able to add the group members to distribution lists, as well as security groups.

ADDED BONUS:

If you’re wondering how to create a linked group and assign it to a role, follow the steps below. In this case we want to add a group called REMOTE-ORGMGMT to the role “Organization Management” in Exchange 2010.

Create group in management.corp called “REMOTE-ORGMGMT” and add the admins to this group that you want to have this right.  In the Exchange Management Shell run:

$remotecred = Get-Credential

This opens a Windows credential prompt, where we enter our credentials for management.corp. They are stored in $remotecred for use in the command below.

$roles = Get-RoleGroup "Organization Management"

New-RoleGroup "MANAGEMENT-OrganizationManagement" -LinkedForeignGroup "REMOTE-ORGMGMT" -LinkedDomainController DC01.management.corp -LinkedCredential $remotecred -Roles $roles.Roles

Then have the Management.corp admin users close and re-open their Exchange Management Consoles and you should be all set.
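After creating a linked role group, it is worth confirming what it actually grants and to whom. The following read-only review is an added example, not part of the original post; it uses the role group and role names from the post and is meant to be run in the Exchange Management Shell.

```powershell
# Added example (not from the original post): read-only review of a linked
# role group. Nothing here changes configuration.
$linkedGroup = 'MANAGEMENT-OrganizationManagement'   # linked role group from the post
$sourceGroup = 'Organization Management'             # role group it was copied from

# 1. Confirm the group is linked, and to which foreign group SID.
$rg = Get-RoleGroup $linkedGroup
$rg | Format-List Name, RoleGroupType, LinkedGroup, ManagedBy
if ("$($rg.RoleGroupType)" -ne 'Linked') {
    Write-Warning "$linkedGroup is not a linked role group."
}

# 2. Compare the roles on both groups. '<=' rows exist only on the source,
#    '=>' rows only on the linked copy.
$srcRoles = @(Get-ManagementRoleAssignment -RoleAssignee $sourceGroup |
    ForEach-Object { "$($_.Role)" } | Sort-Object -Unique)
$dstRoles = @(Get-ManagementRoleAssignment -RoleAssignee $linkedGroup |
    ForEach-Object { "$($_.Role)" } | Sort-Object -Unique)
if ($srcRoles.Count -eq 0 -or $dstRoles.Count -eq 0) {
    throw 'One of the role groups has no role assignments; check the names.'
}
Compare-Object -ReferenceObject $srcRoles -DifferenceObject $dstRoles

# 3. Show delegation type and write scopes for each assignment on the linked group.
Get-ManagementRoleAssignment -RoleAssignee $linkedGroup |
    Sort-Object Role |
    Format-Table Role, RoleAssignmentDelegationType, RecipientWriteScope,
                 ConfigWriteScope, CustomRecipientWriteScope -AutoSize

# 4. List every assignee of the role that was added for the helpdesk.
Get-ManagementRoleAssignment -Role 'Security Group Creation and Membership' |
    Format-Table RoleAssigneeName, RoleAssigneeType,
                 RoleAssignmentDelegationType -AutoSize
```

Membership of a linked role group is controlled by the foreign group in management.corp, so that group's membership should be reviewed there as well.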