Tuesday, October 8, 2013

A universal group cannot have a local group as a member.

Issue: Unable to convert Mail Enabled Groups from EMC in Exchange 2010.

Microsoft Exchange Error
Action 'Convert to Universal Group' could not be performed on object 'IT Managers'.

IT Managers
Active Directory operation failed on dc1.ZtekZone.com. This error is not retriable. Additional information: A universal group cannot have a local group as a member.
Active directory response: 00002146: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0

The server cannot handle directory requests.


Exchange 2010 and Group Scope

  • To refresh your knowledge, here are the Active Directory group scopes and group types:

    Group Scope      Group Type
    Domain Local     Security
    Global           Distribution

Exchange 2007 and Exchange 2010 want the scope of all mail-enabled groups to be “Universal” regardless of the group type. This is almost the other way around from the Exchange 2003 world, as Exchange 2003 did not care much about this.

Let's take a look at our problem group and try to understand the issue.


This group's scope is “Domain local” and it is a distribution group. Exchange 2010 is not happy with this group scope; as you can see from the picture, even the icon for this group is faded out (-:


How do we solve this problem? We can simply locate this group in ADUC, change the group scope to “Universal” and click Apply.


Now we go back to the EMC and look at the same group to see if Exchange is happy with the new group scope “Universal”. The answer is yes; as you can see, the icon has changed.


Why does Exchange force mail-enabled groups to be “Universal” ONLY!!!?

Here is the reason: Universal group membership is replicated to all Global Catalogs (all DC/GC servers), unlike the Global and Domain Local scopes. A Universal group's replication boundary and expansion capability are forest-wide, so Exchange 2007 and 2010 want mail-enabled groups to have the “Universal” scope only. This is the case when it comes to Exchange, and unfortunately Exchange does not care even if you have a single-label domain namespace.

Please note that there is no other reason or limitation as far as any other function goes. So if you are in the middle of a migration and find this out, do not freak out. This is fairly simple to deal with and has no other side effects on existing, functioning distribution groups, since changing the group scope does not change the group membership, ACLs, permissions, etc.

One thing to remember: it could increase network traffic when the group is expanded if it has forest-wide members, but this ensures all members get the e-mail (-: so it is a give-and-take thing (-:

Now, if you have many of these, how do you convert them?

# Convert every mail-enabled group with Global scope to Universal
Get-DistributionGroup | where { $_.GroupType -Like "Global*" } | Set-Group -Universal

# Convert every mail-enabled group with Domain Local scope to Universal
Get-DistributionGroup | where { $_.GroupType -Like "Domain*" } | Set-Group -Universal


*Note: you might get errors when you run these commands if a mail-enabled group has another mail-enabled group as a member and both group scopes are not Universal (this is the error shown at the top of this post). If you keep re-running these commands, you will be able to take care of them, and once Exchange is happy you get all the nice features of mail-enabled groups.
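Instead of re-running the one-liners until the errors stop, the nesting problem can be handled in one pass by converting member groups before their parents. The script below is an added example and not part of the original post; it assumes an Exchange 2010 Management Shell session and uses only the Get-DistributionGroup, Get-DistributionGroupMember, Get-Group and Set-Group cmdlets. The function name Convert-GroupTree and the $done table are the example's own. Run it with -WhatIf first to see which groups would be changed, because it also converts nested groups that are not mail-enabled (a Domain Local member that is not mail-enabled is exactly what triggers the error in the title).

```powershell
# Added example (not from the original post): convert groups to Universal scope
# in dependency order, converting nested member groups first, so that
# "A universal group cannot have a local group as a member" does not fire.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Groups already visited in this run, keyed by DistinguishedName, so that
# nesting cycles and groups nested under several parents are handled once.
$done = @{}

function Convert-GroupTree {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)] $Group)

    if ($done.ContainsKey($Group.DistinguishedName)) { return }
    $done[$Group.DistinguishedName] = $true

    # Post-order walk: nested groups must be Universal before the parent can be.
    # Get-Group (rather than Get-DistributionGroup) is used here on purpose so
    # that nested groups which are NOT mail-enabled are converted as well.
    foreach ($member in Get-DistributionGroupMember -Identity $Group.Identity -ResultSize Unlimited) {
        # Users and contacts never block the conversion; only group members do.
        if ($member.RecipientType -like '*Group*') {
            $child = Get-Group -Identity $member.DistinguishedName -ErrorAction SilentlyContinue
            if ($child) { Convert-GroupTree -Group $child }
        }
    }

    # Nothing to do when the scope is already Universal.
    if ($Group.GroupType -like 'Universal*') { return }

    if ($PSCmdlet.ShouldProcess($Group.Name, 'Set-Group -Universal')) {
        try {
            Set-Group -Identity $Group.Identity -Universal -ErrorAction Stop
            Write-Host "Converted '$($Group.Name)' ($($Group.GroupType)) to Universal"
        } catch {
            # Surfaces the Active Directory error instead of silently skipping.
            Write-Warning "Could not convert '$($Group.Name)': $($_.Exception.Message)"
        }
    }
}

# Start from every mail-enabled group whose scope is not yet Universal.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { $_.GroupType -notlike 'Universal*' } |
    ForEach-Object { Convert-GroupTree -Group $_ }
```

Save it as a .ps1 file and run it once with -WhatIf, then again without. Because the member walk happens before the parent's own Set-Group call, a parent is only converted after every group below it already has Universal scope, which is the order the directory requires; anything that still fails is reported as a warning with the directory's own error text so it can be fixed by hand in ADUC as shown above.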


Oz Casey, Dedeal

( Exchange Server North America MVP)

MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)
