MS Exchange 2016 CU19 update error: The operation failed because UPN value provided for addition/modification is not unique forest-wide

I am trying to update Exchange to the latest CU.

We run a hybrid setup with O365, and since we hardly use the server our updates have fallen behind.

The last update was done before I got here, so I have no first-hand experience with updating it.

I have read through the documentation but get the following error.

We don't have an overly complex multi-domain AD infrastructure, so I believe we should be able to complete the update using only the wizard, without preparing AD beforehand, but I may be wrong.

The error indicates that it is referring to Install-UserAccount -Name $federatedMailboxId -LastName $federatedMailboxId;

but I'm not sure which federated mailbox it is actually referring to.

Hopefully someone with experience can point me in the right direction, as I'm trying to make sure the server is protected against the latest zero-day Microsoft just announced.

Here is the full error:

Error:
The following error was generated when "$error.Clear(); 
          if (!$RoleIsDatacenter)
          {
            $federatedMailboxId = [Microsoft.Exchange.Management.Deployment.UpdateRmsSharedIdentity]::SharedIdentityCommonName;
            $federatedEmailUsers = @(Get-User -Filter {LastName -eq $federatedMailboxId} -IgnoreDefaultScope -ResultSize 1);
            if ($federatedEmailUsers.Length -eq 0)
            {
              $federatedEmailUsers = @(Get-User -Arbitration -Filter {LastName -eq $federatedMailboxId} -IgnoreDefaultScope -ResultSize 1);
            }

            if ($federatedEmailUsers.Length -eq 0)
            {
              Install-UserAccount -Name $federatedMailboxId -LastName $federatedMailboxId;
            }
          }
        " was run: "Microsoft.Exchange.Data.Directory.ADConstraintViolationException: An Active Directory Constraint Violation error occurred on XX-XX-XXXX.xxxxxxxx.com. Additional information: The operation failed because UPN value provided for addition/modification is not unique forest-wide.
Active directory response: 000021C8: AtrErr: DSID-03200BE9, #1:
    0: 000021C8: DSID-03200BE9, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90290 (userPrincipalName)
 ---> System.DirectoryServices.Protocols.DirectoryOperationException: A value in the request is invalid.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.GuardedDirectoryExecution.Execute[T](String bucketName, Func`1 action, Int64& concurrency)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.GuardedSendRequest(String forestName, GuardedDirectoryExecution guardedDirectoryExecution, DirectoryRequest request, TimeSpan timeout, Func`3 sendRequestDelegate, Int64& concurrency)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IADLogContext logContext, Boolean shouldLogLastFilter)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer, String callerFilePath, Int32 callerFileLine, String memberName)
   at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
   at Microsoft.Exchange.Data.Directory.ADDataSession.Save(ADObject instanceToSave, IEnumerable`1 properties, Boolean bypassValidation)
   at Microsoft.Exchange.Data.Directory.Recipient.ADRecipientObjectSession.Save(ADRecipient instanceToSave, String callerFilePath, Int32 callerFileLine, String memberName)
   at Microsoft.Exchange.Management.Deployment.InstallUserAccount.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__91_1()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".

Answer 1

The error is telling you that it is trying to modify the federatedEmail built-in user in the AD Users OU. It can't do that, but it is also not a unique name, so it can't add it either. This is probably because it isn't where it should be, or it may have been disabled.

See this article for more information on these accounts.

https://www.azure365pro.com/how-to-recreate-system-mailbox-federatedemail-discoverysearchmailbox-in-exchange-2010/

Answer 2

Run the following command to check for objects with the same UPN:

Get-ADObject -LdapFilter "(userPrincipalName=<UPN>)" -IncludeDeletedObjects

Here is a blog post about the error "Additional information: The operation failed because UPN value provided for addition/modification is not unique forest-wide." Check it for more details: SPN and UPN uniqueness
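A forest-wide version of the check from Answer 2, added here as an example and not part of either answer: it runs the Get-ADObject query against every domain in the forest, live and deleted objects included, so the duplicate is found even when it lives in another domain than the one Exchange setup reported. The ActiveDirectory RSAT module, read access to each domain's Deleted Objects container, and the $Upn parameter value (taken from the setup log) are assumptions.

```powershell
# Added example (not from the original question or answers): list every object
# in the forest, live or tombstoned, that holds the UPN Install-UserAccount is
# trying to write. Assumes the ActiveDirectory module and rights to read the
# Deleted Objects container in each domain.
param(
    # Placeholder: the UPN from the failed Install-UserAccount call in the
    # Exchange setup log (the FederatedEmail arbitration account in this case).
    [Parameter(Mandatory)]
    [string]$Upn
)

Import-Module ActiveDirectory

# Escape LDAP filter metacharacters so the UPN is matched literally and a
# stray '*' or '(' in the value cannot widen or break the search.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' `
           -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

$filter = "(userPrincipalName=$(ConvertTo-LdapFilterValue $Upn))"

# Query each domain separately rather than only the local domain: UPN
# uniqueness is enforced forest-wide, so the conflicting object may be in a
# different domain. -IncludeDeletedObjects also returns tombstoned objects.
$holders = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADObject -Server $domain -LDAPFilter $filter -IncludeDeletedObjects `
        -Properties userPrincipalName, isDeleted, whenChanged |
        Select-Object @{ n = 'Domain'; e = { $domain } },
            DistinguishedName, ObjectClass, userPrincipalName, isDeleted, whenChanged
}

if (-not $holders) {
    Write-Output "No object in the forest currently holds UPN '$Upn'."
} else {
    # Any one of these blocks creating a new account with the same UPN; a
    # deleted (isDeleted = True) entry points at a tombstone to clean up,
    # a live entry at an account to move, rename or remove.
    Write-Output "Objects holding UPN '$Upn':"
    $holders | Format-Table -AutoSize
}
```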