Duplicate SGs in Microsoft Exchange Security Groups Organizational Unit
We have an Exchange 2007 server in production and we have an Exchange 2010 server that will soon be replacing our 2007 one. We had a situation where we had to re-run "setup/PrepareAD" from Exchange 2010 SP1 disk. This resolved our issue, however,
now we have duplicate security groups inside of the "Microsoft Exchange Security Groups" Organizational Unit (I.E. Delegated Setup & Delegated Setup1, Help Desk & Help Desk1, etc...). It looks like the Exchange Servers are using the groups with
the "1" after them. Is it safe to say that in order to resolve this, we should delete both the originals and the duplicates and re-run "Setup/PrepareAD" again?
November 3rd, 2011 10:30am
I would verify which groups are being used by your Exchange 2007 servers by looking at the delegation model and deleting the ones not used.
Deleting everything will remove your Exchange servers from these groups and all permissions assigned on the server. This will be hard to redo manually since the PrepareAD will recreate them but not reassign servers, users, groups to these.
November 3rd, 2011 10:40am
Is it safe to say that in order to resolve this, we should delete both the originals and the duplicates and re-run "Setup/PrepareAD" again?
Yes, it's safe; setup will detect their presence, and if not present it will create them. Also wait a while before you run the setup for the replication to happen. Make sure they are not used by the existing 2007 server. Custom permissions assigned to these groups will be lost and only the defaults will be restored, so make sure you consider that.
Jasjit Singh Dhindsa | ITIL v3 | IASA Foundation Certified | MCITP:EMA Exchange 2010/2007 | MCTS:OCS 2007 | Exchange 2010/2007 | MCSA:Messaging/Security | MCSE:Messaging/Security
November 3rd, 2011 10:47am
Thanks for the quick replies. Jasjit, what setup are you referring to when you say:
"Also wait a while before you run the setup for the replication to happen."?
November 3rd, 2011 10:50am
I meant "Setup /prepareAD"
Jasjit Singh Dhindsa | ITIL v3 | IASA Foundation Certified | MCITP:EMA Exchange 2010/2007 | MCTS:OCS 2007 | Exchange 2010/2007 | MCSA:Messaging/Security | MCSE:Messaging/Security
November 3rd, 2011 10:51am
I see. So, to confirm, you are saying to wait a while after removing the groups before running it, correct?
November 3rd, 2011 10:53am
Got to disagree with Jasjit, the groups will be recreated but servers and users will NOT be re-added to them. Better take note of the members in each group. The PrepareAD only creates the groups; the installation of a role actually populates the contents depending on the role installed.
November 3rd, 2011 10:55am
That's right. You don't want to be in a situation where it shows as deleted on some DCs and on some it still exists, and then you are running the setup again.
Also, I have edited my original post to make sure if you have assigned any custom permission or if they are used by Exchange 2007 Server in some respect, as then you might be risking the production Exchange Server 2007.
Jasjit Singh Dhindsa | ITIL v3 | IASA Foundation Certified | MCITP:EMA Exchange 2010/2007 | MCTS:OCS 2007 | Exchange 2010/2007 | MCSA:Messaging/Security | MCSE:Messaging/Security
November 3rd, 2011 10:57am
I understand what both of you are saying. What if I were to write down everything in "Members" and "Member Of" then after the "Setup/PrepareAD", re-add those members?
November 3rd, 2011 11:02am
The PrepareAD only creates the groups, the installation of a role actually populates the contents depending on the role installed.
Totally agree with Iafontma on this point.
Jasjit Singh Dhindsa | ITIL v3 | IASA Foundation Certified | MCITP:EMA Exchange 2010/2007 | MCTS:OCS 2007 | Exchange 2010/2007 | MCSA:Messaging/Security | MCSE:Messaging/Security
November 3rd, 2011 11:06am
If I were you I would verify which ones are used and delete the other ones and not take any chances of messing with deleting all of them and recreating them.
Groups can always be renamed after if you don't like the "1" at the end.
November 3rd, 2011 11:16am
Thanks for all of the information! Lafontma, what is the best way for me to verify which ones are used?
November 3rd, 2011 12:33pm
Get-ManagementRoleAssignment will list all the roles and associated role assignee...
November 3rd, 2011 12:50pm
If I were you I would verify which ones are used and delete the other ones and not take any chances of messing with deleting all of them and recreating them.
Groups can always be renamed after if you don't like the "1" at the end.
November 3rd, 2011 6:09pm
The "Get-ManagementRoleAssignment" cmdlet doesn't work in Exchange 2007. I can use it in Exchange 2010 though. Are you aware of the command for 2007? Thanks.
November 4th, 2011 9:50am
Sorry, forgot that you were running 2007. There ain't really an equivalent since 2007 did not use roles for management.
I would just open ADSIEDIT, go to the configuration/services/Microsoft Exchange/Org.. and verify the permissions in the security tab.
November 4th, 2011 10:37am
Thanks. I just checked and it has 5 Security Groups (Organizational Management, Public Folder Management, Delegated Setup, Exchange Servers, and Exchange Trusted Subsystem) where it has both the original and duplicate listed under the security tab.
It also appears that their permissions mirror one another.
November 4th, 2011 10:49am
Do remember to take system state backup of your Active Directory as well before this deletion exercise.
Jasjit Singh Dhindsa | ITIL v3 | IASA Foundation Certified | MCITP:EMA Exchange 2010/2007 | MCTS:OCS 2007 | Exchange 2010/2007 | MCSA:Messaging/Security | MCSE:Messaging/Security
November 4th, 2011 10:56am
Since the permissions mirror each other, which frankly is normal, verify the membership of the groups; probably some are empty or contain only SIDs.
November 4th, 2011 11:01am
Yes, it looks like most of the memberships of the groups with the "1" are either empty or mirror what is in the originals.
November 4th, 2011 11:03am
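The thread's advice to note "Members" and "Member Of" for each group and to check whether the "1" groups are empty or mirror the originals can be scripted. The following is an added example, not code from any poster in the thread; it is read-only and assumes the ActiveDirectory PowerShell module is available, that the OU sits in the forest root domain, and a hypothetical output path under `$env:TEMP`.

```powershell
# Added example: read-only snapshot and comparison; nothing is modified or deleted.
# Assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

# OU name as given in the thread; assumed to sit in the forest root domain.
$rootDn = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName
$ou     = "OU=Microsoft Exchange Security Groups,$rootDn"
$outCsv = Join-Path $env:TEMP 'exchange-sg-snapshot.csv'   # hypothetical output path

# Read member/memberOf as raw DNs so empty groups and unresolved SIDs are still listed.
$groups = Get-ADGroup -SearchBase $ou -SearchScope OneLevel -Filter * `
    -Properties member, memberOf, whenCreated

# 1) Record "Members" and "Member Of" for every group before anything is changed.
$groups |
    Select-Object Name, SID, whenCreated, DistinguishedName,
        @{ Name = 'Members';  Expression = { ($_.member   | Sort-Object) -join ';' } },
        @{ Name = 'MemberOf'; Expression = { ($_.memberOf | Sort-Object) -join ';' } } |
    Export-Csv -Path $outCsv -NoTypeInformation

# 2) Pair each group with its "1"-suffixed duplicate and report membership differences.
$byName = @{}
foreach ($g in $groups) { $byName[$g.Name] = $g }

$report = foreach ($g in $groups) {
    $dupe = $byName["$($g.Name)1"]
    if (-not $dupe) { continue }
    $orig = @($g.member    | Where-Object { $_ })
    $copy = @($dupe.member | Where-Object { $_ })
    New-Object PSObject -Property @{
        Original        = $g.Name
        Duplicate       = $dupe.Name
        OriginalCount   = $orig.Count
        DuplicateCount  = $copy.Count
        OnlyInOriginal  = @($orig | Where-Object { $copy -notcontains $_ }) -join ';'
        OnlyInDuplicate = @($copy | Where-Object { $orig -notcontains $_ }) -join ';'
    }
}
$report | Format-List Original, Duplicate, OriginalCount, DuplicateCount, OnlyInOriginal, OnlyInDuplicate
```

The CSV keeps each group's SID and creation time alongside its membership, which helps tell an original from its duplicate when the security tab lists both.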