Well, (knock on wood) I actually had an Exchange swing migration go smoothly. I did have an issue with the following instruction from here:
After the last Exchange 2003 or Exchange 2000 server has been removed from the Exchange 2007 organization, the Write DACL inherit (group) right for the Exchange Servers group should be removed from the root of the domain by running the following command:
Remove-ADPermission "dc=
I got hung up on the domain part, so here is the command in real life, followed by the result in the Exchange Shell. (Domain names have been changed to the ubiquitous contoso.com to protect the innocent. I'll have to rant on the contoso.com thing in a future post.)
Remove-ADPermission "dc=contoso,dc=com" -user "contoso.com\Exchange Servers" -AccessRights WriteDACL -InheritedObjectType Group
Confirm
Are you sure you want to perform this action?
Removing Active Directory permission "contoso.com" for user "contoso.com\Exchange Servers" with access rights "'WriteDacl'".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
You're welcome!
AOS
Decommissioning Exchange servers has been known to induce the following side effects: dizziness, nausea, lack of patience, and vertigo. Do not decommission Exchange servers under the influence of alcohol, tobacco, monoamine oxidase inhibitors (MAOIs) or any controlled substances. Consult your primary care physician before embarking in the consulting industry. If you feel the sudden urge to slash your wrists, seek immediate medical attention.
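As an added example (not from the original post or from Microsoft's instructions), this Exchange Management Shell script builds the distinguished name from a DNS domain name with any number of labels, lists any explicit WriteDacl entries for the group on the domain root, and previews the removal with -WhatIf. The function name ConvertTo-DomainDN and the sample domain contoso.nsw.gov.au are illustrative assumptions; the group is written in the same domain\group form the post uses.

```powershell
# Added example: run in the Exchange Management Shell.
# ConvertTo-DomainDN is a hypothetical helper; the domain is constructed sample input.
function ConvertTo-DomainDN {
    param([string]$DnsDomain)
    # Each DNS label becomes its own dc= component, joined by commas with no spaces.
    $labels = @($DnsDomain.Trim().TrimEnd('.').Split('.') | Where-Object { $_ -ne '' })
    if ($labels.Count -eq 0) { throw "No DNS labels found in '$DnsDomain'." }
    [string]::Join(',', @($labels | ForEach-Object { "dc=$_" }))
}

$dnsDomain = 'contoso.nsw.gov.au'               # substitute your own domain
$domainDN  = ConvertTo-DomainDN $dnsDomain
$group     = "$dnsDomain\Exchange Servers"

# Look for explicit (non-inherited) WriteDacl entries for the group on the domain root.
$aces = @(Get-ADPermission -Identity $domainDN -User $group |
    Where-Object { -not $_.IsInherited -and ("$($_.AccessRights)" -match 'WriteDacl') })

if ($aces.Count -eq 0) {
    # Nothing to remove; Remove-ADPermission would report the ACE as not present.
    Write-Host "No WriteDacl ACE for '$group' on '$domainDN'."
} else {
    # Show what is there so it can be reviewed before any change is made.
    $aces | Format-List Identity, User, AccessRights, InheritedObjectType, Deny
    # -WhatIf previews the change without making it; remove -WhatIf to apply.
    Remove-ADPermission $domainDN -User $group -AccessRights WriteDACL `
        -InheritedObjectType Group -WhatIf
}
```

Running the Get-ADPermission check again after the real removal confirms the entry is gone from the domain root.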
8 comments:
Hi, this looks like the answer I'm looking for, except I'm having problems with the syntax and my domain.
The domain is similar to contoso.nsw.gov.au, so what should my syntax be as far as the command goes? Thanks in advance.
Thanks for the tip - this command was confusing me. FYI I received the following output...
Remove-ADPermission : Cannot remove ACE on object "DC=domain,DC=com" for account
"domain\Exchange Servers" because it is not present.
At line:1 char:20
+ remove-adpermission <<<< "dc=domain,dc=com" -user "domain.com\exchange servers
" -accessrights writedacl -inheritedobjecttype group
I guess this means I am good to go.
Thanks,
Thanks, that's solved my problem! The tricky bit for me was that I put a space in the middle, e.g. "dc=contoso, dc=com", so it said "... was not found". (Same thing if I tried doing "dc=contoso.com")
Thank you! That helped me finish my Exchange 2003 decommissioning. Loved the disclaimer.
Thanks Allen,
I've gone the 'Microsoft Way' for a SBS 2003 to SBS 2008 migration and thought I'd followed all directions to a "T". However, now post migration and with the former server demoted and Exchange 2003 entirely gone, I'm seeing an issue in the Exchange 2007 BPA directly the issue you address helpfully in this blog.
For my BPA report instance though, it isn't "Exchange Servers" it is "Exchange Enterprise Servers" for some unknown reason. Having failed with "Exchange Servers" I've just retried with "Exchange Enterprise Servers" syntax and got a different error of access denial. The user account used has all the specified group memberships. uggg
...at least I have the correct syntax though :)
Thanks! I couldn't get it!
Very useful info indeed..
Thanks
A Terrabyte!! from
TechWorx IT Solutions