Mailbox Server Upgrade to SP3

I am upgrading the last server, which hosts the mailbox role, to SP3, and it is giving the following error:

  • ERROR

"Couldn't resolve the user or group "Mail.orange.k12.nj.us/Microsoft Exchange Security Groups/Discovery Management." If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust.".
[04/23/2015 20:35:43.0621] [1] [ERROR] Couldn't resolve the user or group "Mail.orange.k12.nj.us/Microsoft Exchange Security Groups/Discovery Management." If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust.
[04/23/2015 20:35:43.0621] [1] [ERROR] The trust relationship between the primary domain and the trusted domain failed.

I researched the error and the resolution is to disable the Discovery Search mailbox.

Are the following commands correct to disable the mailbox, run SP3, and then enable it and add the permission?

  • Disable-Mailbox "DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}"
  • Enable-Mailbox "DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}" -Arbitration
  • Add-MailboxPermission -Identity:"mail.orange.k12.nj.us/Users/DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}" -User:"Discovery Management" -AccessRights:FullAccess

When I run the first command I get the following prompt:

[PS] C:\Windows\system32>Disable-Mailbox "DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}"

Confirm

Are you sure you want to perform this action?

Disabling mailbox "DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}" will remove the Exchange properties from the Active Directory user object and mark the mailbox in the database for removal. If the mailbox has an archive or remote archive, the archive will also be marked for removal. In the case of remote archives, this action is permanent. You can't reconnect this user to the remote archive again.

[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"):

Should I proceed with it?

Reference

http://www.msdigest.net/2010/11/sp1-install-fails-with-couldnt-resolve-the-user-or-group-mydomain-localmicrosoft-exchange-security-groupsdiscovery-management/

http://mostlyexchange.blogspot.com/2011/12/exchange-2010-sp2-upgrade-issue-with.html

https://vijayjadi.wordpress.com/2012/05/29/couldnt-resolve-the-user-or-group-microsoft-exchange-security-groups-discovery-management-if-the-user-or-group-is-a-foreign-forest-principal-you-must-have-either-a-two-wa/

https://junzho.wordpress.com/2014/07/22/apply-exchange-2013-cu-with-error-couldnt-resolve-the-user-or-group-microsoft-exchange-security-groupsdiscovery-management/

April 23rd, 2015 5:32pm

Hi Parvinder,

Yes, you can delete and re-create the Discovery Search Mailbox.

Exchange 2010 Setup creates one discovery mailbox with the display name Discovery Search Mailbox. However, you can also use the Shell to create additional discovery mailboxes. By default, the additional discovery mailboxes you create won't have any mailbox access permissions assigned.

Best regards,

April 23rd, 2015 10:25pm

I selected yes and disabled the discovery mailbox; however, the setup failed again with the following error:

Detailed ExchangeSetupLog:

https://onedrive.live.com/redir?resid=f3743c55dc76b1ee!15331&authkey=!AJywMixo1SbCLl8&ithint=folder%2clog

Log Snippet:

[04/24/2015 13:06:27.0678] [2] Beginning processing Get-RoleGroup -Identity:'2ede7fc6-3983-4467-90fb-afdca3dfdc95' -DomainController:'OECC-DHCP.Mail.orange.k12.nj.us' -ErrorAction:'SilentlyContinue'

[04/24/2015 13:06:27.0725] [2] Searching objects "2ede7fc6-3983-4467-90fb-afdca3dfdc95" of type "ADGroup" under the root "$null".

[04/24/2015 13:06:27.0834] [2] Previous operation run on domain controller 'OECC-DHCP.Mail.orange.k12.nj.us'.

[04/24/2015 13:06:27.0834] [2] Previous operation run on domain controller 'OECC-DHCP.Mail.orange.k12.nj.us'.

[04/24/2015 13:06:27.0834] [2] Preparing to output objects. The maximum size of the result set is "1000".

[04/24/2015 13:06:27.0865] [2] Ending processing Get-RoleGroup

[04/24/2015 13:06:27.0881] [2] Active Directory session settings for 'Add-MailboxPermission' are: View Entire Forest: 'True', Configuration Domain Controller: 'OECC-DHCP.Mail.orange.k12.nj.us', Preferred Global Catalog: 'OECC-DHCP.Mail.orange.k12.nj.us', Preferred Domain Controllers: '{ OECC-DHCP.Mail.orange.k12.nj.us }'

[04/24/2015 13:06:27.0881] [2] Beginning processing Add-MailboxPermission -DomainController:'OECC-DHCP.Mail.orange.k12.nj.us' -WarningAction:'SilentlyContinue' -Identity:'Mail.orange.k12.nj.us/Users/DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}' -User:'Mail.orange.k12.nj.us/Microsoft Exchange Security Groups/Discovery Management' -AccessRights:'FullAccess'

[04/24/2015 13:06:27.0912] [2] Searching objects "Mail.orange.k12.nj.us/Users/DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}" of type "ADUser" under the root "Mail.orange.k12.nj.us/Users".

[04/24/2015 13:06:27.0928] [2] Previous operation run on global catalog server 'OECC-DHCP.Mail.orange.k12.nj.us'.

[04/24/2015 13:06:27.0928] [2] Processing object "Mail.orange.k12.nj.us/Users/DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}".

[04/24/2015 13:06:27.0928] [2] Checking if the specified user or group "Mail.orange.k12.nj.us/Microsoft Exchange Security Groups/Discovery Management" is a Security Identifier.

[04/24/2015 13:06:27.0928] [2] Checking if the specified user or group "Mail.orange.k12.nj.us/Microsoft Exchange Security Groups/Discovery Management" is a SAM account or a foreign forest account.

[04/24/2015 13:06:46.0413] [2] [ERROR] Unexpected Error

[04/24/2015 13:06:46.0413] [2] [ERROR] Couldn't resolve the user or group "Mail.orange.k12.nj.us/Microsoft Exchange Security Groups/Discovery Management." If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust.

[04/24/2015 13:06:46.0460] [2] [ERROR] The trust relationship between the primary domain and the trusted domain failed.

[04/24/2015 13:06:46.0460] [2] Ending processing Add-MailboxPermission

[04/24/2015 13:06:46.0460] [1] The following 1 error(s) occurred during task execution:

[04/24/2015 13:06:46.0460] [1] 0.  ErrorRecord: Couldn't resolve the user or group "Mail.orange.k12.nj.us/Microsoft Exchange Security Groups/Discovery Management." If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust.

[04/24/2015 13:06:46.0460] [1] 0.  ErrorRecord: Microsoft.Exchange.Data.Common.LocalizedException: Couldn't resolve the user or group "Mail.orange.k12.nj.us/Microsoft Exchange Security Groups/Discovery Management." If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust. ---> System.SystemException: The trust relationship between the primary domain and the trusted domain failed.

   at System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection sourceAccounts, Boolean& someFailed)
   at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
   at System.Security.Principal.NTAccount.Translate(Type targetType)
   at Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter.GetUserSidAsSAMAccount(SecurityPrincipalIdParameter user, TaskErrorLoggingDelegate logError, TaskVerboseLoggingDelegate logVerbose)
   --- End of inner exception stack trace ---

[04/24/2015 13:06:46.0491] [1] [ERROR] The following error was generated when "$error.Clear();

          $name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName;
          $dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName;
          $dismbx = get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1;
          if( $dismbx -ne $null)
          {
            $srvname = $dismbx.ServerName;
            if( $dismbx.Database -ne $null -and $RoleFqdnOrName -like "$srvname.*" )
            {
              Write-ExchangeSetupLog -info "Setup DiscoverySearchMailbox Permission.";
              $mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
              if( $mountedMdb -eq $null )
              {
                Write-ExchangeSetupLog -info "Mounting database before stamp DiscoverySearchMailbox Permission...";
                mount-database $dismbx.Database;
              }
              $mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
              if( $mountedMdb -ne $null )
              {
                $dmRoleGroupGuid = [Microsoft.Exchange.Data.Directory.Management.RoleGroup]::DiscoveryManagementWkGuid;
                $dmRoleGroup = Get-RoleGroup -Identity $dmRoleGroupGuid -DomainController $RoleDomainController -ErrorAction:SilentlyContinue;
                if( $dmRoleGroup -ne $null )
                {
                  Add-MailboxPermission $dismbx -User $dmRoleGroup.Identity -AccessRights FullAccess -DomainController $RoleDomainController -WarningAction SilentlyContinue;
                }
              }
            }
          }

        " was run: "Couldn't resolve the user or group "Mail.orange.k12.nj.us/Microsoft Exchange Security Groups/Discovery Management." If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust.".

[04/24/2015 13:06:46.0491] [1] [ERROR] Couldn't resolve the user or group "Mail.orange.k12.nj.us/Microsoft Exchange Security Groups/Discovery Management." If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust.

[04/24/2015 13:06:46.0491] [1] [ERROR] The trust relationship between the primary domain and the trusted domain failed.

[04/24/2015 13:06:46.0491] [1] [ERROR-REFERENCE] Id=MailboxServiceControlLast___05b3bbd421504e0c93fefa6d5d1ae590 Component=EXCHANGE14:\Current\Release\Shared\Datacenter\Setup

[04/24/2015 13:06:46.0491] [1] Setup is stopping now because of one or more critical errors.

[04/24/2015 13:06:46.0491] [1] Finished executing component tasks.

[04/24/2015 13:06:46.0522] [1] Ending processing Install-MailboxRole

April 24th, 2015 9:23am

The error is stating it could not resolve user or groups for Discovery Management - there is only one discovery user created by default with Exchange 2010 called:

DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}

As a result I decided to recreate this mailbox by deleting it and recreating it. This was done with the following commands:

Disable-Mailbox "DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}"

Enable-Mailbox "DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}" -Arbitration

Next I assigned the Discovery Management user permissions to the new mailbox with the following command:

Add-MailboxPermission -Identity:"mail.orange.k12.nj.us/Users/DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}" -User:"Discovery Management" -AccessRights:"FullAccess"

Ran the Service Pack 3 setup again and it worked this time.

Installed Rollup 9

Reference

http://clintboessen.blogspot.com/2014/10/couldnt-resolve-user-or-group.html

April 24th, 2015 9:54am
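
A read-only check for the fix described in this thread, as an added example that is not part of the original posts: it repeats the group lookup and name-to-SID translation that failed in the setup log, then lists who holds explicit FullAccess on the re-created discovery mailbox. That `SamAccountName` is populated on the role group object and that the mailbox may need `-Arbitration` to be returned are assumptions.

```powershell
# Added example, read-only: run in the Exchange Management Shell.
$mbxName   = 'DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}'
$groupName = 'Discovery Management'

# 1. The role group must exist (setup looks it up with Get-RoleGroup).
$group = Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue
if ($null -eq $group) { Write-Warning "Role group '$groupName' not found."; return }

# 2. Its account name must translate to a SID. This is the call that threw
#    in the setup log (NTAccount.Translate). SamAccountName is assumed to be
#    populated on the returned object.
try {
    $nt  = New-Object System.Security.Principal.NTAccount($group.SamAccountName)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
    "Group resolves to $($sid.Value)"
} catch {
    Write-Warning "Name-to-SID translation failed: $($_.Exception.Message)"
}

# 3. Find the discovery mailbox. After Enable-Mailbox -Arbitration it may
#    only be returned when -Arbitration is passed (assumption).
$mbx = Get-Mailbox -Identity $mbxName -ErrorAction SilentlyContinue
if ($null -eq $mbx) {
    $mbx = Get-Mailbox -Identity $mbxName -Arbitration -ErrorAction SilentlyContinue
}
if ($null -eq $mbx) { Write-Warning 'Discovery mailbox not found.'; return }

# 4. List explicit (non-inherited, non-deny) FullAccess grants and flag any
#    holder other than the Discovery Management group.
$grants = @($mbx | Get-MailboxPermission | Where-Object {
    -not $_.IsInherited -and -not $_.Deny -and ($_.AccessRights -like '*FullAccess*')
})
$groupHasAccess = $false
foreach ($g in $grants) {
    if ("$($g.User)" -like "*$groupName") {
        $groupHasAccess = $true
        "OK: $($g.User) has FullAccess"
    } else {
        Write-Warning "Unexpected FullAccess holder: $($g.User)"
    }
}
if (-not $groupHasAccess) {
    Write-Warning "'$groupName' has no explicit FullAccess on the discovery mailbox."
}
```

A warning at step 2 means the group name still cannot be translated to a SID on this server, which is the condition under which the setup step failed in the log above.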

