Symptoms

A new Exchange infrastructure is deployed and new DAG nodes are being registered in OA. When attempting to install the package Exchange2013Mailstore, no errors are displayed and no tasks fail, but the package is not installed. In wpe.log on the Windows Provisioning Server the following error is registered:

   ERROR   2017-06-28 16:51:33 (2700/2692): Processing data from remote server 13dag01 failed with the following error message: [AuthZRequestId=ff6ad24e-f441-4579-8224-645be260b27f][FailureCategory=AuthZ-CmdletAccessDeniedException] The user `exchange13.local/Users/pem_admin` isn't assigned to any management roles. For more information, see the about_Remote_Troubleshooting Help topic.

where exchange13.local is a new Active Directory (AD) domain deployed for the new Exchange set.

Cause

There is an existing Exchange set of an older version in OA, deployed in another AD domain. Since the new Exchange set is deployed in a new AD domain, exchange13.local, it has its own pem_admin service account in AD. Usually, when Exchange is deployed in OA, the user pem_admin is automatically added to all necessary AD groups, but when additional Exchange infrastructure is deployed in a new AD domain, the user pem_admin is not added to the security group Organization Management.

This behavior was recognized as software issue POA-111910: pem_admin domain user isn't added into required AD group automatically during Exchange deployment in a new AD.

Resolution

As a workaround, please perform the following steps:

  1. Go to the domain controller of the reported AD domain (in this example - exchange13.local)
  2. Run the snap-in Active Directory Users and Computers
  3. Find the user pem_admin, open its properties and go to the Member Of tab
  4. Click Add and type the group name Organization Management, click OK
  5. On the properties page click OK to save changes.
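
The same check and change can be scripted on the domain controller. The script below is an added example, not part of the original article: it assumes the ActiveDirectory PowerShell module is installed and that the account and group resolve by the names used above; the parameter names are illustrative.

```powershell
#Requires -Modules ActiveDirectory
# Added example: verify that pem_admin is in Organization Management and add it if not.
# Run with -WhatIf first to see the intended change without applying it.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Domain    = 'exchange13.local',        # AD domain named in the wpe.log error
    [string]$Account   = 'pem_admin',               # OA service account
    [string]$GroupName = 'Organization Management'  # group the account is missing from
)

$ErrorActionPreference = 'Stop'

# Resolve both objects against the new domain so the wrong forest is never touched.
$user  = Get-ADUser  -Identity $Account   -Server $Domain
$group = Get-ADGroup -Identity $GroupName -Server $Domain

function Test-Membership {
    # -Recursive also covers membership granted through a nested group.
    $members = Get-ADGroupMember -Identity $group -Server $Domain -Recursive
    return [bool]($members |
        Where-Object { $_.DistinguishedName -eq $user.DistinguishedName })
}

if (Test-Membership) {
    Write-Output "$($user.SamAccountName) is already a member of '$($group.Name)'."
    return
}

# Organization Management is a highly privileged Exchange role group,
# so print exactly what is being changed for the change record.
if ($PSCmdlet.ShouldProcess($group.DistinguishedName,
                            "Add member $($user.DistinguishedName)")) {
    Add-ADGroupMember -Identity $group -Members $user -Server $Domain

    if (-not (Test-Membership)) {
        throw "Membership was not applied; check replication and permissions."
    }
    Write-Output "Added $($user.SamAccountName) to '$($group.Name)' in $Domain."
}
```

Because the script only adds the account when it is missing, it can be re-run safely after the fix to confirm the membership is still in place.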

In order to clarify the status of the software issue POA-111910, please contact your Technical Account Manager.
