Upgrading Exchange Server

When upgrading an Exchange server, setup can fail with the following error.

Error:
The following error was generated when “$error.Clear();
$name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName;
$dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName;
$dismbx = get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1;
if( $dismbx -ne $null)
{
$srvname = $dismbx.ServerName;
if( $dismbx.Database -ne $null -and $RoleFqdnOrName -like “$srvname.*” )
{
Write-ExchangeSetupLog -info “Setup DiscoverySearchMailbox Permission.”;
$mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
if( $mountedMdb -eq $null )
{
Write-ExchangeSetupLog -info “Mounting database before stamp DiscoverySearchMailbox Permission…”;
mount-database $dismbx.Database;
}
$mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
if( $mountedMdb -ne $null )
{
$dmRoleGroupGuid = [Microsoft.Exchange.Data.Directory.Management.RoleGroup]::DiscoveryManagement_InitInfo.WellKnownGuid;
$dmRoleGroup = Get-RoleGroup -Identity $dmRoleGroupGuid -DomainController $RoleDomainController -ErrorAction:SilentlyContinue;
if( $dmRoleGroup -ne $null )
{
trap [Exception]
{
Add-MailboxPermission $dismbx -User $dmRoleGroup.Name -AccessRights FullAccess -DomainController $RoleDomainController -ErrorAction SilentlyContinue;
continue;
}
Add-MailboxPermission $dismbx -User $dmRoleGroup.Identity -AccessRights FullAccess -DomainController $RoleDomainController -WarningAction SilentlyContinue;
}
}
}
}
” was run: “Microsoft.Exchange.Data.Common.LocalizedException: Couldn’t resolve the user or group “SealionNet.com/Microsoft Exchange Security Groups/Discovery Management.” If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust. ---> System.SystemException: The trust relationship between the primary domain and the trusted domain failed.
at System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection sourceAccounts, Boolean& someFailed)
at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
at System.Security.Principal.NTAccount.Translate(Type targetType)
at Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter.GetUserSidAsSAMAccount(SecurityPrincipalIdParameter user, TaskErrorLoggingDelegate logError, TaskVerboseLoggingDelegate logVerbose)
--- End of inner exception stack trace ---
at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
at Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter.GetUserSidAsSAMAccount(SecurityPrincipalIdParameter user, TaskErrorLoggingDelegate logError, TaskVerboseLoggingDelegate logVerbose)
at Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter.GetSecurityPrincipal(IRecipientSession session, SecurityPrincipalIdParameter user, TaskErrorLoggingDelegate logError, TaskVerboseLoggingDelegate logVerbose)
at Microsoft.Exchange.Management.RecipientTasks.SetMailboxPermissionTaskBase.InternalValidate()
at Microsoft.Exchange.Management.RecipientTasks.AddMailboxPermission.InternalValidate()
at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)”.

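This is due to the Discovery Search mailbox. As the error shows, setup fails at the step where it runs Add-MailboxPermission to grant the Discovery Management role group FullAccess to that mailbox, because the group cannot be resolved.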

The resolution is to:

    1. Delete the Discovery Search mailbox user from Active Directory. Start your Active Directory Users and Computers MMC and look for your Discovery Search Mailbox user. By default this user is placed in the Users organizational unit. It will be named something like: DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}.
    2. After deletion you can restart the installation of your Exchange Service Pack. It will not show the error anymore.
    3. To recreate the user, use: setup /PrepareAD /IAcceptExchangeServerLicenseTerms from the Exchange PowerShell window.
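
A pre-flight check to run before step 1, added here as an example and not part of the original article: it repeats the NTAccount.Translate lookup that fails in the stack trace, records the Discovery Search mailbox user, and previews the deletion without changing anything. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the function name Resolve-AccountSid is hypothetical.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Resolve an account name to a SID with NTAccount.Translate, the call that
# throws in the stack trace above. Returns $null when resolution fails.
function Resolve-AccountSid {
    param([Parameter(Mandatory)][string]$Account)
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "Cannot resolve '$Account': $($_.Exception.Message)"
        $null
    }
}

$netbios = (Get-ADDomain).NetBIOSName

# 1. Does the Discovery Management role group exist, and does its name resolve?
$group = Get-ADGroup -Filter 'Name -eq "Discovery Management"'
if ($group) {
    $sid = Resolve-AccountSid "$netbios\$($group.SamAccountName)"
    "Discovery Management: {0} -> {1}" -f $group.DistinguishedName, $sid
} else {
    Write-Warning 'Discovery Management group not found in this domain.'
}

# 2. Find the Discovery Search mailbox user(s) and record them before any change.
$users = @(Get-ADUser -Filter 'Name -like "DiscoverySearchMailbox*"' -Properties whenCreated)
$users | Select-Object Name, DistinguishedName, ObjectGUID, SID, whenCreated | Format-List

# 3. Preview the deletion from step 1 of the resolution. -WhatIf changes nothing;
#    remove it only after confirming exactly one expected object is listed.
if ($users.Count -eq 1) {
    Remove-ADUser -Identity $users[0] -WhatIf
} else {
    Write-Warning "Expected 1 matching user, found $($users.Count); not proceeding."
}
```

Keep the recorded DistinguishedName, ObjectGUID and SID with the change record so the deleted account can be identified later in directory audit logs.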