Error when selecting Organizational Unit in ECP

Exchange 2013 CU1
Server 2012 member server
New install, nothing on this server previously.
All windows updates completed to 4/10/2013
Account used is full administrator and confirmed that this account has rights in Organizational Management and Server Management.
Co-existence with Exchange 2010, migration has been started

In ECP, in any function that has a picker for Organization Unit (example like rules in Dynamic Group), when the box opens you get the error "Exception has been thrown by the target of an invocation"

The error log displays:

https://xxx.xxxxx.com:444/ecp/DDI/DDIService.svc/GetList?schema=OrganizationalUnitPicker&msExchEcpCanary=WOPb_kFW1UaYtHsSmmFUtNJIbzJ0B9AI2n9s_4DiXWprkg3QFgDPXItPUSetvJNF_bnM8wV_zfY.(https://xxx.xxxxx.com/ecp/DDI/DDIService.svc/GetList?schema=OrganizationalUnitPicker&msExchEcpCanary=WOPb_kFW1UaYtHsSmmFUtNJIbzJ0B9AI2n9s_4DiXWprkg3QFgDPXItPUSetvJNF_bnM8wV_zfY.)
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
   at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
   at Microsoft.Exchange.Management.DDIService.OrganizationalUnitPickerService.BuildOUTree(DataTable dataTable)
   at Microsoft.Exchange.Management.DDIService.OrganizationalUnitPickerService.GetListPostAction(DataRow inputRow, DataTable dataTable, DataObjectStore store)

Everything else works fine and I have been migrating users from Exchange 2010 with no other problems.

Ideas?

April 15th, 2013 4:18pm

Tagging along on this one as I have the same problem...

April 15th, 2013 4:36pm

Hi,

Did you customize IIS?

Please check the IIS log when the issue occurs and post the error you found.

Thanks.

April 16th, 2013 6:17am

Hi,

Are you sure that you have already installed 2010 or 2013 in the Exchange Organization? Or were there any Exchange attributes in the schema that had already been created and then removed?

If you still have any old Exchange attributes that were created and removed but whose records still exist, it is normal that you get this error. Please try again after deleting the unnecessary records, using the following steps:

Adsi.edit
Configuration -> Services -> Microsoft Exchange -> Administrative Groups ->

April 16th, 2013 11:13am

No customizations were made, this was a brand new Windows Server 2012 and a brand new Exchange 2013 CU1 installation. As mentioned in the first message, this is installed into an existing Exchange 2010 environment for co-existence and migration. All the users have been already migrated to the new Exchange 2013 server.

Everything else works except the "Picker" on any screen that deals with Active Directory/OU. Pickers that select users, databases, other things all work.

IIS logs do not show anything special:

2013-04-16 13:21:52 172.20.201.17 POST /ecp/DDI/DDIService.svc/GetList workflow=GetCount&ua=0&schema=Notification&msExchEcpCanary=8uq9QQufU0a2IsQp_W5mXtd61328CNAITz9uM5zxPjjX48uSsB6nxjL_hTq-KkzilFbPILh-rwY. 443 administrator@yyy.com 172.20.201.222 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+InfoPath.3) https://xxx.yyy.com/ecp/ 200 0 0 578
2013-04-16 13:21:52 172.20.201.17 POST /ecp/DDI/DDIService.svc/GetList schema=MailboxService&msExchEcpCanary=8uq9QQufU0a2IsQp_W5mXtd61328CNAITz9uM5zxPjjX48uSsB6nxjL_hTq-KkzilFbPILh-rwY. 443 administrator@yyy.com 172.20.201.222 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+InfoPath.3) https://xxx.yyy.com/ecp/UsersGroups/Mailboxes.slab?showhelp=false 200 0 0 78
2013-04-16 13:21:52 172.20.201.17 POST /ecp/DDI/DDIService.svc/GetList schema=MailboxService&msExchEcpCanary=8uq9QQufU0a2IsQp_W5mXtd61328CNAITz9uM5zxPjjX48uSsB6nxjL_hTq-KkzilFbPILh-rwY. 443 administrator@yyy.com 172.20.201.222 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+InfoPath.3) https://xxx.yyy.com/ecp/UsersGroups/Mailboxes.slab?showhelp=false 200 0 0 171
2013-04-16 13:21:53 172.20.201.17 GET /ecp/UsersGroups/ViewUserMailboxDetails.aspx isNarrow=t&id=54d21878-0659-48b7-ac5e-28bdb9a83d1e 443 administrator@yyy.com 172.20.201.222 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+InfoPath.3) https://xxx.yyy.com/ecp/UsersGroups/Mailboxes.slab?showhelp=false 200 0 0 171 


I only see errors in the event log:

Current user: 'yyy.com/Users/Administrator'
Web service call 'https://arh10.yyy.com:444/ecp/DDI/DDIService.svc/GetList?schema=OrganizationalUnitPicker&msExchEcpCanary=8uq9QQufU0a2IsQp_W5mXtd61328CNAITz9uM5zxPjjX48uSsB6nxjL_hTq-KkzilFbPILh-rwY.(https://mail.yyy.com/ecp/DDI/DDIService.svc/GetList?schema=OrganizationalUnitPicker&msExchEcpCanary=8uq9QQufU0a2IsQp_W5mXtd61328CNAITz9uM5zxPjjX48uSsB6nxjL_hTq-KkzilFbPILh-rwY.)' failed with the following error:
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
   at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
   at Microsoft.Exchange.Management.DDIService.OrganizationalUnitPickerService.BuildOUTree(DataTable dataTable)
   at Microsoft.Exchange.Management.DDIService.OrganizationalUnitPickerService.GetListPostAction(DataRow inputRow, DataTable dataTable, DataObjectStore store)
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at Microsoft.Exchange.Management.DDIService.Activity.DoPostRun(DataRow input, DataTable dataTable, DataObjectStore store, Type codeBehind)
   at Microsoft.Exchange.Management.DDIService.Workflow.Run(DataRow input, DataTable dataTable, DataObjectStore store, Type codeBehind, UpdateTableDelegate updateTableDelegate)
   at Microsoft.Exchange.Management.DDIService.WSListDataHandler.ExecuteCore(Workflow workflow)
   at Microsoft.Exchange.Management.DDIService.WSDataHandler.Execute()
   at Microsoft.Exchange.Management.DDIService.DDIServiceHelper.GetListCommon(DDIParameters filter, SortOptions sort, Boolean forGetProgress)
   at SyncInvokeGetList(Object , Object[] , Object[] )
   at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
   at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)

System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
   at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
   at Microsoft.Exchange.Management.DDIService.OrganizationalUnitPickerService.BuildOUTree(DataTable dataTable)
   at Microsoft.Exchange.Management.DDIService.OrganizationalUnitPickerService.GetListPostAction(DataRow inputRow, DataTable dataTable, DataObjectStore store)


As an aside, if I create something like a dynamic distribution group in Exchange 2013 ECP and just let it create the policy in the default OU, I can go into the Exchange 2010 Console and edit it with no problems.




April 16th, 2013 4:34pm

You can be sure that you are receiving this error because of an object that still exists in the Schema (already trashed, deleted). When you click Active Directory OU on the Exchange, I cannot remember which Schema object you see. But I am sure that if you scrutinize carefully, you can solve the problem.

Additionally, according to my personal experience, Exchange 2013 has still some problems with AD Schema, in spite of CU1!

Good luck.

April 17th, 2013 12:22pm

I need a bit more information on what I am supposed to be looking for. Going into ADSIEDIT at Configuration -> Services -> Microsoft Exchange -> Administrative Groups  shows me 2 groups.

(a) CN=Exchange Administrative Group (FYDIBOHF23SPDLT)
(b) CN=First Administrative Group

(a) is showing all my databases and servers
Advanced Security
Arrays
Database Availability Groups
Databases
Folder Hierarchies
Routing Group
Servers

(b) is only showing
Advanced Security
Routing Groups

April 18th, 2013 2:09am

If we presume that there is a problem with the Active Directory OU objects, I think you do not need to look at these.

Meantime, can you please try again with Firefox?
April 18th, 2013 12:01pm

Just tried Firefox and Chrome - same error.

I think this is a local install issue. I am going to try building a temporary Server 2012 and just install the CAS role on it to see if the same problem exists.

April 18th, 2013 4:47pm

I can rule out a local install issue. I just built a Server 2012 test server and just installed the Exchange 2013 CAS role only. Logged into the local ECP instance and tried again to use a picker that browses the Active Directory OU's. (In this case I used Dynamic Group as my test). Same error.

Have no idea where to go now.....

April 18th, 2013 6:47pm

Hi,

Does the command "Get-OrganizationalUnit", or other commands with the -OrganizationalUnit switch, work fine in Exchange Management Shell?

I would do some tests for you in my lab and see if the problem could be reproduced.

Thanks,

Andy

April 19th, 2013 10:02am

Can you please follow this way: Please control the Active Directory OUs in schema using Adsi.edit.

Default Naming Context -> DC -> OU
adsi_ou

Is there any record which you cannot see at Active Directory Users and Computers Console? If any, please delete and try again with Exc

April 19th, 2013 11:16am

@Chao Lu
The get-organizationalunit command works fine and returns all the OU's correctly. This is a very simple AD, nothing unusual. Exchange in this AD environment has been in place for a long time. Starting as Server 2003 with Exchange 2003, then Exchange 2007, Exchange 2010, and now Exchange 2013.

Here is a tiny snippet, but all the rest of the OU are the same. One thing I do notice is Exchange version says ExchangeVersion      : 0.0 (6.5.6500.0)

ObjectCategory       : xxxxxxyyyyyxx.com/Configuration/Schema/Domain-DNS
ObjectClass          : {top, domain, domainDNS}
WhenChanged          : 4/18/2013 11:10:33 PM
WhenCreated          : 10/17/2001 5:23:23 AM
WhenChangedUTC       : 4/19/2013 3:10:33 AM
WhenCreatedUTC       : 10/17/2001 9:23:23 AM
OrganizationId       :
OriginatingServer    : ARH7.xxxxxxyyyyyxx.com
IsValid              : True
ObjectState          : Unchanged

RunspaceId           : 1793efc5-2f96-4bd7-9a8b-d83a2118367f
Type                 : OrganizationalUnit
CanonicalName        : xxxxxxyyyyyxx.com/Microsoft Exchange Security Groups
IsWellKnownContainer : False
DirSyncStatusAck     : {}
AdminDisplayName     :
ExchangeVersion      : 0.0 (6.5.6500.0)
Name                 : Microsoft Exchange Security Groups
DistinguishedName    : OU=Microsoft Exchange Security Groups,DC=xxxxxxyyyyyxx,DC=com
Identity             : xxxxxxyyyyyxx.com/Microsoft Exchange Security Groups
Guid                 : aa2608b9-9ca2-439f-86dd-e40f412f28b0
ObjectCategory       : xxxxxxyyyyyxx.com/Configuration/Schema/Organizational-Unit
ObjectClass          : {top, organizationalUnit}
WhenChanged          : 7/30/2012 10:06:15 PM
WhenCreated          : 4/23/2007 4:05:29 PM
WhenChangedUTC       : 7/31/2012 2:06:15 AM
WhenCreatedUTC       : 4/23/2007 8:05:29 PM
OrganizationId       :
OriginatingServer    : ARH7.xxxxxxyyyyyxx.com
IsValid              : True
ObjectState          : Unchanged

RunspaceId           : 1793efc5-2f96-4bd7-9a8b-d83a2118367f
Type                 : OrganizationalUnit
CanonicalName        : xxxxxxyyyyyxx.com/Domain Controllers/CS
IsWellKnownContainer : False
DirSyncStatusAck     : {}
AdminDisplayName     :
ExchangeVersion      : 0.0 (6.5.6500.0)
Name                 : CS
DistinguishedName    : OU=CS,OU=Domain Controllers,DC=xxxxxxyyyyyxx,DC=com
Identity             : xxxxxxyyyyyxx.com/Domain Controllers/CS
Guid                 : 9a7b7dbd-a1b7-4f84-a034-53de1f9b184b
ObjectCategory       : xxxxxxyyyyyxx.com/Configuration/Schema/Organizational-Unit
ObjectClass          : {top, organizationalUnit}
WhenChanged          : 7/30/2012 10:05:39 PM
WhenCreated          : 4/14/2005 1:45:26 PM
WhenChangedUTC       : 7/31/2012 2:05:39 AM
WhenCreatedUTC       : 4/14/2005 5:45:26 PM
OrganizationId       :
OriginatingServer    : ARH7.xxxxxxyyyyyxx.com
IsValid              : True
ObjectState          : Unchanged

RunspaceId           : 1793efc5-2f96-4bd7-9a8b-d83a2118367f
Type                 : OrganizationalUnit
CanonicalName        : xxxxxxyyyyyxx.com/Domain Controllers/HQ
IsWellKnownContainer : False
DirSyncStatusAck     : {}
AdminDisplayName     :
ExchangeVersion      : 0.0 (6.5.6500.0)
Name                 : HQ
DistinguishedName    : OU=HQ,OU=Domain Controllers,DC=xxxxxxyyyyyxx,DC=com
Identity             : xxxxxxyyyyyxx.com/Domain Controllers/HQ
Guid                 : afa59ca0-375c-4a4e-84cb-6af4074345eb
ObjectCategory       : xxxxxxyyyyyxx.com/Configuration/Schema/Organizational-Unit
ObjectClass          : {top, organizationalUnit}
WhenChanged          : 7/30/2012 10:05:39 PM
WhenCreated          : 4/14/2005 1:45:13 PM
WhenChangedUTC       : 7/31/2012 2:05:39 AM
WhenCreatedUTC       : 4/14/2005 5:45:13 PM
OrganizationId       :
OriginatingServer    : ARH7.xxxxxxyyyyyxx.com
IsValid              : True
ObjectState          : Unchanged

RunspaceId           : 1793efc5-2f96-4bd7-9a8b-d83a2118367f
Type                 : OrganizationalUnit
CanonicalName        : xxxxxxyyyyyxx.com/HQ
IsWellKnownContainer : False
DirSyncStatusAck     : {}
AdminDisplayName     :
ExchangeVersion      : 0.0 (6.5.6500.0)
Name                 : HQ
DistinguishedName    : OU=HQ,DC=xxxxxxyyyyyxx,DC=com
Identity             : xxxxxxyyyyyxx.com/HQ
Guid                 : f3314770-6f12-4de2-9704-0525f71dd297
ObjectCategory       : xxxxxxyyyyyxx.com/Configuration/Schema/Organizational-Unit
ObjectClass          : {top, organizationalUnit}
WhenChanged          : 7/30/2012 10:06:04 PM
WhenCreated          : 4/14/2005 1:47:27 PM
WhenChangedUTC       : 7/31/2012 2:06:04 AM
WhenCreatedUTC       : 4/14/2005 5:47:27 PM
OrganizationId       :
OriginatingServer    : ARH7.xxxxxxyyyyyxx.com
IsValid              : True
ObjectState          : Unchanged


April 19th, 2013 4:22pm

@Yavuz Erin Demir
Laying ADSIEDIT and Active Directory Users and Computers screen side by side, all entries in both are displayed identically.

April 19th, 2013 4:24pm

More info:

I built a test standalone server with its own active directory and never having older version of exchange on it. Installed Exchange 2013. As expected, everything works. Using ADSIEDIT I compared the Microsoft Exchange Service directories and all the sub CN's are there. I also checked the security settings on every CN. Identical.

The old Exchange 2010 server is basically unused in that there are no mailboxes or public folders, it's just sitting there. If I go in to Exchange 2010 EMC to Distribution Groups, I can create a new dynamic distribution group and it works perfectly for the Exchange 2013 users. If I create the dynamic group in Exchange 2013 EMC (and just don't pick an OU since that is broken), it does not work at all.

April 19th, 2013 9:20pm

Anyone have any thoughts on this??

April 23rd, 2013 11:04pm

Hi,

We did some tests in our lab but could not reproduce this issue. Do you mean that you have built your own test environment? If you create the same OUs with the same name in your test environment, could this issue be reproduced?

Thanks,

Andy

April 24th, 2013 10:30am

@Chao Lu

Testing Results Existing Network - when I add another Exchange 2013 CAS to this existing Network (Exchange 2010 and Exchange 2013 coexistence, though everything has been converted into Exchange 2013, Exchange 2010 box is just sitting there since I need the management tools for the things I can't get to in Exchange 2013 ECP), the above error still happens on the new machine. (any Picklist that display OU or AD gets a fatal error)

Testing Results New network - We wanted to make sure the problem wasn't the way we were building the Server 2012 servers, so we built a lab network with a new Active Directory domain. Exchange 2013 installed into this new network worked perfectly (any picklist in ECP that display OU). So this rules out how we built the servers.

This is pointing to something either missing or some security setting in our existing active directory domain. There are no replication errors in AD or DFS Sysvol. There are 2 global catalogues in the same site as the Exchange 2013 CAS/MBX server. There are no active directory related errors in any of the event logs. The only error that shows up is the error from when we click the pick list for OU/AD (see first message in this thread).

We need some tool that can "test" the active directory objects to see if any is missing or at the wrong security. The Schema update when installing Exchange 2013 was obviously successful as we have had a perfect migration of all the Exchange 2010 mailboxes and services to Exchange 2013.

I have compared the Lab Exchange 2013 server in its own AD to the Exchange 2013 Server in our production AD with ADSIEDIT and all the objects in Services/Exchange are there and have correct securities.

DCDIAG reports no errors and passes all tests.


April 24th, 2013 4:06pm

I just discovered that I'm having the exact same issue. 

In ECP, when I try to pick an OU for creating a new mail-user or mailbox, in the OU picker box I get "Exception has been thrown by the target of an invocation." and it never shows anything else.

In the Application log on the server, I get EventID 5 errors from MSExchange Control Panel exactly like the one you posted earlier in the thread.

This is an Exchange 2013 CU1 server running on Windows Server 2012.  Clean install with nothing special about it.  It only has a single mailbox (mine).  I don't remember this happening previously, but I've been mostly working with the 2013 server in my test environment so I might not have noticed it.  Test environment works fine with no issues.

Just discovered it, so haven't done much troubleshooting yet except a google search that brought up this thread (and nothing else).

April 24th, 2013 10:22pm

Hi,

Yes, we understand that the issue only happens when you try to pick an OU in EAC. From this symptom, we thought that the issue might be related to the name of some OU. But since you could not reproduce this issue in Exchange 2010, we thought we might not be able to find this kind of tool, and we suggest you create the same OUs with the same name in your test environment and see if the issue could be reproduced. If the OU's name is the root cause, we might be able to reproduce this issue in the lab.

Thanks

Andy

April 26th, 2013 10:25am

We are making progress on this. We have been able to duplicate this error in my test lab. Since the test lab is brand new and the Active Directory domain is new and there is no Exchange 2010 in its environment. Here is what we can rule out so far:

  1. It is not caused by an upgrade/migration of Exchange 2010.
  2. It is not an issue with the NetBIOS Name being different from the DNS name.
  3. It is not a Server 2012 build or Exchange 2013 prerequisite loading issue.

Even though the domain name / AD name / Computer name are different, for this test we keep the OU and Site names the same. When I move the single test computer/DC out of the OU and into the domain controller root in AD (then reboot), everything works. If there are no OU's under domain controller, if I create the OU's under domain controller, but still leave the object in the root, it fails.

Going to experiment with renaming OU's and Site Names (the site names and the OU's are the same, so thinking maybe a conflict, though never an issue before; this has been this way for 13 years).

April 29th, 2013 4:39pm

Bingo - we can now duplicate the problem at will in the lab (Not testing yet in production)....

The failure will happen if there are any OU's underneath the Domain Controllers OU. In the LAB, there is just one server (AD/DC). If it sits in the root of Domain Controllers and there are no other OU's there, it works every time. Add an OU in Domain Controllers (doesn't matter the name, or if anything is in it), wait 5 minutes, try again, it will fail. Do nothing but delete the OU, wait 5 minutes, it works.

Here is the test OU structure we are using:

Server LAB1, when in:
Domain Controllers/HQ - fails
Domain Controller (root) - fails
Domain Controller/CS - fail
Domain Controller (root) - Delete HQ OU - fails
Domain Controller (root) - Delete CS OU - fails
Domain Controller (root) - Delete both HQ and CS OU - WORKS!!

A reboot was not needed in any of these tests, just close IE, wait 5 minutes and open again.


April 29th, 2013 5:19pm

Hi,

Thanks for your detailed reply and update. Looks like the solution might be "do not create any sub OU and do not put the Domain controllers under the sub OU of "Domain Controller"".

You could schedule a down time to try it in your production environment and see if it works.

Thanks,

Andy

April 30th, 2013 9:47am

We have now made the same change to the production environment and ECP is now working.

Even though this works, I still consider this a defect/bug. ECP will fail if ANY OU exists in the Domain Controllers Object, even if it is not populated. Although we all know it is not ever recommended to move DC's out of the Domain Controllers object, it has always been allowed that you can have one OU deep in the object (to assist with GPO segregation). Plus this has never been an issue with other products and has been in place since Windows 2000.

April 30th, 2013 5:26pm

Unfortunately this doesn't look like the fix for me.  I've never had any OUs under the domain controllers OU in my root domain or any subdomains.  I double-checked and that's still the case.  Going to try to do some comparison of OU properties between test and production to see if I see anything similar/related.
April 30th, 2013 5:53pm

The issue with OUs in the Domain Controllers OU should be fixed in CU2. How many OUs do you have in your environment? I have seen the same issue when there are no OUs in the Domain Controllers OU but there are over 500 OUs in the environment.
July 29th, 2013 12:11pm
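
A read-only check for the two conditions reported in this thread (OUs nested under the Domain Controllers OU, and more than 500 OUs in the environment), run per domain in the forest. This is an added example, not code from any poster or from Microsoft; it assumes the RSAT ActiveDirectory module is installed, and the function name Test-EcpOuPickerConditions is hypothetical.

```powershell
# Added example: requires the RSAT ActiveDirectory module (assumption).
Import-Module ActiveDirectory

# Threshold taken from the last reply in the thread ("over 500 OUs").
$OuCountThreshold = 500

function Test-EcpOuPickerConditions {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Server    # DNS name of the domain (or a DC in it) to query
    )

    $domain = Get-ADDomain -Server $Server
    $dcOu   = $domain.DomainControllersContainer

    # Every OU below "Domain Controllers". The search base is itself an OU,
    # so it is returned by the subtree search and has to be excluded.
    $nestedOus = @(Get-ADOrganizationalUnit -Filter * -SearchBase $dcOu `
                       -SearchScope Subtree -Server $Server |
                   Where-Object { $_.DistinguishedName -ne $dcOu })

    # Domain controllers whose computer object is not a direct child of the
    # Domain Controllers OU. The parent DN is the DN minus its first RDN.
    $movedDcs = @(Get-ADDomainController -Filter * -Server $Server |
                  Where-Object {
                      ($_.ComputerObjectDN -replace '^CN=[^,]+,', '') -ne $dcOu
                  })

    # Total OU count in the domain, for the second condition.
    $totalOus = @(Get-ADOrganizationalUnit -Filter * -Server $Server).Count

    [pscustomobject]@{
        Domain             = $domain.DNSRoot
        DomainControllerOu = $dcOu
        NestedOus          = $nestedOus.DistinguishedName
        DcsOutsideRoot     = $movedDcs.ComputerObjectDN
        TotalOuCount       = $totalOus
        NestedOuCondition  = ($nestedOus.Count -gt 0)
        OuCountCondition   = ($totalOus -gt $OuCountThreshold)
    }
}

# Check the root domain and every child domain in the forest.
(Get-ADForest).Domains |
    ForEach-Object { Test-EcpOuPickerConditions -Server $_ } |
    Format-List
```

The script only reads from the directory; moving domain controllers or deleting OUs, as tested in the thread, is left as a separate, scheduled change.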

This topic is archived. No further replies will be accepted.
