Apply missing Exchange 2010 RBAC Management Roles and Policies

If you encounter after installation of Exchange Server 2010 SP1, there are some RBAC Management Roles and Policies missing and you even can’t not access the Exchange Management Console or Exchange Management Shell, you need to follow this steps, when /PrepareAD and /PrepareDomain doesn’t fix the issue:

1. Open Windows PowerShell (not the Exchange Management Shell)

Note: If you have UAC enabled, right click Windows PowerShell and click Run as administrator.

2. Run Start-Transcript c:\RBAC.txt and press enter

Note: This will start logging all commands and output you type to a text file.

3. Run Add-PSSnapin *setup and press enter

Note: This adds the setup snap-in which contains the setup cmdlets used by Exchange during install. You may see errors about loading a format data file. You can ignore those errors. DO NOT run any other cmdlets in this snap-in without direction from Microsoft. Doing so could irreparably damage your Exchange installation.

4. Run Install-CannedRbacRoleAssignments -InvocationMode Install -Verbose and press enter.

Note: This cmdlet should create the required role assignments between the role groups and roles that should have been created during setup. Also, be sure you run with the Verbose switch so we can capture what the cmdlet does.

5. Run Remove-PSSnapin *setup and press enter

6. Run $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<FQDN of Exchange 2010 server>/PowerShell/ -Authentication Kerberos and press enter.

Check EMC and EMS if issue still persist.

 



2 Responses to “Apply missing Exchange 2010 RBAC Management Roles and Policies”

  1.   Alexander Says:

    Great post. I spent about three days to try to fix and find any solutions in internet for Exchange 2010 RBAC issue.
    Many THX.

  2.   MFaklis@sonic.net Says:

    The Install-CannedRbacRoleAssignments -InvocationMode Install -Verbose errored out. See RBAC.txt below:

    **********************
    Windows PowerShell Transcript Start
    Start time: 20140628142301
    Username : EVOLSWSYS\MFaklis
    Machine : ESSSBS2011 (Microsoft Windows NT 6.1.7601 Service Pack 1)
    **********************
    Transcript started, output file is c:\RBAC.txt
    PS C:\Windows\system32> Add-PSSnapin *setup
    PS C:\Windows\system32> Install-CannedRbacRoleAssignments -InvocationMode Install -Verbose
    VERBOSE: [21:24:10.246 GMT] Install-CannedRbacRoleAssignments : Initializing Active Directory server settings for the
    local Windows PowerShell session.
    VERBOSE: [21:24:11.199 GMT] Install-CannedRbacRoleAssignments : Active Directory session settings for
    ‘Install-CannedRbacRoleAssignments’ are: View Entire Forest: ‘True’,
    VERBOSE: [21:24:12.183 GMT] Install-CannedRbacRoleAssignments : Runspace context: Executing user:
    evolswsys.local/MyBusiness/Users/SBSUsers/Michael Faklis, Executing user organization: , Current organization: ,
    RBAC-enabled: Disabled.
    VERBOSE: [21:24:12.199 GMT] Install-CannedRbacRoleAssignments : Beginning processing Install-CannedRbacRoleAssignments
    VERBOSE: [21:24:13.418 GMT] Install-CannedRbacRoleAssignments : Used domain controller ESSSBS2011.evolswsys.local to
    read object DC=evolswsys,DC=local.
    VERBOSE: [21:24:13.824 GMT] Install-CannedRbacRoleAssignments : Used domain controller ESSSBS2011.evolswsys.local to
    read object CN=Exchange Trusted Subsystem,OU=Microsoft Exchange Security Groups,DC=evolswsys,DC=local.
    VERBOSE: [21:24:13.824 GMT] Install-CannedRbacRoleAssignments : Used domain controller ESSSBS2011.evolswsys.local to
    read object CN=Exchange Trusted Subsystem,OU=Microsoft Exchange Security Groups,DC=evolswsys,DC=local.
    VERBOSE: [21:24:13.824 GMT] Install-CannedRbacRoleAssignments : Used domain controller ESSSBS2011.evolswsys.local to
    read object CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups,DC=evolswsys,DC=local.
    VERBOSE: [21:24:13.840 GMT] Install-CannedRbacRoleAssignments : Used domain controller ESSSBS2011.evolswsys.local to
    read object CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups,DC=evolswsys,DC=local.
    VERBOSE: [21:24:13.965 GMT] Install-CannedRbacRoleAssignments : Current ScopeSet is: { Recipient Read Scope: {{, }},
    Recipient Write Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclusive
    Recipient Scope(s): {}, Exclusive Configuration Scope(s): {} }
    VERBOSE: [21:24:13.980 GMT] Install-CannedRbacRoleAssignments : Resolved current organization: .
    WARNING: An unexpected error has occurred and a Watson dump is being generated: Value cannot be null.

    Parameter name: rbacContainer
    Install-CannedRbacRoleAssignments : Value cannot be null.
    Parameter name: rbacContainer
    At line:1 char:34
    + Install-CannedRbacRoleAssignments < <<< -InvocationMode Install -Verbose
    + CategoryInfo : NotSpecified: (:) [Install-CannedRbacRoleAssignments], ArgumentNullException
    + FullyQualifiedErrorId : System.ArgumentNullException,Microsoft.Exchange.Management.Tasks.InstallCannedRbacRoleAs
    signments

    PS C:\Windows\system32>

Leave a Reply